feat(security): implement AES-256-GCM encryption for API keys and HMAC-signed session tokens

This commit introduces: - AES-256-GCM encryption for LLM provider API keys in the database. - HMAC-SHA256 signed session tokens with activity-based refresh logic. - Standardized frontend XSS protection using a global escapeHtml utility. - Hardened security headers and request body size limits. - Improved database integrity with foreign key enforcement and atomic transactions. - Integration tests for the full encrypted key storage and proxy usage lifecycle.
2026-03-06 14:17:56 -05:00
parent 149a7c3a29
commit 9b8483e797
28 changed files with 1260 additions and 227 deletions
--- a/src/dashboard/auth.rs
+++ b/src/dashboard/auth.rs
@@ -1,4 +1,4 @@
-use axum::{extract::State, response::Json};
+use axum::{extract::State, http::{HeaderMap, HeaderValue}, response::{Json, IntoResponse}};
 use bcrypt;
 use serde::Deserialize;
 use sqlx::Row;
@@ -64,14 +64,14 @@ pub(super) async fn handle_login(
 pub(super) async fn handle_auth_status(
    State(state): State<DashboardState>,
    headers: axum::http::HeaderMap,
-) -> Json<ApiResponse<serde_json::Value>> {
+) -> impl IntoResponse {
    let token = headers
        .get("Authorization")
        .and_then(|v| v.to_str().ok())
        .and_then(|v| v.strip_prefix("Bearer "));

    if let Some(token) = token
-        && let Some(session) = state.session_manager.validate_session(token).await
+        && let Some((session, new_token)) = state.session_manager.validate_session_with_refresh(token).await
    {
        // Look up display_name from DB
        let display_name = sqlx::query_scalar::<_, Option<String>>(
@@ -85,17 +85,23 @@ pub(super) async fn handle_auth_status(
        .flatten()
        .unwrap_or_else(|| session.username.clone());

-        return Json(ApiResponse::success(serde_json::json!({
+        let mut headers = HeaderMap::new();
+        if let Some(refreshed_token) = new_token {
+            if let Ok(header_value) = HeaderValue::from_str(&refreshed_token) {
+                headers.insert("X-Refreshed-Token", header_value);
+            }
+        }
+        return (headers, Json(ApiResponse::success(serde_json::json!({
            "authenticated": true,
            "user": {
                "username": session.username,
                "name": display_name,
                "role": session.role
            }
-        })));
+        }))));
    }

-    Json(ApiResponse::error("Not authenticated".to_string()))
+    (HeaderMap::new(), Json(ApiResponse::error("Not authenticated".to_string())))
 }

 #[derive(Deserialize)]
@@ -108,7 +114,7 @@ pub(super) async fn handle_change_password(
    State(state): State<DashboardState>,
    headers: axum::http::HeaderMap,
    Json(payload): Json<ChangePasswordRequest>,
-) -> Json<ApiResponse<serde_json::Value>> {
+) -> impl IntoResponse {
    let pool = &state.app_state.db_pool;

    // Extract the authenticated user from the session token
@@ -117,14 +123,24 @@ pub(super) async fn handle_change_password(
        .and_then(|v| v.to_str().ok())
        .and_then(|v| v.strip_prefix("Bearer "));

-    let session = match token {
-        Some(t) => state.session_manager.validate_session(t).await,
-        None => None,
+    let (session, new_token) = match token {
+        Some(t) => match state.session_manager.validate_session_with_refresh(t).await {
+            Some((session, new_token)) => (Some(session), new_token),
+            None => (None, None),
+        },
+        None => (None, None),
    };

+    let mut response_headers = HeaderMap::new();
+    if let Some(refreshed_token) = new_token {
+        if let Ok(header_value) = HeaderValue::from_str(&refreshed_token) {
+            response_headers.insert("X-Refreshed-Token", header_value);
+        }
+    }
+
    let username = match session {
        Some(s) => s.username,
-        None => return Json(ApiResponse::error("Not authenticated".to_string())),
+        None => return (response_headers, Json(ApiResponse::error("Not authenticated".to_string()))),
    };

    let user_result = sqlx::query("SELECT password_hash FROM users WHERE username = ?")
@@ -138,7 +154,7 @@ pub(super) async fn handle_change_password(
            if bcrypt::verify(&payload.current_password, &hash).unwrap_or(false) {
                let new_hash = match bcrypt::hash(&payload.new_password, 12) {
                    Ok(h) => h,
-                    Err(_) => return Json(ApiResponse::error("Failed to hash new password".to_string())),
+                    Err(_) => return (response_headers, Json(ApiResponse::error("Failed to hash new password".to_string()))),
                };

                let update_result = sqlx::query(
@@ -150,16 +166,16 @@ pub(super) async fn handle_change_password(
                .await;

                match update_result {
-                    Ok(_) => Json(ApiResponse::success(
+                    Ok(_) => (response_headers, Json(ApiResponse::success(
                        serde_json::json!({ "message": "Password updated successfully" }),
-                    )),
-                    Err(e) => Json(ApiResponse::error(format!("Failed to update database: {}", e))),
+                    ))),
+                    Err(e) => (response_headers, Json(ApiResponse::error(format!("Failed to update database: {}", e)))),
                }
            } else {
-                Json(ApiResponse::error("Current password incorrect".to_string()))
+                (response_headers, Json(ApiResponse::error("Current password incorrect".to_string())))
            }
        }
-        Err(e) => Json(ApiResponse::error(format!("User not found: {}", e))),
+        Err(e) => (response_headers, Json(ApiResponse::error(format!("User not found: {}", e)))),
    }
 }

@@ -180,19 +196,19 @@ pub(super) async fn handle_logout(
 }

 /// Helper: Extract and validate a session from the Authorization header.
-/// Returns the Session if valid, or an error response.
+/// Returns the Session and optional new token if refreshed, or an error response.
 pub(super) async fn extract_session(
    state: &DashboardState,
    headers: &axum::http::HeaderMap,
-) -> Result<super::sessions::Session, Json<ApiResponse<serde_json::Value>>> {
+) -> Result<(super::sessions::Session, Option<String>), Json<ApiResponse<serde_json::Value>>> {
    let token = headers
        .get("Authorization")
        .and_then(|v| v.to_str().ok())
        .and_then(|v| v.strip_prefix("Bearer "));

    match token {
-        Some(t) => match state.session_manager.validate_session(t).await {
-            Some(session) => Ok(session),
+        Some(t) => match state.session_manager.validate_session_with_refresh(t).await {
+            Some((session, new_token)) => Ok((session, new_token)),
            None => Err(Json(ApiResponse::error("Session expired or invalid".to_string()))),
        },
        None => Err(Json(ApiResponse::error("Not authenticated".to_string()))),
@@ -200,13 +216,14 @@ pub(super) async fn extract_session(
 }

 /// Helper: Extract session and require admin role.
+/// Returns session and optional new token if refreshed.
 pub(super) async fn require_admin(
    state: &DashboardState,
    headers: &axum::http::HeaderMap,
-) -> Result<super::sessions::Session, Json<ApiResponse<serde_json::Value>>> {
-    let session = extract_session(state, headers).await?;
+) -> Result<(super::sessions::Session, Option<String>), Json<ApiResponse<serde_json::Value>>> {
+    let (session, new_token) = extract_session(state, headers).await?;
    if session.role != "admin" {
        return Err(Json(ApiResponse::error("Admin access required".to_string())));
    }
-    Ok(session)
+    Ok((session, new_token))
 }