Work log - 2025-08-03 - Notes





Next

  1. Write up instructions on setting up echo client app as a new launch on your box, etc. (for upstairs machine). For example, .env vars in both projects, and identity-backend's cPanel variables.
  2. Combine into QA Label, working releases, as a single squashed commit, when ready



2025-08-03 - 1:55pm - Ran into an issue, where if I started to issue secrets using

C:\Users\saad0\Documents\source\echo>python -c "import secrets; print(secrets.token_urlsafe(32))"

Iku9w1tqHqULJheawROL5msrouqwdspQwH8Phx-mDfk

Then I broke things


This was while I also had some code to short-circuit in process, and I need to see if that code is actually working as I expected to protect against default client secrets from going to production

[] <dev-client-secret> -> needs to be updated everywhere dev-client-secret is used

[] toggle dev mode on and off, and see if it triggers correctly





Absolutely! Let’s do this like a principal engineer reviewing a launch candidate.

We’ll go step by step—starting with the most embarrassing and critical, then moving through “still needs work,” then finishing with “would impress a staff/principal at a real company.”

After each, you decide if you want to go deeper or move on.


Step 1: Embarrassing/Critical Security Flaws

1. Hardcoded Secrets

  • Red Flag:

    • Any JWT_SECRET_KEY = "dev-secret" or similar in your code.

  • Fix:

    • Must load all secrets from environment variables. Never ship code with test secrets, ever.

  • Audit:

    • .env and secret injection confirmed in every environment.

  • How to spot:

    • Search for = "secret" or similar strings in all code/config.


2. Dev-Only Endpoints Exposed in Production

  • Red Flag:

    • /test-token, /debug-env, or any “easy testing” endpoints enabled on production servers.

  • Fix:

    • Wrap all dev endpoints:

      if not app.config.get("DEV_MODE"):
          app.view_functions.pop('test_token', None)
      
    • Or, raise on prod startup if any dev route is still present.

  • Audit:

    • Deploy logs confirm dev endpoints never exposed on prod URLs.


3. No JWT Signature/Audience/Expiry Check

  • Red Flag:

    • Accepting JWTs with jwt.decode(..., options={"verify_signature": False}), or not checking aud and exp.

  • Fix:

    • Always enforce:

      jwt.decode(token, JWT_SECRET_KEY, algorithms=["HS256"], audience="expected-service",
                 issuer="identity-backend", options={"require": ["exp"]})  # reject tokens that carry no exp claim
      
  • Audit:

    • Try tampering with any token; system must return 401 instantly.


4. Excessive Token Lifetimes

  • Red Flag:

    • Tokens set to live for hours/days (“set and forget”).

  • Fix:

    • Keep expiry ≤ 15 minutes; require refresh/reauth after.

  • Audit:

    • Inspect all JWT exp claims; no “long lived” tokens.


5. Insecure Cookie or Session Handling

  • Red Flag:

    • Storing JWT in localStorage, cookies without HttpOnly/Secure, or leaking session IDs in URLs.

  • Fix:

    • Store tokens in HTTP-only, secure cookies, or server-side session.

  • Audit:

    • Run OWASP ZAP or Burp Suite—no JWT/session leaks or vulnerable cookies.


Pause for Your Input

  • Would you like to see code search tips for these?

  • Want to do a live code scan for these issues, or move to the next level (major but less embarrassing flaws)?

Let me know before we continue!
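
An added example, not code from the original post or from the echo / identity-backend projects: a startup check of the kind the notes and item 1 (Hardcoded Secrets) describe, which refuses to start outside dev mode when a secret is missing, is a known placeholder, or is too short. JWT_SECRET_KEY and DEV_MODE are names from the page; CLIENT_SECRET, the placeholder set and the 32-character minimum are assumptions.

```python
import secrets

# Placeholder values named on this page, plus common variants (the set is an assumption).
PLACEHOLDERS = {"dev-secret", "dev-client-secret", "<dev-client-secret>", "secret", "changeme"}
# JWT_SECRET_KEY and DEV_MODE appear on the page; CLIENT_SECRET is a hypothetical name.
REQUIRED_SECRETS = ("JWT_SECRET_KEY", "CLIENT_SECRET")
MIN_LENGTH = 32  # assumed floor; secrets.token_urlsafe(32) yields 43 characters


def is_dev_mode(env):
    """DEV_MODE is on only for explicit truthy strings; unset or anything else means production."""
    return env.get("DEV_MODE", "").strip().lower() in {"1", "true", "yes", "on"}


def find_secret_problems(env):
    """Return human-readable problems; the secret value itself is never included."""
    problems = []
    for name in REQUIRED_SECRETS:
        value = env.get(name, "")
        if not value:
            problems.append(f"{name} is not set")
        elif value.strip().lower() in PLACEHOLDERS:
            problems.append(f"{name} is a known placeholder")
        elif len(value) < MIN_LENGTH:
            problems.append(f"{name} is shorter than {MIN_LENGTH} characters")
    return problems


def check_startup(env):
    """Raise outside dev mode on any problem; in dev mode return the problems as warnings."""
    problems = find_secret_problems(env)
    if problems and not is_dev_mode(env):
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return problems


if __name__ == "__main__":
    # Constructed sample environments, not values from any real deployment.
    good = {"JWT_SECRET_KEY": secrets.token_urlsafe(32), "CLIENT_SECRET": secrets.token_urlsafe(32)}
    bad = {"JWT_SECRET_KEY": "dev-secret", "CLIENT_SECRET": "dev-client-secret"}
    print(check_startup(good))                         # clean config passes
    print(check_startup({**bad, "DEV_MODE": "true"}))  # dev mode: warnings only
    try:
        check_startup({**bad, "DEV_MODE": "false"})    # production: must raise
    except RuntimeError as exc:
        print(exc)
```

In a real app, call check_startup(os.environ) before the server binds; because an unset DEV_MODE counts as production, a forgotten variable fails closed.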
