patrick
06bb1c1664
FZA Einzelstunden:
- Absence.fza_hours (Numeric 5,2) — FZA in Stunden statt Tagen
- Migration 0032: fza_hours Spalte in absences
- AbsenceCreate/AbsenceOut Schema um fza_hours erweitert
- absence_service: _deduct/_refund_overtime nutzt fza_hours direkt wenn gesetzt
- Frontend: Tage/Stunden-Toggle im FZA-Antrag-Modal
Security K-1: Privilege Escalation via PATCH /users/{id}.role
- user_service: Whitelist für Rollenänderungen, SUPER_ADMIN nur durch SUPER_ADMIN
- Letzter COMPANY_ADMIN gegen Selbst-Demotion gesichert
Security K-2: Kiosk-IP-Whitelist hinter nginx
- kiosk_security: _get_client_ip() liest X-Real-IP statt request.client.host
Security K-3: Kiosk-PIN Brute-Force-Schutz
- kiosk_auth_service: Redis-Lockout nach 5 Fehlversuchen (15 min)
Security K-4: TOTP-Setup-Hijacking
- auth router: /totp/setup abgelehnt wenn TOTP bereits aktiv
Security K-5: Separater Fernet-Key
- config: SECRET_KEY_DATA Feld (optional, Fallback auf SECRET_KEY)
- crypto: get_fernet_key() mit Warning bei fehlendem SECRET_KEY_DATA
Security H-2: Vacation Balance nur HR/Admin
- absences router: PATCH /balance nur noch HR/COMPANY_ADMIN/SUPER_ADMIN + AuditLog
Security H-3: Rate-Limits auf /auth/refresh + /auth/logout
- auth router: 30/min auf refresh, 60/min auf logout
Security H-4: Login-Failure-Logging + Lockout
- auth_service: Redis-Counter, Lockout nach 10 Versuchen (15 min)
- AuditLog für login_success und login_failed
Security M-1: Nginx Security-Header
- nginx.conf: X-Frame-Options, X-Content-Type-Options, CSP, Referrer-Policy, X-XSS-Protection, Permissions-Policy
Security M-3: AuditLog bei Rollenänderungen
- user_service: action=role_changed mit old/new role
Security M-6: create_all nur in Development
- main.py: Base.metadata.create_all nur wenn not settings.is_production
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
98 lines
4.0 KiB
Python
98 lines
4.0 KiB
Python
from contextlib import asynccontextmanager
|
||
|
||
from fastapi import FastAPI
|
||
from fastapi.middleware.cors import CORSMiddleware
|
||
from fastapi.middleware.trustedhost import TrustedHostMiddleware
|
||
from slowapi import _rate_limit_exceeded_handler
|
||
from slowapi.errors import RateLimitExceeded
|
||
|
||
from app.core.config import settings
|
||
from app.core.database import engine, Base
|
||
from app.core.limiter import limiter
|
||
from app.routers import auth, users, companies
|
||
from app.routers import time_entries, absences, reports, ldap, smtp, caldav
|
||
from app.routers import import_kimai
|
||
from app.routers import kiosk
|
||
from app.routers import busylight
|
||
from app.routers import audit
|
||
from app.routers import special_assignments
|
||
from app.routers import hours_payouts
|
||
|
||
|
||
@asynccontextmanager
|
||
async def lifespan(app: FastAPI):
|
||
# Startup: Tabellen anlegen nur in Development/Test.
|
||
# In Production verwaltet Alembic das Schema – create_all würde mit Migrationen kollidieren.
|
||
import logging
|
||
_log = logging.getLogger(__name__)
|
||
if not settings.is_production:
|
||
async with engine.begin() as conn:
|
||
await conn.run_sync(Base.metadata.create_all)
|
||
_log.info("Development-Modus: create_all ausgeführt.")
|
||
else:
|
||
_log.info("Production-Modus: create_all übersprungen — Alembic verwaltet das Schema.")
|
||
yield
|
||
# Shutdown
|
||
await engine.dispose()
|
||
|
||
|
||
app = FastAPI(
|
||
title=settings.app_name,
|
||
version="0.1.0",
|
||
docs_url="/docs" if not settings.is_production else None,
|
||
redoc_url="/redoc" if not settings.is_production else None,
|
||
lifespan=lifespan,
|
||
)
|
||
|
||
app.state.limiter = limiter
|
||
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
|
||
|
||
# ── Middleware ────────────────────────────────────────────────────────────────
|
||
|
||
app.add_middleware(
|
||
CORSMiddleware,
|
||
allow_origins=[settings.frontend_url],
|
||
allow_credentials=True,
|
||
allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
|
||
allow_headers=[
|
||
"Content-Type",
|
||
"Authorization",
|
||
"X-Kiosk-Key-Id",
|
||
"X-Kiosk-Timestamp",
|
||
"X-Kiosk-Nonce",
|
||
"X-Kiosk-Signature",
|
||
],
|
||
)
|
||
|
||
# TrustedHostMiddleware: aktiv sobald ALLOWED_HOSTS gesetzt (Development: leer = deaktiviert)
|
||
# Production: ALLOWED_HOSTS=timemaster.example.com in .env setzen
|
||
if settings.allowed_hosts:
|
||
app.add_middleware(TrustedHostMiddleware, allowed_hosts=settings.allowed_hosts)
|
||
|
||
# ── Routers ───────────────────────────────────────────────────────────────────
|
||
|
||
API_PREFIX = "/api/v1"
|
||
|
||
app.include_router(auth.router, prefix=API_PREFIX)
|
||
app.include_router(users.router, prefix=API_PREFIX)
|
||
app.include_router(companies.router, prefix=API_PREFIX)
|
||
app.include_router(time_entries.router, prefix=API_PREFIX)
|
||
app.include_router(absences.router, prefix=API_PREFIX)
|
||
app.include_router(reports.router, prefix=API_PREFIX)
|
||
app.include_router(ldap.router, prefix=API_PREFIX)
|
||
app.include_router(smtp.router, prefix=API_PREFIX)
|
||
app.include_router(caldav.router, prefix=API_PREFIX)
|
||
app.include_router(import_kimai.router, prefix=API_PREFIX)
|
||
app.include_router(kiosk.router, prefix=API_PREFIX)
|
||
app.include_router(busylight.router, prefix=API_PREFIX)
|
||
app.include_router(audit.router, prefix=API_PREFIX)
|
||
app.include_router(special_assignments.router, prefix=API_PREFIX)
|
||
app.include_router(hours_payouts.router, prefix=API_PREFIX)
|
||
|
||
|
||
# ── Health ────────────────────────────────────────────────────────────────────
|
||
|
||
@app.get("/health", tags=["System"])
|
||
async def health():
|
||
return {"status": "ok", "app": settings.app_name, "env": settings.app_env}
|