roa2web-service-auto/reports-app/backend/.env.example
Marius Mutu 706062dc0f Implement email-based 2FA authentication for Telegram bot with Oracle integration fixes
This commit adds a complete email authentication flow for the Telegram bot, allowing users to log in with email + password instead of web app linking codes. Includes critical bug fixes for Oracle integration.

**New Features:**
- Email-based 2FA authentication with 6-digit codes sent via SMTP
- Backend endpoints: verify-email and login-with-email
- ConversationHandler for email authentication flow in Telegram bot
- Session token verification to prevent user ID spoofing
- Rate limiting (5 attempts per 5 minutes)
- Email code expiry (5 minutes) with automatic cleanup

**Bug Fixes:**
- Fixed Oracle column name: ACTIV → INACTIV (with inverted logic)
- Fixed Oracle password verification: verificautilizator returns checksum, not user_id
- Fixed username case sensitivity: Oracle usernames must be uppercase
- Fixed SMTP connection: use start_tls parameter instead of manual STARTTLS
- Added middleware exclusions for public email auth endpoints

**Backend Changes:**
- Added verify-email endpoint (public) in telegram.py
- Added login-with-email endpoint (public) with rate limiting and session verification
- Updated middleware exclusions in main.py and auth_middleware_wrapper.py
- Added AUTH_SESSION_SECRET configuration for session token signing

**Telegram Bot Changes:**
- New modules: app/auth/email_auth.py, app/bot/email_handlers.py
- New utilities: app/utils/email_service.py (SMTP email sending)
- Updated handlers.py: ignore callbacks handled by ConversationHandler
- Updated menus.py: show Login button for unauthenticated users
- Updated API client: verify_email() and login_with_email() methods
- Database: email_auth_codes table with cleanup task

**Configuration:**
- Added SMTP configuration to telegram-bot .env.example
- Added AUTH_SESSION_SECRET to backend .env.example
- Updated .gitignore: exclude temporary files (*.pid, *.checksum, test scripts)

**Dependencies:**
- Added aiosmtplib for async SMTP email sending

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-11 12:00:46 +02:00


# Oracle Database Configuration (via SSH tunnel)
# IMPORTANT: Connect to the CONTAFIN_ORACLE schema for authentication
# The CONTAFIN_ORACLE schema contains the users and pack_drepturi.verificautilizator
# Each company is a separate schema in Oracle
ORACLE_USER=CONTAFIN_ORACLE
ORACLE_PASSWORD=SET_IN_PRODUCTION_ENV
ORACLE_HOST=localhost
ORACLE_PORT=1526
ORACLE_SID=ROA

# Authentication Flow Information:
# 1. Connect to the CONTAFIN_ORACLE schema
# 2. Verify user/pass via pack_drepturi.verificautilizator(username, password)
# 3. Read rights/companies from vdef_util_grup WHERE id_util = user_id
# 4. The user selects the company/schema whose data to access

# Test User Credentials (for development):
# 🔐 SECURITY: Do not put real credentials in this file!
# Username: "SET_IN_PRODUCTION"
# Password: "SET_IN_PRODUCTION"
# Has access to 66+ Oracle companies/schemas

# SSH Tunnel Setup Required:
# Run: ./ssh_tunnel.sh start
# Check: ./ssh_tunnel.sh status

# JWT Configuration
# 🔐 SECURITY: Generate a strong secret key in production!
JWT_SECRET_KEY=GENERATE_STRONG_SECRET_IN_PRODUCTION
ACCESS_TOKEN_EXPIRE_MINUTES=30
REFRESH_TOKEN_EXPIRE_DAYS=7

# Session Security (Email Authentication)
# Must match telegram-bot AUTH_SESSION_SECRET for email login flow
# Generate with: python3 -c "import secrets; print(secrets.token_urlsafe(32))"
AUTH_SESSION_SECRET=your-secure-random-secret-here-min-32-chars

# Application Configuration
API_HOST=0.0.0.0
API_PORT=8000
DEBUG=True

# CORS Configuration
FRONTEND_URLS=http://localhost:3000,http://localhost:5173

# Telegram Bot Integration
# Internal API URL for telegram bot service (auth code management)
# Development (with SSH tunnel): http://localhost:8002
# Windows Production (local): http://localhost:8002
# Docker Production: http://telegram-bot:8002
TELEGRAM_BOT_INTERNAL_API=http://localhost:8002
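As an added illustration (not the project's code, which this page does not show), here is one way a secret shared between the backend and the bot, such as AUTH_SESSION_SECRET above, can sign and verify a session token so that the Telegram user ID sent with a login-with-email request cannot be spoofed or replayed after expiry. The payload fields, the 5-minute TTL, and the function names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholder value copied from the .env.example above; a real deployment loads it from the environment.
AUTH_SESSION_SECRET = "your-secure-random-secret-here-min-32-chars"
SESSION_TTL_SECONDS = 300  # assumption: token lives as long as the 5-minute email code


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(telegram_user_id: int, email: str, secret: str, now: Optional[float] = None) -> str:
    """Bot side (hypothetical): bind the Telegram user ID and verified email to an HMAC-SHA256 signature."""
    now = time.time() if now is None else now
    claims = {"uid": telegram_user_id, "email": email, "exp": int(now) + SESSION_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret.encode(), payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(sig)}"


def verify_session_token(token: str, claimed_user_id: int, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Backend side (hypothetical): accept the request only if the signature, expiry and user ID all check out."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(secret.encode(), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or signed with a different secret
    if claims.get("exp", 0) < now:
        return None  # expired
    if claims.get("uid") != claimed_user_id:
        return None  # user ID in the request does not match the ID the bot signed
    return claims
```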