Skip to content

Restore intentional fail-fast auth ordering; harden keyId and config validation#1

Draft
bwachter with Copilot wants to merge 3 commits into
masterfrom
copilot/review-header-auth-implementation
Draft

Restore intentional fail-fast auth ordering; harden keyId and config validation#1
bwachter with Copilot wants to merge 3 commits into
masterfrom
copilot/review-header-auth-implementation

Conversation

Copilot AI commented Mar 14, 2026

Copy link
Copy Markdown

The previous review reordered auth middleware to verify the Ed25519 signature before zone/method authorization checks. This was intentional design: cheap authorization lookups run first to reject unauthorized requests without paying cryptographic cost.

Middleware ordering (restored)

Both zoneAuthMiddleware and dataAuthMiddleware now follow the original fail-fast sequence:

  1. Parse header → timestamp check → key lookup
  2. Authorization checks (zone membership, method flags) → 403 fast on denial
  3. Signature verification (Ed25519) → 401 only for authenticated-but-invalid requests

The previous session had inverted steps 2 and 3.

Retained from previous review

  • Normalized path in canonical stringzoneAuthMiddleware now verifies the signature against /zones/<lowercase-zone> rather than the raw r.URL.Path, eliminating a case-sensitivity inconsistency between authorization and verification.
  • keyId character validationParseAuthHeader rejects keyIds containing /, \, spaces, or other characters unsafe in map keys and filesystem paths (^[a-zA-Z0-9._-]+$).
  • Config format validationserver.format and per-key format must be "", "yaml", or "raw"; invalid values now cause a startup error.

Tests

Replaced the three "sig-before-authz" tests with "authz-before-sig" equivalents that assert 403 (not 401) is returned when zone/method authorization fails, even with a bad signature. Renamed TestZoneAuth_InvalidKeyIDCharsTestAuth_InvalidKeyIDChars since keyId parsing applies to both middlewares.


💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.

Copilot AI self-assigned this Mar 14, 2026
…on, config format validation

Co-authored-by: bwachter <767461+bwachter@users.noreply.github.com>
Copilot AI changed the title [WIP] Review codebase security for header-based auth implementation Security hardening: TinyDNS-Sig header-based auth Mar 14, 2026
Copilot AI requested a review from bwachter March 14, 2026 09:06
Co-authored-by: bwachter <767461+bwachter@users.noreply.github.com>
Copilot AI changed the title Security hardening: TinyDNS-Sig header-based auth Restore intentional fail-fast auth ordering; harden keyId and config validation Mar 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants