Void-Homelab

Hynes/Void-Homelab

Fork 0

Commit Graph

Author	SHA1	Message	Date
root	459a7749c9	fix(auth): constant-time owner-token comparison Owner bearer token was compared with === / !==, which short-circuits on the first differing byte and leaks token length+prefix via response timing (security-sweep-2026-06-01.md). New timingSafeStrEqual (crypto.timingSafeEqual with a length pre-check so it never throws on length mismatch); wired into both owner.js and agent_auth.js. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-01 23:26:46 +10:00
root	7e55f07689	feat(auth): owner-only middleware for single-user bearer auth	2026-05-31 11:06:21 +10:00
root	cd71d64523	feat(auth): capability check — user/cron/worker allow; agents tiered allow/suggest/deny	2026-05-31 11:06:00 +10:00

Author

SHA1

Message

Date

root

459a7749c9

fix(auth): constant-time owner-token comparison

Owner bearer token was compared with === / !==, which short-circuits on the
first differing byte and leaks token length+prefix via response timing
(security-sweep-2026-06-01.md). New timingSafeStrEqual (crypto.timingSafeEqual
with a length pre-check so it never throws on length mismatch); wired into both
owner.js and agent_auth.js.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-01 23:26:46 +10:00

root

7e55f07689

feat(auth): owner-only middleware for single-user bearer auth

2026-05-31 11:06:21 +10:00

root

cd71d64523

feat(auth): capability check — user/cron/worker allow; agents tiered allow/suggest/deny

2026-05-31 11:06:00 +10:00

3 Commits