porchlight

History

Johan Lundberg e4eb539e3f fix(security): consume magic-link tokens atomically Validation and marking-used were two separate steps, so two concurrent requests for the same registration token could both pass validation before either marked it used — a replay window. Add an atomic consume() at the repository (conditional UPDATE ... WHERE used = 0 AND not expired, gated on rowcount) and service layers, and switch the /register handler to consume() instead of validate()+mark_used(). Refs: porchlight-ur7 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-04 10:46:38 +02:00
..
__init__.py	feat: add MagicLinkService with token create/validate/cleanup	2026-02-13 15:02:53 +01:00
test_service.py	fix(security): consume magic-link tokens atomically	2026-06-04 10:46:38 +02:00

fix(security): consume magic-link tokens atomically

Validation and marking-used were two separate steps, so two concurrent
requests for the same registration token could both pass validation before
either marked it used — a replay window.

Add an atomic consume() at the repository (conditional UPDATE ... WHERE
used = 0 AND not expired, gated on rowcount) and service layers, and switch
the /register handler to consume() instead of validate()+mark_used().

Refs: porchlight-ur7

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-04 10:46:38 +02:00

__init__.py

feat: add MagicLinkService with token create/validate/cleanup

2026-02-13 15:02:53 +01:00

test_service.py

fix(security): consume magic-link tokens atomically

2026-06-04 10:46:38 +02:00