C-01: Initialize config=None before conditional in auth/status to prevent NameError on fresh instance (setup_required=True path)
C-02: Use generic "Authentication failed" on passkey lockout trigger instead of leaking lockout state (consistent with F-02 remediation)
W-01: Add nginx rate limit for /api/auth/passkeys/passwordless endpoints (enable accepts password — brute force protection)
W-02: Call record_successful_login in passkey unlock path to reset failed_login_count (prevents unexpected lockout accumulation)
W-05: Auto-clear must_change_password on passkey login — user can't provide old password in forced-change form after passkey auth
S-01: Pin webauthn to >=2.1.0,<3 (prevent major version breakage)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
19 lines, 353 B, Plaintext
fastapi==0.115.6
uvicorn[standard]==0.34.0
sqlalchemy[asyncio]==2.0.36
asyncpg==0.30.0
alembic==1.14.1
pydantic==2.10.4
pydantic-settings==2.7.1
bcrypt==4.2.1
argon2-cffi>=23.1.0
pyotp>=2.9.0
qrcode[pil]>=7.4.0
cryptography>=42.0.0
python-multipart==0.0.20
python-dateutil==2.9.0
itsdangerous==2.2.0
httpx==0.27.2
apscheduler==3.10.4
webauthn>=2.1.0,<3
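Review bot: the pinning style in this requirements file is inconsistent, which undercuts the intent of S-01. Thirteen entries are exact `==` pins (fastapi, uvicorn, sqlalchemy, asyncpg, alembic, pydantic, pydantic-settings, bcrypt, python-multipart, python-dateutil, itsdangerous, httpx, apscheduler), four are open lower bounds with no ceiling (`argon2-cffi>=23.1.0`, `pyotp>=2.9.0`, `qrcode[pil]>=7.4.0`, `cryptography>=42.0.0`), and only the new `webauthn>=2.1.0,<3` line is bounded. An open `>=` lets a fresh install silently pick up any future release, including a breaking major, which is exactly the failure S-01 guards against for webauthn; the same risk applies at least as much to cryptography and argon2-cffi, which sit on the authentication path. Suggest giving those four the same treatment (e.g. `cryptography>=42.0.0,<43`) or exact pins, and generating a hash-locked lockfile (`pip-compile --generate-hashes`, installed with `pip install --require-hashes`) so that builds are reproducible and a substituted package fails to install rather than being picked up unnoticed.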