admin

azaion/admin

Fork 0

mirror of https://github.com/azaion/admin.git synced 2026-06-21 14:41:08 +00:00

Commit Graph

Author	SHA1	Message	Date
Oleksandr Bezdieniezhnykh	8e7c602f51	[AZ-535] [AZ-533] Logout/revocation surface + UAV mission tokens ci/woodpecker/push/01-test Pipeline failed Details ci/woodpecker/push/02-build-push unknown status Details AZ-535: POST /logout (caller's session), /logout/all (all sessions for user), admin POST /sessions/{sid}/revoke, and verifier-only GET /sessions/revoked snapshot. New Service role gates the snapshot. Idempotent revoke; reason + revoked_by_user_id audited per row. AZ-533: POST /sessions/mission mints a long-lived no-refresh ES256 token bound to one aircraft + one mission. Audience narrowed to satellite-provider, hard 12 h cap, persisted as class='mission' so the existing logout/revoke surface covers it. Successful CompanionPC /login or /token/refresh auto-revokes that aircraft's open mission session (post-flight reconnect). Schema: 09_sessions_logout_and_mission.sql adds revoked_by_user_id, class, aircraft_id; drops NOT NULL on refresh_hash for mission rows; adds two partial indexes for the auto-revoke and snapshot hot paths. Tests: 13 new e2e tests, all green; full suite 75/76 (1 pre-existing flake in PasswordHashingTests AC5 timing assertion, unrelated to this batch). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-14 05:51:23 +03:00
Oleksandr Bezdieniezhnykh	51a293dbcc	[AZ-531] [AZ-532] Refresh-token rotation + ES256 signing with JWKS ci/woodpecker/push/01-test Pipeline failed Details ci/woodpecker/push/02-build-push unknown status Details AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-14 05:30:03 +03:00

Author

SHA1

Message

Date

Oleksandr Bezdieniezhnykh

8e7c602f51

[AZ-535] [AZ-533] Logout/revocation surface + UAV mission tokens

ci/woodpecker/push/01-test Pipeline failed

Details

ci/woodpecker/push/02-build-push unknown status

Details

AZ-535: POST /logout (caller's session), /logout/all (all sessions for user),
admin POST /sessions/{sid}/revoke, and verifier-only GET /sessions/revoked
snapshot. New Service role gates the snapshot. Idempotent revoke; reason +
revoked_by_user_id audited per row.

AZ-533: POST /sessions/mission mints a long-lived no-refresh ES256 token bound
to one aircraft + one mission. Audience narrowed to satellite-provider, hard
12 h cap, persisted as class='mission' so the existing logout/revoke surface
covers it. Successful CompanionPC /login or /token/refresh auto-revokes that
aircraft's open mission session (post-flight reconnect).

Schema: 09_sessions_logout_and_mission.sql adds revoked_by_user_id, class,
aircraft_id; drops NOT NULL on refresh_hash for mission rows; adds two partial
indexes for the auto-revoke and snapshot hot paths.

Tests: 13 new e2e tests, all green; full suite 75/76 (1 pre-existing flake in
PasswordHashingTests AC5 timing assertion, unrelated to this batch).

Co-authored-by: Cursor <cursoragent@cursor.com>

2026-05-14 05:51:23 +03:00

Oleksandr Bezdieniezhnykh

51a293dbcc

[AZ-531] [AZ-532] Refresh-token rotation + ES256 signing with JWKS

ci/woodpecker/push/01-test Pipeline failed

Details

ci/woodpecker/push/02-build-push unknown status

Details

AZ-531 — /login now returns access (15 min) + opaque refresh; rotation
on /token/refresh; reuse of a rotated refresh kills the entire session
family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new
sessions table with serializable-tx rotation.

AZ-532 — switched access-token signing from HS256 shared-secret to ES256
file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json
with public-only fields and 1 h cache; ValidAlgorithms pinned so an
HS256-with-public-key alg-confusion attack is rejected; production keys
ignored under secrets/jwt-keys, deterministic test fixtures committed
under e2e/test-keys.

Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests).
Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated
for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with
ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env
to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux
budget unchanged, see batch_02_cycle2_review.md F1).

Co-authored-by: Cursor <cursoragent@cursor.com>

2026-05-14 05:30:03 +03:00

2 Commits