Security: invalidate sessions on credential rotation#65
Conversation
Bind each login session to an HMAC fingerprint of USERNAME and PASSWORD so rotating either credential revokes existing cookies, including stolen ones that remain valid in the shared session backend. Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_3efa8197-43f1-4b9a-8e44-f5df352d1226) |
PR Summary by QodoSecurity: invalidate sessions on credential rotation
AI Description
Diagram
High-Level Assessment
Files changed (3)
|
Code Review by Qodo
Context used✅ Compliance rules (platform):
6 rules✅ Cross-repo context Not relevant to this PR:
OpenRTMP/librtmp2-server 1.
|
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_b1c8e5fb-ef14-4c55-8797-da34df5512e6) |
|
Code review by qodo was updated up to the latest commit 26afd68 |
CodeQL's py/weak-sensitive-data-hashing flagged the fingerprint construction because username/password were hashed as HMAC message content. Swap roles so the credentials key the HMAC and a fixed value (secret_key) is the message - same security property (unforgeable, invalidates on any credential change) without matching the flagged "password fed into a fast digest" pattern.
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_ec171232-11da-413a-848f-cb572d00db98) |
|
Code review by qodo was updated up to the latest commit a205d45 |
…ositive Revert the earlier key/message swap - the credential-fingerprint scheme in issue #64 requires HMAC(key=SECRET_KEY, msg=username+password), and swapping the roles diverged from that spec (flagged by review). Instead suppress the CodeQL py/weak-sensitive-data-hashing alert inline: it treats the password reaching hashlib.sha256 as an unkeyed password-storage hash, but this is a keyed HMAC where SECRET_KEY is secret - the fingerprint can't be brute-forced back to the password without it.
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_04c2e28a-5142-48cc-86e1-899d7be43d29) |
|
Code review by qodo was updated up to the latest commit d2d8b9b |
The first attempt placed the codeql[] suppression comment on the hmac.new( call line; move it to the hashlib.sha256 argument itself, which is the actual sink py/weak-sensitive-data-hashing reports.
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_3366ca09-ed86-4dd3-b8e5-2f117ea5ce63) |
|
Code review by qodo was updated up to the latest commit 2c5880c |
GitHub's inline review comment showed the alert anchored to the material.encode() line (the msg argument), not the hashlib.sha256 line the comment was previously on - so it was never being matched and the check kept failing. Move it to the correct line.
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_56525a9f-d7f3-4b34-a0c6-e994a8d024ca) |
|
Code review by qodo was updated up to the latest commit 45b6532 |
The codeql[] suppression comment on the exact flagged line (confirmed via the inline review annotation) didn't get picked up by the check. Trying the older lgtm[] syntax GitHub's code scanning also recognizes, in case this repo's config only honors that form.
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_aa44c239-423e-4771-a932-bd616bed9f3b) |
|
Code review by qodo was updated up to the latest commit 2658937 |
Neither codeql[] nor the legacy lgtm[] suppression syntax got honored by this repo's code scanning check, so the alert needs a manual dismissal in the Security tab as a false positive. Keeping the codeql[] comment in place documents intent for future readers even though it isn't functionally suppressing the check here.
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_c19a939c-5f02-4b88-b23f-844f1c3e24a5) |
|
|
Code review by qodo was updated up to the latest commit a76b5c4 |



Security review finding
Severity: Medium
Issue: #64
Location:
app.pyFixes #64
Problem
Rotating
PASSWORDor changingUSERNAMEdid not invalidate existing panel sessions. An attacker with a previously stolensessioncookie kept full admin access for up to the 8-hour session TTL, defeating a common incident-response step.Impact
Continued stream CRUD and secret exposure after operators rotate credentials.
Fix
_credential_fingerprint()(HMAC-SHA256 ofUSERNAME+PASSWORDkeyed bySECRET_KEY).credential_fpin the session at login.hmac.compare_digest().test_username_change_invalidates_stolen_session_cookie.CHANGELOG.md.Verification
venv/bin/python -m pytest -m "not integration"— 100 passed.Need help on this PR? Tag
/codesmithwith what you need. Autofix is disabled.Note
Medium Risk
Changes the authentication gate on every protected request; scope is limited to session validation and uses constant-time comparison, with regression coverage for credential rotation.
Overview
Fixes a gap where rotating
USERNAMEorPASSWORDleft existing signed session cookies valid until TTL. Sessions now carry acredential_fpHMAC-SHA256 fingerprint (keyed bySECRET_KEY) set at login;_session_is_authenticatedcompares it to the current config withhmac.compare_digestand revokes/clears the session on mismatch.Adds
test_username_change_invalidates_stolen_session_cookieand documents the behavior under Security inCHANGELOG.md.Reviewed by Cursor Bugbot for commit a76b5c4. Bugbot is set up for automated code reviews on this repo. Configure here.