enhance security by adding cache control headers, validating password length, and rejecting encoded slashes in path processing

containers/auth-gateway/auth_gateway/services/password_service.py

@@ -7,7 +7,12 @@ from auth_gateway.models.auth import UserModel
 password_hasher = PasswordHasher()
 
 
+MAX_PASSWORD_LENGTH = 1024
+
+
 def verify_user_password(username: str, password: str, users: dict[str, UserModel]) -> UserModel | None:
+    if not password or len(password) > MAX_PASSWORD_LENGTH:
+        return None
     user = users.get(username)
     if not user or not user.password_hash:
         return None

containers/auth-gateway/auth_gateway/web/auth_routes.py

@@ -57,6 +57,7 @@ async def auth_check(request: Request):
         return re.sub(r"[\r\n\x00]", "", value)
 
     response = PlainTextResponse("OK", status_code=200)
+    response.headers["Cache-Control"] = "no-store"
     if session:
         if session.username:
             response.headers["X-Auth-User"] = _safe_header(session.username)

containers/auth-gateway/auth_gateway/web/login_routes.py

@@ -317,6 +317,7 @@ async def login_oidc_start(request: Request, next: str = "/"):
 
 
 @router.get("/login/oidc/callback")
+@limiter.limit(AUTH_RATE_LIMIT)
 async def login_oidc_callback(request: Request, state: str):
     runtime_config = get_runtime_config(request)
     oidc_state = request.app.state.session_service.consume_oidc_state(state)
@@ -352,10 +353,12 @@ async def login_oidc_callback(request: Request, state: str):
 
 
 def _safe_redirect_path(url: str | None) -> str:
-    """Accept only relative paths to prevent open redirects."""
-    if not url or "://" in url or not url.startswith("/"):
+    """Accept only relative paths to prevent open redirects, including protocol-relative URLs."""
+    if not url:
         return "/"
-    return url
+    from urllib.parse import urlsplit
+    path = urlsplit(url).path or "/"
+    return path if path.startswith("/") else "/"
 
 
 def _do_logout(request: Request, next_url: str = "/") -> RedirectResponse: