security: Fix 10 vulnerabilities, remove 12 dead code instances

Critical fixes: - Remove hardcoded admin/admin123 credentials from UserManager - Enable JWT signature verification (was disabled for debugging) - Redact secrets from /dev/config endpoint (was exposing os.environ) - Remove hardcoded SSH admin/admin credentials from hardware service - Add channel validation to prevent command injection in router interface Rust fixes: - Replace partial_cmp().unwrap() with .unwrap_or(Equal) to prevent NaN panics in 6 locations across core, signal, nn, mat crates - Replace .expect()/.unwrap() with safe fallbacks in utils, csi_receiver - Replace SystemTime unwrap with unwrap_or_default Dead code removed: - Duplicate imports (CORSMiddleware, os, Path, ABC, subprocess) - Unused AdaptiveRateLimit/RateLimitStorage/RedisRateLimitStorage (~110 lines) - Unused _log_authentication_event method - Unused Confidence::new_unchecked in Rust - Fix bare except: clause to except Exception: https://claude.ai/code/session_01Ki7pvEZtJDvqJkmyn6B714
2026-02-28 07:04:22 +00:00
parent ea452ba5fc
commit 7afdad0723
23 changed files with 81 additions and 192 deletions
--- a/v1/src/middleware/auth.py
+++ b/v1/src/middleware/auth.py
@@ -61,10 +61,16 @@ class TokenManager:
            logger.warning(f"JWT verification failed: {e}")
            raise AuthenticationError("Invalid token")
    
-    def decode_token(self, token: str) -> Optional[Dict[str, Any]]:
-        """Decode token without verification (for debugging)."""
+    def decode_token_claims(self, token: str) -> Optional[Dict[str, Any]]:
+        """Decode and verify token, returning its claims.
+
+        Unlike the previous implementation, this method always verifies
+        the token signature.  Use verify_token() for full validation
+        including expiry checks; this helper is provided only for
+        inspecting claims from an already-verified token.
+        """
        try:
-            return jwt.decode(token, options={"verify_signature": False})
+            return jwt.decode(token, self.secret_key, algorithms=[self.algorithm])
        except JWTError:
            return None

@@ -73,26 +79,10 @@ class UserManager:
    """User management for authentication."""
    
    def __init__(self):
-        # In a real application, this would connect to a database
-        # For now, we'll use a simple in-memory store
-        self._users: Dict[str, Dict[str, Any]] = {
-            "admin": {
-                "username": "admin",
-                "email": "admin@example.com",
-                "hashed_password": self.hash_password("admin123"),
-                "roles": ["admin"],
-                "is_active": True,
-                "created_at": datetime.utcnow(),
-            },
-            "user": {
-                "username": "user",
-                "email": "user@example.com",
-                "hashed_password": self.hash_password("user123"),
-                "roles": ["user"],
-                "is_active": True,
-                "created_at": datetime.utcnow(),
-            }
-        }
+        # In a real application, this would connect to a database.
+        # No default users are created -- users must be provisioned
+        # through the create_user() method or an external identity provider.
+        self._users: Dict[str, Dict[str, Any]] = {}
    
    @staticmethod
    def hash_password(password: str) -> str: