grant/proof-of-work
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.2.0:3 — close login timing oracle, enforce exerciseId ownership on workout writes
CI / proof-of-work (Next.js app) (push) Has been cancelled
Details
CI / start9/0.4 (StartOS package code) (push) Has been cancelled
Details

Browse Source 
Two P3 multi-user hardening fixes from the 2026-06-13 full-eval.

Login timing oracle: both login paths (the UI server action and
POST /api/auth) returned immediately on an unknown email but ran
bcrypt.compare when the email matched a user, so response latency
revealed which emails have accounts. New verifyPasswordOrDummy() in
lib/auth runs bcrypt against a fixed dummy hash when there is no user,
so every attempt spends exactly one bcrypt; the two error branches in
each route collapse into one.

exerciseId ownership: exercises are per-user, but the workout
create / PATCH (set-replace) / add-sets and CSV import-save routes wrote
SetLogs from a client-supplied exerciseId with no ownership check —
letting a user attach another user's exercise to their own workout,
which leaks that exercise's name/notes on fetch and wires up a
cross-user onDelete: Cascade link. All four now reject unowned ids with
400 via the shared lib/exerciseOwnership helper; the pre-existing inline
checks in both programs routes are refactored onto the same helper.

App-code only — no schema, no API contract change, no data migration.
This commit is contained in:
Keysat
2026-06-15 18:30:08 -05:00
parent 00a4b704e8
commit f540a473ef
14 changed files with 332 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files
start9/0.4/startos/versions/index.ts
+7 -1
View File
@@ -17,6 +17,7 @@ import { v_1_1_0_8 } from './v1.1.0.8'
import { v_1_1_0_9 } from './v1.1.0.9'
import { v_1_2_0_1 } from './v1.2.0.1'
import { v_1_2_0_2 } from './v1.2.0.2'
import { v_1_2_0_3 } from './v1.2.0.3'
/**
* Version graph for the `proof-of-work` package.
@@ -66,9 +67,13 @@ import { v_1_2_0_2 } from './v1.2.0.2'
* server-action POST on a stale keep-alive socket
* (NSURLErrorNetworkConnectionLost); retry once on transport
* failure. Client-only, no schema/data change.
* v1.2.0:3 — P3 hardening: close the login timing oracle (dummy-hash
* bcrypt on unknown email) and enforce exerciseId ownership on
* workout create/PATCH/add-sets + CSV-import-save (shared
* lib/exerciseOwnership). No schema/data change.
*/
export const versionGraph = VersionGraph.of({
current: v_1_2_0_2,
current: v_1_2_0_3,
other: [
v_1_0_0_1,
v_1_0_0_2,
@@ -87,5 +92,6 @@ export const versionGraph = VersionGraph.of({
v_1_1_0_8,
v_1_1_0_9,
v_1_2_0_1,
v_1_2_0_2,
],
})