HuyDV authored
Single-pass audit across waves 1-8 + bug-bash docs. No user-facing behavior changes; corrections to existing flows.

Security:
- Login: removed legacy ?access_token=&refresh_token= URL handler. Backend stopped emitting it on 2026-05-10 (ticket exchange); leaving the frontend consumer was a phishing token-injection vector (CWE-345/CWE-598).
- Tenant export now scrubs webhookSecret + settings.sso.clientSecret and is throttled to 1/hour per tenant via Redis SETNX.
- Custom AI guidance wrapped in <tenant_guidance> with anti-injection meta-instruction so a compromised admin can't trivially override scoring rules.
- security.failed-login-spike adds per-IP counter alongside per-tenant to catch cross-tenant credential stuffing.

Fixed:
- Mobile push notification opened /reviews/<mrId>:<score> (compound dedup key used as URL). Added AlertPayload.entityRef structured field, forwarded through DeliveryParams. 8 dispatch sites updated.
- OidcService.loadConfig dropped groupMapping → SSO group→role mapping never worked.
- OIDC + Digest Redis swallow paths now distinguish flap from legitimate absence/lock-held (log error vs silent skip).
- useSocket setTimeout leaks: 7 progress-clear timers now tracked + cleared on unmount.
- PWA updatefound listener leak across remounts (dev HMR).
- login-audit threshold=0 silently became DEFAULT (|| → ??).
- Chat fullscreen: body scroll lock + z-index bump (z-[60]→z-[70]) to win over cookie banner.
- Reviews mobile Sort Select: fallback when toggleSort cycles past null (matches existing pattern on /security).

Tests:
- 5 specs rescued from silent-red state on main: login-audit (9/15→16/16), oidc (6/19→19/19), circuit-breaker, cross-file-verifier, ai-review-invoker. Root causes: corrupted [email] markdown-autolink literals in 12 places, missing mock methods after source refactors, stale assertions vs new chunking/scoping.
- Full API suite: 648/648 green on Node 16 baseline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>