Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): O(1) selector+verifier token verification

Browse Source 
verifyToken loaded every non-revoked token and bcrypt-compared each (O(n) per
request — auth-latency DoS + linear scaling). New token format
vk_<selector>.<verifier>: the non-secret selector is indexed and locates exactly
one row; only the verifier is bcrypt-hashed. Legacy NULL-selector tokens still
verify via a fallback scan. Dropped the useless idx_agent_tokens_hash.

- migration 010_token_selector.sql (adds selector col + unique partial index)
- createToken/verifyToken reworked; also adds listTokenMeta (read for Yerin's
  token_audit tool)
- tests/repos/token_selector.test.js

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
root
2026-06-02 00:17:45 +10:00
parent 10a8b813a5
commit aa9cf0917e
3 changed files with 114 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/db/migrations/010_token_selector.sql Normal file
View File

@@ -0,0 +1,12 @@
-- Selector+verifier tokens: make verifyToken O(1) instead of an O(n) bcrypt scan
-- over every non-revoked token (code-review-2026-06-01.md / security-sweep HIGH).
-- The selector is a non-secret public lookup key; the verifier stays bcrypt-hashed
-- in token_hash. Legacy rows keep selector NULL and verify via the fallback path.
ALTER TABLE agent_tokens ADD COLUMN IF NOT EXISTS selector text;
-- One row per selector (partial: legacy NULLs are exempt).
CREATE UNIQUE INDEX IF NOT EXISTS idx_agent_tokens_selector
ON agent_tokens(selector) WHERE selector IS NOT NULL;
-- The old hash index was useless — bcrypt hashes can't be looked up by value.
DROP INDEX IF EXISTS idx_agent_tokens_hash;