feat(auth): harden the signup/login flow (verification, anti-abuse, OAuth, sessions)#172
Open
dantaspaulo wants to merge 1 commit into
…Auth, sessions)

Cohesive hardening of the public auth surface, no new dependencies or tables:

- Mandatory email verification with a magic link: a global `EnsureEmailVerified` middleware gates page navigation until the address is confirmed; the signed verification link verifies AND logs the user in, so it works when opened on another device. Social logins/invites are already verified; self-hosted skips.
- Fix email-fixup: an unverified user who mistyped their email can correct it and resend the link (`UpdateUnverifiedEmailController`).
- 45s resend cooldown with a countdown on the verify screen.
- Anti-abuse on register: throttle, an autofill-proof honeypot, disposable-email blocking (`NotDisposableEmail`, config-extensible) and a per-IP daily quota.
- Close OAuth account-takeover: only link/create by email when the PROVIDER confirmed it (Google `email_verified` claim; GitHub `/user/emails`).
- Password reset/change now drops active DB sessions, so an attacker with an open session can't survive it.
- Uniform forgot-password response to stop email enumeration (+ throttle).
- `SecurityHeaders` middleware and a secure session cookie by default in prod.
- Strict email validation (`Email::defaults` strict + native) everywhere a new email enters, so a@b / @localhost / whitespace are rejected before they bounce.
- Real-time password-strength meter on register and reset.

Covered by RegistrationAbuse, AuthHardening and OauthLinkingSecurity tests.
Cohesive hardening of the public signup/login surface. No new dependencies, no new tables.
Security / robustness
- `EnsureEmailVerified` middleware gates page navigation (non-JSON GET) until the address is confirmed. The signed verification link verifies and logs the user in, so it works even when opened on another device/browser. Social logins and invites are already verified; self-hosted skips the gate.
- Email fixup (`UpdateUnverifiedEmailController`): a user who mistyped their address at signup can change it and resend the link, only while unverified.
- OAuth linking/creation by email only when the provider confirmed it: Google's `email_verified` claim, GitHub's `/user/emails` API. Otherwise it returns to login without linking.
- Anti-abuse on register: `throttle:5,1`, an autofill-proof honeypot (hidden `contact_time`, cleared on mount/autofill so it never blocks a real signup), disposable-email blocking (`NotDisposableEmail`, config-extensible), and a per-IP daily quota (`0` disables).
- `SecurityHeaders` middleware (nosniff, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS in prod) and `session.secure` defaulting to true in production.
- `Email::defaults()` (strict + native) so `a@b`, `@localhost` and whitespace are rejected everywhere a new email enters (register, reset, invite, email-fixup) before they bounce.

Signup UX
Config

New `config/trypost.php` `security.*` (per-IP quota, disposable blocking, extra domains) and `services.github.api` (overridable GitHub API host).

Tests
`RegistrationAbuseTest`, `OauthLinkingSecurityTest`, `AuthHardeningTest`: 17 tests / 53 assertions covering the honeypot, disposable/quota/strict-email rules, the OAuth takeover fix, the verification gate, uniform forgot-password and session invalidation.
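The OAuth account-takeover fix described above comes down to one decision: an email from a social provider may be used to look up or create a local account only when the provider itself vouches for it. The following is an added, framework-free PHP illustration of that rule; it is not the PR's code, and the function names (`resolveVerifiedEmail`, `normalizeEmail`) and the sample Google/GitHub payloads are assumptions constructed for this example. The Google check mirrors the `email_verified` claim, the GitHub check mirrors the `/user/emails` response shape (`email`, `verified`, `primary`), and the normalization mirrors the strict-syntax rule that rejects `a@b`, `@localhost` and whitespace.

```php
<?php
declare(strict_types=1);

// Added illustration (not the PR's own code): decide whether an OAuth
// provider's email may be trusted for account linking or creation.
// resolveVerifiedEmail/normalizeEmail and the sample payloads are assumptions.

/**
 * Return the provider-confirmed email, or null when the provider did not
 * confirm it. Linking by an unconfirmed address would let whoever controls
 * a social account with a chosen email log into the matching local account.
 */
function resolveVerifiedEmail(string $provider, array $profile, array $githubEmails = []): ?string
{
    switch ($provider) {
        case 'google':
            // Google userinfo / ID token: trust `email` only when `email_verified` is true.
            $verified = $profile['email_verified'] ?? false;
            if ($verified === true || $verified === 'true') {
                return normalizeEmail($profile['email'] ?? null);
            }
            return null;

        case 'github':
            // The public profile email is user-editable, so it is ignored entirely.
            // Only an entry from /user/emails flagged `verified` counts; prefer `primary`.
            $candidates = array_values(array_filter(
                $githubEmails,
                fn (array $e): bool => ($e['verified'] ?? false) === true
            ));
            usort(
                $candidates,
                fn (array $a, array $b): int => (int) ($b['primary'] ?? false) <=> (int) ($a['primary'] ?? false)
            );
            return $candidates === [] ? null : normalizeEmail($candidates[0]['email'] ?? null);

        default:
            // Unknown provider: never link by email.
            return null;
    }
}

/** Lower-case, trim, and apply a strict syntax check before the address is used for lookup. */
function normalizeEmail(?string $email): ?string
{
    if ($email === null) {
        return null;
    }
    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // rejects "@localhost", internal whitespace, malformed input
    }
    $domain = substr($email, strrpos($email, '@') + 1);
    if (!str_contains($domain, '.')) {
        return null; // rejects "a@b": a bare label with no dot is not a deliverable domain
    }
    return $email;
}

// Constructed sample payloads for the three interesting cases.
$googleUnverified = ['email' => 'owner@example.com', 'email_verified' => false];
$googleVerified   = ['email' => 'Owner@Example.com', 'email_verified' => true];
$githubProfile    = ['email' => 'owner@example.com']; // editable profile field, ignored
$githubEmails     = [
    ['email' => 'owner@example.com', 'verified' => false, 'primary' => false],
    ['email' => 'other@example.net', 'verified' => true,  'primary' => true],
];

var_dump(resolveVerifiedEmail('google', $googleUnverified));            // NULL: back to login, no link
var_dump(resolveVerifiedEmail('google', $googleVerified));              // string "owner@example.com"
var_dump(resolveVerifiedEmail('github', $githubProfile, $githubEmails)); // string "other@example.net"
```

The GitHub case is the one worth reading twice: the profile claims `owner@example.com`, and that address even appears in `/user/emails`, but it is not verified there, so the only address the function will ever hand to the account-lookup step is the verified one. A `null` return is the signal the PR describes as "returns to login without linking".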