wifi-densepose

History

rUv db3d94a313 fix(homecore-api security): auth-gate GET /api/ (was unauthenticated) + recover WS subscription on broadcast lag (#1076 ) * fix(homecore-api security): auth-gate GET /api/ (HC-API-AUTH-01, ADR-161) `rest::api_root` took no headers and unconditionally returned `200 {"message":"API running."}`, while every sibling REST route gates on `BearerAuth::from_headers`. HA's `APIStatusView` inherits `requires_auth = True`, so `/api/` must return 401 for a missing/wrong bearer — HA clients use it as a token-validation probe, so a 200 told a bad-token client its token was valid and let an unauthenticated party confirm a live endpoint. LOW severity (static body, no data leak), reported at true severity. Fix: `api_root(headers, State)` validates the bearer like `get_config`. Pinned by fails-on-old tests (200 -> assert 401): - api_root_rejects_missing_bearer - api_root_rejects_wrong_bearer guarded by api_root_accepts_correct_bearer (still 200 with valid token). Co-Authored-By: claude-flow <ruv@ruv.net> * fix(homecore-api security): recover WS subscription on broadcast lag (HC-WS-LAG-01, ADR-161) `subscribe_events`'s per-subscription task matched `Err(_) => break` on both broadcast `recv()` arms. `RecvError::Lagged(n)` (a slow consumer falling >EVENT_CHANNEL_CAPACITY=4,096 events behind) is recoverable — the bus doc says "Lagged receivers must re-sync" and HA keeps the subscription alive across a lag. The old code treated the first lag as fatal, so after an event burst the client's stream went permanently silent with no error frame — a self-inflicted event-delivery DoS under load. LOW severity. Fix: `Lagged(_) => continue` (skip dropped window, re-sync), `Closed => break`, on both the system and domain arms. Pinned by subscription_survives_broadcast_lag: subscribes, floods 6,000 filtered events past the 4,096 capacity to force a Lagged, then asserts a subsequent subscribed event is still delivered (old code: 5s timeout). Co-Authored-By: claude-flow <ruv@ruv.net> * docs(homecore-api security): record HC-API-AUTH-01 + HC-WS-LAG-01 review (ADR-161) CHANGELOG [Unreleased] Security entry + ADR-161 addendum documenting the beyond-SOTA network-API review: two LOW bugs fixed (unauthenticated GET /api/; WS subscription killed on broadcast lag) and the auth/traversal/injection/info-leak/CORS dimensions confirmed clean with evidence (no traversal surface — in-memory DashMap + EntityId allowlist; HashSet token compare, not a byte-== timing oracle). Co-Authored-By: claude-flow <ruv@ruv.net>	2026-06-14 16:48:57 -04:00
..
server_bin_auth.rs	fix(homecore-api security): auth-gate GET /api/ (was unauthenticated) + recover WS subscription on broadcast lag (#1076 )	2026-06-14 16:48:57 -04:00
ws_handshake.rs	fix(homecore-api security): auth-gate GET /api/ (was unauthenticated) + recover WS subscription on broadcast lag (#1076 )	2026-06-14 16:48:57 -04:00

fix(homecore-api security): auth-gate GET /api/ (was unauthenticated) + recover WS subscription on broadcast lag (#1076 )

* fix(homecore-api security): auth-gate GET /api/ (HC-API-AUTH-01, ADR-161)

`rest::api_root` took no headers and unconditionally returned
`200 {"message":"API running."}`, while every sibling REST route gates
on `BearerAuth::from_headers`. HA's `APIStatusView` inherits
`requires_auth = True`, so `/api/` must return 401 for a missing/wrong
bearer — HA clients use it as a token-validation probe, so a 200 told a
bad-token client its token was valid and let an unauthenticated party
confirm a live endpoint. LOW severity (static body, no data leak),
reported at true severity.

Fix: `api_root(headers, State)` validates the bearer like `get_config`.

Pinned by fails-on-old tests (200 -> assert 401):
- api_root_rejects_missing_bearer
- api_root_rejects_wrong_bearer
guarded by api_root_accepts_correct_bearer (still 200 with valid token).

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(homecore-api security): recover WS subscription on broadcast lag (HC-WS-LAG-01, ADR-161)

`subscribe_events`'s per-subscription task matched `Err(_) => break` on
both broadcast `recv()` arms. `RecvError::Lagged(n)` (a slow consumer
falling >EVENT_CHANNEL_CAPACITY=4,096 events behind) is recoverable —
the bus doc says "Lagged receivers must re-sync" and HA keeps the
subscription alive across a lag. The old code treated the first lag as
fatal, so after an event burst the client's stream went permanently
silent with no error frame — a self-inflicted event-delivery DoS under
load. LOW severity.

Fix: `Lagged(_) => continue` (skip dropped window, re-sync),
`Closed => break`, on both the system and domain arms.

Pinned by subscription_survives_broadcast_lag: subscribes, floods 6,000
filtered events past the 4,096 capacity to force a Lagged, then asserts
a subsequent subscribed event is still delivered (old code: 5s timeout).

Co-Authored-By: claude-flow <ruv@ruv.net>

* docs(homecore-api security): record HC-API-AUTH-01 + HC-WS-LAG-01 review (ADR-161)

CHANGELOG [Unreleased] Security entry + ADR-161 addendum documenting the
beyond-SOTA network-API review: two LOW bugs fixed (unauthenticated
GET /api/; WS subscription killed on broadcast lag) and the
auth/traversal/injection/info-leak/CORS dimensions confirmed clean with
evidence (no traversal surface — in-memory DashMap + EntityId allowlist;
HashSet token compare, not a byte-== timing oracle).

Co-Authored-By: claude-flow <ruv@ruv.net>

2026-06-14 16:48:57 -04:00

server_bin_auth.rs

fix(homecore-api security): auth-gate GET /api/ (was unauthenticated) + recover WS subscription on broadcast lag (#1076 )

2026-06-14 16:48:57 -04:00

ws_handshake.rs

fix(homecore-api security): auth-gate GET /api/ (was unauthenticated) + recover WS subscription on broadcast lag (#1076 )

2026-06-14 16:48:57 -04:00