auth: Sprint 02 — auth hardening (Pydantic models, challenge binding, admin gates)
- Add max_length validation to LoginRequest (username 128, password 1024) - Replace raw request.json() with Pydantic models in RBAC override/update endpoints - Replace raw request.json() with Pydantic models in passkey register/login/delete - Bind passkey challenges to session-bound challenge_id (prevents cross-session replay) - Gate audit log and security log endpoints behind admin role - Fix fragile opc_db.json.dumps() → import json directly - Add COOKIE_SECURE=False startup warning (suppress with ALLOW_INSECURE_COOKIES) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -5,8 +5,9 @@ import time
|
||||
|
||||
import httpx
|
||||
import psutil
|
||||
from fastapi import APIRouter, HTTPException, Query, Request
|
||||
from fastapi import APIRouter, Depends, HTTPException, Query, Request
|
||||
|
||||
import auth_service as auth
|
||||
import config
|
||||
from config import OPENCLAW_GATEWAY_TOKEN, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, VOLUME_ROOT
|
||||
|
||||
@@ -79,7 +80,9 @@ def system_stats():
|
||||
|
||||
|
||||
@router.get("/audit-log")
|
||||
def audit_log(lines: int = Query(100, le=500)):
|
||||
def audit_log(lines: int = Query(100, le=500), current_user=Depends(auth.get_current_user)):
|
||||
if current_user.role != "admin":
|
||||
raise HTTPException(status_code=403, detail="Admin only")
|
||||
log_path = os.path.join(VOLUME_ROOT, "docker/nas-dashboard/audit.log")
|
||||
if not os.path.exists(log_path):
|
||||
return {"entries": []}
|
||||
|
||||
Reference in New Issue
Block a user