[audit] Security, API safety, missing tests, error handling #1

Open
opened 2026-03-22 16:41:28 +00:00 by Virgil · 2 comments
Member

Full audit:

  1. Security: API key exposure, OAuth token handling, webhook validation, input sanitisation
  2. Rate limiting: proper backoff, quota tracking, retry logic
  3. Missing tests: provider actions without Pest coverage
  4. Error handling: swallowed API errors, missing HTTP status checks, timeout handling
  5. UK English: American spellings in code/comments
  6. Coding standards: strict_types, type hints, Action pattern, SPDX headers

Report all findings with severity and file:line. Do NOT fix.

Author
Member

Codex Audit Findings

HIGH (2)

  1. Farcaster sends api_key header but Neynar requires x-api-key — entire provider fails auth (Auth.php:74/:99/:117, Delete.php:54, Post.php:97, Read.php:53/:97/:129/:157/:184)
  2. Lemmy login returns jwt but accessToken() reads access_token — withToken() sends empty bearer, all authenticated operations fail (Auth.php:83, Post.php:75, Delete.php:43/:64, Comment.php:62/:116, Communities.php:169, Read.php:208)
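The second HIGH finding above is a fail-open pattern: a token accessor that reads the wrong response key (`access_token` instead of `jwt`) returns an empty string, and the client then sends `Bearer ` with nothing after it, so the defect only shows up as 401s on every later write. The PHP below is an added illustration, not code from the php-plug-web3 project; the class names, the `legacyAccessToken()` helper and the sample login responses are all constructed for this example. It shows the silent variant beside a fail-closed one that reads the documented `jwt` key and throws at login time, plus a header builder that refuses an empty credential and takes the API-key header name as an explicit argument (the first finding, `api_key` vs `x-api-key`, is the same class of bug: a wrong string that nothing validates).

```php
<?php
declare(strict_types=1);

// Added example (hypothetical classes, not part of the audited project).
// Assumes the Lemmy login response has been decoded into an array
// such as ['jwt' => '...'] and that Neynar expects an 'x-api-key' header.

final class MissingTokenException extends RuntimeException {}

final class LemmyTokenExtractor
{
    /** Key the Lemmy login endpoint actually returns, per the audit finding. */
    public const TOKEN_KEY = 'jwt';

    /**
     * The fail-open pattern described in the finding: reads a key the
     * response never contains and quietly yields '' (constructed "before").
     */
    public static function legacyAccessToken(array $response): string
    {
        return $response['access_token'] ?? '';
    }

    /**
     * Fail-closed variant: read the documented key and throw if it is
     * absent or empty, so a wrong key name surfaces at login rather than
     * as a 401 on every authenticated operation.
     */
    public static function accessToken(array $response): string
    {
        $token = $response[self::TOKEN_KEY] ?? null;

        if (!is_string($token) || trim($token) === '') {
            throw new MissingTokenException(sprintf(
                'Login response has no non-empty "%s" field (keys present: %s)',
                self::TOKEN_KEY,
                implode(', ', array_map('strval', array_keys($response)))
            ));
        }

        return $token;
    }
}

/** Builds auth headers and refuses to emit an empty credential. */
final class AuthHeaders
{
    public static function bearer(string $token): array
    {
        if (trim($token) === '') {
            throw new InvalidArgumentException('Refusing to send an empty bearer token');
        }
        return ['Authorization' => 'Bearer ' . $token];
    }

    /** Header name is explicit so 'x-api-key' is spelled once, not per call site. */
    public static function apiKey(string $headerName, string $key): array
    {
        if (trim($headerName) === '' || trim($key) === '') {
            throw new InvalidArgumentException('API key header name and value must be non-empty');
        }
        return [$headerName => $key];
    }
}

// Constructed sample login response shaped like the audit describes.
$lemmyLogin = ['jwt' => 'eyJhbGciOi.constructed.sample'];

// Fail-closed path: correct key, non-empty bearer header.
print_r(AuthHeaders::bearer(LemmyTokenExtractor::accessToken($lemmyLogin)));

// Legacy path: wrong key yields '' and the header builder now rejects it,
// instead of the request going out with an empty bearer.
try {
    AuthHeaders::bearer(LemmyTokenExtractor::legacyAccessToken($lemmyLogin));
} catch (InvalidArgumentException $e) {
    echo 'Blocked: ', $e->getMessage(), PHP_EOL;
}

// Explicit header name for a key-based provider (constructed value).
print_r(AuthHeaders::apiKey('x-api-key', 'NEYNAR_KEY_PLACEHOLDER'));
```

Run with `php example.php`; the first `print_r` shows a populated `Authorization` header, the second branch prints the refusal, and the third shows the key under the named header. The point for the audited code is that both a wrong response key and a wrong header name should fail at construction time, where a Pest test can assert on them, rather than at the remote API.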
Author
Member

API Contract Extraction + Bonus Findings

Threads Provider

Auth (OAuth 2.0 code→short→long-lived), Post (container+publish), Read (get/me/list/replies/insights), Delete

Confirmed Issues

  • HIGH: Lemmy auth returns jwt but consumers read access_token — empty bearer on writes
  • HIGH: Nostr crypto fallbacks are placeholder implementations (derivePublicKey, toBech32)

Full provider tables in agent log.

Reference: core/php-plug-web3#1