apunkt/gomcp
1
0
Fork 0
mirror of https://github.com/syntrex-lab/gomcp.git synced 2026-04-25 20:36:21 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
32 commits 1 branch 1 tag 898 KiB
Commit graph

13 commits

Author SHA1 Message Date
DmitrL-dev
577fa9400a fix(auth): comprehensive sync of cookie-based sessions across register, verify, and middleware 2026-03-27 18:42:54 +10:00
DmitrL-dev
9abdd86540 fix: open registration by default and handle slug collision gracefully 2026-03-27 18:13:17 +10:00
DmitrL-dev
5ddfa74771 chore: Apply dashboard audit remediations, sync engine counts, update APIs 2026-03-27 16:54:18 +10:00
DmitrL-dev
b8097d3f1b feat: SOC ghost sinkhole, rate limiter, RBAC, demo seed 2026-03-27 12:45:11 +10:00
DmitrL-dev
ab55fe2b58 fix: make SOC ingest JWT-exempt for sensor access + battle script JWT login 2026-03-25 20:14:43 +10:00
DmitrL-dev
9b2b05dfce fix: persistUser preserves tenant_id (prevents overwrite on login) 2026-03-24 12:10:40 +10:00
DmitrL-dev
62ecc1c7a3 sec: fix C4/C5/M4/M5 + domain migration to syntrex.pro 
C4: Remove localhost:9100 fallback from 27 dashboard files (use relative URLs)
C5: JWT token_type differentiation (access vs refresh) - middleware rejects refresh as Bearer
M4: Server-side registration gate via SOC_REGISTRATION_OPEN env var
M5: HTML tag stripping on name/org_name fields (XSS prevention)

Domain migration:
- users.go: admin@syntrex.pro
- zerotrust.go: SPIFFE trust domain
- sbom.go: namespace URL
- .env.production.example: all URLs updated
- identity_test.go: test email
 2026-03-24 11:49:33 +10:00
DmitrL-dev
4a1bd09a13 fix: loadFromDB missing email_verified column in SELECT/Scan 2026-03-24 10:55:44 +10:00
DmitrL-dev
4ce94e9c77 SEC: Fix 3 CRITICAL + 3 MEDIUM red team findings 
C1: Remove verification_code_dev from API response (CVSS 9.8)
    - Code now logged server-side only when email service not configured
C2: Tenant isolation on /api/auth/users (CVSS 9.1)
    - HandleListUsers filters by claims.TenantID
    - TenantID added to User struct, DB migration, persistUser, loadFromDB
C3: Include TenantID in JWT tokens (CVSS 8.8)
    - Login handler now uses Sign() with full Claims including TenantID
    - Enables downstream RBAC tenant filtering

M1: nginx server_tokens off (hide version fingerprint)
M2: syntrex.pro added to server_name
M3: CORS multi-origin support (SOC_CORS_ORIGIN=origin1,origin2)
 2026-03-24 10:32:50 +10:00
DmitrL-dev
8d87c453b0 feat: add free starter plan with 1000 scans/month quota tracking 2026-03-24 09:37:09 +10:00
DmitrL-dev
a120aa2750 fix: add /api/v1/scan to JWT public paths (demo scanner bypass auth) 2026-03-23 20:32:11 +10:00
DmitrL-dev
4a0f17873a fix: convert auth users/tenants SQL from SQLite to PostgreSQL (BOOLEAN, ON CONFLICT, params, TIMESTAMPTZ) 2026-03-23 20:11:59 +10:00
DmitrL-dev
41cbfd6e0a Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates 2026-03-23 16:45:40 +10:00