phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): require email authentication every login

Browse Source 
CRITICAL SECURITY FIX:
- Email code required EVERY login (authentication, not verification)
- DNS TXT check cached separately (domain verification)
- New auth_sessions table for per-login state
- Codes hashed with SHA-256, constant-time comparison
- Max 3 attempts, 10-minute session expiry
- OAuth params stored server-side (security improvement)

New files:
- services/auth_session.py
- migrations 004, 005
- ADR-010: domain verification vs user authentication

312 tests passing, 86.21% coverage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Phil Skentelbery
2025-11-22 15:16:26 -07:00
parent 9b50f359a6
commit 9135edfe84
17 changed files with 3457 additions and 529 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
src/gondulf/database/migrations/004_create_auth_sessions.sql Normal file
View File

@@ -0,0 +1,35 @@
-- Migration 004: Create auth_sessions table for per-login authentication
--
-- This migration separates user authentication (per-login email verification)
-- from domain verification (one-time DNS check). See ADR-010 for details.
--
-- Key principle: Email code is AUTHENTICATION (every login), never cached.
-- Auth sessions table for temporary per-login authentication state
-- This table stores session data for the authorization flow
CREATE TABLE auth_sessions (
session_id TEXT PRIMARY KEY,
me TEXT NOT NULL,
email TEXT,
verification_code_hash TEXT,
code_verified INTEGER NOT NULL DEFAULT 0,
attempts INTEGER NOT NULL DEFAULT 0,
client_id TEXT NOT NULL,
redirect_uri TEXT NOT NULL,
state TEXT,
code_challenge TEXT,
code_challenge_method TEXT,
scope TEXT,
response_type TEXT DEFAULT 'id',
created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
expires_at TIMESTAMP NOT NULL
);
-- Index for expiration-based cleanup
CREATE INDEX idx_auth_sessions_expires ON auth_sessions(expires_at);
-- Index for looking up sessions by domain (for email discovery)
CREATE INDEX idx_auth_sessions_me ON auth_sessions(me);
-- Record this migration
INSERT INTO migrations (version, description) VALUES (4, 'Create auth_sessions table for per-login authentication - separates user authentication from domain verification');