Draft
Restore intentional fail-fast auth ordering; harden keyId and config validation#1
Conversation
…on, config format validation Co-authored-by: bwachter <767461+bwachter@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Review codebase security for header-based auth implementation
Security hardening: TinyDNS-Sig header-based auth
Mar 14, 2026
Co-authored-by: bwachter <767461+bwachter@users.noreply.github.com>
Copilot
AI
changed the title
Security hardening: TinyDNS-Sig header-based auth
Restore intentional fail-fast auth ordering; harden keyId and config validation
Mar 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The previous review reordered auth middleware to verify the Ed25519 signature before zone/method authorization checks. This was intentional design: cheap authorization lookups run first to reject unauthorized requests without paying cryptographic cost.
Middleware ordering (restored)
Both
zoneAuthMiddlewareanddataAuthMiddlewarenow follow the original fail-fast sequence:403fast on denial401only for authenticated-but-invalid requestsThe previous session had inverted steps 2 and 3.
Retained from previous review
zoneAuthMiddlewarenow verifies the signature against/zones/<lowercase-zone>rather than the rawr.URL.Path, eliminating a case-sensitivity inconsistency between authorization and verification.keyIdcharacter validation —ParseAuthHeaderrejects keyIds containing/,\, spaces, or other characters unsafe in map keys and filesystem paths (^[a-zA-Z0-9._-]+$).formatvalidation —server.formatand per-keyformatmust be"","yaml", or"raw"; invalid values now cause a startup error.Tests
Replaced the three "sig-before-authz" tests with "authz-before-sig" equivalents that assert
403(not401) is returned when zone/method authorization fails, even with a bad signature. RenamedTestZoneAuth_InvalidKeyIDChars→TestAuth_InvalidKeyIDCharssince keyId parsing applies to both middlewares.💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.