k_card/tests
Morten V. Christiansen 592af0c314 Guard against cross-server token replay in _verify_assertion_token
_verify_assertion_token now takes expected_host and rejects any token
whose bundle["host"] does not match — closing the cross-server replay
path where a token issued for server-a could have passed on server-b.

ServerState gains protected_host (default 127.0.0.1); k_server exposes
--protected-host CLI flag so operators declare which host they protect.

New abuse tests (unit + round-trip):
  test_cross_server_replay_rejected
  test_cross_server_replay_case_insensitive
  test_roundtrip_cross_server_replay_rejected
  test_roundtrip_cross_server_replay_accepted_on_correct_server

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-09 23:57:28 +02:00
card_emulator.py Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
card_emulator_bridge.py Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
k_client_portal.spec.js Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
k_phone_android.spec.js Fix Android Playwright tests: connectOverCDP + card reconnect 2026-05-09 21:41:36 +02:00
k_phone_portal.spec.js Add Playwright acceptance tests for k_phone proxy routing 2026-05-08 12:43:40 +02:00
k_phone_proxy.spec.js Add Playwright acceptance tests for k_phone proxy routing 2026-05-08 12:43:40 +02:00
test_k_proxy.py Initial commit: chromecard workspace snapshot 2026-04-29 22:06:14 +02:00
test_k_server.py Guard against cross-server token replay in _verify_assertion_token 2026-05-09 23:57:28 +02:00