security: M-2 HttpOnly-Cookie + M-4 TrustedHost-Warning + M-5 TOTP-Lockout + M-7 zentraler get_client_ip()
M-2: Refresh-Token als HttpOnly SameSite=Strict Cookie - auth.py: _set_refresh_cookie/_delete_refresh_cookie Helpers - Alle Auth-Endpoints (login, totp/login, refresh, logout) nutzen Cookie - schemas/auth.py: refresh_token in Request/Response optional - AuthContext.tsx: kein refresh_token in localStorage - api/client.ts: credentials:include, kein Token-Body beim Refresh M-4: TrustedHostMiddleware Warning in Production - main.py: Startup-Warning wenn is_production + kein ALLOWED_HOSTS M-5: TOTP-Fehlversuche Redis-Lockout - auth.py: _check/_record/_clear_totp_lockout; 5 Versuche → 15 min Sperre M-7: Zentraler get_client_ip()-Helper - core/dependencies.py: get_client_ip() mit X-Real-IP → X-Forwarded-For → client.host - hours_payouts.py, absences.py, busylight.py: request.client.host ersetzt Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+104
-12
@@ -1,4 +1,4 @@
|
||||
from fastapi import APIRouter, Depends, HTTPException, Request
|
||||
from fastapi import APIRouter, Depends, HTTPException, Request, Response
|
||||
from pydantic import BaseModel, Field
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
|
||||
@@ -31,6 +31,29 @@ class ChangePasswordRequest(BaseModel):
|
||||
|
||||
router = APIRouter(prefix="/auth", tags=["Auth"])
|
||||
|
||||
_COOKIE_NAME = "refresh_token"
|
||||
_COOKIE_PATH = "/"
|
||||
_COOKIE_MAX_AGE = 30 * 24 * 60 * 60 # 30 Tage
|
||||
|
||||
|
||||
def _set_refresh_cookie(response: Response, token: str) -> None:
|
||||
"""Setzt den Refresh-Token als HttpOnly+SameSite=Strict Cookie."""
|
||||
from app.core.config import settings
|
||||
response.set_cookie(
|
||||
key=_COOKIE_NAME,
|
||||
value=token,
|
||||
httponly=True,
|
||||
secure=settings.is_production,
|
||||
samesite="strict",
|
||||
max_age=_COOKIE_MAX_AGE,
|
||||
path=_COOKIE_PATH,
|
||||
)
|
||||
|
||||
|
||||
def _delete_refresh_cookie(response: Response) -> None:
|
||||
"""Löscht den Refresh-Token-Cookie."""
|
||||
response.delete_cookie(key=_COOKIE_NAME, path=_COOKIE_PATH)
|
||||
|
||||
|
||||
@router.post("/register", response_model=TokenResponse, status_code=201)
|
||||
@limiter.limit("3/hour")
|
||||
@@ -41,20 +64,40 @@ async def register(request: Request, data: RegisterRequest, db: AsyncSession = D
|
||||
|
||||
@router.post("/login", response_model=TokenResponse)
|
||||
@limiter.limit("10/minute")
|
||||
async def login(request: Request, data: LoginRequest, db: AsyncSession = Depends(get_db)):
|
||||
return await auth_service.login(data, db, request)
|
||||
async def login(request: Request, response: Response, data: LoginRequest, db: AsyncSession = Depends(get_db)):
|
||||
result = await auth_service.login(data, db, request)
|
||||
if result.refresh_token:
|
||||
_set_refresh_cookie(response, result.refresh_token)
|
||||
result.refresh_token = None # Nicht im JSON-Body zurückgeben
|
||||
return result
|
||||
|
||||
|
||||
@router.post("/refresh", response_model=TokenResponse)
|
||||
@limiter.limit("30/minute")
|
||||
async def refresh(request: Request, data: RefreshRequest, db: AsyncSession = Depends(get_db)):
|
||||
return await auth_service.refresh(data.refresh_token, db)
|
||||
async def refresh(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)):
|
||||
# Cookie bevorzugen, Body als Fallback (Rückwärtskompatibilität für API-Clients)
|
||||
token = request.cookies.get(_COOKIE_NAME)
|
||||
if not token and data:
|
||||
token = data.refresh_token
|
||||
if not token:
|
||||
raise HTTPException(status_code=401, detail="Kein Refresh-Token")
|
||||
result = await auth_service.refresh(token, db)
|
||||
if result.refresh_token:
|
||||
_set_refresh_cookie(response, result.refresh_token)
|
||||
result.refresh_token = None # Nicht im JSON-Body zurückgeben
|
||||
return result
|
||||
|
||||
|
||||
@router.post("/logout", response_model=MessageResponse)
|
||||
@limiter.limit("60/minute")
|
||||
async def logout(request: Request, data: RefreshRequest, db: AsyncSession = Depends(get_db)):
|
||||
await auth_service.logout(data.refresh_token, db)
|
||||
async def logout(request: Request, response: Response, data: RefreshRequest | None = None, db: AsyncSession = Depends(get_db)):
|
||||
# Cookie bevorzugen, Body als Fallback
|
||||
token = request.cookies.get(_COOKIE_NAME)
|
||||
if not token and data:
|
||||
token = data.refresh_token
|
||||
if token:
|
||||
await auth_service.logout(token, db)
|
||||
_delete_refresh_cookie(response)
|
||||
return MessageResponse(message="Logged out successfully")
|
||||
|
||||
|
||||
@@ -221,16 +264,49 @@ async def totp_disable(
|
||||
return MessageResponse(message="Zwei-Faktor-Authentifizierung deaktiviert")
|
||||
|
||||
|
||||
TOTP_MAX_ATTEMPTS = 5
|
||||
TOTP_LOCKOUT_SECONDS = 900 # 15 Minuten
|
||||
|
||||
|
||||
async def _check_totp_lockout(user_id: str, redis) -> None:
|
||||
"""Wirft HTTP 429 wenn TOTP-Login wegen zu vieler Fehlversuche gesperrt ist."""
|
||||
key = f"totp_lockout:{user_id}"
|
||||
if await redis.exists(key):
|
||||
ttl = await redis.ttl(key)
|
||||
wait_min = ttl // 60 + 1
|
||||
raise HTTPException(429, detail=f"TOTP gesperrt. Bitte {wait_min} Minute(n) warten.")
|
||||
|
||||
|
||||
async def _record_totp_failure(user_id: str, redis) -> None:
|
||||
"""Zählt TOTP-Fehlversuch und setzt Lockout nach TOTP_MAX_ATTEMPTS Fehlversuchen."""
|
||||
fail_key = f"totp_fails:{user_id}"
|
||||
lock_key = f"totp_lockout:{user_id}"
|
||||
fails = await redis.incr(fail_key)
|
||||
await redis.expire(fail_key, TOTP_LOCKOUT_SECONDS)
|
||||
if fails >= TOTP_MAX_ATTEMPTS:
|
||||
await redis.set(lock_key, "1", ex=TOTP_LOCKOUT_SECONDS)
|
||||
await redis.delete(fail_key)
|
||||
|
||||
|
||||
async def _clear_totp_failures(user_id: str, redis) -> None:
|
||||
"""Löscht TOTP-Fehlversuche nach erfolgreichem Login."""
|
||||
await redis.delete(f"totp_fails:{user_id}")
|
||||
await redis.delete(f"totp_lockout:{user_id}")
|
||||
|
||||
|
||||
@router.post("/totp/login", response_model=TokenResponse)
|
||||
@limiter.limit("10/minute")
|
||||
async def totp_login(
|
||||
request: Request,
|
||||
response: Response,
|
||||
data: TotpLoginRequest,
|
||||
db: AsyncSession = Depends(get_db),
|
||||
):
|
||||
"""Zweiter Login-Schritt: partial_token + TOTP-Code → volle Tokens."""
|
||||
import pyotp
|
||||
import redis.asyncio as aioredis
|
||||
from uuid import UUID
|
||||
from app.core.config import settings
|
||||
from app.core.security import decode_partial_token
|
||||
from app.models.user import User
|
||||
from jose import JWTError
|
||||
@@ -246,11 +322,27 @@ async def totp_login(
|
||||
if not user.totp_enabled or not user.totp_secret:
|
||||
raise HTTPException(400, "2FA nicht aktiv")
|
||||
|
||||
plain_secret = _totp_plain(user)
|
||||
totp = pyotp.TOTP(plain_secret or "")
|
||||
if not totp.verify(data.code, valid_window=1):
|
||||
raise HTTPException(400, "Ungültiger Code")
|
||||
redis_client = aioredis.from_url(settings.redis_url, decode_responses=True)
|
||||
try:
|
||||
# M-5: Lockout-Check vor TOTP-Verifikation
|
||||
await _check_totp_lockout(user_id, redis_client)
|
||||
|
||||
plain_secret = _totp_plain(user)
|
||||
totp = pyotp.TOTP(plain_secret or "")
|
||||
if not totp.verify(data.code, valid_window=1):
|
||||
# M-5: Fehlversuch zählen
|
||||
await _record_totp_failure(user_id, redis_client)
|
||||
raise HTTPException(400, "Ungültiger Code")
|
||||
|
||||
# M-5: Erfolg → Fehlversuche zurücksetzen
|
||||
await _clear_totp_failures(user_id, redis_client)
|
||||
finally:
|
||||
await redis_client.aclose()
|
||||
|
||||
from datetime import datetime, timezone
|
||||
user.last_login = datetime.now(timezone.utc)
|
||||
return await auth_service._create_session(user, db, request=request)
|
||||
result = await auth_service._create_session(user, db, request=request)
|
||||
if result.refresh_token:
|
||||
_set_refresh_cookie(response, result.refresh_token)
|
||||
result.refresh_token = None # Nicht im JSON-Body zurückgeben
|
||||
return result
|
||||
|
||||
Reference in New Issue
Block a user