fix: security hardening — 40 findings from full codebase review

Full codebase review by 4 independent agents (security, architecture, code quality, correctness) identified ~80 findings. This commit fixes 40 of them across all workspace crates. Critical fixes: - Federation service: validate origin against mTLS cert CN/SAN (C1) - WS bridge: add DM channel auth, size limits, rate limiting (C2) - hpke_seal: panic on error instead of silent empty ciphertext (C3) - hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7) Security fixes: - Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes() returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password, conversation hex_key all wrapped in Zeroizing - Keystore: 0o600 file permissions on Unix - MeshIdentity: 0o600 file permissions on Unix - Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor - Mobile: TLS verification gated behind insecure-dev feature flag - Proto: from_bytes default limit tightened from 64 MiB to 8 MiB Correctness fixes: - fetch_wait: register waiter before fetch to close TOCTOU window - MeshEnvelope: exclude hop_count from signature (forwarding no longer invalidates sender signature) - BroadcastChannel: encrypt returns Result instead of panicking - transcript: rename verify_transcript_chain → validate_transcript_structure - group.rs: extract shared process_incoming() for receive_message variants - auth_ops: remove spurious RegistrationRequest deserialization - MeshStore.seen: bounded to 100K with FIFO eviction Quality fixes: - FFI error classification: typed downcast instead of string matching - Plugin HookVTable: SAFETY documentation for unsafe Send+Sync - clippy::unwrap_used: warn → deny workspace-wide - Various .unwrap_or("") → proper error returns Review report: docs/REVIEW-2026-03-04.md 152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)
2026-03-04 07:52:12 +01:00
parent 4694a3098b
commit 394199b19b
58 changed files with 3893 additions and 414 deletions
--- a/crates/quicproquo-server/src/auth.rs
+++ b/crates/quicproquo-server/src/auth.rs
@@ -178,6 +178,49 @@ pub fn validate_auth_context(
    Err(crate::error_codes::coded_error(E003_INVALID_TOKEN, "invalid accessToken"))
 }

+/// Validate a raw bearer token (no Cap'n Proto dependency).
+/// Used by the WebSocket JSON-RPC bridge.
+pub fn validate_token_raw(
+    cfg: &AuthConfig,
+    sessions: &DashMap<Vec<u8>, SessionInfo>,
+    token: &[u8],
+) -> Result<AuthContext, String> {
+    if token.is_empty() {
+        return Err("empty access token".to_string());
+    }
+
+    // Check static bearer token.
+    if let Some(expected) = &cfg.required_token {
+        if expected.len() == token.len() && bool::from(expected.as_slice().ct_eq(token)) {
+            return Ok(AuthContext {
+                token: token.to_vec(),
+                identity_key: None,
+            });
+        }
+    }
+
+    // Check session tokens.
+    if let Some(session) = sessions.get(token) {
+        let now = current_timestamp();
+        if session.expires_at > now {
+            let identity = if session.identity_key.is_empty() {
+                None
+            } else {
+                Some(session.identity_key.clone())
+            };
+            return Ok(AuthContext {
+                token: token.to_vec(),
+                identity_key: identity,
+            });
+        }
+        drop(session);
+        sessions.remove(token);
+        return Err("session token has expired".to_string());
+    }
+
+    Err("invalid access token".to_string())
+}
+
 pub fn require_identity(auth_ctx: &AuthContext) -> Result<&[u8], capnp::Error> {
    match auth_ctx.identity_key.as_deref() {
        Some(ik) => Ok(ik),