Open
Refactored some existing package structure to better organize things. Updated unit tests and documentation.
Rename SESSION_TYPE enum to SessionType.
STS GetCallerIdentity returns an assumed-role ARN that omits IAM role paths, so direct role_arn string equality can fail (e.g., role/foo-path/...). Update the aws_presigned adapter to derive (account_id, role_name) from the STS ARN and match bindings by account + role name while preserving the configured IAM role_arn as the canonical principal for subject/proof.
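The account + role-name matching this commit describes, written out as an added example (not code from the PR). It assumes the standard ARN shapes `arn:<partition>:iam::<account>:role/<optional/path/>Name` for the configured role and `arn:<partition>:sts::<account>:assumed-role/Name/Session` for the STS caller identity; the function and variable names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional


class RolePrincipal(NamedTuple):
    account_id: str
    role_name: str


# Configured IAM role ARN; the path segment between "role/" and the name is optional.
_IAM_ROLE_RE = re.compile(r"^arn:[^:]+:iam::(\d{12}):role/(?:.*/)?([^/]+)$")
# STS GetCallerIdentity ARN for an assumed role; note the path is absent here.
_STS_ASSUMED_ROLE_RE = re.compile(r"^arn:[^:]+:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def principal_from_iam_role_arn(arn: str) -> Optional[RolePrincipal]:
    """Extract (account_id, role_name) from a configured IAM role ARN, dropping any path."""
    m = _IAM_ROLE_RE.match(arn)
    return RolePrincipal(m.group(1), m.group(2)) if m else None


def principal_from_sts_arn(arn: str) -> Optional[RolePrincipal]:
    """Extract (account_id, role_name) from an STS assumed-role ARN; None for any other caller type."""
    m = _STS_ASSUMED_ROLE_RE.match(arn)
    return RolePrincipal(m.group(1), m.group(2)) if m else None


def find_bound_role_arn(sts_caller_arn: str, configured_role_arns: List[str]) -> Optional[str]:
    """Match the STS caller against the configured bindings by account + role name.

    Returns the configured IAM role_arn (path included) so it stays the canonical
    principal for subject/proof, rather than the path-less STS form.
    """
    caller = principal_from_sts_arn(sts_caller_arn)
    if caller is None:
        return None
    for role_arn in configured_role_arns:
        if principal_from_iam_role_arn(role_arn) == caller:
            return role_arn
    return None


if __name__ == "__main__":
    # Constructed sample values: direct string equality fails because of the path.
    configured = "arn:aws:iam::123456789012:role/foo-path/MyRole"
    caller_arn = "arn:aws:sts::123456789012:assumed-role/MyRole/session-1"
    print(configured == caller_arn)                               # False
    print(find_bound_role_arn(caller_arn, [configured]))          # the configured ARN
```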
Add some additional unit tests for error handling in aws_presigned.
… ‘audiences’ -> ‘resources’) to prepare for multi-resource opaque token binding and uniform enforcement via `/session?resource=` across all flows. Hardening and refinements to session_store.py. Rewrite of `is_browser_client` to not use auth cookie (which may not be set yet) and user-agent inspection to detect browser. Use a hash of the principal/realm/adapter as the key for rate limiting on service principal. Update unit tests.
UX:
- Styled HTML success page for device authorization

Security improvements:
- Use secrets.token_hex() for device codes instead of UUID for explicit entropy (128-bit device_code, 32-bit user_code)
- Fix race condition in verify_device(): validate flow exists before consuming user_code mapping; return 410 Gone for expired flows
- Sanitize error messages in device_flow.py and login_flow.py to not leak exception details to clients; log full errors server-side

Code cleanup:
- Remove redundant session_data.metadata assignments (dict passed by ref)
- Add defensive check with warning log for unlikely flow/user_code TTL race