Fix weak asset ID entropy, GPS PII console exposure, missing password policy, and upload queue auth gaps

[Copilot]

Four medium-severity security issues: non-cryptographic PRNG for asset IDs, GPS coordinates logged as PII, no password strength enforcement on signup, and upload queue processing without auth token validation.

Changes

Asset ID entropy (src/background/service-worker.ts)

• Replaced Math.random().toString(36).slice(2, 11) with crypto.randomUUID().slice(0, 8) in both capture paths (selection + full-page)

// Before
const assetId = `screenshot_${captureTime.getTime()}_${Math.random().toString(36).slice(2, 11)}`;

// After
const assetId = `screenshot_${captureTime.getTime()}_${crypto.randomUUID().slice(0, 8)}`;

GPS PII in console (src/background/service-worker.ts)

• Removed gpsLocation.latitude / gpsLocation.longitude from both console.log calls; logs now confirm capture without exposing coordinates

Password policy (src/services/AuthService.ts, src/popup/AuthForm.tsx)

• AuthService.signup() now calls validatePasswordStrength() before the API call — enforces min 8 chars, upper, lower, digit, special character; throws a user-facing error on failure
• AuthForm adds a password strength bar + label (signup mode only), a requirements hint, and progressive login rate limiting: 0 → 5 → 10 → 30 → 60s delays on consecutive failures with submit button disabled during cooldown

Upload queue auth validation (src/services/UploadService.ts)

• processQueue() now checks apiClient.getAuthToken() before dequeuing; if absent, pauses the queue and broadcasts AUTH_STATUS_CHANGED { authenticated: false, reason: 'no_token' }
• handleUploadError() detects statusCode === 401, pauses the queue, broadcasts AUTH_STATUS_CHANGED { reason: 'token_expired' }, and tags the asset with errorType: 'auth_expired'

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Security][Medium] Weak asset ID entropy, PII leaks via GPS logging, missing password policy, and upload queue auth gaps</issue_title>
<issue_description>## Summary

Four medium-severity security findings affecting credential handling, privacy compliance, asset ID predictability, and upload resilience.

Finding 1: Math.random() Used for Asset ID Generation

File: src/background/service-worker.ts, lines 298, 504

Asset IDs are generated using Math.random().toString(36).slice(2, 11), a non-cryptographic PRNG. Combined with known millisecond timestamps, an attacker can enumerate possible asset IDs. ID collision could cause one asset to silently overwrite another in IndexedDB.

Fix: Replace with crypto.randomUUID() (available in service workers):

const assetId = `screenshot_${captureTime.getTime()}_${crypto.randomUUID().slice(0, 8)}`;

Finding 2: GPS Coordinates (PII) Logged and Stored Without Adequate Disclosure

Files: src/background/service-worker.ts lines 274, 478; src/services/UploadService.ts lines 457-460

Exact GPS latitude/longitude are:

1. Logged to browser console in plaintext
2. Embedded in upload metadata sent to Numbers Protocol API
3. Permanently recorded on a public blockchain (immutable, cannot be deleted)

GPS coordinates are PII under GDPR and CCPA. Users are not informed that their precise location will be permanently and immutably committed to blockchain.

Fix:

• Remove GPS coordinates from console logging entirely
• Add explicit disclosure: "Your precise GPS coordinates will be permanently recorded on a public blockchain and cannot be deleted"
• Offer precision levels: Exact, City-level (2 decimal places), Region (1 decimal place)
• Add per-capture confirmation when location is included

Finding 3: No Password Strength Enforcement on Signup

Files: src/services/AuthService.ts lines 45-57, 62-73; src/popup/AuthForm.tsx lines 21-41

The signup flow performs no password strength validation (no minimum length, no complexity check). No client-side rate limiting exists to prevent brute-force attempts through the extension popup.

Fix:

• Add client-side password validation: minimum 8 characters, mixed case, numbers, special characters
• Implement progressive rate limiting on login: disable submit button for increasing intervals after consecutive failures
• Display password strength indicator on signup

Finding 4: Upload Queue Processes Items Without Auth Token Validation

Files: src/services/UploadService.ts lines 207-229, 235-253

processQueue() never validates auth token before uploads. When restoreQueue() runs on service worker startup, it immediately processes queued uploads using whatever token exists. If the token has expired, each upload fails with 401, but handleUploadError() does not distinguish auth failures from other errors — assets are marked "failed" with no indication that re-authentication is needed.

Fix:

• Pre-check this.apiClient.getAuthToken() before processing each queue item
• In handleUploadError(), detect 401 responses and pause the queue, then send AUTH_STATUS_CHANGED to the popup
• Implement pre-flight token validation before starting a batch

Differentiation from Existing Issues

• Finding 1: No existing issue covers asset ID entropy (distinct from [Security][Medium] Unsafe JSON.parse, overly broad permissions, and race conditions #21 JSON.parse, [Security][High] Service worker state management: init race, singleton leak, and selection deadlock #29 state management)
• Finding 2: [Security][High] Verbose logging, unvalidated URL params, and missing payload validation #20 covers verbose logging broadly but not GPS-specific GDPR/CCPA implications or blockchain immutability concerns
• Finding 3: [Security][Medium] Missing token refresh mechanism and client-side auth hardening #11 covers token lifecycle, not signup credential policy or brute-force prevention
• Finding 4: [Security][Medium] Missing token refresh mechanism and client-side auth hardening #11 covers token refresh generally; this is specifically about the upload queue's blind processing and missing 401 handling

---

Generated by Health Monitor with Omni</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Security][Medium] Weak asset ID entropy, PII leaks via GPS logging, missing password policy, and upload queue auth gaps #36

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.