lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
porchlight/tests/test_auth_routes
History
Johan Lundberg 91a2277664
fix(security): store only a hash of magic-link tokens 
Magic-link tokens were persisted in plaintext, so a database read disclosed
usable login/invite tokens. The service now hashes tokens (HMAC-SHA256 when a
pepper is configured, else SHA-256 of the high-entropy token) and persists
only the hash; the raw token is exposed solely in the registration URL and is
re-attached to objects returned to callers.

Refs: porchlight-42h

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 10:36:18 +02:00
..
__init__.py feat: add authentication routes with session login, WebAuthn, and credential management 2026-02-16 11:39:50 +01:00
test_last_credential_guard.py fix: reorder imports and use ty-compatible type suppression 2026-02-19 14:29:01 +01:00
test_manage_credentials_page.py fix: reorder imports and use ty-compatible type suppression 2026-02-19 14:29:01 +01:00
test_manage_password_credential.py feat: require current password when changing password, add zxcvbn strength check 2026-03-31 15:34:43 +02:00
test_manage_webauthn_credential.py fix: reorder imports and use ty-compatible type suppression 2026-02-19 14:29:01 +01:00
test_pages.py feat: add authentication routes with session login, WebAuthn, and credential management 2026-02-16 11:39:50 +01:00
test_password_login.py fix: reorder imports and use ty-compatible type suppression 2026-02-19 14:29:01 +01:00
test_register_magic_link.py fix(security): store only a hash of magic-link tokens 2026-06-04 10:36:18 +02:00
test_session_deps.py update all imports in test files: fastapi_oidc_op → porchlight 2026-02-16 15:34:53 +01:00
test_webauthn_login.py fix: reorder imports and use ty-compatible type suppression 2026-02-19 14:29:01 +01:00