Implement security hardening, notification pipeline, and CI test suite

Security hardening: - Added IP/user rate limiting with Redis-backed counters and fail-open behavior. - Added message anti-spam controls (per-chat rate + duplicate cooldown). - Implemented refresh token rotation with JTI tracking and revoke support. Notification pipeline: - Added Celery app and async notification tasks for mention/offline delivery. - Added Redis-based presence tracking and integrated it into realtime connect/disconnect. - Added notification dispatch from message flow and notifications listing endpoint. Quality gates and CI: - Added pytest async integration tests for auth and chat/message lifecycle. - Added pytest config, test fixtures, and GitHub Actions CI workflow. - Fixed bcrypt/passlib compatibility by pinning bcrypt version. - Documented worker and quality-gate commands in README.
2026-03-07 21:46:30 +03:00
parent a879ba7b50
commit 85631b566a
29 changed files with 723 additions and 11 deletions
--- a/app/auth/router.py
+++ b/app/auth/router.py
@@ -1,10 +1,11 @@
-from fastapi import APIRouter, Depends, status
+from fastapi import APIRouter, Depends, Request, status
 from sqlalchemy.ext.asyncio import AsyncSession

 from app.auth.schemas import (
    AuthUserResponse,
    LoginRequest,
    MessageResponse,
+    RefreshTokenRequest,
    RegisterRequest,
    RequestPasswordResetRequest,
    ResendVerificationRequest,
@@ -16,6 +17,7 @@ from app.auth.service import (
    get_current_user,
    get_email_sender,
    login_user,
+    refresh_tokens,
    register_user,
    request_password_reset,
    resend_verification_email,
@@ -24,6 +26,8 @@ from app.auth.service import (
 )
 from app.database.session import get_db
 from app.email.service import EmailService
+from app.config.settings import settings
+from app.utils.rate_limit import enforce_ip_rate_limit
 from app.users.models import User

 router = APIRouter(prefix="/auth", tags=["auth"])
@@ -32,18 +36,43 @@ router = APIRouter(prefix="/auth", tags=["auth"])
@router.post("/register", response_model=MessageResponse, status_code=status.HTTP_201_CREATED)
 async def register(
    payload: RegisterRequest,
+    request: Request,
    db: AsyncSession = Depends(get_db),
    email_service: EmailService = Depends(get_email_sender),
 ) -> MessageResponse:
+    await enforce_ip_rate_limit(
+        request,
+        scope="auth_register",
+        limit=settings.register_rate_limit_per_minute,
+    )
    await register_user(db, payload, email_service)
    return MessageResponse(message="Registration successful. Verification email sent.")


@router.post("/login", response_model=TokenResponse)
-async def login(payload: LoginRequest, db: AsyncSession = Depends(get_db)) -> TokenResponse:
+async def login(payload: LoginRequest, request: Request, db: AsyncSession = Depends(get_db)) -> TokenResponse:
+    await enforce_ip_rate_limit(
+        request,
+        scope="auth_login",
+        limit=settings.login_rate_limit_per_minute,
+    )
    return await login_user(db, payload)


+@router.post("/refresh", response_model=TokenResponse)
+async def refresh(
+    payload: RefreshTokenRequest,
+    request: Request,
+    db: AsyncSession = Depends(get_db),
+) -> TokenResponse:
+    await enforce_ip_rate_limit(
+        request,
+        scope="auth_refresh",
+        limit=settings.refresh_rate_limit_per_minute,
+    )
+    return await refresh_tokens(db, payload)
+
+
@router.post("/verify-email", response_model=MessageResponse)
 async def verify_email_endpoint(payload: VerifyEmailRequest, db: AsyncSession = Depends(get_db)) -> MessageResponse:
    await verify_email(db, payload)
@@ -53,9 +82,15 @@ async def verify_email_endpoint(payload: VerifyEmailRequest, db: AsyncSession =
@router.post("/resend-verification", response_model=MessageResponse)
 async def resend_verification(
    payload: ResendVerificationRequest,
+    request: Request,
    db: AsyncSession = Depends(get_db),
    email_service: EmailService = Depends(get_email_sender),
 ) -> MessageResponse:
+    await enforce_ip_rate_limit(
+        request,
+        scope="auth_resend_verification",
+        limit=settings.reset_rate_limit_per_minute,
+    )
    await resend_verification_email(db, payload, email_service)
    return MessageResponse(message="If the account exists, a verification email was sent.")

@@ -63,9 +98,15 @@ async def resend_verification(
@router.post("/request-password-reset", response_model=MessageResponse)
 async def request_password_reset_endpoint(
    payload: RequestPasswordResetRequest,
+    request: Request,
    db: AsyncSession = Depends(get_db),
    email_service: EmailService = Depends(get_email_sender),
 ) -> MessageResponse:
+    await enforce_ip_rate_limit(
+        request,
+        scope="auth_request_reset",
+        limit=settings.reset_rate_limit_per_minute,
+    )
    await request_password_reset(db, payload, email_service)
    return MessageResponse(message="If the account exists, a reset email was sent.")

--- a/app/auth/schemas.py
+++ b/app/auth/schemas.py
@@ -14,6 +14,10 @@ class LoginRequest(BaseModel):
    password: str = Field(min_length=8, max_length=128)


+class RefreshTokenRequest(BaseModel):
+    refresh_token: str = Field(min_length=16)
+
+
 class VerifyEmailRequest(BaseModel):
    token: str = Field(min_length=16, max_length=512)

--- a/app/auth/service.py
+++ b/app/auth/service.py
@@ -1,12 +1,15 @@
 from datetime import datetime, timedelta, timezone
+from uuid import uuid4

 from fastapi import Depends, HTTPException, status
 from fastapi.security import OAuth2PasswordBearer
 from sqlalchemy.ext.asyncio import AsyncSession

 from app.auth import repository as auth_repository
+from app.auth.token_store import get_refresh_token_user_id, revoke_refresh_token_jti, store_refresh_token_jti
 from app.auth.schemas import (
    LoginRequest,
+    RefreshTokenRequest,
    RegisterRequest,
    RequestPasswordResetRequest,
    ResendVerificationRequest,
@@ -31,6 +34,10 @@ from app.utils.security import (
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl=f"{settings.api_v1_prefix}/auth/login")


+def _refresh_ttl_seconds() -> int:
+    return settings.refresh_token_expire_days * 24 * 60 * 60
+
+
 async def register_user(
    db: AsyncSession,
    payload: RegisterRequest,
@@ -105,9 +112,46 @@ async def login_user(db: AsyncSession, payload: LoginRequest) -> TokenResponse:
    if not user.email_verified:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Email not verified")

+    refresh_jti = str(uuid4())
+    refresh_token = create_refresh_token(str(user.id), jti=refresh_jti)
+    await store_refresh_token_jti(user_id=user.id, jti=refresh_jti, ttl_seconds=_refresh_ttl_seconds())
    return TokenResponse(
        access_token=create_access_token(str(user.id)),
-        refresh_token=create_refresh_token(str(user.id)),
+        refresh_token=refresh_token,
+    )
+
+
+async def refresh_tokens(db: AsyncSession, payload: RefreshTokenRequest) -> TokenResponse:
+    credentials_error = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Invalid refresh token",
+    )
+    try:
+        token_payload = decode_token(payload.refresh_token)
+    except ValueError as exc:
+        raise credentials_error from exc
+
+    if token_payload.get("type") != "refresh":
+        raise credentials_error
+
+    user_id = token_payload.get("sub")
+    refresh_jti = token_payload.get("jti")
+    if not user_id or not str(user_id).isdigit() or not refresh_jti:
+        raise credentials_error
+
+    active_user_id = await get_refresh_token_user_id(jti=refresh_jti)
+    if active_user_id is None or active_user_id != int(user_id):
+        raise credentials_error
+    user = await get_user_by_id(db, int(user_id))
+    if not user:
+        raise credentials_error
+
+    await revoke_refresh_token_jti(jti=refresh_jti)
+    new_jti = str(uuid4())
+    await store_refresh_token_jti(user_id=int(user_id), jti=new_jti, ttl_seconds=_refresh_ttl_seconds())
+    return TokenResponse(
+        access_token=create_access_token(str(user_id)),
+        refresh_token=create_refresh_token(str(user_id), jti=new_jti),
    )


--- a/app/auth/token_store.py
+++ b/app/auth/token_store.py
@@ -0,0 +1,46 @@
+import time
+
+from redis.exceptions import RedisError
+
+from app.utils.redis_client import get_redis_client
+
+_fallback_tokens: dict[str, tuple[int, float]] = {}
+
+
+def _cleanup_fallback() -> None:
+    now = time.time()
+    expired = [jti for jti, (_, exp_at) in _fallback_tokens.items() if exp_at <= now]
+    for jti in expired:
+        _fallback_tokens.pop(jti, None)
+
+
+async def store_refresh_token_jti(*, user_id: int, jti: str, ttl_seconds: int) -> None:
+    try:
+        redis = get_redis_client()
+        await redis.set(f"auth:refresh:{jti}", str(user_id), ex=ttl_seconds)
+    except RedisError:
+        _cleanup_fallback()
+        _fallback_tokens[jti] = (user_id, time.time() + ttl_seconds)
+
+
+async def get_refresh_token_user_id(*, jti: str) -> int | None:
+    try:
+        redis = get_redis_client()
+        value = await redis.get(f"auth:refresh:{jti}")
+        if not value or not str(value).isdigit():
+            return None
+        return int(value)
+    except RedisError:
+        _cleanup_fallback()
+        data = _fallback_tokens.get(jti)
+        if not data:
+            return None
+        return data[0]
+
+
+async def revoke_refresh_token_jti(*, jti: str) -> None:
+    try:
+        redis = get_redis_client()
+        await redis.delete(f"auth:refresh:{jti}")
+    except RedisError:
+        _fallback_tokens.pop(jti, None)