PSA audit (non-mock fixes) + prod mock-guard #14

Merged
vas2000-work merged 3 commits from feat/m1-vas into main 2026-05-29 22:05:21 +02:00
Owner

Remediates the non-mock PSA-audit findings; dev mocks are kept per decision, with a production guard added.

  • OIDC nonce validation in bunyip-web complete_login (reject a missing or mismatched id_token nonce).
  • Sensitive-log scrub: drop email addresses and link (bearer-token) URLs from the mock-email info! lines in auth.rs/orgs.rs, keeping a non-sensitive event keyed on user_id (invitation_id + org_id for invites).
  • AppShell active-org caption derives the active org from the id_token active_tenant claim instead of memberships.first().
  • Feedback routes to the active org via an X-Active-Tenant header (falls back to first()); end-to-end correctness needs the SPA to forward the claim - marked // TODO(m1-vas).
  • Production startup guard: bunyip-api refuses to boot when mock-auth knobs (MOCK_PASSWORD / MOCK_TOTP_CODE) or the compiled-in any-6-digit TOTP bypass are active; dev behavior unchanged.

Also includes the prior m1 Google-OAuth + wiring commit on this branch.

Adds bunyip-side "Continue with Google" / "Sign up with Google" SSO buttons that ride the existing PKCE OIDC flow against mokosh-server with an &idp_hint=google query param appended. No mokosh-server code changes; the hint is opt-in on the IdP side and the flow degrades gracefully (user sees the chooser) if mokosh-server's IdP UI ignores it. The button hides when BUNYIP_OIDC_ISSUER is unset so dev builds without env baked in are safe.

Refactors start_login into a small start_login_inner helper so the new start_login_with_idp_hint variant can share state + PKCE generation without duplicating the URL-building loop. Public callers of start_login keep their signature.

Adds baseline security headers (X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin) to the bunyip-web production Caddyfile. CSP is intentionally absent here; tune one after the queued security audit since Dioxus WASM needs script-src 'self' 'wasm-unsafe-eval' plus the mokosh-server origin in connect-src.

Adds a TODO note on the AppShell active-org caption since me.memberships.first() can show the wrong org for multi-org users; the fix path (read mokosh_active_tenant claim from the JWT via modules/oidc/tokens.rs::parse_unverified, or extend MeResponse server-side) is documented in For AI/m1-vas-progress.md.

Adds docs/getting-started.md per the PSA-1 milestone explicit ask ("Start of the documentation - Example: How do I get started?"). Covers the just dev fast path, mock-mode sign-in, the SSO overlay, the Google button, the cross-project domain layout, common commands, and where things live.

Appends a May 26 update to dev-docs/milestone-1-handoff.md noting what landed since the May 15 snapshot (PRs #14 #18 #2 #4 #6 plus docker feat/PSA-Staging all merged) and what this sprint added.

Local-only sprint per user constraint. No push.
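The following is an added example, written for this page and not code from bunyip-web or mokosh-server, of the two checks the description above ties together: the complete_login ordering (state verified and consumed first, then the id_token nonce must be present and equal to the one issued at start_login) and the active-org choice that prefers the id_token active_tenant claim over memberships.first(). It assumes the id_token payload has already been decoded into a plain struct, that state and nonce are generated by a CSPRNG elsewhere, and it adds one choice of its own: an active_tenant that is not in the user's memberships is ignored rather than trusted. PKCE and signature verification are out of scope here.

```rust
use std::collections::HashMap;

/// Subset of id_token claims this example looks at. A real client decodes
/// these from the JWT payload; here the struct is built directly
/// (assumption: field names follow the page's `nonce` / `active_tenant`).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct IdTokenClaims {
    pub nonce: Option<String>,
    pub active_tenant: Option<String>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum LoginError {
    /// No in-flight login for this state (forged, expired, or already used).
    UnknownState,
    /// The id_token carries no nonce claim at all.
    MissingNonce,
    /// The id_token nonce differs from the one issued at start_login.
    NonceMismatch,
}

/// Compare two byte strings without an early exit on the first differing
/// byte, so a wrong nonce does not leak how many leading bytes matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// In-flight logins keyed by `state`; each entry holds the nonce that was
/// placed in the authorize request for that state.
#[derive(Default)]
pub struct LoginStore {
    pending: HashMap<String, String>,
}

impl LoginStore {
    /// start_login side: remember the (state, nonce) pair. Both values must
    /// come from a CSPRNG in real code; this example takes them as input.
    pub fn begin(&mut self, state: &str, nonce: &str) {
        self.pending.insert(state.to_string(), nonce.to_string());
    }

    /// complete_login side. Order matters: the state is checked and consumed
    /// (so a replayed callback fails) before the id_token is even looked at;
    /// only then must the nonce be present and equal to the issued one.
    pub fn complete_login(
        &mut self,
        state: &str,
        claims: &IdTokenClaims,
    ) -> Result<IdTokenClaims, LoginError> {
        let issued_nonce = self.pending.remove(state).ok_or(LoginError::UnknownState)?;
        let got = claims.nonce.as_deref().ok_or(LoginError::MissingNonce)?;
        if !ct_eq(got.as_bytes(), issued_nonce.as_bytes()) {
            return Err(LoginError::NonceMismatch);
        }
        Ok(claims.clone())
    }
}

/// Active-org selection: prefer the id_token's active_tenant claim, but only
/// when it names an org the user is actually a member of (that membership
/// check is this example's own choice); otherwise fall back to first().
pub fn active_org<'a>(claims: &IdTokenClaims, memberships: &'a [String]) -> Option<&'a str> {
    if let Some(tenant) = claims.active_tenant.as_deref() {
        if let Some(m) = memberships.iter().find(|m| m.as_str() == tenant) {
            return Some(m.as_str());
        }
    }
    memberships.first().map(String::as_str)
}

fn main() {
    // Constructed sample: one login started, then its callback completed.
    let mut store = LoginStore::default();
    store.begin("st-1", "n-1");
    let claims = IdTokenClaims { nonce: Some("n-1".into()), active_tenant: Some("org-b".into()) };
    let memberships = vec!["org-a".to_string(), "org-b".to_string()];
    match store.complete_login("st-1", &claims) {
        Ok(c) => println!("login ok, active org = {:?}", active_org(&c, &memberships)),
        Err(e) => println!("login rejected: {e:?}"),
    }
}
```

Consuming the state entry on every attempt, successful or not, is deliberate: a callback whose id_token fails the nonce check cannot be retried with a corrected token, and a second delivery of a good callback fails on state rather than being accepted twice.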
feat(m1): Phase-5 audit fixes - OIDC nonce, log scrub, active-org, feedback routing, prod mock-guard
All checks were successful
build / Build and push OCI images (pull_request) Has been skipped
build / Lint and type-check (pull_request) Successful in 16s
dc0e9d5e28
B1: OIDC nonce validation in bunyip-web complete_login - reject a missing or mismatched id_token nonce (state still checked first).
B2: scrub sensitive data from the mock-email logs in auth.rs/orgs.rs - drop the email address and the link (a bearer credential) from the info! lines; keep a non-sensitive event keyed on user_id (invitation_id + org_id for invites).
B3: AppShell active-org caption derives the active org from the id_token active_tenant claim instead of memberships.first().
B4 (partial): feedback routes to the active org via an X-Active-Tenant header, falling back to first(); end-to-end correctness needs the SPA to forward the claim - marked // TODO(m1-vas).
B5: a production startup guard (config.rs) refuses to boot when mock-auth knobs (MOCK_PASSWORD / MOCK_TOTP_CODE) or the compiled-in any-6-digit TOTP bypass are active; dev behavior unchanged (mocks kept per decision).
Cargo.lock is a harmless 0.1.0 -> 0.1.1 lock refresh from the build.

Verified with cargo check (api native + bunyip-web wasm) and cargo fmt --check in the dev container.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
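An added example, not bunyip-api's config.rs, of the production startup guard B5 describes: in production the process refuses to boot when MOCK_PASSWORD or MOCK_TOTP_CODE is set or the compiled-in any-6-digit TOTP bypass is present, while dev behaviour is unchanged. The environment-mode variable (APP_ENV), its accepted spellings, and modelling the compiled-in bypass as a cargo feature named mock-totp are assumptions of this example. Two fail-closed choices are its own: an unrecognised or missing mode counts as production, and a knob that is set but empty still counts as active.

```rust
use std::env;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AppEnv {
    Dev,
    Prod,
}

impl AppEnv {
    /// Map the mode string to an environment. Anything that is not explicitly
    /// dev counts as production, so a missing or misspelled value fails closed
    /// instead of silently enabling mocks. (assumption: variable name APP_ENV
    /// and the accepted spellings are this example's.)
    pub fn parse(raw: Option<&str>) -> AppEnv {
        match raw.map(str::trim) {
            Some("dev") | Some("development") => AppEnv::Dev,
            _ => AppEnv::Prod,
        }
    }
}

/// The mock-auth knobs the guard inspects. The two env knobs are the ones
/// named in the commit; `any_totp_bypass` stands for the compiled-in
/// any-6-digit TOTP bypass, modelled here as a cargo feature (assumption:
/// feature name "mock-totp").
#[derive(Debug, Default)]
pub struct MockKnobs {
    pub mock_password: Option<String>,
    pub mock_totp_code: Option<String>,
    pub any_totp_bypass: bool,
}

impl MockKnobs {
    pub fn from_process() -> MockKnobs {
        MockKnobs {
            mock_password: env::var("MOCK_PASSWORD").ok(),
            mock_totp_code: env::var("MOCK_TOTP_CODE").ok(),
            any_totp_bypass: cfg!(feature = "mock-totp"),
        }
    }

    /// Names of every knob that is active. A variable that is set but empty
    /// still counts: presence, not content, is what enables the mock path.
    pub fn active(&self) -> Vec<&'static str> {
        let mut on = Vec::new();
        if self.mock_password.is_some() {
            on.push("MOCK_PASSWORD");
        }
        if self.mock_totp_code.is_some() {
            on.push("MOCK_TOTP_CODE");
        }
        if self.any_totp_bypass {
            on.push("any-6-digit TOTP bypass (compiled in)");
        }
        on
    }
}

/// Startup guard: Ok in dev regardless of knobs, Ok in prod only when no mock
/// knob is active, otherwise an error the caller turns into a refusal to boot.
/// The message lists every active knob so one failed start shows them all.
pub fn check_mock_guard(app_env: AppEnv, knobs: &MockKnobs) -> Result<(), String> {
    let active = knobs.active();
    if app_env == AppEnv::Prod && !active.is_empty() {
        return Err(format!(
            "refusing to start: APP_ENV is production but mock auth is active: {}",
            active.join(", ")
        ));
    }
    Ok(())
}

fn main() {
    let app_env = AppEnv::parse(env::var("APP_ENV").ok().as_deref());
    let knobs = MockKnobs::from_process();
    if let Err(msg) = check_mock_guard(app_env, &knobs) {
        eprintln!("{msg}");
        std::process::exit(1);
    }
    println!("mock guard passed ({app_env:?})");
}
```

Run the guard before any listener is bound or any secret is loaded, so a misconfigured production container dies at startup rather than serving a few requests with the bypass live.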
fix(web): derive_api_host returns same-origin host on apex topology
All checks were successful
build / Build and push OCI images (pull_request) Has been skipped
build / Lint and type-check (pull_request) Successful in 20s
dfa6fe8cd0
bunyip-web's derive_api_host apex branch returned format!("msp-api.{host}"), targeting the dead cross-origin scheme. On the c-01 apex deployment bunyip-web and bunyip-api are co-resident at a8n.systems, so the API host IS the SPA host - return it as-is. Updates the doc comment to describe the new same-origin apex behavior and the corresponding api_host_derivation unit-test assertions. The dev-host branch (<user>-bunyip.<rest>) is unchanged. Follow-up: README / dev-docs / docs/getting-started still describe the msp-api.<tld> scheme.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
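An added example, not bunyip-web's derive_api_host, showing the apex fix from this commit beside the behaviour it replaced: on the apex topology the API host is the SPA host and is returned as-is, where the old branch produced a cross-origin msp-api.<host>. The commit only says the dev-host branch (<user>-bunyip.<rest>) is unchanged, not what it returns, so the mapping to <user>-api.<rest> used here is an assumption; the classifier, the Topology type and the handling of a host that carries a port are this example's own.

```rust
/// Where the SPA is served from, as seen by the browser's location host.
#[derive(Debug, PartialEq, Eq)]
pub enum Topology<'a> {
    /// `<user>-bunyip.<rest>`: per-developer host.
    DevHost { user: &'a str, rest: &'a str },
    /// Apex deployment (a8n.systems on c-01): SPA and API co-resident.
    Apex,
}

/// Split off the first DNS label and test it for the `-bunyip` suffix.
/// Anything else, including bare names and hosts carrying a port, is apex.
pub fn classify(host: &str) -> Topology<'_> {
    if let Some((first, rest)) = host.split_once('.') {
        if let Some(user) = first.strip_suffix("-bunyip") {
            if !user.is_empty() && !rest.is_empty() {
                return Topology::DevHost { user, rest };
            }
        }
    }
    Topology::Apex
}

/// Before the fix: the apex branch targeted the dead cross-origin scheme.
pub fn derive_api_host_before(host: &str) -> String {
    match classify(host) {
        // assumption: dev mapping `<user>-api.<rest>` (not stated on the page)
        Topology::DevHost { user, rest } => format!("{user}-api.{rest}"),
        Topology::Apex => format!("msp-api.{host}"),
    }
}

/// After the fix: on the apex topology the API host is the SPA host, so the
/// value is returned unchanged (port included, which keeps it same-origin).
pub fn derive_api_host(host: &str) -> String {
    match classify(host) {
        Topology::DevHost { user, rest } => format!("{user}-api.{rest}"),
        Topology::Apex => host.to_string(),
    }
}

fn main() {
    // Constructed hosts: the c-01 apex and a per-developer host.
    for host in ["a8n.systems", "alice-bunyip.example.dev"] {
        println!(
            "{host}: before = {}, after = {}",
            derive_api_host_before(host),
            derive_api_host(host)
        );
    }
}
```

Because the apex result is now the SPA's own origin, requests from bunyip-web to bunyip-api there are same-origin and need no CORS allowance; the dev topology still crosses origins and keeps whatever CORS configuration it had.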
vas2000-work deleted branch feat/m1-vas 2026-05-29 22:05:21 +02:00
Reference
psa-systems/bunyip!14