fix(auth): prevent DNS prefix attacks and enforce single-slash rule

Add proper boundary validation to prevent domains like micro.com from
claiming permissions for com.microsoft/* through prefix overlap attacks.

Changes:
- Add delimiter checking after domain prefix (must be . or /)
- Enforce single-slash rule for server names per PR #476
- Add comprehensive test cases for prefix attack scenarios
- Update existing tests to align with new validation rules

The validation now ensures name patterns have proper delimiters and
follow the established server naming conventions.

Author: jalateras

internal/api/handlers/v0/auth/dns.go

@@ -233,9 +233,30 @@ func (h *DNSAuthHandler) buildPermissions(domain string, namePattern string) []a
 
 	// For specific name patterns, grant permission only for the specified pattern
 	// This allows DNS controllers to scope permissions to specific prefixes
+	// The name pattern MUST be scoped to the domain it is on.
+	// We need to ensure proper delimiter checking to prevent prefix attacks
+	// e.g., micro.com should not be able to claim com.microsoft/*
 	if !strings.HasPrefix(namePattern, reverseDomain) {
-		// The name pattern MUST be scoped to the domain it is on.
-		// If it's not, we return no permissions.
+		return []auth.Permission{}
+	}
+
+	// Check that after the reverse domain, there's either:
+	// - nothing (exact match)
+	// - a '.' (subdomain like com.example.api)
+	// - a '/' (path like com.example/foo)
+	if len(namePattern) > len(reverseDomain) {
+		delimiter := namePattern[len(reverseDomain)]
+		if delimiter != '.' && delimiter != '/' {
+			// Invalid pattern - doesn't have proper delimiter after domain
+			return []auth.Permission{}
+		}
+	}
+
+	// Validate server name format: should have exactly one slash
+	// This aligns with PR #476 requirements
+	slashCount := strings.Count(namePattern, "/")
+	if slashCount > 1 {
+		// Invalid pattern - multiple slashes not allowed in server names
 		return []auth.Permission{}
 	}
 

internal/api/handlers/v0/auth/dns_test.go

@@ -300,13 +300,23 @@ func TestDNSAuthHandler_NamePatternScoping(t *testing.T) {
 			expectError:      false,
 		},
 		{
-			name:   "complex pattern with multiple path segments",
+			name:   "pattern with multiple slashes should be rejected",
 			domain: "example.com",
 			txtRecords: []string{
 				fmt.Sprintf("v=MCPv1; k=ed25519; p=%s; n=com.example/services/auth/*", publicKeyB64_1),
 			},
 			usePrivateKey:    privateKey1,
-			expectedPatterns: []string{"com.example/services/auth/*"},
+			expectError:      true,
+			errorContains:    "no valid permissions found",
+		},
+		{
+			name:   "valid single slash pattern",
+			domain: "example.com",
+			txtRecords: []string{
+				fmt.Sprintf("v=MCPv1; k=ed25519; p=%s; n=com.example/my-server", publicKeyB64_1),
+			},
+			usePrivateKey:    privateKey1,
+			expectedPatterns: []string{"com.example/my-server"},
 			expectedNumPerms: 1,
 			expectError:      false,
 		},
@@ -332,6 +342,26 @@ func TestDNSAuthHandler_NamePatternScoping(t *testing.T) {
 			expectError:      true,
 			errorContains:    "no valid permissions found",
 		},
+		{
+			name:   "malicious prefix overlap - micro.com trying to claim microsoft",
+			domain: "micro.com",
+			txtRecords: []string{
+				fmt.Sprintf("v=MCPv1; k=ed25519; p=%s; n=com.microsoft/*", publicKeyB64_1),
+			},
+			usePrivateKey:    privateKey1,
+			expectError:      true,
+			errorContains:    "no valid permissions found",
+		},
+		{
+			name:   "malicious prefix overlap - example.com trying to claim example.org",
+			domain: "example.com",
+			txtRecords: []string{
+				fmt.Sprintf("v=MCPv1; k=ed25519; p=%s; n=com.examplecorp/*", publicKeyB64_1),
+			},
+			usePrivateKey:    privateKey1,
+			expectError:      true,
+			errorContains:    "no valid permissions found",
+		},
 		{
 			name:   "name pattern is a subdomain",
 			domain: "example.com",