feat(auth): implement PASETO token generation and validation service #89
No reviewers
Labels
No labels
CI/CD
MongoDB
PostgreSQL
api
authentication
bug
documentation
duplicate
enhancement
example issue
fix
good first issue
help wanted
high-level requirement
infrastructure
invalid
low-level requirement
medium-level requirement
question
security
test
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
AndreFerreira5/starranja!89
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "feat/auth-paseto-token-service"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
There are critical safety issues that need to be addressed. Other aspects of the implementations look good, but need more in-depth and careful checking - more reviewers should be assigned and spend some time examining this PR, namely those familiar with the authentication modules.
@ -44,6 +46,7 @@ python_files = ["test_*.py", "*_test.py"]python_classes = ["Test*"]Mismatch between this file and
authentication/config.py.env_files = ["src/.env"]is inconsistent with the path set in the config file:env_file=".envThis will never raise an error since a predefined key exists in
authentication/config.py. If a key is not defined, the initialization will accept the compromised key@ -0,0 +75,4 @@if v < 8:raise ValueError("Minimum password length should be at least 8")return vSevere Security Issue: Commiting a hardcoded, default value permanently compromises it. In the case that a real environment variable is not set when running the deployed app, the fallback value is this default, which is compromised.
A configuration file should never provide a default value for a secret. It should only define the requirement for one. If no key is set, an error must be raised.
Also, this specific key (
53d629...) should be permanently burned and must never be used again in any environment, since it is forever compromised.i fixed the main problems, please review the changes @Rodrigo2003-PT @vascodias23 @Cordeir01
@ -0,0 +75,4 @@if v < 8:raise ValueError("Minimum password length should be at least 8")return vtook the liberty of setting an empty key as default. this allows us to read the actually key from the environment and if it is non existent, the app later throws an error because the key is just an empty string. in the case of testing, i generate a random key and inject it into the settings object before the tests run (0bc5fc0) as the tests don't need reproducibility of the key
@ -44,6 +46,7 @@ python_files = ["test_*.py", "*_test.py"]python_classes = ["Test*"]fixed and now the .env file should sit on the root of the project, alongside the .env.example