fix(security): caddy/** в deploy paths + username из 401 попытки #434
No reviewers
Labels
No labels
admin
analytics
auth
automation
bug
business
chore
ci
compliance
data
data-moat
docs
duplicate
dx
enhancement
Fable 5 ревью
feedback/max
generative
GG-форсайт
needs-discussion
needs-human
observability
pause-bots
performance
priority/p0
priority/p1
priority/p2
priority/p3
scope/backend
scope/db
scope/devops
scope/frontend
scope/qa
scrapers
security
site-finder
stage/1
stage/2
status/blocked
status/done
status/needs-analysis
status/needs-fix
status/qa
status/ready
status/review
status/wip
tech-debt
tradein
ux
week ревью 1
wontfix
вторичка
ИРД
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: lekss361/gendesign#434
Loading…
Add table
Reference in a new issue
No description provided.
Delete branch "fix/auth-forwarder-paths-and-username"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
⚠️ Production hotfix — kopylov не работает + missing username в логах
Проблема 1 — BLOCKER
PR #433 (
feat(security): добавить юзера kopylov) mergedde1652aв 09:07:51 UTC, ноcurl -u kopylov:<pass> https://gendsgn.ru/→ 401.Причина:
.forgejo/workflows/deploy.yml:10-17on.push.pathsНЕ содержитcaddy/**. PR #433 затронул толькоcaddy/users.caddy.snippet→ deploy workflow skipped. На VPS старый snippet безkopylov.Проблема 2
GlitchTip events (issue #73) показывают
user_id: "(none)"всегда. User жалуется: «логи не считывают ввод в окно авторизации».Причина: Caddy по default не пишет username провалившейся basic_auth попытки в
user_idполе access log. Доступно черезrequest.headers.Authorization(Caddy пишет все headers в JSON log по default), но в plain Base64.Fix
1.
.forgejo/workflows/deploy.ymlДобавил
"caddy/**"в двух местах:on.push.paths— чтобы любое изменение вcaddy/триггерило deployjobs.changes.filters.infra— чтобы paths-filter в downstream jobs отметил изменения какinfra2.
ops/glitchtip-auth-forwarder/forwarder.pyНовая функция
_extract_attempted_username(entry):Authorizationheader из Caddy log entryBasic xxx:→ берёт только usernameNoneесли: header отсутствует, не Basic, decode fail, нет:, username > 128 charsemit_eventдобавляет:attempted_username(для фильтра)attempted_usernameвcaddy_logcontext(tried: kopylov)Security
⚠️ НЕ включаем
log_credentials trueв Caddyfile — это раскрыло бы plain password в access log. Auth header уже там по default, username extract на этапе forwarder (не в Caddy).Password в Sentry не попадает.
Tests локально
Basic <b64(kopylov:pass)>kopylovNoneBearer xxxNoneNoneChanges
2 файла, +49 / -4.
После merge
curl -u kopylov:wGLG9RS1uEIBjYCL https://gendsgn.ru/→ 200attempted_username:<user>Related
Merged via deep-code-reviewer — verdict APPROVE.
Security verification passed:
split(":", 1)[0]discards password element; never returned/loggedlog_credentialsNOT set in Caddyfile (verified at base SHA)send_default_pii=Falsepreserved insentry_sdk.init()Noneor expected usernamevalidate=Trueonb64decodeprevents silent garbage acceptancedeploy.yml fix verified:
caddy/**added symmetrically toon.push.paths(line 15) ANDjobs.changes.filters.infra(line 50) — downstream conditional builds + caddy force-recreate will triggerops/glitchtip-auth-forwarder/**already in paths (line 17) → forwarder.py change alone would have triggered tooNon-blocking follow-ups (separate PR, MEDIUM severity):
_extract_attempted_usernameshould sanitise control chars / ANSI escapes / newlines in username before returning. Suggested:re.match(r"^[A-Za-z0-9._@+-]{1,64}$", username). Current behaviour passesalice\nbob,\x1b[31mEVIL\x1b[0m, null bytes to Sentry tag verbatim — low-impact log-injection risk for downstream notification channels (Slack/email rendering ANSI).is_monitor_ua(out of scope) still usesstartswith→ does not matchMozilla/5.0 (compatible; SentryUptimeBot/1.0). Inherited from PR #430, not regressed by this PR.fixes/Fix_Deploy_Paths_Caddy_Snippet.md— third occurrence of "silent deploy skip on new top-level dir" gotcha (data/sql/**,ops/glitchtip-auth-forwarder/**, nowcaddy/**). Pattern: when PR adds files under a NEW top-level dir, auditdeploy.yml on.push.pathscoverage.Acknowledged review miss on PR #433: I (deep-code-reviewer) did not verify
deploy.yml on.push.pathscoveredcaddy/**— that was the dir's first appearance. New rule added to my mental checklist: paths-trigger audit when any PR touches a NEW top-level directory.Post-merge verify (~3 min after deploy completes):