fix(security): Close review follow-up gaps

Rate-limit the optional agent bearer path after user auth resolution so mixed user/agent routes no longer leave an unthrottled PBKDF2 path. Stop logging token prefixes on agent auth failures and require a locally supplied token for backend/.env.test instead of committing one.

Update tests and docs to cover agent bearer fallback, configurable webhook signature headers, and the operator-facing security settings added by the hardening work.

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Abhimanyu Saharan
2026-03-07 23:40:50 +05:30
parent 355bed1b40
commit fb8a932923
11 changed files with 268 additions and 42 deletions
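The first paragraph of the commit message describes an ordering bug: on routes that accept either a user session or an agent bearer token, the agent fallback ran PBKDF2 on every bad token before any throttling, and failures logged a token prefix. The sketch below is an added example, not code from this repository, showing the corrected ordering: user auth is resolved first, the agent bearer path is rate-limited before the expensive PBKDF2 compare, and the failure log carries only the non-secret token id and length. The `token_id.secret` bearer layout, the class and function names, and the in-memory store and limiter are all assumptions made for the example.

```python
import hashlib
import hmac
import logging
import secrets
import time
from collections import defaultdict, deque

log = logging.getLogger("agent_auth")

# Assumed cost parameter; the real value belongs in config, not here.
PBKDF2_ITERATIONS = 100_000


def hash_agent_token(token: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the bearer secret; deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, PBKDF2_ITERATIONS)


class AgentTokenStore:
    """Constructed in-memory store: token_id -> (salt, digest). Hypothetical."""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[bytes, bytes]] = {}
        self.verify_calls = 0  # counts PBKDF2 evaluations, to show throttling works

    def create(self, token_id: str) -> str:
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._rows[token_id] = (salt, hash_agent_token(secret, salt))
        return secret  # shown once to the operator, never stored in clear

    def verify(self, token_id: str, secret: str) -> bool:
        self.verify_calls += 1
        row = self._rows.get(token_id)
        if row is None:
            return False
        salt, digest = row
        return hmac.compare_digest(hash_agent_token(secret, salt), digest)


class SlidingWindowLimiter:
    """Per-key sliding window: at most `limit` attempts per `window_s` seconds."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic) -> None:
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def resolve_auth(headers, client_ip, user_session, store, limiter):
    """Return ("user", id), ("agent", id) or None.

    Ordering is the point: a resolved user session short-circuits; the agent
    bearer fallback is rate-limited *before* any PBKDF2 work, so an attacker
    cannot burn CPU with a stream of bad tokens on a mixed user/agent route.
    """
    if user_session is not None:
        return ("user", user_session)
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return None
    if not limiter.allow(client_ip):
        log.warning("agent auth rate limited ip=%s", client_ip)  # map to 429 upstream
        return None
    bearer = auth[len("Bearer "):]
    token_id, sep, secret = bearer.partition(".")
    if not sep or not store.verify(token_id, secret):
        # Log the public id and length only; never a prefix of the secret.
        log.warning("agent auth failed ip=%s token_id=%s len=%d",
                    client_ip, token_id, len(bearer))
        return None
    return ("agent", token_id)
```

Keying the limiter on client IP is the assumption here; behind a proxy you would key on the forwarded address you actually trust, and the `verify_calls` counter exists only to make the "no PBKDF2 while throttled" property observable.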


@@ -1,5 +1,6 @@
# Commit-safe backend test environment.
# Usage:
# export LOCAL_AUTH_TOKEN="$(python3 -c 'import secrets; print(secrets.token_urlsafe(48))')"
# cd backend
# uv run --env-file .env.test uvicorn app.main:app --reload --port 8000
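Review bot: the usage comment depends on the shell-exported LOCAL_AUTH_TOKEN surviving `uv run --env-file .env.test` while the file itself now carries an empty `LOCAL_AUTH_TOKEN=` assignment; whether the exported value or the file's empty value wins depends on the env-file loader's override behaviour, so either state that precedence explicitly in the comment or comment the key out in the file instead of leaving an empty assignment. It would also help to say what an operator sees when the variable is unset (the backend refusing to start is the intended outcome for a length-checked token), so a missing export is not mistaken for a broken server.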
@@ -17,9 +18,9 @@ BASE_URL=http://localhost:8000
# Auth mode: local for test/dev
AUTH_MODE=local
# Set in your shell before starting the backend.
# Must be non-placeholder and >= 50 chars.
# Generate with: python3 -c "import secrets; print(secrets.token_urlsafe(48))"
LOCAL_AUTH_TOKEN=local-auth-test-token-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
LOCAL_AUTH_TOKEN=
# Clerk settings kept empty in local auth mode
CLERK_SECRET_KEY=
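Review bot: the removed value `local-auth-test-token-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` has already been committed, so anyone who copied it into a real environment should rotate it; that deserves a line in the commit message or changelog. The new comment `# Must be non-placeholder and >= 50 chars.` is also underspecified: the removed value was itself around the 50-character mark, so the length rule alone would not obviously have rejected it. Document which patterns count as placeholder (or name the validation the backend applies) so an operator knows why startup fails, and note that `python3 -c "import secrets; print(secrets.token_urlsafe(48))"` yields a 64-character value, comfortably above the minimum.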