fix: address CodeQL findings — sha512 for token hashing, secure tempfile

tests/e2e/test_idp_seed.py

@@ -166,8 +166,10 @@ async def test_seed_preserves_providers_not_in_yaml(clean_config, monkeypatch):
 
 
 async def test_seed_invalid_yaml(clean_config, monkeypatch):
-    path = Path(tempfile.mktemp(suffix=".yaml"))
-    path.write_text(": : : invalid yaml [[[")
+    f = tempfile.NamedTemporaryFile(suffix=".yaml", delete=False, mode="w")
+    f.write(": : : invalid yaml [[[")
+    f.close()
+    path = Path(f.name)
     monkeypatch.setattr("wiregui.auth.seed.get_settings", lambda: type("S", (), {"idp_config_file": str(path)})())
     await seed_idp_providers()
     async with async_session() as session:

tests/test_api.py

@@ -15,7 +15,7 @@ from wiregui.utils.time import utcnow
 def test_generate_api_token():
     plaintext, token_hash = generate_api_token()
     assert len(plaintext) > 20
-    assert token_hash == hashlib.sha256(plaintext.encode()).hexdigest()
+    assert token_hash == hashlib.sha512(plaintext.encode()).hexdigest()
 
 
 def test_generate_api_token_unique():

wiregui/auth/api_token.py

@@ -15,13 +15,13 @@ from wiregui.utils.time import utcnow
 def generate_api_token() -> tuple[str, str]:
     """Generate a new API token. Returns (plaintext_token, token_hash)."""
     plaintext = secrets.token_urlsafe(32)
-    token_hash = hashlib.sha256(plaintext.encode()).hexdigest()
+    token_hash = hashlib.sha512(plaintext.encode()).hexdigest()
     return plaintext, token_hash
 
 
 async def resolve_bearer_token(session: AsyncSession, token: str) -> User | None:
     """Look up a Bearer token and return the associated user, or None."""
-    token_hash = hashlib.sha256(token.encode()).hexdigest()
+    token_hash = hashlib.sha512(token.encode()).hexdigest()
     result = await session.execute(
         select(ApiToken).where(ApiToken.token_hash == token_hash)
     )