Security/codeql fixes #24
Replace scrypt for new password hashes while keeping legacy verification, tighten auth rate limits with env overrides, and use generic login failure messages.
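The three changes the description names (scrypt for new hashes, legacy hashes still verifiable and upgraded on the next successful login, one generic failure message for unknown user and wrong password alike) fit in one small module. The following is an added example written for this page, not code from the PR: the `scrypt$...` string layout, the `sha256$<salt>$<digest>` legacy format, and the `login`/`UserRecord` names are assumptions; only Node's `node:crypto` API is real.

```typescript
import { scryptSync, randomBytes, timingSafeEqual, createHash } from "node:crypto";

// Parameters for newly created hashes (chosen for this example, not taken from the PR).
const SCRYPT_N = 16384;
const SCRYPT_R = 8;
const SCRYPT_P = 1;
const KEY_LEN = 64;
const MIN_KEY_LEN = 32; // never compare against a suspiciously short stored key (an empty key would match anything)

// New format: scrypt$<N>$<r>$<p>$<salt base64>$<key base64>
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, KEY_LEN, { N: SCRYPT_N, r: SCRYPT_R, p: SCRYPT_P });
  return ["scrypt", SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.toString("base64"), key.toString("base64")].join("$");
}

// Assumed legacy format (hypothetical, not the project's): sha256$<salt hex>$<sha256(salt || password) hex>
export function legacyHash(password: string, saltHex: string): string {
  const digest = createHash("sha256").update(Buffer.from(saltHex, "hex")).update(password, "utf8").digest("hex");
  return `sha256$${saltHex}$${digest}`;
}

function safeEqual(a: Buffer, b: Buffer): boolean {
  return a.length === b.length && timingSafeEqual(a, b);
}

export interface VerifyResult { ok: boolean; needsRehash: boolean }

// Verifies either format; needsRehash tells the caller to re-hash with current parameters after a success.
export function verifyPassword(password: string, stored: string): VerifyResult {
  const parts = stored.split("$");
  try {
    if (parts[0] === "scrypt" && parts.length === 6) {
      const [, n, r, p, saltB64, keyB64] = parts;
      const expected = Buffer.from(keyB64, "base64");
      if (expected.length < MIN_KEY_LEN) return { ok: false, needsRehash: false };
      const params = { N: Number(n), r: Number(r), p: Number(p) };
      const actual = scryptSync(password, Buffer.from(saltB64, "base64"), expected.length, params);
      const ok = safeEqual(actual, expected);
      const stale = params.N !== SCRYPT_N || params.r !== SCRYPT_R || params.p !== SCRYPT_P;
      return { ok, needsRehash: ok && stale };
    }
    if (parts[0] === "sha256" && parts.length === 3) {
      const expected = Buffer.from(parts[2], "hex");
      const actual = Buffer.from(legacyHash(password, parts[1]).split("$")[2], "hex");
      const ok = safeEqual(actual, expected);
      return { ok, needsRehash: ok }; // every legacy hash is upgraded on its next successful login
    }
  } catch (err) {
    // malformed parameters (e.g. N not a power of two) make scryptSync throw; treat as a failed check
  }
  return { ok: false, needsRehash: false };
}

export interface UserRecord { username: string; passwordHash: string }
export const GENERIC_FAILURE = "Invalid username or password.";
// Verified against when the user does not exist, so the unknown-user path does real work too.
const DUMMY_HASH = hashPassword("dummy-value-never-accepted");

export function login(users: Map<string, UserRecord>, username: string, password: string): { ok: boolean; message: string } {
  const user = users.get(username);
  const result = verifyPassword(password, user ? user.passwordHash : DUMMY_HASH);
  // One message for both failure causes: the response does not reveal whether the account exists.
  if (!user || !result.ok) return { ok: false, message: GENERIC_FAILURE };
  if (result.needsRehash) user.passwordHash = hashPassword(password); // transparent upgrade to scrypt
  return { ok: true, message: "ok" };
}
```

The `MIN_KEY_LEN` guard matters: `timingSafeEqual` on two empty buffers returns true, so a corrupted or attacker-written row with an empty key field must be rejected before the comparison rather than after it.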
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3eda386306
| } | ||
| function createLimiter(max: number, windowMs: number) { | ||
| const windowMs = parseEnvInt("SOURCEDRAFT_RATE_LIMIT_WINDOW_MS", DEFAULT_WINDOW_MS); |
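Review bot: the `parseEnvInt` call for `SOURCEDRAFT_RATE_LIMIT_WINDOW_MS` sits at module level, so its value is fixed when `rateLimit.ts` is first imported; move the read into `createLimiter` (or a config getter called where the limiter is constructed) so it sees whatever dotenv loads later. Independently, please confirm `parseEnvInt` falls back to `DEFAULT_WINDOW_MS` for blank, non-numeric, zero or negative input: a window of `0` or `NaN` does not fail loudly, it just stops limiting.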
Defer rate-limit env reads until after dotenv loads
When these overrides are set in the app’s supported .env/.env.local files, they are ignored because rateLimit.ts is statically imported by server/index.ts before the loadDotenv loop runs, so this module-level parseEnvInt executes against the pre-dotenv environment. The docs now advertise SOURCEDRAFT_RATE_LIMIT_WINDOW_MS, SOURCEDRAFT_AUTH_RATE_LIMIT_MAX, and SOURCEDRAFT_WRITE_RATE_LIMIT_MAX, but they only work if exported by the parent process; compute these values after dotenv initialization or when creating the app/limiter.
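The ordering problem in the comment above (a module-level `parseEnvInt` evaluated on import, before `loadDotenv` runs) is easiest to see side by side with the call-time version. The block below is an added example, not the project's `rateLimit.ts`: `parseEnvInt`, `getRateLimitConfig`, `createLimiter`, `buildLimiters` and the default values are assumptions; only the three `SOURCEDRAFT_*` variable names come from the page. It also shows the range validation a practitioner would want on these overrides.

```typescript
type Env = Record<string, string | undefined>;

// Defaults chosen for this example, not the project's values.
const DEFAULT_WINDOW_MS = 15 * 60 * 1000;
const DEFAULT_AUTH_MAX = 10;
const DEFAULT_WRITE_MAX = 100;

export interface RateLimitConfig { windowMs: number; authMax: number; writeMax: number }

// Accepts only a plain positive decimal integer; blank, non-numeric, zero, negative,
// exponent notation or values below `min` all fall back to the default.
export function parseEnvInt(env: Env, name: string, fallback: number, min = 1): number {
  const raw = (env[name] ?? "").trim();
  if (!/^\d+$/.test(raw)) return fallback;
  const value = Number(raw);
  return Number.isSafeInteger(value) && value >= min ? value : fallback;
}

// Reads at call time. Call this when the app/limiter is created, after dotenv has run,
// rather than capturing the values in a module-level const.
export function getRateLimitConfig(env: Env = process.env): RateLimitConfig {
  return {
    windowMs: parseEnvInt(env, "SOURCEDRAFT_RATE_LIMIT_WINDOW_MS", DEFAULT_WINDOW_MS, 1000),
    authMax: parseEnvInt(env, "SOURCEDRAFT_AUTH_RATE_LIMIT_MAX", DEFAULT_AUTH_MAX),
    writeMax: parseEnvInt(env, "SOURCEDRAFT_WRITE_RATE_LIMIT_MAX", DEFAULT_WRITE_MAX),
  };
}

// The pattern the review comment objects to: evaluated once when this module is first imported,
// so a value that dotenv loads afterwards is never seen.
const WINDOW_CAPTURED_AT_IMPORT = parseEnvInt(process.env, "SOURCEDRAFT_RATE_LIMIT_WINDOW_MS", DEFAULT_WINDOW_MS, 1000);
export function windowCapturedAtImport(): number { return WINDOW_CAPTURED_AT_IMPORT; }

// Minimal fixed-window limiter keyed by client id; `now` is injectable for testing.
export function createLimiter(max: number, windowMs: number, now: () => number = Date.now) {
  const buckets = new Map<string, { start: number; count: number }>();
  return function allow(key: string): boolean {
    const t = now();
    const b = buckets.get(key);
    if (!b || t - b.start >= windowMs) {
      buckets.set(key, { start: t, count: 1 });
      return true;
    }
    if (b.count >= max) return false;
    b.count += 1;
    return true;
  };
}

// Build limiters from the config read now (after dotenv), not from values captured at import.
export function buildLimiters(env: Env = process.env, now: () => number = Date.now) {
  const cfg = getRateLimitConfig(env);
  return {
    auth: createLimiter(cfg.authMax, cfg.windowMs, now),
    write: createLimiter(cfg.writeMax, cfg.windowMs, now),
  };
}
```

Setting `SOURCEDRAFT_RATE_LIMIT_WINDOW_MS` after this module has loaded changes what `getRateLimitConfig()` returns but not `windowCapturedAtImport()`, which is exactly the behaviour the comment describes for values supplied through `.env`/`.env.local`.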
| @@ -0,0 +1 @@ | |||
| Subproject commit e791f54723e8a630ae5316dbd6a14e0763924b51 | |||
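Review bot: this adds a gitlink with no corresponding `.gitmodules` entry, so `git submodule status` on the path reports no submodule mapping and any workflow that initializes submodules breaks. Drop the gitlink from the commit and add `.claude/worktrees/` to `.gitignore` so the local worktree directory cannot be staged again by accident.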
Remove the stray worktree gitlink
This path is committed as a submodule gitlink, but the commit does not add a matching .gitmodules entry; in this checkout git submodule status .claude/worktrees/project-guidance fails with no submodule mapping found. Any tooling or contributor workflow that initializes/checks submodules will now fail on an internal Claude worktree artifact, so this should be removed or converted to a real tracked file.