Skip to content

Credential hash: constant-time comparison + HMAC-SHA-256 with pepper#98

Merged
codemountains merged 1 commit into
mainfrom
cursor/credential-hash-constant-time-a182
Jul 12, 2026
Merged

Credential hash: constant-time comparison + HMAC-SHA-256 with pepper#98
codemountains merged 1 commit into
mainfrom
cursor/credential-hash-constant-time-a182

Conversation

@codemountains

@codemountains codemountains commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Summary

Addresses credential-hashing review feedback for #78.

  • HMAC-SHA-256 (spec §25): Replaced PBKDF2 with HMAC-SHA-256(server pepper, raw secret). Stored hashes use hmac-sha256$<64 lowercase hex> and verification uses constant-time comparison.
  • Required deployment pepper: Deployed Workers fail closed when BARESTASH_CREDENTIAL_PEPPER is missing or empty. OpenTofu requires the secret, while local Wrangler uses a development-only value.
  • Explicit pre-release transition: D1 migration 0002 deletes unsupported token hashes and non-active unsupported endpoint-secret hashes. Active unsupported endpoint secrets remain as invalidated guard rows so private ingest stays fail-closed until senders move to a new secret.
  • Legacy token IDs: PAT authentication read paths continue to accept stored 24-character token-id suffixes containing - or _; generation and public parsing remain alphanumeric-only.
  • Operator guidance: Deployment docs now cover one-time pepper generation, per-environment reuse, the credential replacement sequence, and the lack of online pepper rotation.

Verification

  • just ci — passed (typecheck, Biome, Markdown lint, 324 unit tests, coverage, Wrangler dry-run, and OpenTofu validation)
  • just test-e2e — passed (5 CLI/API smoke tests)
  • Focused auth, migration, and ingest tests — passed (14 tests)
  • Repository code-reviewer review — no remaining findings after the fail-open migration risk was fixed

Migration and residual risk

  • Unsupported token hashes are deleted. If staging loses every token, use the staging-only bootstrap flow to create a new initial PAT.
  • Active unsupported endpoint secrets intentionally reject ingest until a canonical HMAC secret is created, deployed to the sender, verified, and the invalidated row is revoked.
  • The Worker supports one active pepper. Changing it invalidates all HMAC credentials; online rotation is not supported.
  • This pre-release transition assumes there is no existing production deployment containing legacy credentials.
Open in Web Open in Cursor 

@cursor

cursor Bot commented Jul 12, 2026

Copy link
Copy Markdown

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents

@codemountains codemountains marked this pull request as ready for review July 12, 2026 07:17
@codemountains

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7c2cd842a3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/api/src/application/endpoints.ts
@codemountains

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4cdb16135d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/api/src/application/credential-hash.ts Outdated
Comment thread apps/api/src/container.ts
@cursor cursor Bot changed the title User stashes listing Credential hash: constant-time comparison + HMAC-SHA-256 with pepper Jul 12, 2026
@codemountains

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 195460a55c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/api/src/application/credential-hash.ts
Comment thread apps/api/src/application/auth.ts Outdated
Comment thread infra/cloudflare/main.tf Outdated
@codemountains codemountains force-pushed the cursor/credential-hash-constant-time-a182 branch from b90fde5 to 1abee12 Compare July 12, 2026 09:04

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b90fde5fc7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread infra/cloudflare/main.tf Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1abee129bc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread infra/cloudflare/main.tf Outdated
Store API token and endpoint secret credentials as peppered HMAC-SHA-256 hashes and verify them with constant-time comparisons. Require the credential pepper in deployed environments and thread it through authentication and secret-management flows.

Explicitly invalidate unsupported stored credential formats during migration while retaining active endpoint-secret guard rows so private ingest remains fail-closed. Preserve legacy bearer token ID parsing for existing tokens.

Add migration, authentication, routing, repository, rate-limit, and smoke coverage, plus deployment guidance for provisioning and replacing credentials.
@codemountains codemountains force-pushed the cursor/credential-hash-constant-time-a182 branch from 1abee12 to 2821eb9 Compare July 12, 2026 09:21

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2821eb99e5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/api/migrations/0002_invalidate_non_hmac_credentials.sql
@codemountains codemountains merged commit 51c5ef5 into main Jul 12, 2026
3 checks passed
@codemountains codemountains deleted the cursor/credential-hash-constant-time-a182 branch July 12, 2026 09:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant