fix(crypto): validare fail-fast a cheii Fernet la startup

O cheie AUTOPASS_CREDS_KEY setata dar invalida (format Fernet gresit) arunca ValueError abia la primul encrypt_creds -> 500 brut pe POST /v1/prezentari, fara mesaj util (cazul reprodus din client VFP). crypto.validate_creds_key() valideaza cheia, apelata in main.lifespan: o cheie invalida opreste pornirea cu mesaj clar + comanda de generare, in loc sa explodeze la prima cerere. Cheie nesetata = OK (model efemer). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-23 13:55:12 +00:00
parent 5dc963a02c
commit 90603609a1
2 changed files with 26 additions and 0 deletions
--- a/app/crypto.py
+++ b/app/crypto.py
@@ -39,6 +39,28 @@ def reset_cache() -> None:
    _fernet.cache_clear()


+def validate_creds_key() -> None:
+    """Fail-fast la startup: o cheie `creds_key` setata DAR invalida trebuie sa
+    opreasca pornirea, nu sa explodeze abia la primul POST /v1/prezentari (500
+    brut, fara mesaj util pentru client — cazul real reprodus din ROAAUTO/VFP).
+
+    Cheie nesetata = OK (modelul efemer, vezi _fernet). Cheie setata si invalida
+    (lungime/padding gresit) -> RuntimeError cu instructiunea de generare.
+    """
+    key = get_settings().creds_key
+    if not key:
+        return
+    try:
+        Fernet(key.encode() if isinstance(key, str) else key)
+    except (ValueError, TypeError) as exc:
+        raise RuntimeError(
+            "AUTOPASS_CREDS_KEY este setata dar invalida (Fernet cere 32 bytes "
+            "url-safe base64, 44 caractere terminate in '='). Genereaza una cu:\n"
+            "  python3 -c \"from cryptography.fernet import Fernet; "
+            "print(Fernet.generate_key().decode())\""
+        ) from exc
+
+
 def encrypt_creds(creds: dict) -> str:
    """Cripteaza un dict de creds -> token Fernet (str). Compact, fara spatii."""
    blob = json.dumps(creds, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
--- a/app/main.py
+++ b/app/main.py
@@ -25,6 +25,7 @@ from .api.v1.import_router import router as import_v1_router
 from .api.v1.integrare_router import router as integrare_v1_router
 from .api.v1.router import router as api_v1_router
 from .config import get_settings
+from .crypto import validate_creds_key
 from .db import get_connection, init_db, queue_depth, read_heartbeat
 from .security import install_log_redaction
 from .web.routes import router as web_router
@@ -37,6 +38,9 @@ from .web.session import AdminRequired, LoginRequired
@asynccontextmanager
 async def lifespan(app: FastAPI):
    install_log_redaction()
+    # Fail-fast: o cheie Fernet setata dar invalida opreste pornirea cu mesaj clar,
+    # in loc de 500 brut la primul POST /v1/prezentari (cazul reprodus din VFP).
+    validate_creds_key()
    init_db()
    yield