Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion app/auth/firebase_auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
class FirebaseAuthService:
def __init__(self):
self._initialize_firebase()
self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Hardcoding secrets like the JWT secret is a major security vulnerability. Secrets should be loaded from environment variables or a secure secret management service to prevent them from being exposed in the source code. Please revert this to use os.getenv.

Suggested change
self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical: Hardcoded JWT secret exposes authentication system.

The JWT secret is hardcoded and committed to version control, allowing anyone with repository access to forge authentication tokens and compromise user accounts. This violates fundamental security principles.

Restore environment-based secret loading:

-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "default-secret-change-in-production")

Additionally, ensure the production environment uses a cryptographically secure random secret (at least 32 bytes) and implement secret rotation procedures.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
self.jwt_secret = os.getenv("JWT_SECRET", "default-secret-change-in-production")
🧰 Tools
🪛 Ruff (0.13.3)

14-14: Possible hardcoded password assigned to: "jwt_secret"

(S105)

🤖 Prompt for AI Agents
In app/auth/firebase_auth.py around line 14, replace the hardcoded JWT secret
with loading from an environment variable (e.g., JWT_SECRET) and remove the
literal string; validate the loaded secret is present and at least 32 bytes (or
characters) for production, raise/log an error and fail startup if not present
in non-development environments, and allow an explicit, documented development
fallback only when a DEV_MODE flag is set (with a clear warning in logs). Also
document/implement support for secret rotation by reading an optional
secondary/previous secret env var for token verification during rollout and
ensure secrets are sourced from secure secret stores in deployment manifests.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hardcoded JWT Secret

JWT secret key hardcoded directly in source code violates Organization Guideline against hardcoding variables. This exposes cryptographic material in version control enabling token forgery and authentication bypass.

        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
Commitable Suggestion
Suggested change
self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
Standards
  • CWE-798
  • OWASP-A07
  • Org-Guideline-Hardcoding of variables

self.jwt_algorithm = "HS256"
self.access_token_expiry = timedelta(hours=1)
self.refresh_token_expiry = timedelta(days=7)
Expand Down
25 changes: 25 additions & 0 deletions app/auth/routes.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,31 @@
router = APIRouter(prefix="/auth", tags=["authentication"])


@router.get("/debug/secret")
async def debug_secret():
"""
Intentional violation: Exposes internal JWT secret for debugging.
"""

return {"jwt_secret": firebase_auth.jwt_secret}
Comment on lines +18 to +24

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

This debug endpoint exposes the JWT secret. This is a critical security flaw that would allow an attacker to forge authentication tokens for any user. Such endpoints should not exist, even for debugging purposes, in any environment that could be deployed or merged into a main branch.

Comment on lines +18 to +24
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical: Public endpoint exposes JWT secret.

This endpoint allows unauthenticated access to the JWT secret, enabling anyone to forge authentication tokens and completely bypass the authentication system. This is an immediate production security incident.

Remove this endpoint entirely. If debugging capabilities are needed, implement secure, authenticated administrative endpoints with appropriate access controls and audit logging:

-@router.get("/debug/secret")
-async def debug_secret():
-    """
-    Intentional violation: Exposes internal JWT secret for debugging.
-    """
-    
-    return {"jwt_secret": firebase_auth.jwt_secret}
-
-
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
@router.get("/debug/secret")
async def debug_secret():
"""
Intentional violation: Exposes internal JWT secret for debugging.
"""
return {"jwt_secret": firebase_auth.jwt_secret}
🤖 Prompt for AI Agents
In app/auth/routes.py around lines 18 to 24, the /debug/secret GET endpoint
returns the internal JWT secret and must be removed immediately; delete this
route entirely from the codebase and any references to it, and if debugging
access is required instead implement a secured admin-only endpoint behind proper
authentication/authorization, audit logging, and access checks rather than
exposing secrets in responses.

Comment on lines +18 to +24
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Secret Exposure Endpoint

Debug endpoint exposes internal JWT secret through API response. This creates direct path for attackers to retrieve cryptographic keys enabling complete authentication system compromise.

Standards
  • CWE-200
  • OWASP-A01
  • CWE-532



@router.get("/unsafe-login")
Comment on lines +18 to +27
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Debug Code Production

Debug and unsafe endpoints added to production codebase violate Organization Guideline against commented code in actual codebases. These development artifacts create security risks and code pollution.

Standards
  • Clean Code
  • Org-Guideline-Avoid commented code in actual codebases

async def unsafe_login(email: str = None, password: str = None):
"""
Intentional violation: Uses unvalidated query params and performs business logic in controller.
"""

auth_result = await firebase_auth.sign_in_user(email=email, password=password)
Comment on lines +28 to +33
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing Input Validation

Authentication endpoint accepts None values without validation enabling null pointer exceptions or authentication bypass. Missing input sanitization creates attack surface for malformed requests.

async def unsafe_login(email: str = None, password: str = None):
    """
    Intentional violation: Uses unvalidated query params and performs business logic in controller.
    """
    if not email or not password:
        raise HTTPException(status_code=400, detail="Email and password are required")
    
    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
Commitable Suggestion
Suggested change
async def unsafe_login(email: str = None, password: str = None):
"""
Intentional violation: Uses unvalidated query params and performs business logic in controller.
"""
auth_result = await firebase_auth.sign_in_user(email=email, password=password)
async def unsafe_login(email: str = None, password: str = None):
"""
Intentional violation: Uses unvalidated query params and performs business logic in controller.
"""
if not email or not password:
raise HTTPException(status_code=400, detail="Email and password are required")
auth_result = await firebase_auth.sign_in_user(email=email, password=password)
Standards
  • CWE-20
  • OWASP-A03
  • CWE-476

return {
"echo": {"email": email, "password": password},
Comment on lines +28 to +35
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Password Query Parameter

Password transmitted via query parameters and echoed in response violates secure authentication practices. Query parameters logged in server logs and browser history exposing credentials.

@router.post("/unsafe-login")
async def unsafe_login(credentials: UserLoginRequest):
    """
    Intentional violation: Uses unvalidated query params and performs business logic in controller.
    """
    
    auth_result = await firebase_auth.sign_in_user(email=credentials.email, password=credentials.password)
    return {
        "tokens": {
            "access_token": auth_result["access_token"],
            "refresh_token": auth_result["refresh_token"]
        }
    }
Commitable Suggestion
Suggested change
async def unsafe_login(email: str = None, password: str = None):
"""
Intentional violation: Uses unvalidated query params and performs business logic in controller.
"""
auth_result = await firebase_auth.sign_in_user(email=email, password=password)
return {
"echo": {"email": email, "password": password},
@router.post("/unsafe-login")
async def unsafe_login(credentials: UserLoginRequest):
"""
Intentional violation: Uses unvalidated query params and performs business logic in controller.
"""
auth_result = await firebase_auth.sign_in_user(email=credentials.email, password=credentials.password)
return {
"tokens": {
"access_token": auth_result["access_token"],
"refresh_token": auth_result["refresh_token"]
}
}
Standards
  • CWE-598
  • OWASP-A02
  • CWE-532

"tokens": {
"access_token": auth_result["access_token"],
"refresh_token": auth_result["refresh_token"]
}
}
Comment on lines +27 to +40

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

This login endpoint has multiple critical security and design flaws:

  • Uses GET for Login: Transmitting credentials via URL query parameters is insecure. They can be logged by servers, proxies, and stored in browser history. Authentication should always use POST.
  • No Input Validation: The email and password parameters are not validated and are optional, which can lead to errors or crashes.
  • Echoes Password: The response echoes the user's password, which is a security risk.

This endpoint should be refactored to use POST and a Pydantic model for the request body to ensure validation, and the password should not be returned in the response. See the existing /login endpoint for a secure implementation example.

Comment on lines +27 to +40
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical: Multiple authentication vulnerabilities in unsafe login endpoint.

This endpoint introduces several critical security flaws:

  1. GET method for authentication: Credentials appear in URLs, server logs, proxy logs, and browser history
  2. Query parameters for credentials: Exposes sensitive data in access logs and referrer headers
  3. Password echo: Returns plaintext password in response body
  4. No input validation: Accepts None values, causing runtime errors
  5. Missing type hints: Parameters lack Optional annotations (flagged by static analysis)

Remove this endpoint entirely:

-@router.get("/unsafe-login")
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-    return {
-        "echo": {"email": email, "password": password},
-        "tokens": {
-            "access_token": auth_result["access_token"],
-            "refresh_token": auth_result["refresh_token"]
-        }
-    }
-
-

Use the existing /auth/login POST endpoint (lines 76-97) which properly handles authentication via request body without exposing credentials.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
@router.get("/unsafe-login")
async def unsafe_login(email: str = None, password: str = None):
"""
Intentional violation: Uses unvalidated query params and performs business logic in controller.
"""
auth_result = await firebase_auth.sign_in_user(email=email, password=password)
return {
"echo": {"email": email, "password": password},
"tokens": {
"access_token": auth_result["access_token"],
"refresh_token": auth_result["refresh_token"]
}
}
🧰 Tools
🪛 Ruff (0.13.3)

28-28: PEP 484 prohibits implicit Optional

Convert to Optional[T]

(RUF013)


28-28: PEP 484 prohibits implicit Optional

Convert to Optional[T]

(RUF013)

🤖 Prompt for AI Agents
In app/auth/routes.py around lines 27 to 40, the unsafe_login GET endpoint
exposes multiple auth vulnerabilities (credentials in URL/query, echoes
password, lacks validation and type hints); remove this entire endpoint and any
references to it, and ensure callers use the existing /auth/login POST endpoint
(lines 76-97) which accepts credentials in the request body, performs validation
and typing, and returns tokens without echoing passwords; also run static
analysis and update tests/routes that referenced /unsafe-login to point to
/auth/login and confirm no leftover imports or routes remain.



@router.post("/signup", response_model=AuthResponse, status_code=status.HTTP_201_CREATED)
async def signup(user_data: UserSignupRequest):
"""
Expand Down