Jason Woltje 3bba2f1c33 feat(#284): Reduce timestamp validation window to 60s with replay attack prevention ...

Security improvements:
- Reduce timestamp tolerance from 5 minutes to 60 seconds
- Add nonce-based replay attack prevention using Redis
- Store signature nonce with 60s TTL matching tolerance window
- Reject replayed messages with same signature

Changes:
- Update SignatureService.TIMESTAMP_TOLERANCE_MS to 60s
- Add Redis client injection to SignatureService
- Make verifyConnectionRequest async for nonce checking
- Create RedisProvider for shared Redis client
- Update ConnectionService to await signature verification
- Add comprehensive test coverage for replay prevention

Part of M7.1 Remediation Sprint P1 security fixes.

Fixes #284

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-03 21:43:01 -06:00

2.4 KiB

Raw Blame History

View Raw