fix: security hardening from CSO audit

- Add auth failure logging (login, API key, JWT) with IP/email/prefix - Move OAuth JWT from URL params to short-lived cookies to prevent token leakage via browser history, server logs, and Referer headers - Pin Swagger UI to v5.18.2 with SRI integrity hashes - Upgrade Go toolchain to 1.25.8 (fixes 5 called stdlib vulns) - Fix unchecked error in host agent credential refresh - Add .gstack to .gitignore for security report artifacts
2026-04-08 03:46:31 +06:00
parent 3675ecba65
commit dd50cfdcb1
9 changed files with 57 additions and 18 deletions
--- a/.gitignore
+++ b/.gitignore
@ -35,6 +35,7 @@ go.work.sum
 .claude/
 e2b/
 .impeccable.md
+.gstack

 ## Builds
 builds/
--- a/envd/go.mod
+++ b/envd/go.mod
@ -1,6 +1,6 @@
 module git.omukk.dev/wrenn/sandbox/envd

-go 1.25.5
+go 1.25.8

 require (
 	connectrpc.com/authn v0.1.0
--- a/frontend/src/routes/auth/github/callback/+page.svelte
+++ b/frontend/src/routes/auth/github/callback/+page.svelte
@ -4,17 +4,37 @@
 	import { auth } from '$lib/auth.svelte';
 	import { teams } from '$lib/teams.svelte';

+	// Check for error in URL params (errors are still passed via query params).
 	const params = $page.url.searchParams;
 	const error = params.get('error');

+	function getCookie(name: string): string | null {
+		const match = document.cookie.match(new RegExp(`(?:^|; )${name}=([^;]*)`));
+		return match ? decodeURIComponent(match[1]) : null;
+	}
+
+	function clearOAuthCookies() {
+		for (const name of [
+			'wrenn_oauth_token',
+			'wrenn_oauth_user_id',
+			'wrenn_oauth_team_id',
+			'wrenn_oauth_email',
+			'wrenn_oauth_name'
+		]) {
+			document.cookie = `${name}=; path=/auth/; max-age=0`;
+		}
+	}
+
 	if (error) {
 		goto(`/login?error=${encodeURIComponent(error)}`);
 	} else {
-		const token = params.get('token');
-		const userId = params.get('user_id');
-		const teamId = params.get('team_id');
-		const email = params.get('email');
-		const name = params.get('name') ?? '';
+		const token = getCookie('wrenn_oauth_token');
+		const userId = getCookie('wrenn_oauth_user_id');
+		const teamId = getCookie('wrenn_oauth_team_id');
+		const email = getCookie('wrenn_oauth_email');
+		const name = getCookie('wrenn_oauth_name') ?? '';
+
+		clearOAuthCookies();

 		if (token && userId && teamId && email) {
 			teams.reset();
--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module git.omukk.dev/wrenn/sandbox

-go 1.25.0
+go 1.25.8

 require (
 	connectrpc.com/connect v1.19.1
--- a/internal/api/handlers_auth.go
+++ b/internal/api/handlers_auth.go
@ -3,6 +3,7 @@ package api
 import (
 	"context"
 	"errors"
+	"log/slog"
 	"net/http"
 	"strings"

@ -202,6 +203,7 @@ func (h *authHandler) Login(w http.ResponseWriter, r *http.Request) {
 	user, err := h.db.GetUserByEmail(ctx, req.Email)
 	if err != nil {
 		if errors.Is(err, pgx.ErrNoRows) {
+			slog.Warn("login failed: unknown email", "email", req.Email, "ip", r.RemoteAddr)
 			writeError(w, http.StatusUnauthorized, "unauthorized", "invalid email or password")
 			return
 		}
@ -210,10 +212,12 @@ func (h *authHandler) Login(w http.ResponseWriter, r *http.Request) {
 	}

 	if !user.PasswordHash.Valid {
+		slog.Warn("login failed: no password set", "email", req.Email, "ip", r.RemoteAddr)
 		writeError(w, http.StatusUnauthorized, "unauthorized", "invalid email or password")
 		return
 	}
 	if err := auth.CheckPassword(user.PasswordHash.String, req.Password); err != nil {
+		slog.Warn("login failed: wrong password", "email", req.Email, "ip", r.RemoteAddr)
 		writeError(w, http.StatusUnauthorized, "unauthorized", "invalid email or password")
 		return
 	}
--- a/internal/api/handlers_oauth.go
+++ b/internal/api/handlers_oauth.go
@ -300,14 +300,23 @@ func (h *oauthHandler) retryAsLogin(w http.ResponseWriter, r *http.Request, prov
 }

 func redirectWithToken(w http.ResponseWriter, r *http.Request, base, token, userID, teamID, email, name string) {
-	u := base + "?" + url.Values{
-		"token":   {token},
-		"user_id": {userID},
-		"team_id": {teamID},
-		"email":   {email},
-		"name":    {name},
-	}.Encode()
-	http.Redirect(w, r, u, http.StatusFound)
+	// Set auth data as short-lived cookies instead of URL query parameters.
+	// This prevents token leakage via server access logs, Referer headers, and browser history.
+	for _, c := range []http.Cookie{
+		{Name: "wrenn_oauth_token", Value: token},
+		{Name: "wrenn_oauth_user_id", Value: userID},
+		{Name: "wrenn_oauth_team_id", Value: teamID},
+		{Name: "wrenn_oauth_email", Value: email},
+		{Name: "wrenn_oauth_name", Value: name},
+	} {
+		c.Path = "/auth/"
+		c.MaxAge = 60
+		c.HttpOnly = false // frontend JS must read these
+		c.SameSite = http.SameSiteLaxMode
+		c.Secure = isSecure(r)
+		http.SetCookie(w, &c)
+	}
+	http.Redirect(w, r, base, http.StatusFound)
 }

 func redirectWithError(w http.ResponseWriter, r *http.Request, base, code string) {
--- a/internal/api/middleware_auth.go
+++ b/internal/api/middleware_auth.go
@ -20,6 +20,7 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 				hash := auth.HashAPIKey(key)
 				row, err := queries.GetAPIKeyByHash(r.Context(), hash)
 				if err != nil {
+					slog.Warn("api key auth failed", "prefix", auth.APIKeyPrefix(key), "ip", r.RemoteAddr)
 					writeError(w, http.StatusUnauthorized, "unauthorized", "invalid API key")
 					return
 				}
@ -42,6 +43,7 @@ func requireAPIKeyOrJWT(queries *db.Queries, jwtSecret []byte) func(http.Handler
 				tokenStr := strings.TrimPrefix(header, "Bearer ")
 				claims, err := auth.VerifyJWT(jwtSecret, tokenStr)
 				if err != nil {
+					slog.Warn("jwt auth failed", "error", err, "ip", r.RemoteAddr)
 					writeError(w, http.StatusUnauthorized, "unauthorized", "invalid or expired token")
 					return
 				}
--- a/internal/api/server.go
+++ b/internal/api/server.go
@ -208,7 +208,7 @@ func serveDocs(w http.ResponseWriter, r *http.Request) {
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Wrenn Sandbox API</title>
-  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5/swagger-ui.css">
+  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.18.2/swagger-ui.css" integrity="sha384-rcbEi6xgdPk0iWkAQzT2F3FeBJXdG+ydrawGlfHAFIZG7wU6aKbQaRewysYpmrlW" crossorigin="anonymous">
  <style>
    body { margin: 0; background: #fafafa; }
    .swagger-ui .topbar { display: none; }
@ -216,7 +216,7 @@ func serveDocs(w http.ResponseWriter, r *http.Request) {
 </head>
 <body>
  <div id="swagger-ui"></div>
-  <script src="https://unpkg.com/swagger-ui-dist@5/swagger-ui-bundle.js"></script>
+  <script src="https://unpkg.com/swagger-ui-dist@5.18.2/swagger-ui-bundle.js" integrity="sha384-NXtFPpN61oWCuN4D42K6Zd5Rt2+uxeIT36R7kpXBuY9tLnZorzrJ4ykpqwJfgjpZ" crossorigin="anonymous"></script>
  <script>
    SwaggerUIBundle({
      url: "/openapi.yaml",
--- a/internal/hostagent/registration.go
+++ b/internal/hostagent/registration.go
@ -214,7 +214,10 @@ func RefreshCredentials(ctx context.Context, cpURL, credentialsFilePath string)
 	}
 	defer resp.Body.Close()

-	respBody, _ := io.ReadAll(resp.Body)
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("read refresh response body: %w", err)
+	}

 	if resp.StatusCode != http.StatusOK {
 		var errResp errorResponse