Security: Backend Hardening (Profile, Session, CORS) #65

Closed
opened 2026-04-26 16:46:21 +00:00 by icub3d · 0 comments
Owner

Migrated from GitHub issue icub3d/decentcom#91
Original Author: @icub3d
Original Date: 2026-04-18T18:23:32Z


Overview

Implement hardening measures to mitigate potential storage exhaustion and session prediction risks.

Requirements

  • Restrict profile and avatar updates to members only to prevent non-member storage usage.
  • Implement secure 128-bit random session tokens (revisiting ULID usage).
  • Add a configuration option for allowed CORS origins (avoiding Any in production).

Design Changes

  • Update server/src/profiles/handlers.rs to use MemberUser instead of AuthUser.
  • Modify server/src/storage/sqlite/sessions.rs to generate secure tokens using a cryptographically secure RNG.
  • Add allowed_origins: Vec<String> to NetworkConfig in server/src/config.rs and update the CORS layer in server/src/main.rs.

Task List

  • Modify profile handlers and update affected tests.
  • Implement secure session token generation and update storage tests.
  • Add allowed_origins to configuration and update CORS setup.
  • Verify functionality with existing tests and manually confirm non-member restrictions.
**Migrated from GitHub issue icub3d/decentcom#91** **Original Author:** @icub3d **Original Date:** 2026-04-18T18:23:32Z --- ## Overview Implement hardening measures to mitigate potential storage exhaustion and session prediction risks. ## Requirements - [x] Restrict profile and avatar updates to members only to prevent non-member storage usage. - [x] Implement secure 128-bit random session tokens (revisiting ULID usage). - [x] Add a configuration option for allowed CORS origins (avoiding `Any` in production). ## Design Changes - Update `server/src/profiles/handlers.rs` to use `MemberUser` instead of `AuthUser`. - Modify `server/src/storage/sqlite/sessions.rs` to generate secure tokens using a cryptographically secure RNG. - Add `allowed_origins: Vec<String>` to `NetworkConfig` in `server/src/config.rs` and update the CORS layer in `server/src/main.rs`. ## Task List - [x] Modify profile handlers and update affected tests. - [x] Implement secure session token generation and update storage tests. - [x] Add `allowed_origins` to configuration and update CORS setup. - [x] Verify functionality with existing tests and manually confirm non-member restrictions.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
icub3d/decentcom#65
No description provided.