0eb0660d41
Replace name-based bouncer validation with actual LAPI authentication testing. The previous implementation checked if a bouncer NAME existed but never validated if the API KEY was accepted by CrowdSec LAPI. Key changes: - Add testKeyAgainstLAPI() with real HTTP authentication against /v1/decisions/stream endpoint - Implement exponential backoff retry (500ms → 5s cap) for transient connection errors while failing fast on 403 authentication failures - Add mutex protection to prevent concurrent registration race conditions - Use atomic file writes (temp → rename) for key persistence - Mask API keys in all log output (CWE-312 compliance) Breaking behavior: Invalid env var keys now auto-recover by registering a new bouncer instead of failing silently with stale credentials. Includes temporary acceptance of 7 Debian HIGH CVEs with documented mitigation plan (Alpine migration in progress - issue #631).
29 KiB
29 KiB