pelmen/baton
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

kin: BATON-SEC-002-backend_dev

Browse source
This commit is contained in:
Gros Frumos 2026-03-21 07:36:33 +02:00
parent 9a450d2a84
commit 4ab2f04de6
2 changed files with 28 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
backend/main.py
View file

@ -15,7 +15,7 @@ from fastapi.middleware.cors import CORSMiddleware
from fastapi.responses import JSONResponse from fastapi.responses import JSONResponse
from backend import config, db, telegram from backend import config, db, telegram
from backend.middleware import rate_limit_register, verify_admin_token, verify_webhook_secret from backend.middleware import rate_limit_register, rate_limit_signal, verify_admin_token, verify_webhook_secret
from backend.models import ( from backend.models import (
AdminBlockRequest, AdminBlockRequest,
AdminCreateUserRequest, AdminCreateUserRequest,
@ -123,7 +123,7 @@ async def register(body: RegisterRequest, _: None = Depends(rate_limit_register)
@app.post("/api/signal", response_model=SignalResponse) @app.post("/api/signal", response_model=SignalResponse)
async def signal(body: SignalRequest) -> SignalResponse: async def signal(body: SignalRequest, _: None = Depends(rate_limit_signal)) -> SignalResponse:
if await db.is_user_blocked(body.user_id): if await db.is_user_blocked(body.user_id):
raise HTTPException(status_code=403, detail="User is blocked") raise HTTPException(status_code=403, detail="User is blocked")

27
backend/middleware.py
View file

@ -14,6 +14,17 @@ _bearer = HTTPBearer(auto_error=False)
_RATE_LIMIT = 5 _RATE_LIMIT = 5
_RATE_WINDOW = 600 # 10 minutes _RATE_WINDOW = 600 # 10 minutes
_SIGNAL_RATE_LIMIT = 10
_SIGNAL_RATE_WINDOW = 60 # 1 minute
def _get_client_ip(request: Request) -> str:
return (
request.headers.get("X-Real-IP")
or request.headers.get("X-Forwarded-For", "").split(",")[0].strip()
or (request.client.host if request.client else "unknown")
)
async def verify_webhook_secret( async def verify_webhook_secret(
x_telegram_bot_api_secret_token: str = Header(default=""), x_telegram_bot_api_secret_token: str = Header(default=""),
@ -35,7 +46,7 @@ async def verify_admin_token(
async def rate_limit_register(request: Request) -> None: async def rate_limit_register(request: Request) -> None:
counters = request.app.state.rate_counters counters = request.app.state.rate_counters
client_ip = request.client.host if request.client else "unknown" client_ip = _get_client_ip(request)
now = time.time() now = time.time()
count, window_start = counters.get(client_ip, (0, now)) count, window_start = counters.get(client_ip, (0, now))
if now - window_start >= _RATE_WINDOW: if now - window_start >= _RATE_WINDOW:
@ -45,3 +56,17 @@ async def rate_limit_register(request: Request) -> None:
counters[client_ip] = (count, window_start) counters[client_ip] = (count, window_start)
if count > _RATE_LIMIT: if count > _RATE_LIMIT:
raise HTTPException(status_code=429, detail="Too Many Requests") raise HTTPException(status_code=429, detail="Too Many Requests")
async def rate_limit_signal(request: Request) -> None:
counters = request.app.state.rate_counters
key = f"sig:{_get_client_ip(request)}"
now = time.time()
count, window_start = counters.get(key, (0, now))
if now - window_start >= _SIGNAL_RATE_WINDOW:
count = 0
window_start = now
count += 1
counters[key] = (count, window_start)
if count > _SIGNAL_RATE_LIMIT:
raise HTTPException(status_code=429, detail="Too Many Requests")