Hermes WebUI < 0.51.368 - Profile-Scoped Authorization Bypass via Forged hermes_profile Cookie
Description
Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: < 0.51.368
Patches
Vulnerability mechanics
Root cause
"Missing cryptographic binding between the profile cookie and the session token allows an authenticated attacker to forge the hermes_profile cookie value."
Attack vector
An authenticated attacker who holds a valid session cookie can set the `hermes_profile` cookie to an arbitrary profile name (e.g., `alice`) because the old code did not cryptographically bind the profile cookie to the session token [ref_id=1]. By sending a request with a legitimate `hermes_session` cookie alongside a tampered `hermes_profile` cookie, the attacker bypasses profile-scoped authorization checks and gains access to sessions, files, and resources belonging to other profiles. The fix requires the profile cookie to carry an HMAC signature that is verified against the current session, so a value copied from or minted for a different session no longer passes.
Affected code
The vulnerability resides in the `get_profile_cookie()` function in `api/helpers.py`. When authentication is enabled, the function previously accepted any profile name from the `hermes_profile` cookie without verifying that the value was cryptographically bound to the current session. The patch adds a signature verification step via `verify_profile_cookie_value()` that ties the profile cookie to the active `hermes_session` token.
What the fix does
The patch introduces two new functions — `sign_profile_cookie_value()` and `verify_profile_cookie_value()` — that HMAC-sign the profile name with a key derived from the active session token [patch_id=6466846]. When authentication is enabled, `get_profile_cookie()` now calls `verify_profile_cookie_value()` to ensure the profile cookie was issued for the same session that is presenting it. The new tests confirm that an unsigned profile cookie, a profile signed for a different session, and a profile signed with an expired session are all rejected. This closes the authorization bypass by making the profile cookie unforgeable without knowledge of the session secret.
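The following is an added illustration of the forgery described under "Attack vector" and of the signed-cookie scheme described in "What the fix does". It is not the project's code: the names `sign_profile_cookie_value` and `verify_profile_cookie_value` are taken from the advisory text, but their bodies, the `SERVER_SECRET`, the in-memory session store, the `profile.hexsig` cookie layout, and the two `get_profile_cookie_*` wrappers are assumptions made for the example. The per-session key is derived as HMAC(server secret, session token), so an attacker who knows only their own session token still cannot mint a valid signature.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session store for the example: token -> expiry (epoch seconds).
SESSIONS = {}
# Assumed server-side secret. Never sent to the client; without it no signature can be forged.
SERVER_SECRET = secrets.token_bytes(32)


def create_session(ttl_seconds=3600, now=None):
    """Issue a random hermes_session token that expires after ttl_seconds."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (now if now is not None else time.time()) + ttl_seconds
    return token


def session_is_active(token, now=None):
    expiry = SESSIONS.get(token)
    current = now if now is not None else time.time()
    return expiry is not None and current < expiry


def _profile_key(session_token):
    # Per-session signing key (assumed derivation): HMAC-SHA256(server secret, session token).
    return hmac.new(SERVER_SECRET, session_token.encode(), hashlib.sha256).digest()


def sign_profile_cookie_value(profile, session_token):
    """Return 'profile.hexsig', where hexsig binds the profile name to this session."""
    sig = hmac.new(_profile_key(session_token), profile.encode(), hashlib.sha256).hexdigest()
    return f"{profile}.{sig}"


def verify_profile_cookie_value(cookie_value, session_token, now=None):
    """Return the profile name if the cookie was signed for an active session, else None."""
    if not session_is_active(session_token, now):
        return None  # signature made for an expired session is worthless
    profile, sep, sig = cookie_value.rpartition(".")
    if not sep or not profile:
        return None  # unsigned (pre-fix style) cookie value
    expected = hmac.new(_profile_key(session_token), profile.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered profile name, or signed for a different session
    return profile


def get_profile_cookie_vulnerable(cookies):
    """Pre-fix behaviour: trusts whatever profile name the client sends."""
    return cookies.get("hermes_profile")


def get_profile_cookie_fixed(cookies, now=None):
    """Post-fix behaviour: only accept a profile bound to the presented session."""
    session = cookies.get("hermes_session")
    value = cookies.get("hermes_profile")
    if not session or not value:
        return None
    return verify_profile_cookie_value(value, session, now)


if __name__ == "__main__":
    attacker = create_session()
    victim = create_session()
    forged = {"hermes_session": attacker, "hermes_profile": "alice"}
    print("vulnerable:", get_profile_cookie_vulnerable(forged))   # alice
    print("fixed, unsigned:", get_profile_cookie_fixed(forged))    # None
    forged["hermes_profile"] = sign_profile_cookie_value("alice", victim)
    print("fixed, other session:", get_profile_cookie_fixed(forged))  # None
    forged["hermes_profile"] = sign_profile_cookie_value("alice", attacker)
    print("fixed, own session:", get_profile_cookie_fixed(forged))    # alice
```

The last case is deliberately accepted: the server, not the client, is the one that calls `sign_profile_cookie_value` when it sets the profile for a session, so a correctly signed cookie for the attacker's own session can only carry a profile the server chose to grant. Comparison uses `hmac.compare_digest` to avoid leaking the signature through timing.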
Preconditions
- Authentication: the attacker must have an authenticated session (a valid hermes_session cookie).
- Input: the attacker must be able to set or modify the hermes_profile cookie in their HTTP request.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/nesquena/hermes-webui/commit/9e96f5f6adf93b6d1e27ebddfb4d2833ca06ff3b (mitre; patch)
- www.vulncheck.com/advisories/hermes-webui-profile-scoped-authorization-bypass-via-forged-hermes-profile-cookie (mitre; third-party advisory)
- github.com/nesquena/hermes-webui/pull/4023 (mitre; technical description)
- github.com/nesquena/hermes-webui/pull/4036 (mitre; issue tracking)
- github.com/nesquena/hermes-webui/releases/tag/v0.51.368 (mitre; release notes)