
fix(api): RBAC default-deny + constant-time API key (#1133 #1134) #1143

Draft
FabioLeitao wants to merge 3 commits into main from feat/rbac-hardening-1133-1134

FabioLeitao (Collaborator) commented Jul 3, 2026

Summary

Test plan

  • ./scripts/check-all.sh green
  • pytest tests/test_rbac.py — 9/9 (incl. non-ASCII API key → 401)
  • CI
  • Security Reviewer

Closes #1133, #1134, #1150.

When api.rbac is active, unclassified routes return 403; public allowlist
covers health/static/webauthn/help/about/login. Add findings and OpenAPI
doc routes to the role map.
Fail CI when a new app route lacks RBAC classification; assert rbac
resolve path uses hmac.compare_digest for API keys.
hmac.compare_digest on str rejects non-ASCII and raises TypeError → 500.
Encode provided/expected as UTF-8 bytes (constant-time, no-match → 401).

Closes #1150
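The two behaviours the PR describes, default-deny route classification and a constant-time API key check that survives non-ASCII input, as an added illustration that is not the project's code. The policy table, the role names, the route paths and the function names (`authorize`, `unclassified_routes`, `api_key_matches`, `check_api_key`) are constructed for this example; only the public allowlist entries and the use of `hmac.compare_digest` over UTF-8 bytes come from the PR text. `legacy_api_key_matches` reproduces the pre-fix str comparison so the TypeError the description mentions can be seen directly.

```python
import hmac
from typing import Iterable, Optional

# Constructed policy tables (illustrative names, not the project's own map).
# Public allowlist mirrors the PR text: health/static/webauthn/help/about/login.
PUBLIC_ALLOWLIST = ("/health", "/static/", "/webauthn/", "/help", "/about", "/login")

# Classified routes -> roles allowed to call them. Findings and the OpenAPI
# doc route are classified explicitly, as the PR description requires.
ROUTE_ROLES = {
    "/api/findings": {"analyst", "admin"},
    "/api/openapi.json": {"analyst", "admin", "viewer"},
    "/api/admin/users": {"admin"},
}


def _matches(path: str, pattern: str) -> bool:
    """A trailing slash means 'prefix'; otherwise exact path or a sub-path of it."""
    if pattern.endswith("/"):
        return path.startswith(pattern)
    return path == pattern or path.startswith(pattern + "/")


def is_public(path: str) -> bool:
    return any(_matches(path, p) for p in PUBLIC_ALLOWLIST)


def authorize(path: str, role: Optional[str]) -> int:
    """Default-deny RBAC decision: the HTTP status a middleware would emit.

    200 -> request may proceed; 403 -> forbidden. A route that is neither on
    the public allowlist nor in ROUTE_ROLES is denied, which is the fix for
    the default-allow behaviour described in #1133.
    """
    if is_public(path):
        return 200
    for pattern, roles in ROUTE_ROLES.items():
        if _matches(path, pattern):
            return 200 if role in roles else 403
    return 403  # unclassified route: deny by default


def unclassified_routes(app_routes: Iterable[str]) -> list:
    """CI guard: registered routes that are neither public nor classified.

    A non-empty result is what the CI check in this PR would fail on.
    """
    return sorted(
        r for r in app_routes
        if not is_public(r) and not any(_matches(r, p) for p in ROUTE_ROLES)
    )


def legacy_api_key_matches(provided: str, expected: str) -> bool:
    """Pre-fix behaviour: compare_digest on str raises TypeError for non-ASCII."""
    return hmac.compare_digest(provided, expected)


def api_key_matches(provided: Optional[str], expected: Optional[str]) -> bool:
    """Constant-time API key comparison over UTF-8 bytes (the #1134 fix)."""
    if provided is None or expected is None:
        return False
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def check_api_key(provided: Optional[str], expected: str) -> int:
    """401 on any mismatch, including non-ASCII input, instead of a 500."""
    return 200 if api_key_matches(provided, expected) else 401


if __name__ == "__main__":
    print(authorize("/api/findings", "viewer"))    # 403
    print(authorize("/api/unknown", "admin"))      # 403 (unclassified)
    print(check_api_key("s\u00e9cret", "secret"))  # 401, not a TypeError
```

Encoding both sides to bytes keeps the comparison constant-time in the length-matched case and avoids the str-only ASCII restriction; a caller that still wants to reject malformed keys early can do so by length or charset before the comparison, but the comparison itself must never raise.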

Development

Successfully merging this pull request may close these issues.

[P1][security] api/rbac.py: middleware default-allow → default-deny + full coverage of the route-policy map