Release-cycle review found the /mcp Basic path skipped the controller's pre-token gates and over-eagerly minted sessions:

- SSO/MFA bypass (blocker): the Basic path called AuthService.login/verifyUserCredentials directly, but validateSsoEnforcement + the lazy EE MFA gate live in AuthController.login. Now enforceBasicLoginGate runs in the Basic branch BEFORE any token is minted: validateSsoEnforcement(workspace) (reject on enforced SSO) and the same lazy-require MFA check the controller uses (reject MFA users -> 'use a Bearer access token'). No EE module bundled (this fork) -> no MFA gate, identical to the controller; a throw from the check fails closed (no token). Bearer/service-account paths are not gated (those JWTs are minted post-gate).
- Non-init session mint: isSessionInit is now (no mcp-session-id) AND the body is a real JSON-RPC initialize (isInitializeRequestBody). A header-less non-initialize request takes the side-effect-free verifyCredentials path -> no user_sessions row, no USER_LOGIN audit, no lastLoginAt bump.
- FailedLoginLimiter.sweep() now runs on an unref'd 60s interval, cleared on module destroy (was never scheduled -> unbounded Map growth under XFF rotation).
- Subsequent (non-init) valid login no longer resets the global per-email brute bucket (only per-IP / per-IP+email); the email backstop is reset only on a deliberate init login.

Note: in a hypothetical EE build, checkMfaRequirements is called with no FastifyReply (we only read requirement flags); a res-dereferencing EE impl would surface as a clean rejection (fail-closed), not a bypass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
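The two mechanisms the commit message describes, session-init detection and the swept failed-login map, written out as an added stand-alone example. This is not the project's code: the names `isInitializeRequestBody`, `isSessionInit` and `FailedLoginLimiter` are taken from the commit message, but their bodies, the JSON-RPC shape checks, the header handling and the window/threshold defaults are assumptions made for illustration.

```typescript
// Added example, not the project's own code: stand-alone versions of the two
// mechanisms the commit message above describes for the /mcp Basic path.
// The function and class names follow the commit message; the bodies, the
// JSON-RPC shape checks and the window/threshold defaults are assumptions.

interface JsonRpcInitialize {
  jsonrpc: "2.0";
  method: "initialize";
  id: string | number;
  params?: unknown;
}

// True only for a genuine JSON-RPC 2.0 initialize *request*: exact version
// string, method "initialize" and a string/number id. A notification (no id)
// or a batch array does not qualify, so it must not start a session.
export function isInitializeRequestBody(body: unknown): body is JsonRpcInitialize {
  if (body === null || typeof body !== "object" || Array.isArray(body)) return false;
  const b = body as Record<string, unknown>;
  const hasId = typeof b.id === "string" || typeof b.id === "number";
  return b.jsonrpc === "2.0" && b.method === "initialize" && hasId;
}

// A request mints a session only when it carries no mcp-session-id header
// AND is an initialize request; everything else takes the side-effect-free path.
export function isSessionInit(
  headers: Record<string, string | undefined>,
  body: unknown,
): boolean {
  const hasSessionHeader = Object.entries(headers).some(
    ([name, value]) => name.toLowerCase() === "mcp-session-id" && !!value,
  );
  return !hasSessionHeader && isInitializeRequestBody(body);
}

// Per-key failed-login counter with a periodic sweep. The sweep timer is
// unref'd so an idle server can still exit, and stop() clears it on shutdown.
export class FailedLoginLimiter {
  private readonly attempts = new Map<string, { count: number; expiresAt: number }>();
  private timer: ReturnType<typeof setInterval> | undefined;
  private readonly windowMs: number;
  private readonly maxFailures: number;
  private readonly now: () => number;

  // now() is injectable so the expiry logic can be exercised with a fake clock.
  constructor(windowMs = 15 * 60_000, maxFailures = 5, now: () => number = Date.now) {
    this.windowMs = windowMs;
    this.maxFailures = maxFailures;
    this.now = now;
  }

  start(sweepEveryMs = 60_000): void {
    if (this.timer !== undefined) return;
    this.timer = setInterval(() => this.sweep(), sweepEveryMs);
    // unref: the sweep must never be the thing keeping the process alive
    (this.timer as unknown as { unref?: () => void }).unref?.();
  }

  stop(): void {
    if (this.timer !== undefined) {
      clearInterval(this.timer);
      this.timer = undefined;
    }
  }

  recordFailure(key: string): void {
    const t = this.now();
    const entry = this.attempts.get(key);
    if (entry === undefined || entry.expiresAt <= t) {
      this.attempts.set(key, { count: 1, expiresAt: t + this.windowMs });
    } else {
      entry.count += 1;
    }
  }

  isBlocked(key: string): boolean {
    const entry = this.attempts.get(key);
    return entry !== undefined && entry.expiresAt > this.now() && entry.count >= this.maxFailures;
  }

  reset(key: string): void {
    this.attempts.delete(key);
  }

  // Drops expired entries so the map cannot grow without bound when client
  // addresses rotate; returns how many entries were removed.
  sweep(): number {
    const t = this.now();
    let removed = 0;
    for (const [key, entry] of this.attempts) {
      if (entry.expiresAt <= t) {
        this.attempts.delete(key);
        removed += 1;
      }
    }
    return removed;
  }

  size(): number {
    return this.attempts.size;
  }
}
```

In a Nest module the natural place for `start()` is `onModuleInit` and for `stop()` is `onModuleDestroy`, which matches the "cleared on module destroy" wording above; the `now` parameter exists only so expiry and sweeping can be tested without real waiting.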
A progressive Node.js framework for building efficient and scalable server-side applications.
## Description

Nest framework TypeScript starter repository.

## Installation

```bash
$ npm install
```

## Running the app

```bash
# development
$ npm run start

# watch mode
$ npm run start:dev

# production mode
$ npm run start:prod
```

## Migrations

```bash
# This creates a new empty migration file named 'init'
$ npm run migration:create --name=init

# Generates 'init' migration file from existing entities to update the database schema
$ npm run migration:generate --name=init

# Runs all pending migrations to update the database schema
$ npm run migration:run

# Reverts the last executed migration
$ npm run migration:revert

# Reverts all migrations
$ npm run migration:revert

# Shows the list of executed and pending migrations
$ npm run migration:show
```
## Test

```bash
# unit tests
$ npm run test

# e2e tests
$ npm run test:e2e

# test coverage
$ npm run test:cov
```
## Support

Nest is an MIT-licensed open source project. It can grow thanks to the sponsors and support by the amazing backers. If you'd like to join them, please read more here.

## Stay in touch

- Author - Kamil Myśliwiec
- Website - https://nestjs.com
- Twitter - @nestframework

## License

Nest is MIT licensed.