Files
ss-tools/backend/tests
busya 23719ecfbc security: JWT aud/iss validation, token blacklist, encryption key crash-early
C-2 (CRITICAL): JWT decode_token now validates aud, iss, iat, jti claims.
  Tokens without these claims are rejected. Audience 'ss-tools-api' and
  issuer 'ss-tools' prevent cross-service token reuse.

H-2 (HIGH): Server-side JWT revocation via token_blacklist table.
  - New TokenBlacklist model (SHA-256 hash only, never raw token)
  - blacklist_token() on logout — revokes current session
  - is_token_blacklisted() check in get_current_user
  - Expired entries auto-pruned via _prune_blacklist()

H-3 (HIGH): Encryption key auto-generation removed — crash-early instead.
  Previously, ensure_encryption_key() would auto-generate a Fernet key
  on first run and write it to .env. This made encrypted data unrecoverable
  when the key changed between deployments. Now raises RuntimeError with
  a clear command to generate the key explicitly.

Also: update orthogonal security test for crash-early behavior.
2026-05-26 15:08:55 +03:00
..
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-20 23:54:53 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-20 23:54:53 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00