mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-15 05:21:10 +02:00
4ff3ceb01a
Critical security and correctness fixes for the sync server: Security: - Fix WebSocket JWT validation — was completely broken (hardcoded "pending-auth"). Now validates JWT via JWKS, rejects invalid tokens, enforces 10-second auth deadline, sends auth-ok confirmation. - Add 10 MB request body size limit (prevents OOM attacks) - Validate op field (must be insert/update/delete) - Validate table and id fields (must be non-empty) - Abort sync on RecordChange failure (was silently continuing) Correctness: - Fix silent JSON unmarshal errors in store (now returns error) - Copy client set before iterating in NotifyUser (prevents race) - Add write timeout on WebSocket notifications Testing (19 tests, 0 -> 100% for unit-testable code): - auth: token extraction, validator init, missing auth handling - config: defaults, env override, invalid port - sync: op validation, changeset validation, response format, field change round-trip, body size constant Documentation: - Add CLAUDE.md with architecture, sync protocol, LWW explanation, API endpoints, configuration, security notes Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| it-landing | ||
| mana-analytics | ||
| mana-api-gateway-go | ||
| mana-core-auth | ||
| mana-crawler-go | ||
| mana-credits | ||
| mana-image-gen | ||
| mana-landing-builder | ||
| mana-llm | ||
| mana-matrix-bot | ||
| mana-media | ||
| mana-notify-go | ||
| mana-search-go | ||
| mana-stt | ||
| mana-sync | ||
| mana-tts | ||
| mana-user | ||
| mana-voice-bot | ||
| ollama-metrics-proxy | ||