Logflare / logflare / 14a214d0cacbfbddf8a9baadd5e07ffbe6cf91d6

04 May 2026 11:18AM UTC coverage: 79.194% (+0.05%) from 79.146%
push

github

web-flow
Fix authentication bypass in node shutdown endpoint (#3422)

* Fix authentication bypass in node shutdown endpoint

- Fail closed: deny the request when LOGFLARE_NODE_SHUTDOWN_CODE is
  unset or empty (previously nil == nil allowed unauthenticated shutdown)
- Read the shutdown code from the X-Logflare-Shutdown-Code request
  header instead of a query parameter to prevent secret leakage in
  access logs and browser history
- Use Plug.Crypto.secure_compare/2 for constant-time comparison to
  prevent timing attacks
- Add tests covering each bypass scenario

https://claude.ai/code/session_01FTArwTBUZpCbanBxaViw8i

* Refactor shutdown auth: extract header arg, rename header

- valid_shutdown_code?/1 now takes the provided value directly rather
  than the conn, making it easier to unit test in isolation
- Rename header from x-logflare-shutdown-code to lf-shutdown-code

Closes PRODSEC-44

https://claude.ai/code/session_01FTArwTBUZpCbanBxaViw8i

* Centralise shutdown code env cleanup in test file setup

Save and restore the pre-existing :node_shutdown_code value in a
file-level setup/on_exit so individual tests don't each manage teardown.
Clear the key before each test so the unconfigured case is the default.

https://claude.ai/code/session_01FTArwTBUZpCbanBxaViw8i

* Use in guard for nil/empty provided code check

https://claude.ai/code/session_01FTArwTBUZpCbanBxaViw8i

* Use is_non_empty_binary guard in valid_shutdown_code?/1

Cleaner clause-based dispatch replaces the case tuple pattern match.

https://claude.ai/code/session_01FTArwTBUZpCbanBxaViw8i

* Update test/logflare_web/controllers/admin_controller_test.exs

Co-authored-by: Adam Mokan <amokan@gmail.com>

* Add happy-path shutdown test with Mimic expect

https://claude.ai/code/session_01FTArwTBUZpCbanBxaViw8i

* Let Mimic expectation be the sole assertion in shutdown success test

https://claude.ai/code/session_01FTArwTBUZpCbanBxaViw8i

* Assert log and 200 response in shutdown success test

Log "Nod... (continued)
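
The first commit in the message above describes a check that failed open (`nil == nil`) being replaced by one that fails closed and compares in constant time. The Elixir sketch below illustrates that difference; it is an added example, not code from the Logflare repository (this page does not show the source). The module name, function names and sample values are hypothetical, and the "before" clause is an assumed reconstruction from the commit message.

```elixir
# Added illustration, not Logflare's code. Only Plug.Crypto.secure_compare/2
# is a real library call; every other name here is hypothetical.
# Fetches plug_crypto on first run; drop this line inside a Phoenix project.
Mix.install([{:plug_crypto, "~> 2.0"}])

defmodule ShutdownAuthExample do
  defguardp is_non_empty_binary(value) when is_binary(value) and byte_size(value) > 0

  # Assumed "before": plain equality. If the secret is not configured and the
  # caller sends no code, both sides are nil and the request is authorised.
  def fail_open?(configured, provided), do: configured == provided

  # "After": both values must be non-empty binaries before any comparison
  # happens, and the comparison itself is constant-time.
  def fail_closed?(configured, provided)
      when is_non_empty_binary(configured) and is_non_empty_binary(provided) do
    Plug.Crypto.secure_compare(configured, provided)
  end

  # Anything else (nil, empty string, non-binary) is denied.
  def fail_closed?(_configured, _provided), do: false
end

# Constructed cases: {configured secret, value taken from the request header}
cases = [
  {nil, nil},
  {"", ""},
  {nil, "guess"},
  {"example-code", nil},
  {"example-code", "wrong"},
  {"example-code", "example-code"}
]

for {configured, provided} <- cases do
  IO.puts(
    "configured=#{inspect(configured)} provided=#{inspect(provided)} " <>
      "fail_open=#{ShutdownAuthExample.fail_open?(configured, provided)} " <>
      "fail_closed=#{ShutdownAuthExample.fail_closed?(configured, provided)}"
  )
end
```

The first two cases are the ones the commit message calls out: with the secret unset or empty, the equality check accepts a request that carries no code, while the guarded version denies it.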

7 of 8 new or added lines in 1 file covered. (87.5%)

3 existing lines in 3 files now uncovered.

12279 of 15505 relevant lines covered (79.19%)

4835.91 hits per line

Source File

54.72
/lib/logflare_web/controllers/admin_controller.ex


Source Not Available