Fork: 0
yangyangxie / cortex-hub
Transfer to URL with SHA Find file
Newer
Older
cortex-hub / docs / reviews / feature_review_auth_user_management.md
@Antigravity AI Antigravity AI 1 day ago 2 KB feat: comprehensive mobile responsiveness for agent dashboard and swarm control
Raw Blame History

Code Review Report: Feature 18 — Authentication & User Management

This report performs a deep-dive audit of the Hub's authentication layer and user management routes in user.py, focusing on OIDC Security, Open Redirect protection, and Administrative Data Privacy.

🏗️ 12-Factor App Compliance Audit

Factor Status Observation
III. Config Success Unified Auth Toggles: Feature flags for OIDC_ENABLED and ALLOW_PASSWORD_LOGIN are correctly propagated from the environment into the routing logic, allowing secure "Day 1" local fallbacks.
VI. Processes Success Stateless Session Management: Authentication state is consistently derived from DB records, ensuring that Hub replicas remain interchangeable.

🔍 File-by-File Diagnostic

1. app/api/routes/user.py

The gateway for user identity, preferences, and OIDC handshakes.

[!CAUTION] Open Redirect Vulnerability (OIDC Callback) Line 70: frontend_redirect_url = f"{state}?user_id={user_id}" The OIDC callback handler uses the state query parameter directly as a redirection target without validation.

The Exploit: An attacker can send a victim a link like ai.jerxie.com/api/v1/users/login?frontend_callback_uri=https://evil-site.com. After the victim logs in, the Hub will redirect them to https://evil-site.com?user_id=..., leaking their internal User ID and potentially allowing for session hijacking on the attacker's site.

Fix: Whitelist allowed redirect domains or ensure the state is compared against the originally requested frontend_callback_uri stored in a secure cookie.

Identified Problems:

  • Sensitive Config Export: The export_user_config_yaml route (Line 464) exports ALL plaintext API keys for all providers in a single YAML file. For production security (Factor VII), these keys should be redacted (masked with ***) unless an explicit reveal_secrets=true flag is passed by an Admin with Multi-Factor Authentication.
  • Hardcoded Fallbacks: The provider listing (Line 290) includes hardcoded fallbacks to "deepseek" and "gemini". These should be entirely dynamic based on the registered providers list in the factory.

🛠️ Summary Recommendations

  1. Harden OIDC Callbacks: Implement a domain whitelist or a cookie-based non-repudiation check for the state parameter to eliminate the Open Redirect vulnerability.
  2. Mask Keys in Exports: Update the YAML exporter to redact API keys by default, protecting the Hub's "Administrative Secret Surface Area."
  3. Local Login Rate Limiting: Ensure that login_local (Line 107) is wrapped in a rate-limiting middleware (to be reviewed in app.py) to prevent brute-force attacks on the local account database.

This concludes Feature 18. I have persisted this report to /app/docs/reviews/feature_review_auth_user_management.md. Should I apply a patch to fix the Open Redirect vulnerability immediately?