
v0.3.1

@jaschadub jaschadub released this 10 Aug 21:27

Added

🔒 Security Enhancements

  • Centralized Configuration Management: New config.rs module for secure configuration handling
    • Environment variable abstraction layer with validation
    • Multiple secret key providers (environment, file, external services)
    • Centralized configuration access patterns
  • Enhanced CI/CD Security: Automated security scanning in GitHub Actions
    • Daily cargo audit vulnerability scanning
    • Clippy security lints integration
    • Secret leak detection in build pipeline

📋 API Documentation

  • SwaggerUI Integration: Interactive API documentation for HTTP endpoints
    • Auto-generated OpenAPI specifications
    • Interactive API testing interface
    • Complete endpoint documentation with examples

Security Fixes

🛡️ Critical Vulnerability Resolutions

  • RUSTSEC-2022-0093: Fixed the ed25519-dalek "Double Public Key Signing Function Oracle Attack" (the 1.x Keypair API let a signing call be paired with a mismatched public key, producing two signatures that share R and allow private key recovery)
    • Updated from v1.0.1 → v2.2.0 (the 2.x signing API derives the public key itself rather than accepting one from the caller)
  • RUSTSEC-2024-0344: Resolved timing variability in curve25519-dalek scalar subtraction (Scalar29::sub / Scalar52::sub)
    • Updated from v3.2.0 → v4.1.3 (transitive dependency, pulled in via ed25519-dalek)
  • RUSTSEC-2025-0009: Fixed ring AES functions that could panic when overflow checking is enabled (denial of service)
    • Updated from v0.16 → v0.17.12
  • Timing Attack Prevention: Implemented constant-time bearer token comparison
    • Replaced the early-exit string equality comparison in the authentication middleware, whose running time revealed how many leading bytes of a guessed token were correct
    • Added the subtle crate (ConstantTimeEq) for constant-time comparison
    • Enhanced authentication logging and error handling

Improved

Configuration Management

  • Environment Variable Security: Eliminated direct env::var usage throughout the codebase; all environment access now goes through the config module
  • Secret Handling: Secure configuration management with validation
  • Error Handling: Enhanced configuration error reporting and validation
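The centralized configuration module and secret key providers described under Added and Improved above, as an added example (not the project's config.rs): a small provider abstraction with environment and file sources, name validation, a minimum-length check, and a redacting Debug wrapper. The 32-byte minimum, the error variants and the file-per-secret layout are assumptions.

```rust
// Added example, not the project's config.rs: a small secret-provider
// abstraction of the kind the release notes describe (environment and file
// providers with validation). Names and the minimum length are assumptions.
use std::env;
use std::fmt;
use std::fs;
use std::path::PathBuf;

/// Secret material whose `Debug` output is redacted, so a stray `{:?}` on a
/// config struct cannot write the value into a log.
#[derive(Clone, PartialEq, Eq)]
pub struct Secret(String);

impl Secret {
    /// Explicit accessor: every use of the raw value is greppable.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret([REDACTED])")
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum ConfigError {
    InvalidName(String),
    Missing(String),
    TooShort { name: String, min: usize },
    Unreadable { name: String, reason: String },
}

/// One source of secrets. `Ok(None)` means "not here, try the next provider";
/// `Err` means the source exists but could not be read and must not be skipped.
pub trait SecretProvider {
    fn get(&self, name: &str) -> Result<Option<String>, ConfigError>;
}

/// Reads `name` from the process environment.
pub struct EnvProvider;

impl SecretProvider for EnvProvider {
    fn get(&self, name: &str) -> Result<Option<String>, ConfigError> {
        match env::var(name) {
            Ok(v) => Ok(Some(v)),
            Err(env::VarError::NotPresent) => Ok(None),
            Err(e) => Err(ConfigError::Unreadable { name: name.to_string(), reason: e.to_string() }),
        }
    }
}

/// Reads `<dir>/<name>`, the layout used by Docker and Kubernetes secret mounts,
/// and strips the trailing newline that editors and `echo` leave behind.
pub struct FileProvider {
    pub dir: PathBuf,
}

impl SecretProvider for FileProvider {
    fn get(&self, name: &str) -> Result<Option<String>, ConfigError> {
        let path = self.dir.join(name);
        if !path.is_file() {
            return Ok(None);
        }
        fs::read_to_string(&path)
            .map(|s| Some(s.trim_end_matches(&['\r', '\n'][..]).to_string()))
            .map_err(|e| ConfigError::Unreadable { name: name.to_string(), reason: e.to_string() })
    }
}

/// Only `[A-Z0-9_]` names are accepted, so a name can never become a path
/// traversal (`../...`) when the file provider joins it onto its directory.
fn valid_name(name: &str) -> bool {
    !name.is_empty()
        && name.chars().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit() || c == '_')
}

/// Resolve `name` from the first provider that has it, then enforce a minimum
/// length. A present-but-too-short value is an error rather than a fallthrough:
/// failing closed beats silently using a source the operator did not intend.
pub fn load_secret(
    providers: &[&dyn SecretProvider],
    name: &str,
    min_len: usize,
) -> Result<Secret, ConfigError> {
    if !valid_name(name) {
        return Err(ConfigError::InvalidName(name.to_string()));
    }
    for provider in providers {
        if let Some(raw) = provider.get(name)? {
            if raw.len() < min_len {
                return Err(ConfigError::TooShort { name: name.to_string(), min: min_len });
            }
            return Ok(Secret(raw));
        }
    }
    Err(ConfigError::Missing(name.to_string()))
}
```

An external-service provider (the third kind the notes list) would implement the same trait; the important property is that a read failure is an `Err` that stops resolution, never an `Ok(None)` that lets a weaker source win by accident.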

Authentication & Security

  • Middleware Security: Updated authentication middleware to use configuration management
  • Request Logging: Enhanced security logging for authentication failures
  • Token Validation: Improved bearer token validation with timing attack prevention
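The constant-time token comparison described under Security Fixes and in the Token Validation item above, as an added example (not the project's middleware): the early-exit comparison that was replaced, beside a constant-time equivalent, inside a minimal bearer-token check. The project's fix uses the subtle crate's ConstantTimeEq; the std-only version here follows the same accumulate-then-test pattern so it runs without external crates. The header handling, error names and sample token are assumptions.

```rust
// Added example, not the project's middleware: the leaky comparison the release
// replaced, next to a constant-time equivalent, inside a minimal bearer-token
// check. The project uses `subtle::ConstantTimeEq`; this std-only version
// follows the same accumulate-then-test pattern. Names are assumptions.
use std::hint::black_box;

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    MissingHeader,
    MalformedHeader,
    InvalidToken,
}

/// BEFORE: slice `==` stops at the first mismatching byte, so response time
/// grows with the number of correct leading bytes and an attacker on a quiet
/// network can recover the token one byte at a time.
pub fn token_eq_leaky(expected: &[u8], presented: &[u8]) -> bool {
    expected == presented
}

/// AFTER: always walk the full `expected` length, OR every byte difference into
/// an accumulator, and look at it only once at the end. Running time depends on
/// the length of `expected` (not a secret) and on nothing about `presented`.
pub fn ct_eq(expected: &[u8], presented: &[u8]) -> bool {
    // A length mismatch is folded into the accumulator instead of returning early.
    let mut diff: u8 = (expected.len() != presented.len()) as u8;
    for (i, &e) in expected.iter().enumerate() {
        // Out-of-range positions compare against 0; the bounds check depends on
        // the lengths only, never on token bytes.
        let p = presented.get(i).copied().unwrap_or(0);
        diff |= black_box(e ^ p);
    }
    black_box(diff) == 0
}

/// Parse `Authorization: Bearer <token>`. The scheme is case-insensitive
/// (RFC 6750); an empty or multi-part token is rejected.
pub fn bearer_token(header: &str) -> Option<&str> {
    let (scheme, rest) = header.trim().split_once(' ')?;
    if !scheme.eq_ignore_ascii_case("Bearer") {
        return None;
    }
    let token = rest.trim();
    if token.is_empty() || token.contains(char::is_whitespace) {
        None
    } else {
        Some(token)
    }
}

/// Middleware-style check. The failure log records why and how long the
/// presented token was, but never its value, so debug logging cannot turn
/// into a credential leak.
pub fn authorize(authorization: Option<&str>, expected: &[u8]) -> Result<(), AuthError> {
    let header = authorization.ok_or(AuthError::MissingHeader)?;
    let token = bearer_token(header).ok_or(AuthError::MalformedHeader)?;
    if ct_eq(expected, token.as_bytes()) {
        Ok(())
    } else {
        eprintln!("auth failure: invalid bearer token (presented_len={})", token.len());
        Err(AuthError::InvalidToken)
    }
}

fn main() {
    // Constructed sample token, not a real credential.
    let expected = b"constructed-example-token-not-a-real-secret";
    println!("{:?}", authorize(Some("Bearer constructed-example-token-not-a-real-secret"), expected));
    println!("{:?}", authorize(Some("Bearer wrong"), expected));
}
```

Both comparison functions return the same verdict on every input; only the timing differs, which is why the replacement is invisible in functional tests and needs a code review or a lint to catch.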

Dependencies

Security Updates

  • Updated: ed25519-dalek from v1.0.1 to v2.2.0 (critical security fix)
  • Updated: reqwest from v0.11 to v0.12 (security and performance)
  • Updated: ring from v0.16 to v0.17.12 (AES panic fix)
  • Added: subtle v2.5 for constant-time cryptographic operations

Documentation & Tooling

  • Added: utoipa and utoipa-swagger-ui for API documentation generation
  • Enhanced: CI/CD security workflow with automated vulnerability scanning