184 Commits

Author SHA1 Message Date
dextmorgn
f38d5d500d Merge pull request #174 from reconurge/chore/security-dependency-upgrades
fix(deps): upgrade Python dependencies to patch 27 known vulnerabilities
2026-06-05 13:21:03 +02:00
dextmorgn
9fcc60ca63 fix(deps): upgrade Python dependencies to patch 27 known vulnerabilities
pip-audit reported 27 vulnerabilities across 12 packages, including
cryptography PYSEC-2026-36 (CVSS 9.8) used by the vault, a starlette
Host-header path bypass, and python-multipart arbitrary file write.

- cryptography 45.0.7 -> 46.0.7 (pin was capped at <46)
- fastapi 0.115 -> 0.136, pulling starlette 0.46 -> 1.2
- python-multipart 0.0.20 -> 0.0.32
- pyjwt, urllib3, aiohttp, lxml, idna, mako and transitive bumps
- dev tools: pytest 8 -> 9 (requires pytest-httpx >=0.36), black 25 -> 26

All four module test suites pass (458 tests). pip-audit now reports
no known vulnerabilities.
2026-06-05 08:57:19 +02:00
Melih Daskiran
25eb3a0400 Fix zip alignment mismatch, phone validation return value, and vault owner_id type matching 2026-06-04 21:46:44 +03:00
dextmorgn
b317e08e57 feat(api): authenticate SSE via header, drop query-param auth and dead route 2026-06-03 11:28:41 +02:00
dextmorgn
9db1e675d6 test(api): SSE auth-gate and endpoint-removal tests (red) 2026-06-03 11:22:58 +02:00
dextmorgn
1d409d7929 fix(scan): persist results to existing details column, errors to error column
The Scan model exposes details (JSON) and error (Text) columns, but the
enricher/flow tasks assigned to scan.results — a non-mapped attribute.
SQLAlchemy accepted the assignment silently, so commit() never persisted
it and the data was lost. Success paths now write scan.details; failure
paths write scan.error. ScanCreate.results renamed to details to match.

Scan repository tests pass.
2026-05-30 19:02:14 +02:00
dextmorgn
ee06d6cf3e fix(api): restrict CORS origins via ALLOWED_ORIGINS env
allow_origins was ["*"] together with allow_credentials=True, which is
both insecure and rejected by browsers for credentialed requests. Read a
comma-separated ALLOWED_ORIGINS env var instead, defaulting to the Vite
dev origin http://localhost:5173. Documented in .env.example.
2026-05-30 18:49:44 +02:00
dextmorgn
dd00bae9ce fix(api): run production container as non-root flowsint user
The production stage created the flowsint user and chowned all app
files to it, but the USER directive was commented out, so the API
ran as root. Uncommented it. Verified: image builds, container reports
whoami=flowsint and /health returns 200.
2026-05-30 18:49:43 +02:00
dextmorgn
c9d594a8e7 fix(api): load AUTH_SECRET from validated core.auth source
deps.py read AUTH_SECRET via os.getenv() before load_dotenv() ran,
yielding None when the secret was only present in .env. Import the
already-validated AUTH_SECRET from core.auth (loads dotenv first and
raises if unset) instead of re-reading it. Removes the dup + ordering bug.
2026-05-30 18:44:07 +02:00
z3rodaycve
f79403d361 Fixed to_ssl enricher to use httpX Docker Tool 2026-04-24 19:49:20 +02:00
z3rodaycve
0d04423b59 Release of DeHashed, httpX, veriphone, scamalytics enrichers 2026-04-21 16:49:12 +02:00
dextmorgn
bb502379bd feat(api): add collaborator endpoints, profile update, user search and backfill migration
- Add GET/POST/PUT/DELETE /investigations/{id}/collaborators endpoints
- Inject current_user_role in all investigation responses
- Add GET/PUT /auth/me for profile management
- Add GET /auth/users/search for share dialog autocomplete
- Add ProfileUpdate schema with extra=forbid
- Add email to ProfileRead
- Add backfill migration for existing investigations missing owner role entries
2026-04-11 14:44:28 +02:00
dextmorgn
400b21a7d1 feat(api): install uv Dockerfile 2026-04-11 14:42:39 +02:00
dextmorgn
5569a2f9b7 feat(api): switch to uv 2026-04-11 13:14:16 +02:00
dextmorgn
972763343e feat(api): add type detection route and service
Add POST /api/types/detect endpoint that detects the type of a text input
by iterating registered types and calling their detect() classmethod.
Returns detected type with fields and primary field pre-filled.
Falls back to Phrase when no type matches.
2026-03-15 12:35:46 +01:00
dextmorgn
2ea40c4eae feat(api): add input and output type to enricher template 2026-03-09 19:38:42 +01:00
gustavorps
b2cfc67117 fix(app): removing slashes 2026-02-17 04:49:46 -03:00
gustavorps
5ee7bf24e0 fix(api): added redirect_slashes=False to face 307 redirect reverse proxy issue 2026-02-17 04:27:13 -03:00
gustavorps
da0280506e fix(api): added ignore_trailing_slash=True to face 307 redirect reverse proxy issue 2026-02-17 04:21:01 -03:00
gustavorps
d52669740b feat(api): added fastapi standard 2026-02-17 04:04:07 -03:00
dextmorgn
6494cee2d0 feat(api): update key service 2026-02-16 09:16:05 +01:00
dextmorgn
eef214bdfa feat(api): custom types updates 2026-02-14 15:34:28 +01:00
dextmorgn
599fc8353d feat(api): increate prompt chat length 2026-02-12 23:40:12 +01:00
dextmorgn
a764704fbe feat(api): progress on templates 2026-02-12 22:04:28 +01:00
dextmorgn
19ee40c46d feat(app): chat context 2026-02-12 22:04:28 +01:00
dextmorgn
07f32c983a feat: use ai sdk useChat 2026-02-12 22:04:21 +01:00
dextmorgn
a461f9997d feat: progress on enricher templates 2026-02-12 22:03:28 +01:00
dextmorgn
53a03575cd feat(api): enrichers from templates 2026-02-12 22:03:04 +01:00
dextmorgn
177953b216 feat(api): use repositories in services 2026-02-07 17:23:16 +01:00
dextmorgn
2372678bda feat(api): use dedicated services for business logic 2026-02-05 22:37:31 +01:00
dextmorgn
20a3d35909 fix(api): keep docker user as root for now 2026-01-30 22:19:43 +01:00
dextmorgn
a178ef1bcd feat(chore): update deploy components 2026-01-25 20:45:22 +01:00
dextmorgn
7d33b813de chore(license): migrate from AGPL-3.0 to Apache License 2.0 2026-01-25 16:19:28 +01:00
dextmorgn
5977832a1a feat(api): refactor to use nodeLabel, and proper usage of graphService 2026-01-21 17:19:24 +01:00
dextmorgn
be0880e77d feat(api) update export json schema 2026-01-11 19:30:38 +01:00
dextmorgn
27c9e91c92 feat(api): add json import support 2026-01-10 18:07:14 +01:00
dextmorgn
1d184bae3b feat(api): update export schema 2026-01-07 22:03:31 +01:00
dextmorgn
6cc8bf25c0 feat(api): export route 2026-01-07 21:44:02 +01:00
dextmorgn
c4408c2f3e feat(api): update edge label 2026-01-05 21:45:53 +01:00
dextmorgn
e812f3c855 feat(app): get_current_user_sse 2025-12-17 10:17:42 +01:00
dextmorgn
a15ce33df4 fix(api): patch missing permissions on api routes 2025-12-17 10:16:54 +01:00
dextmorgn
0577080b4e feat(api): add DNSRecord to raw_material 2025-12-15 16:07:59 +01:00
dextmorgn
6633cc5f4a fix(api): returned parsed node after insert 2025-12-10 15:15:30 +01:00
dextmorgn
5bb7fae4bd refactor(api): better batch import 2025-12-05 15:47:43 +01:00
dextmorgn
152a30c92a feat(api): update flowsint_enrichers registry 2025-11-30 12:50:01 +01:00
dextmorgn
f039d92234 fix(api): typo in icon for social account 2025-11-29 14:08:58 +01:00
dextmorgn
7692fc76f6 feat(api): type registry + better import 2025-11-28 20:08:09 +01:00
dextmorgn
6412b1afe8 feat(api): dedicated sketch event route for refresh 2025-11-27 22:20:28 +01:00
dextmorgn
653b319b22 feat(api): 2.0.0 2025-11-27 17:32:27 +01:00
dextmorgn
2123ea5b8d feat: complete refactor 2025-11-27 17:16:41 +01:00