forgejo-mcp-broker

History

Ole-Morten Duesund 8369ec2cc7 sec(oauth): phase-2 attack-path review (forgejo-mcp-broker-wgo) Structured review of every OAuth/auth handler against the standard attack catalog. Findings table added to design.md §8.2. Two real issues found and fixed: - Refresh-token replay race: tokenRefreshGrant read the row, validated it, then minted a new pair before unconditionally revoking the old refresh. Two concurrent /token requests with the same refresh would both pass validation and both mint a fresh pair — token-quota duplication and a hint to a stolen-refresh attacker. Fixed with the same atomic UPDATE rows-affected pattern already used for auth-code single-use. New TestToken_Refresh_ConcurrentReplay_OnlyOneSucceeds races two goroutines and verifies exactly one wins. - Permissive redirect_uri schemes: validateRedirectURI accepted any non-empty scheme, including javascript: and data:. Tightened to require https, http for loopback only, or a reverse-DNS private-use scheme per RFC 8252 §7.1. TestValidateRedirectURI updated to cover each variant including the rejected javascript:/data: cases. Items deferred to backlog (already filed): - Rate limits on /oauth/register and /oauth/token (-ttl) - --token-fd to close the /proc/<pid>/environ window (-1n2) - AES-GCM at-rest encryption of Forgejo tokens (-sd4) Closes forgejo-mcp-broker-wgo. Phase 2 complete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-27 17:37:00 +02:00
..
design.md	sec(oauth): phase-2 attack-path review (forgejo-mcp-broker-wgo)	2026-04-27 17:37:00 +02:00
plan.md	docs: initial planning artifacts for fjmcp-broker	2026-04-24 16:21:01 +02:00

Ole-Morten Duesund 8369ec2cc7 sec(oauth): phase-2 attack-path review (forgejo-mcp-broker-wgo)

Structured review of every OAuth/auth handler against the standard
attack catalog. Findings table added to design.md §8.2.

Two real issues found and fixed:

  - Refresh-token replay race: tokenRefreshGrant read the row, validated
    it, then minted a new pair before unconditionally revoking the old
    refresh. Two concurrent /token requests with the same refresh would
    both pass validation and both mint a fresh pair — token-quota
    duplication and a hint to a stolen-refresh attacker. Fixed with the
    same atomic UPDATE rows-affected pattern already used for auth-code
    single-use. New TestToken_Refresh_ConcurrentReplay_OnlyOneSucceeds
    races two goroutines and verifies exactly one wins.

  - Permissive redirect_uri schemes: validateRedirectURI accepted any
    non-empty scheme, including javascript: and data:. Tightened to
    require https, http for loopback only, or a reverse-DNS private-use
    scheme per RFC 8252 §7.1. TestValidateRedirectURI updated to cover
    each variant including the rejected javascript:/data: cases.

Items deferred to backlog (already filed):
  - Rate limits on /oauth/register and /oauth/token (-ttl)
  - --token-fd to close the /proc/<pid>/environ window (-1n2)
  - AES-GCM at-rest encryption of Forgejo tokens (-sd4)

Closes forgejo-mcp-broker-wgo. Phase 2 complete.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-27 17:37:00 +02:00

design.md

sec(oauth): phase-2 attack-path review (forgejo-mcp-broker-wgo)

2026-04-27 17:37:00 +02:00

plan.md

docs: initial planning artifacts for fjmcp-broker

2026-04-24 16:21:01 +02:00