Implement security hardening, notification pipeline, and CI test suite

Security hardening: - Added IP/user rate limiting with Redis-backed counters and fail-open behavior. - Added message anti-spam controls (per-chat rate + duplicate cooldown). - Implemented refresh token rotation with JTI tracking and revoke support. Notification pipeline: - Added Celery app and async notification tasks for mention/offline delivery. - Added Redis-based presence tracking and integrated it into realtime connect/disconnect. - Added notification dispatch from message flow and notifications listing endpoint. Quality gates and CI: - Added pytest async integration tests for auth and chat/message lifecycle. - Added pytest config, test fixtures, and GitHub Actions CI workflow. - Fixed bcrypt/passlib compatibility by pinning bcrypt version. - Documented worker and quality-gate commands in README.
2026-03-07 21:46:30 +03:00
parent a879ba7b50
commit 85631b566a
29 changed files with 723 additions and 11 deletions
--- a/app/utils/rate_limit.py
+++ b/app/utils/rate_limit.py
@@ -0,0 +1,54 @@
+from fastapi import HTTPException, Request, status
+from redis.exceptions import RedisError
+
+from app.utils.redis_client import get_redis_client
+
+
+def _safe_ip(request: Request) -> str:
+    if not request.client or not request.client.host:
+        return "unknown"
+    return request.client.host
+
+
+async def enforce_ip_rate_limit(
+    request: Request,
+    *,
+    scope: str,
+    limit: int,
+    window_seconds: int = 60,
+) -> None:
+    if limit <= 0:
+        return
+    key = f"rl:{scope}:ip:{_safe_ip(request)}"
+    await _enforce(key=key, limit=limit, window_seconds=window_seconds)
+
+
+async def enforce_user_rate_limit(
+    user_id: int,
+    *,
+    scope: str,
+    limit: int,
+    window_seconds: int = 60,
+) -> None:
+    if limit <= 0:
+        return
+    key = f"rl:{scope}:user:{user_id}"
+    await _enforce(key=key, limit=limit, window_seconds=window_seconds)
+
+
+async def _enforce(*, key: str, limit: int, window_seconds: int) -> None:
+    try:
+        redis = get_redis_client()
+        current = await redis.incr(key)
+        if current == 1:
+            await redis.expire(key, window_seconds)
+        if current > limit:
+            ttl = await redis.ttl(key)
+            retry_after = max(1, ttl if ttl and ttl > 0 else window_seconds)
+            raise HTTPException(
+                status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+                detail=f"Rate limit exceeded. Retry in {retry_after} seconds.",
+            )
+    except RedisError:
+        # Fail-open in case of Redis outage to keep core API available.
+        return
--- a/app/utils/redis_client.py
+++ b/app/utils/redis_client.py
@@ -0,0 +1,19 @@
+from redis.asyncio import Redis
+
+from app.config.settings import settings
+
+_redis_client: Redis | None = None
+
+
+def get_redis_client() -> Redis:
+    global _redis_client
+    if _redis_client is None:
+        _redis_client = Redis.from_url(settings.redis_url, decode_responses=True)
+    return _redis_client
+
+
+async def close_redis_client() -> None:
+    global _redis_client
+    if _redis_client is not None:
+        await _redis_client.aclose()
+        _redis_client = None
--- a/app/utils/security.py
+++ b/app/utils/security.py
@@ -1,5 +1,6 @@
 from datetime import datetime, timedelta, timezone
 from secrets import token_urlsafe
+from uuid import uuid4

 from jose import JWTError, jwt
 from passlib.context import CryptContext
@@ -18,9 +19,11 @@ def verify_password(password: str, hashed_password: str) -> bool:
    return pwd_context.verify(password, hashed_password)


-def _create_token(subject: str, token_type: str, expires_delta: timedelta) -> str:
+def _create_token(subject: str, token_type: str, expires_delta: timedelta, jti: str | None = None) -> str:
+    now = datetime.now(timezone.utc)
    expire = datetime.now(timezone.utc) + expires_delta
-    payload = {"sub": subject, "type": token_type, "exp": expire}
+    payload = {"sub": subject, "type": token_type, "exp": expire, "iat": now}
+    payload["jti"] = jti or str(uuid4())
    return jwt.encode(payload, settings.secret_key, algorithm=settings.jwt_algorithm)


@@ -32,11 +35,12 @@ def create_access_token(subject: str) -> str:
    )


-def create_refresh_token(subject: str) -> str:
+def create_refresh_token(subject: str, *, jti: str | None = None) -> str:
    return _create_token(
        subject=subject,
        token_type="refresh",
        expires_delta=timedelta(days=settings.refresh_token_expire_days),
+        jti=jti,
    )