| Version | Supported |
|---|---|
| 1.x | Yes |
Please do not report security vulnerabilities through public GitHub issues.
Send a private email to abhilash@gmail.com with:
- A description of the vulnerability
- Steps to reproduce (if known)
- Potential impact
You should receive a response within 72 hours. If you do not, please follow up.
We ask that you give us a reasonable timeframe to address the issue before any public disclosure. We will credit you for the discovery once the fix is released.
This project handles authentication credentials (passwords, tokens, API keys). The following practices are followed:
- Passwords are hashed with BCrypt (cost factor 10) - never stored in plain text
- API keys and refresh tokens are stored as SHA-256 hashes - the raw values are irrecoverable
- JWT HMAC secrets are configurable via environment variables - never hardcoded
- CSRF is disabled (stateless service, no browser session management)
- Service-to-service authentication between Gateway and Auth Platform is not yet implemented - internal endpoints are
permitAll()