Codebase review: high-priority security, reliability, maintainability, and bloat findings

[lovasoa]

Summary

• A deep review of the current codebase found several high-impact issues across security, reliability, maintainability, and code bloat/duplication. This issue tracks the highest-priority items with concrete references.

High priority

1) Sensitive auth/material is logged in plaintext (token/cookie/response leakage)

Current code logs OIDC secrets and arbitrary HTTP response bodies:

• OIDC access token secret log
• OIDC auth cookie (ID token) log
• OIDC ID token verification log
• OIDC raw HTTP response body log
• OIDC token response object log
• sqlpage.fetch raw response body log

Why this matters:

• Tokens and identity claims can leak into logs and downstream observability pipelines.
• Any log access then becomes auth/session compromise risk.

Suggested fix:

• Never log token/cookie values or raw OIDC responses.
• Redact or hash sensitive values ([REDACTED]).
• Keep only metadata: status code, endpoint host/path class, payload size, elapsed time.

2) Dependency security advisories in lockfile/dependency graph

cargo audit reports:

• RUSTSEC-2023-0071 on rsa 0.9.10 (Marvin timing side-channel)
• Unmaintained warnings:
  • RUSTSEC-2024-0436 (paste 1.0.15)
  • RUSTSEC-2025-0134 (rustls-pemfile 2.2.0)

Dependency entrypoints:

• Dependency manifest
• Resolved lockfile

Why this matters:

• Security debt accumulates in auth and DB-critical dependency paths.

Suggested fix:

• Plan migration away from sqlx-oldapi 0.6.x line to maintained upstream.
• Re-resolve OIDC stack and lockfile to versions without advisory hits when available.
• Add cargo audit (or equivalent) to CI as informational gate at minimum.

Medium priority

3) Incorrect HTTP caching semantics for static files

• Last-Modified currently uses SystemTime::now()
• Local FS comparison uses >
• DB FS comparison uses >=

Why this matters:

• Weak/incorrect cache validation and inconsistent behavior between local FS and DB-backed FS.
• Causes unnecessary cache misses and confusing revalidation behavior.

Suggested fix:

• Set Last-Modified from actual source mtime (or omit if unknown).
• Align local/db modified comparison semantics (> vs >=) to one consistent contract.

4) 404 fallback behavior returns 200 for custom 404.sql

• Custom not-found route keeps 200

Why this matters:

• API clients, crawlers, and monitoring receive incorrect status codes for missing resources.

Suggested fix:

• Preserve the custom body but set status code to 404 for custom not-found handlers.

5) Crash/panic edges in request path and response finalization

• UTF-8 unwrap() in Serve path
• unwrap() in response close path

Why this matters:

• A panic in request handling can take down worker tasks and create unstable behavior under malformed edge inputs.

Suggested fix:

• Replace unwrap() with structured error propagation and explicit 400/500 mapping.

Maintainability / bloat / duplication

6) Very large multi-responsibility modules increase change risk

Key files:

• src/webserver/database/sql.rs
• src/webserver/oidc.rs
• src/render.rs
• src/webserver/database/sqlpage_functions/functions.rs
• src/app_config.rs

Also note duplicated fetch pipelines:

• fetch
• fetch_with_meta

Why this matters:

• High cognitive load, difficult reviews, and increased regression risk.

Suggested fix:

• Split by responsibility boundaries (parsing/rewrite/validation/execution; OIDC callback/logout/token; renderer header/body/format adapters).
• Extract shared HTTP fetch execution into one reusable helper returning a structured internal response object.

Proposed execution plan

• Security patch pass
  • Remove/redact sensitive logs in OIDC + fetch paths.
  • Add regression tests asserting no token value appears in logs for auth flow failures.
• HTTP correctness pass
  • Fix Last-Modified source and local/db comparison contract.
  • Return proper 404 status for custom 404 handlers.
• Stability pass
  • Eliminate production unwrap() in request/response hot paths.
• Dependency/risk pass
  • Open follow-up migration issue for sqlx-oldapi and dependency audit remediation.
• Refactor pass
  • Break down oversized files and deduplicate fetch logic with targeted tests.