Void-Homelab

Hynes/Void-Homelab

Fork 0

Commit Graph

Author	SHA1	Message	Date
root	459a7749c9	fix(auth): constant-time owner-token comparison Owner bearer token was compared with === / !==, which short-circuits on the first differing byte and leaks token length+prefix via response timing (security-sweep-2026-06-01.md). New timingSafeStrEqual (crypto.timingSafeEqual with a length pre-check so it never throws on length mismatch); wired into both owner.js and agent_auth.js. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-01 23:26:46 +10:00
root	7862d22a03	feat(api): agent bearer auth middleware Add lib/api/middleware/agent_auth.js: agentOrOwner accepts the owner token (kind=user actor) or a hashed agent token (kind=agent actor carrying capabilities + scopes). /api router now mounts this in place of ownerOnly so agent tokens become first-class. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-31 20:59:29 +10:00

Author

SHA1

Message

Date

root

459a7749c9

fix(auth): constant-time owner-token comparison

Owner bearer token was compared with === / !==, which short-circuits on the
first differing byte and leaks token length+prefix via response timing
(security-sweep-2026-06-01.md). New timingSafeStrEqual (crypto.timingSafeEqual
with a length pre-check so it never throws on length mismatch); wired into both
owner.js and agent_auth.js.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-01 23:26:46 +10:00

root

7862d22a03

feat(api): agent bearer auth middleware

Add lib/api/middleware/agent_auth.js: agentOrOwner accepts the owner
token (kind=user actor) or a hashed agent token (kind=agent actor
carrying capabilities + scopes). /api router now mounts this in place
of ownerOnly so agent tokens become first-class.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-31 20:59:29 +10:00

2 Commits