504b490d3b
Canalul web trece de la 100% deschis (hardcodat cont 1) la autentificat si multi-tenant. Un service nou se inregistreaza din browser, primeste o cheie API (o singura data) si o sesiune; contul se creeaza "in asteptare" (active=0) si nu trimite la RAR pana la activarea de catre admin (tools/account.py activate). - users + app/users.py: parole scrypt (salt per-user, eticheta parametri onorata la verify pentru migrare cost), email unic case-insensitive - sesiune: SessionMiddleware (same_site=strict, https_only config) + app/web/session.py (current_account/web_account/require_login->LoginRequired, set_session clear-inainte) - CSRF (app/web/csrf.py) enforce in prod inclusiv pe login/signup + rate-limit in-proces (app/web/ratelimit.py) pe signup si login - signup/login/logout (app/web/auth_routes.py): signup tranzactie atomica, cheie-o-data, log SIGNUP pentru descoperire admin - dashboard + import scoped pe contul sesiunii (regula NULL->cont 1); toate rutele web care ating date sensibile sub require_login; nomenclator ramane global - banner "cont in asteptare" pentru conturi active=0 - gate worker: claim_one LEFT JOIN accounts COALESCE(active,1)=1 (account_id NULL=activ) VERIFY context curat (2 runde): leak cross-account /_fragments/mapari prins+reparat. /code-review high: csrf_token lipsa pe re-randari de eroare, scrypt_params ignorat, login fara rate-limit -- toate reparate. 361 teste pass (de la 313). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
52 lines
1.9 KiB
Python
52 lines
1.9 KiB
Python
"""CSRF token per-sesiune + validare. US-009 PRD 3.3.
|
|
|
|
Contract pentru rutele POST web:
|
|
- Formulare HTML includ: <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
|
|
- Handler-ul POST apeleaza: verify_csrf(request, form.get("csrf_token"))
|
|
- La nepotrivire/lipsa: CsrfError -> @app.exception_handler(CsrfError) -> 403
|
|
|
|
Token e per-sesiune (stabil pana la logout), generat lazy la primul acces.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import hmac
|
|
import secrets
|
|
|
|
from starlette.requests import Request
|
|
|
|
from ..config import get_settings
|
|
|
|
|
|
class CsrfError(Exception):
|
|
"""Token CSRF lipsa sau invalid. Prins de exception_handler in main.py -> 403."""
|
|
|
|
|
|
def get_csrf_token(request: Request) -> str:
|
|
"""Intoarce tokenul CSRF al sesiunii, generandu-l daca lipseste."""
|
|
token = request.session.get("csrf_token")
|
|
if not token:
|
|
token = secrets.token_urlsafe(32)
|
|
request.session["csrf_token"] = token
|
|
return token
|
|
|
|
|
|
def verify_csrf(request: Request, submitted: str | None) -> None:
|
|
"""Verifica tokenul CSRF trimis in formular.
|
|
|
|
Gateaza pe MOD, nu pe account_id:
|
|
- prod (web_auth_required=True): enforce pe TOATE rutele POST, inclusiv /login si
|
|
/signup unde atacatorul ar putea forta victima sa se logheze in contul sau
|
|
(login CSRF). GET-urile de formular genereaza token in sesiune via get_csrf_token.
|
|
- dev/test (web_auth_required=False, fara account_id): skip transparent, testele
|
|
existente raman verzi fara sa fie nevoie de token.
|
|
- sesiune autentificata (account_id in sesiune): enforce indiferent de mod.
|
|
"""
|
|
settings = get_settings()
|
|
enforce = settings.web_auth_required or request.session.get("account_id") is not None
|
|
if not enforce:
|
|
return # dev fara auth: CSRF neaplicabil
|
|
expected = request.session.get("csrf_token")
|
|
if not expected or not submitted or not hmac.compare_digest(expected.encode(), submitted.encode()):
|
|
raise CsrfError("token CSRF invalid")
|