Credential hash: constant-time comparison + HMAC-SHA-256 with pepper#98
Conversation
|
Cursor Agent can help with this pull request. Just |
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7c2cd842a3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4cdb16135d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 195460a55c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
b90fde5 to
1abee12
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b90fde5fc7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1abee129bc
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Store API token and endpoint secret credentials as peppered HMAC-SHA-256 hashes and verify them with constant-time comparisons. Require the credential pepper in deployed environments and thread it through authentication and secret-management flows. Explicitly invalidate unsupported stored credential formats during migration while retaining active endpoint-secret guard rows so private ingest remains fail-closed. Preserve legacy bearer token ID parsing for existing tokens. Add migration, authentication, routing, repository, rate-limit, and smoke coverage, plus deployment guidance for provisioning and replacing credentials.
1abee12 to
2821eb9
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2821eb99e5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Summary
Addresses credential-hashing review feedback for #78.
HMAC-SHA-256(server pepper, raw secret). Stored hashes usehmac-sha256$<64 lowercase hex>and verification uses constant-time comparison.BARESTASH_CREDENTIAL_PEPPERis missing or empty. OpenTofu requires the secret, while local Wrangler uses a development-only value.0002deletes unsupported token hashes and non-active unsupported endpoint-secret hashes. Active unsupported endpoint secrets remain as invalidated guard rows so private ingest stays fail-closed until senders move to a new secret.-or_; generation and public parsing remain alphanumeric-only.Verification
just ci— passed (typecheck, Biome, Markdown lint, 324 unit tests, coverage, Wrangler dry-run, and OpenTofu validation)just test-e2e— passed (5 CLI/API smoke tests)code-reviewerreview — no remaining findings after the fail-open migration risk was fixedMigration and residual risk