Provisioning bodies are tiny; set MAX_CONTENT_LENGTH=16 KiB so oversized POSTs
are rejected with 413 rather than buffered. Tests: +1; 99 pass.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
/api/export returns every subscriber's Ki/OPc and was reachable unauthenticated
by any WiFi client (and directly, since Flask binds 0.0.0.0). It now requires
server.admin_token via the X-Admin-Token header (constant-time compare) and is
disabled entirely when no token is configured.
Add admin_token to config.yaml.example. Tests: +2 (disabled/401/200); 86 pass.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- get_connection sets PRAGMA busy_timeout so concurrent writers under a
threaded server wait instead of hitting "database is locked".
- Provision retries credential generation on IMSI/ICCID collision (up to 5x)
instead of surfacing a duplicate as a 500.
- Guard the module-level profile cache with a threading.Lock.
- Captive portal disables the activate button while a request is in flight to
avoid double provisioning.
Tests: +2 (collision retry + give-up); 84 pass.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Security:
- Serve generated profiles at /api/profile/<random-token> instead of
/api/profile/<sequential-int>. Profiles carry Ki/OPc, so the enumerable id
scheme allowed anyone on the WiFi to harvest all subscriber keys. Unknown
tokens return a plain 404 so they can't be probed.
Robustness:
- Open5GS/free5gc adapters use short MongoDB timeouts so an unreachable core
fails provisioning fast instead of blocking ~30s on the default.
- Profile cache is now a size-capped LRU (OrderedDict) to prevent unbounded
memory growth.
- load_config rejects empty/non-mapping YAML and validates network.op_key is a
16-byte hex string.
Tests: +25 (test_app.py API coverage, test_utils.py); 78 pass.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>