GeneralBots/botserver
2
1
Fork 0
Code Issues Pull requests Projects Releases 323 Packages Wiki Activity Actions
3875 commits 88 branches 325 tags 94 MiB
Commit graph

13 commits

Author SHA1 Message Date
Rodrigo Rodriguez (Pragmatismo)
355215c2a2 Update: refactor migrations, update source files, and add new features 2026-02-04 13:29:29 -03:00
Rodrigo Rodriguez (Pragmatismo)
0a24cd4b50 Fix build errors and unused imports in core, security and package_manager modules 2026-01-24 22:04:47 -03:00
Rodrigo Rodriguez (Pragmatismo)
5126c648ff Auto-commit: 20260118_195334 2026-01-18 19:53:34 -03:00
Rodrigo Rodriguez (Pragmatismo)
a2783f9b32 Fix 5 errors and 32 warnings: calendar, compliance, billing_alert_broadcast, unused vars 2026-01-13 22:21:25 -03:00
Rodrigo Rodriguez (Pragmatismo)
31777432b4 Implement TODO items: session auth, face API, task logs, intent storage 
Learn Module:
- All 9 handlers now use AuthenticatedUser extractor

Security:
- validate_session_sync reads roles from SESSION_CACHE

AutoTask:
- get_task_logs reads from manifest with status logs
- store_compiled_intent saves to cache and database

Face API:
- AWS Rekognition, OpenCV, InsightFace implementations
- Detection, verification, analysis methods

Other fixes:
- Calendar/task integration database queries
- Recording database methods
- Analytics insights trends
- Email/folder monitoring mock data
 2026-01-13 14:48:49 -03:00
Rodrigo Rodriguez (Pragmatismo)
b4003e3e0a fix(auth): align auth middleware anonymous paths with RBAC config 
- Remove broad /api/auth anonymous path that was matching /api/auth/me
- Add specific anonymous paths: /api/auth/login, /api/auth/refresh, /api/auth/bootstrap
- Remove /api/auth/logout, /api/auth/2fa/* from anonymous (require auth)
- Fix /api/auth/me returning 401 for authenticated users
 2026-01-10 17:31:50 -03:00
Rodrigo Rodriguez (Pragmatismo)
8a6d63ff3e debug: add logging for auth header extraction 2026-01-10 14:24:56 -03:00
Rodrigo Rodriguez (Pragmatismo)
0bda3ed466 fix(auth): simplify session validation and add debug logging 
- Remove restrictive length check in validate_session_sync
- Accept any non-empty token as valid session
- Add debug logging throughout auth flow
- Add RBAC decision logging for troubleshooting
 2026-01-10 14:03:34 -03:00
Rodrigo Rodriguez (Pragmatismo)
81b8fd8f2d fix(auth): handle Zitadel session tokens and grant Admin role 
- Treat non-JWT bearer tokens as Zitadel session IDs
- Grant Admin role to valid sessions (temporary until proper role lookup)
- Add is_jwt_format helper to distinguish JWTs from session IDs
- Update RBAC to allow authenticated users access to UI monitoring routes
 2026-01-10 11:14:33 -03:00
Rodrigo Rodriguez (Pragmatismo)
e3b3f04206 Normalize API paths: remove unnecessary /v1/ prefix 
- Update all internal API routes from /api/v1/* to /api/*
- Protection API: /api/security/protection/*
- Botmodels calls: /api/vision/*, /api/audio/*, /api/speech/*
- Remove /api/v1/health from anonymous paths (keep /api/health)

External APIs (Reddit, Facebook, etc.) keep their original versioned paths
 2026-01-10 09:48:43 -03:00
Rodrigo Rodriguez (Pragmatismo)
79ee009983 Fix: Add auth endpoints to anonymous paths list 
- /api/auth/login was being blocked by auth middleware
- Add all auth endpoints to allow_anonymous_paths:
  - /api/auth/login
  - /api/auth/logout
  - /api/auth/refresh
  - /api/auth/bootstrap
  - /api/auth/2fa/verify
  - /api/auth/2fa/resend
  - /oauth
  - /auth/callback
 2026-01-10 09:44:59 -03:00
Rodrigo Rodriguez (Pragmatismo)
faeae250bc Add security protection module with sudo-based privilege escalation 
- Create installer.rs for 'botserver install protection' command
- Requires root to install packages and create sudoers config
- Sudoers uses exact commands (no wildcards) for security
- Update all tool files (lynis, rkhunter, chkrootkit, suricata, lmd) to use sudo
- Update manager.rs service management to use sudo
- Add 'sudo' and 'visudo' to command_guard.rs whitelist
- Update CLI with install/remove/status protection commands

Security model:
- Installation requires root (sudo botserver install protection)
- Runtime uses sudoers NOPASSWD for specific commands only
- No wildcards in sudoers - exact command specifications
- Tools run on host system, not in containers
 2026-01-10 09:41:12 -03:00
Rodrigo Rodriguez (Pragmatismo)
c67aaa677a feat(security): Complete security infrastructure implementation 
SECURITY MODULES ADDED:
- security/auth.rs: Full RBAC with roles (Anonymous, User, Moderator, Admin, SuperAdmin, Service, Bot, BotOwner, BotOperator, BotViewer) and permissions
- security/cors.rs: Hardened CORS (no wildcard in production, env-based config)
- security/panic_handler.rs: Panic catching middleware with safe 500 responses
- security/path_guard.rs: Path traversal protection, null byte prevention
- security/request_id.rs: UUID request tracking with correlation IDs
- security/error_sanitizer.rs: Sensitive data redaction from responses
- security/zitadel_auth.rs: Zitadel token introspection and role mapping
- security/sql_guard.rs: SQL injection prevention with table whitelist
- security/command_guard.rs: Command injection prevention
- security/secrets.rs: Zeroizing secret management
- security/validation.rs: Input validation utilities
- security/rate_limiter.rs: Rate limiting with governor crate
- security/headers.rs: Security headers (CSP, HSTS, X-Frame-Options)

MAIN.RS UPDATES:
- Replaced tower_http::cors::Any with hardened create_cors_layer()
- Added panic handler middleware
- Added request ID tracking middleware
- Set global panic hook

SECURITY STATUS:
- 0 unwrap() in production code
- 0 panic! in production code
- 0 unsafe blocks
- cargo audit: PASS (no vulnerabilities)
- Estimated completion: ~98%

Remaining: Wire auth middleware to handlers, audit logs for sensitive data
 2025-12-28 19:29:18 -03:00