Implement security hardening, notification pipeline, and CI test suite
All checks were successful
CI / test (push) Successful in 9m2s
All checks were successful
CI / test (push) Successful in 9m2s
Security hardening: - Added IP/user rate limiting with Redis-backed counters and fail-open behavior. - Added message anti-spam controls (per-chat rate + duplicate cooldown). - Implemented refresh token rotation with JTI tracking and revoke support. Notification pipeline: - Added Celery app and async notification tasks for mention/offline delivery. - Added Redis-based presence tracking and integrated it into realtime connect/disconnect. - Added notification dispatch from message flow and notifications listing endpoint. Quality gates and CI: - Added pytest async integration tests for auth and chat/message lifecycle. - Added pytest config, test fixtures, and GitHub Actions CI workflow. - Fixed bcrypt/passlib compatibility by pinning bcrypt version. - Documented worker and quality-gate commands in README.
This commit is contained in:
@@ -1,10 +1,11 @@
|
||||
from fastapi import APIRouter, Depends, status
|
||||
from fastapi import APIRouter, Depends, Request, status
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
|
||||
from app.auth.schemas import (
|
||||
AuthUserResponse,
|
||||
LoginRequest,
|
||||
MessageResponse,
|
||||
RefreshTokenRequest,
|
||||
RegisterRequest,
|
||||
RequestPasswordResetRequest,
|
||||
ResendVerificationRequest,
|
||||
@@ -16,6 +17,7 @@ from app.auth.service import (
|
||||
get_current_user,
|
||||
get_email_sender,
|
||||
login_user,
|
||||
refresh_tokens,
|
||||
register_user,
|
||||
request_password_reset,
|
||||
resend_verification_email,
|
||||
@@ -24,6 +26,8 @@ from app.auth.service import (
|
||||
)
|
||||
from app.database.session import get_db
|
||||
from app.email.service import EmailService
|
||||
from app.config.settings import settings
|
||||
from app.utils.rate_limit import enforce_ip_rate_limit
|
||||
from app.users.models import User
|
||||
|
||||
router = APIRouter(prefix="/auth", tags=["auth"])
|
||||
@@ -32,18 +36,43 @@ router = APIRouter(prefix="/auth", tags=["auth"])
|
||||
@router.post("/register", response_model=MessageResponse, status_code=status.HTTP_201_CREATED)
|
||||
async def register(
|
||||
payload: RegisterRequest,
|
||||
request: Request,
|
||||
db: AsyncSession = Depends(get_db),
|
||||
email_service: EmailService = Depends(get_email_sender),
|
||||
) -> MessageResponse:
|
||||
await enforce_ip_rate_limit(
|
||||
request,
|
||||
scope="auth_register",
|
||||
limit=settings.register_rate_limit_per_minute,
|
||||
)
|
||||
await register_user(db, payload, email_service)
|
||||
return MessageResponse(message="Registration successful. Verification email sent.")
|
||||
|
||||
|
||||
@router.post("/login", response_model=TokenResponse)
|
||||
async def login(payload: LoginRequest, db: AsyncSession = Depends(get_db)) -> TokenResponse:
|
||||
async def login(payload: LoginRequest, request: Request, db: AsyncSession = Depends(get_db)) -> TokenResponse:
|
||||
await enforce_ip_rate_limit(
|
||||
request,
|
||||
scope="auth_login",
|
||||
limit=settings.login_rate_limit_per_minute,
|
||||
)
|
||||
return await login_user(db, payload)
|
||||
|
||||
|
||||
@router.post("/refresh", response_model=TokenResponse)
|
||||
async def refresh(
|
||||
payload: RefreshTokenRequest,
|
||||
request: Request,
|
||||
db: AsyncSession = Depends(get_db),
|
||||
) -> TokenResponse:
|
||||
await enforce_ip_rate_limit(
|
||||
request,
|
||||
scope="auth_refresh",
|
||||
limit=settings.refresh_rate_limit_per_minute,
|
||||
)
|
||||
return await refresh_tokens(db, payload)
|
||||
|
||||
|
||||
@router.post("/verify-email", response_model=MessageResponse)
|
||||
async def verify_email_endpoint(payload: VerifyEmailRequest, db: AsyncSession = Depends(get_db)) -> MessageResponse:
|
||||
await verify_email(db, payload)
|
||||
@@ -53,9 +82,15 @@ async def verify_email_endpoint(payload: VerifyEmailRequest, db: AsyncSession =
|
||||
@router.post("/resend-verification", response_model=MessageResponse)
|
||||
async def resend_verification(
|
||||
payload: ResendVerificationRequest,
|
||||
request: Request,
|
||||
db: AsyncSession = Depends(get_db),
|
||||
email_service: EmailService = Depends(get_email_sender),
|
||||
) -> MessageResponse:
|
||||
await enforce_ip_rate_limit(
|
||||
request,
|
||||
scope="auth_resend_verification",
|
||||
limit=settings.reset_rate_limit_per_minute,
|
||||
)
|
||||
await resend_verification_email(db, payload, email_service)
|
||||
return MessageResponse(message="If the account exists, a verification email was sent.")
|
||||
|
||||
@@ -63,9 +98,15 @@ async def resend_verification(
|
||||
@router.post("/request-password-reset", response_model=MessageResponse)
|
||||
async def request_password_reset_endpoint(
|
||||
payload: RequestPasswordResetRequest,
|
||||
request: Request,
|
||||
db: AsyncSession = Depends(get_db),
|
||||
email_service: EmailService = Depends(get_email_sender),
|
||||
) -> MessageResponse:
|
||||
await enforce_ip_rate_limit(
|
||||
request,
|
||||
scope="auth_request_reset",
|
||||
limit=settings.reset_rate_limit_per_minute,
|
||||
)
|
||||
await request_password_reset(db, payload, email_service)
|
||||
return MessageResponse(message="If the account exists, a reset email was sent.")
|
||||
|
||||
|
||||
Reference in New Issue
Block a user