admin/_docs/_autodev_state.md at 51a293dbcc8e374699cbe83976710d3dbc5c29d3 - admin - Gitea: Git with a cup of tea

azaion/admin

mirror of https://github.com/azaion/admin.git synced 2026-06-21 09:31:08 +00:00

Files

T

Oleksandr Bezdieniezhnykh 51a293dbcc

ci/woodpecker/push/01-test Pipeline failed

Details

ci/woodpecker/push/02-build-push unknown status

Details

[AZ-531] [AZ-532] Refresh-token rotation + ES256 signing with JWKS

AZ-531 — /login now returns access (15 min) + opaque refresh; rotation
on /token/refresh; reuse of a rotated refresh kills the entire session
family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new
sessions table with serializable-tx rotation.

AZ-532 — switched access-token signing from HS256 shared-secret to ES256
file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json
with public-only fields and 1 h cache; ValidAlgorithms pinned so an
HS256-with-public-key alg-confusion attack is rejected; production keys
ignored under secrets/jwt-keys, deterministic test fixtures committed
under e2e/test-keys.

Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests).
Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated
for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with
ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env
to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux
budget unchanged, see batch_02_cycle2_review.md F1).

Co-authored-by: Cursor <cursoragent@cursor.com>

2026-05-14 05:30:03 +03:00

15 lines

239 B

Markdown

Raw Blame History

 # Autodev State
 ## Current Step
 flow: existing-code
 step: 10
 name: Implement
 status: in_progress
 sub_step:
   phase: 6
   name: implement-tasks
   detail: "batch 3 of 4 — AZ-529 epic (AZ-535, AZ-533)"
 retry_count: 0
 cycle: 2
 tracker: jira