@Praying Praying commented Jan 8, 2026

…rets

  • Mark SHA-1 and MD5 as deprecated in HashAlgorithm enum with security warnings
  • Add minimum 32-character requirement for JWT secret keys to prevent brute-force attacks
  • Implement secret length validation in jwt_sign function with detailed error messages
  • Update JWT examples to use strong secrets with at least 32 characters
  • Add comprehensive tests for weak secret rejection and minimum valid secret acceptance
  • Remove deprecated test binary configuration and source file
  • Add request body size validation in HTTP client to prevent DoS attacks
  • Introduce max_request_size configuration with 10MB default and 100MB maximum
  • Add validation for request size limits in HTTP configuration
  • Reduce WebSocket pong timeout from 90 seconds to 30 seconds for faster zombie detection
  • Improve circuit breaker failure recording with atomic state transitions
  • Enhance rate limiter calculations using u128 to prevent overflow for long uptimes
  • Update documentation comments and test descriptions with security considerations

…mplementations

- Added #[allow(deprecated)] attribute to HashAlgorithm::from_str method
- Added #[allow(deprecated)] attribute to HashAlgorithm Display implementation
- Added #[allow(deprecated)] attribute to hmac signing function
- Added #[allow(deprecated)] attribute to hash function implementation
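As an added example (not code from this PR or the project), the shape of three checks the description lists: the 32-character JWT secret minimum, the max_request_size bounds, and the u128 widening in the rate limiter. All names, the binary-megabyte sizes and the refill formula are assumptions.

```rust
/// Minimum JWT secret length from the PR description (32 characters).
pub const MIN_JWT_SECRET_LEN: usize = 32;
/// Request body limits from the PR description: 10 MB default, 100 MB maximum
/// (assumed here to be binary megabytes).
pub const DEFAULT_MAX_REQUEST_SIZE: usize = 10 * 1024 * 1024;
pub const MAX_REQUEST_SIZE_LIMIT: usize = 100 * 1024 * 1024;

/// Reject a weak HMAC secret before signing, with a detailed error.
/// Hypothetical helper: the project's jwt_sign signature is not on the page.
pub fn validate_jwt_secret(secret: &[u8]) -> Result<(), String> {
    if secret.len() < MIN_JWT_SECRET_LEN {
        return Err(format!(
            "JWT secret too short: {} bytes, minimum is {}",
            secret.len(),
            MIN_JWT_SECRET_LEN
        ));
    }
    Ok(())
}

/// Validate a configured max_request_size: zero or above the hard limit is an error.
pub fn validate_max_request_size(size: usize) -> Result<usize, String> {
    if size == 0 {
        return Err("max_request_size must be greater than zero".into());
    }
    if size > MAX_REQUEST_SIZE_LIMIT {
        return Err(format!("max_request_size {size} exceeds limit {MAX_REQUEST_SIZE_LIMIT}"));
    }
    Ok(size)
}

/// Tokens a limiter has accrued after `elapsed_nanos` at `rate_per_sec`,
/// with the product widened to u128 so long uptimes cannot overflow
/// (assumed refill formula, not the project's).
pub fn tokens_accrued_u128(rate_per_sec: u64, elapsed_nanos: u64) -> u64 {
    let tokens = (rate_per_sec as u128 * elapsed_nanos as u128) / 1_000_000_000;
    tokens.min(u64::MAX as u128) as u64
}

/// The same formula kept in u64: None once the product overflows,
/// which at 1_000_000 req/s happens after about five hours of uptime.
pub fn tokens_accrued_u64(rate_per_sec: u64, elapsed_nanos: u64) -> Option<u64> {
    rate_per_sec.checked_mul(elapsed_nanos).map(|p| p / 1_000_000_000)
}

fn main() {
    println!("{:?}", validate_jwt_secret(b"short"));
    let day_ns = 24 * 60 * 60 * 1_000_000_000u64; // constructed: one day of uptime
    println!("u64: {:?}  u128: {}", tokens_accrued_u64(1_000_000, day_ns), tokens_accrued_u128(1_000_000, day_ns));
}
```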
@Praying Praying merged commit 41c5c3a into main Jan 8, 2026
9 checks passed
@Praying Praying deleted the 001-fix-critical-security branch January 8, 2026 15:54