Skip to content

Feat: Implement Global Master Authentication Middleware#145

Open
ArshVermaGit wants to merge 2 commits into
siddu-k:mainfrom
ArshVermaGit:main_2
Open

Feat: Implement Global Master Authentication Middleware#145
ArshVermaGit wants to merge 2 commits into
siddu-k:mainfrom
ArshVermaGit:main_2

Conversation

@ArshVermaGit
Copy link
Copy Markdown
Contributor

@ArshVermaGit ArshVermaGit commented May 28, 2026

Overview

This pull request introduces a highly robust, application-wide Master Lock authentication system to mitigate the critical Missing Authentication & Authorization vulnerability.
Previously, most of the application's sensitive endpoints (e.g., file reading/writing, git operations) were completely unprotected, allowing attackers to bypass script-level locks. This architecture introduces a global security perimeter using the existing PBKDF2-HMAC-SHA256 cryptographic hashing mechanism while maintaining the UI's smooth single-page flow.

Resolved Issue

Resolves #144

Key Changes

Backend (app.py)

  • Global Auth Interceptor: Added an @app.before_request hook that intercepts all traffic to /api/* (excluding the public status endpoint). If the __master__ lock exists in locks.json, the middleware validates the X-Master-Password header.
  • Unauthorized Handling: Explicitly returns 401 Unauthorized with {"master_locked": true} if the authentication header is missing or incorrect.
  • Status Endpoint: Introduced GET /api/master/status to allow the frontend to asynchronously verify if the application is locked.

Frontend (ui/app.js & ui/index.html)

  • Global Fetch Wrapper: Wrapped window.fetch to natively and transparently inject the X-Master-Password header into every outgoing API request.
  • Smart 401 Interception Loop: If the fetch wrapper receives a master_locked: true 401 response, it intercepts the promise, launches the new #master-auth-modal, waits for the user to submit the password, caches it in memory, and automatically replays the original API request without dropping any state or user actions.
  • Master Lock UI: Added a global "Master Lock" icon button to the navigation header, linking to the native lock management modal so users can set, change, or remove the master password effortlessly.

Security Impact

  • Severity: Critical -> Resolved
  • Impact: Provides a unified, impenetrable layer of authorization across all backend routes, completely eliminating vectors for unauthenticated arbitrary file modification or unauthorized git operations.

@ArshVermaGit ArshVermaGit mentioned this pull request May 28, 2026
Open
ArshVermaGit
ArshVermaGit commented May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor Author

@ArshVermaGit ArshVermaGit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @siddu-k ! Issue #144 has been resolved. Please review the PR and merge it under GSSoC. Thanks!

@ArshVermaGit
Copy link
Copy Markdown
Contributor Author

ArshVermaGit commented May 31, 2026

@siddu-k conflicts are resolved please review and merge

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

gssoc:approved level:advanced quality:exceptional type:design

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security Vulnerability: Missing Global Authentication & Authorization Middleware

2 participants

@ArshVermaGit @siddu-k