
fix: resolve security vulnerabilities in auth, registration & config#20

Merged
shibinsp merged 2 commits into main from fix/issue-19-security-vulnerabilities on Mar 14, 2026

Conversation

@shibinsp

Owner

Summary

  • Password change now verifies current password via sign_in_with_password before allowing update (prevents account takeover with stolen session)
  • Org registration requires valid invite code to join existing org; forces EMPLOYEE role (prevents unauthorized org access)
  • Error messages no longer leak raw Supabase exception details to clients (prevents architecture disclosure)
  • Config redaction is now recursive — nested dicts/lists with secrets are properly masked (prevents secret leakage in automation API)

Test plan

  • Verify password change fails without correct current password
  • Verify registration with org_id requires valid invite_code
  • Verify registration with org_id forces EMPLOYEE role regardless of role field
  • Verify Supabase auth errors return generic messages (no internal details)
  • Verify nested agent configs have secrets redacted in API responses

Fixes #19
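The fourth summary item (recursive config redaction) is the one most easily got wrong, so here is an added example, not the TaskPulse project's own code, of the flat top-level-only redaction beside a recursive version that descends into nested dicts and lists. The sensitive-key list, the `REDACTED` marker and the sample agent config are constructed for the example; the project's real key list and marker are not on the page.

```python
"""Added example (not the TaskPulse project's own code): recursive redaction of
sensitive keys in a nested agent config, next to the flat redaction that only
checks top-level keys. Key list, marker and sample config are constructed."""
from typing import Any, List

# Key fragments treated as sensitive. The PR names password, token and api_key;
# the others are reasonable defaults added for this example.
SENSITIVE_KEY_FRAGMENTS = ("password", "passwd", "secret", "token",
                           "api_key", "apikey", "private_key", "authorization")
REDACTED = "***REDACTED***"


def is_sensitive_key(key: Any) -> bool:
    """Case-insensitive substring match, so 'DB_PASSWORD' and 'x-api-token' both match."""
    k = str(key).lower()
    return any(frag in k for frag in SENSITIVE_KEY_FRAGMENTS)


def redact_config_flat(config: dict) -> dict:
    """Pre-fix behaviour: only top-level keys are checked, so a secret one level
    down (e.g. inside a list of steps) passes through to the API response."""
    return {k: (REDACTED if is_sensitive_key(k) else v) for k, v in config.items()}


def redact_config(value: Any) -> Any:
    """Return a redacted copy of `value`, descending into dicts, lists and tuples.

    A sensitive key masks its whole value, scalar or subtree, so nothing under
    e.g. `api_key` can leak; non-sensitive keys are recursed into. The input
    structure is never mutated.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if is_sensitive_key(k) and v is not None else redact_config(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(redact_config(item) for item in value)
    # Scalars (str, int, bool, None) are returned unchanged.
    return value


def find_unmasked(value: Any, path: str = "$") -> List[str]:
    """Audit helper: JSONPath-like paths of sensitive keys still holding a raw value.
    Useful as a last check on any payload before it leaves the automation API."""
    found: List[str] = []
    if isinstance(value, dict):
        for k, v in value.items():
            p = f"{path}.{k}"
            if is_sensitive_key(k) and v is not None and v != REDACTED:
                found.append(p)
            else:
                found.extend(find_unmasked(v, p))
    elif isinstance(value, (list, tuple)):
        for i, item in enumerate(value):
            found.extend(find_unmasked(item, f"{path}[{i}]"))
    return found


# Constructed sample: the shape an automation API might return for an agent config.
SAMPLE_AGENT_CONFIG = {
    "name": "deploy-notifier",
    "api_key": "sk-constructed-not-real",
    "steps": [
        {"type": "http", "url": "https://example.invalid/hook",
         "headers": {"Authorization": "Bearer constructed-token"}},
        {"type": "db", "connection": {"host": "db.internal", "password": "constructed"}},
    ],
}

if __name__ == "__main__":
    print("flat leaves unmasked:", find_unmasked(redact_config_flat(SAMPLE_AGENT_CONFIG)))
    print("recursive leaves unmasked:", find_unmasked(redact_config(SAMPLE_AGENT_CONFIG)))
```

The flat version masks `api_key` but leaves the `Authorization` header and the database `password` inside `steps` untouched, which is exactly the class of leak the PR describes; `find_unmasked` is the check to keep in a test so a future config shape cannot regress it silently.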

- Rewrite README with professional structure: badges, live demo, feature
  categories, tech stack, architecture diagram, getting started guide,
  E2E test results, CI/CD pipeline, project structure, API endpoints,
  security measures, and RBAC matrix
- Create docs/reports/TaskPulse_Project_Overview.xlsx with 6 sheets:
  Features (46), E2E Test Results (113), Security (19), Tech Stack (45),
  API Endpoints (80), Architecture (23)
- Update Playwright config for deployed app testing via E2E_BASE_URL
- Add test:e2e:deployed npm script

Fixes #17
Co-Authored-By: Beeax

1. Password change now verifies current password before allowing update
   via Supabase sign_in_with_password before calling admin API

2. Org registration requires valid invite code to join existing org;
   auto-generates invite codes on org creation; forces EMPLOYEE role

3. Supabase error details no longer leaked to clients — generic error
   messages returned while raw exceptions logged server-side only

4. Config redaction now recursive — nested dicts and lists with
   sensitive keys (password, token, api_key, etc.) are properly masked

Fixes #19
Co-Authored-By: Beeax
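Items 2 and 3 of the commit message together describe one control flow: joining an existing org needs a valid invite code, the caller's requested role is ignored in favour of EMPLOYEE, and the client only ever sees a generic message while the real reason is logged server-side. The following is an added example of that flow, not the project's own code; the in-memory `OrgStore`, `BackendError` (standing in for a raw Supabase client exception), `FailingOrgStore` and every other name here are constructed for the example.

```python
"""Added example (not the TaskPulse project's own code) of the registration rule the
commit message describes: invite-code check, forced EMPLOYEE role, generic client
errors with detail logged server-side. All classes and names are constructed."""
import hmac
import logging
import secrets
from typing import Dict, Optional, Tuple

logger = logging.getLogger("registration")


class BackendError(Exception):
    """Stand-in for an auth/database client exception that carries internal detail."""


class RegistrationError(Exception):
    """Client-facing error: the message is fixed and never derived from the backend."""


class OrgStore:
    """Minimal in-memory store; a real service would back this with a database."""

    def __init__(self) -> None:
        self.orgs: Dict[str, dict] = {}

    def create_org(self, name: str) -> Tuple[str, str]:
        org_id = f"org_{len(self.orgs) + 1}"
        # Invite code generated at org creation, as the commit message describes.
        invite_code = secrets.token_urlsafe(16)
        self.orgs[org_id] = {"name": name, "invite_code": invite_code, "members": {}}
        return org_id, invite_code

    def get_org(self, org_id: str) -> Optional[dict]:
        return self.orgs.get(org_id)


class FailingOrgStore(OrgStore):
    """Constructed simulation of a backend outage, to exercise the generic-error path."""

    def get_org(self, org_id: str) -> Optional[dict]:
        raise BackendError("connection refused: db.internal:5432")


def _invite_matches(supplied: Optional[str], expected: str) -> bool:
    if not supplied:
        return False
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def register(store: OrgStore, email: str, org_id: Optional[str] = None,
             invite_code: Optional[str] = None, requested_role: str = "EMPLOYEE") -> dict:
    """Register `email`. Without org_id a new org is created and the user becomes its
    ADMIN; with org_id the invite code must match and the role is forced to EMPLOYEE
    regardless of `requested_role`, which is accepted but deliberately never read."""
    try:
        if org_id is None:
            org_id, _ = store.create_org(f"{email} org")
            role = "ADMIN"
        else:
            org = store.get_org(org_id)
            if org is None or not _invite_matches(invite_code, org["invite_code"]):
                # Detailed reason stays in the server log; the client gets the generic message.
                logger.warning("registration rejected: email=%s org_id=%s reason=%s",
                               email, org_id, "unknown org" if org is None else "bad invite")
                raise RegistrationError("Registration failed")
            role = "EMPLOYEE"
        store.get_org(org_id)["members"][email] = role
        return {"org_id": org_id, "role": role}
    except RegistrationError:
        raise
    except BackendError:
        # Raw exception (host, port, driver text) is logged with traceback only.
        logger.exception("backend error during registration for %s", email)
        # `from None` drops the chained cause so a framework's error page cannot render it.
        raise RegistrationError("Registration failed") from None


if __name__ == "__main__":
    store = OrgStore()
    org_id, invite = store.create_org("Acme")
    print(register(store, "bob@example.invalid", org_id=org_id,
                   invite_code=invite, requested_role="ADMIN"))
```

Two design choices worth keeping when porting this to a real handler: the same "Registration failed" string is used for unknown org, missing code and wrong code, so a caller cannot enumerate valid org ids through the error text, and the backend exception is re-raised with `from None` so neither the message nor the chained traceback reaches the client.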
shibinsp merged commit f360239 into main on Mar 14, 2026
3 checks passed
@github-actions


🚀 Vercel Preview Deployment

Status: ✅ Deployed
URL: https://relaxed-gates-omnqjqofa-shibinsps-projects.vercel.app

Commit: da4b6bc
Branch: fix/issue-19-security-vulnerabilities


Development

Successfully merging this pull request may close these issues.

fix: security vulnerabilities in auth, registration, config redaction, and error handling

1 participant