Add comprehensive security audit (86 findings across 10 areas)

Secure dev auth with signed tokens, add email support for --user
Simplify breakpoint variables, suppress Sass deprecation warnings

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
root
2025-12-19 01:14:31 +00:00
parent ee87bc6297
commit f67c88a4f1
10 changed files with 270 additions and 35 deletions


@@ -21,9 +21,11 @@ Examples:
CORE OPTIONS
--user=<id> | --user-id=<id>
Test as a specific user ID, bypassing authentication. Uses backdoor
authentication that only works in development environments.
--user=<id|email>
Test as a specific user, bypassing authentication. Accepts either a
numeric user ID or an email address. Validates user exists before
running test. Uses backdoor authentication that only works in
development environments.
--no-body
Suppress HTTP response body output. Useful when you only want to see
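Review bot: this hunk replaces the `--user=<id> | --user-id=<id>` entry with `--user=<id|email>`, dropping the `--user-id` alias from CORE OPTIONS, but the AUTHENTICATION & BACKDOOR section further down the same file still opens with "The --user and --user-id options"; either keep the alias listed here or bring that paragraph in line so the help text does not document an option that no longer appears in the option list. The sentence "Validates user exists before running test" would also be more useful if it said how the failure is reported (the error text and whether the command exits non-zero), since scripts calling `rsx:debug` need to distinguish "user not found" from a failed request.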
@@ -201,14 +203,24 @@ JAVASCRIPT EVALUATION
AUTHENTICATION & BACKDOOR
The --user and --user-id options use backdoor authentication that only works
in development/testing environments. The tool sends an X-Dev-Auth-User-Id
header that the framework recognizes and uses to authenticate as that user
without requiring login credentials.
The --user option accepts either a numeric user ID or email address. When
an email is provided, it is resolved to the user ID before testing. The
user must exist in the database or the command will fail with an error.
SECURITY: Authentication is protected by a signed token (HMAC-SHA256) using
the application's APP_KEY. The token is generated by rsx:debug and verified
by the framework before any user override occurs. This prevents:
- External requests from hijacking sessions by sending headers directly
- Attackers from authenticating as arbitrary users even in development
The framework silently ignores authentication headers without a valid token.
Raw curl requests with X-Dev-Auth-User-Id will NOT authenticate.
This feature is:
- Only available in local/development/testing environments
- Automatically disabled in production
- Requires valid signed token (generated from APP_KEY)
- Automatically disabled in production (APP_KEY is cleared in .env.dist)
- Useful for testing protected routes
- Does not require modifying session state
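Review bot: the bullet "Automatically disabled in production (APP_KEY is cleared in .env.dist)" ties the production safeguard to a template file rather than to an enforced check. Any real deployment sets a non-empty APP_KEY, so an HMAC-SHA256 token derived from it would verify in production just as well as in development; the protection that matters is the environment gate named two bullets earlier ("Only available in local/development/testing environments"), and the text should state that the framework refuses the override outside those environments regardless of whether the token is valid, rather than implying the cleared template key is what disables it. The SECURITY paragraph also says the token is HMAC-SHA256 over APP_KEY but never says what is signed; documenting that the signature covers at least the user ID (and whether it carries an expiry) lets a reader judge whether a captured token can be reused for another user or at a later time. Finally, "The framework silently ignores authentication headers without a valid token" is fine as behaviour, but consider recommending that rejected `X-Dev-Auth-User-Id` headers be logged, since a bare header arriving from outside the tool is exactly the event an operator would want to see.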
@@ -251,6 +263,9 @@ COMMON PATTERNS
Test a protected route as user ID 1:
php artisan rsx:debug /admin/users --user=1
Test a protected route by email:
php artisan rsx:debug /admin/users --user=admin@example.com
Check if JavaScript errors occur:
php artisan rsx:debug /page
# Console errors are always shown
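Review bot: the new "Test a protected route by email" example pairs well with the option text, but since the option entry now promises "Validates user exists before running test", it would help to show the corresponding failure alongside it (an email that matches no user and the message the command prints), so readers see both outcomes of the lookup rather than only the success path. Also check that `admin@example.com` is consistent with any sample users referenced elsewhere in the help text; if not, a note that it is a placeholder avoids readers assuming the user ships with the application.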