security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
Deploy Dashboard / deploy (push) Successful in 3m37s
Deploy Dashboard / deploy (push) Successful in 3m37s
Remove SSH private keys from git, add SECRET_KEY validation, move WS auth from query string to first message, add session limits/idle timeout, PBKDF2 Fernet key, refresh token rotation, TOTP replay protection, file upload size limit + filename sanitization, symlink safety check, restrict CORS methods, IP-gate OpenClaw token, run container as non-root, rate-limit refresh/passkey endpoints, sanitize Gitea path params. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,5 +1,6 @@
|
||||
from datetime import datetime, timedelta
|
||||
from datetime import datetime, timedelta, timezone
|
||||
from typing import Optional
|
||||
import time
|
||||
import jwt
|
||||
from passlib.context import CryptContext
|
||||
import pyotp
|
||||
@@ -19,14 +20,14 @@ def get_password_hash(password):
|
||||
|
||||
def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
|
||||
to_encode = data.copy()
|
||||
expire = datetime.utcnow() + (expires_delta or timedelta(minutes=15))
|
||||
expire = datetime.now(timezone.utc) + (expires_delta or timedelta(minutes=15))
|
||||
to_encode.update({"exp": expire, "type": "access"})
|
||||
return jwt.encode(to_encode, config.SECRET_KEY, algorithm=config.ALGORITHM)
|
||||
|
||||
def create_refresh_token(data: dict):
|
||||
to_encode = data.copy()
|
||||
expire = datetime.utcnow() + timedelta(minutes=config.REFRESH_TOKEN_EXPIRE_MINUTES)
|
||||
to_encode.update({"exp": expire, "type": "refresh"})
|
||||
expire = datetime.now(timezone.utc) + timedelta(minutes=config.REFRESH_TOKEN_EXPIRE_MINUTES)
|
||||
to_encode.update({"exp": expire, "type": "refresh", "tv": _load_token_version()})
|
||||
return jwt.encode(to_encode, config.SECRET_KEY, algorithm=config.ALGORITHM)
|
||||
|
||||
async def get_current_user(token: str = Depends(oauth2_scheme)):
|
||||
@@ -70,6 +71,13 @@ import hashlib
|
||||
from cryptography.fernet import Fernet
|
||||
|
||||
def _get_fernet():
|
||||
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
|
||||
from cryptography.hazmat.primitives import hashes
|
||||
kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=b"nas-dashboard-fernet", iterations=480000)
|
||||
key = base64.urlsafe_b64encode(kdf.derive(config.SECRET_KEY.encode()))
|
||||
return Fernet(key)
|
||||
|
||||
def _get_legacy_fernet():
|
||||
key = base64.urlsafe_b64encode(hashlib.sha256(config.SECRET_KEY.encode()).digest())
|
||||
return Fernet(key)
|
||||
|
||||
@@ -83,6 +91,11 @@ def _decrypt(ciphertext: str) -> str:
|
||||
return ""
|
||||
try:
|
||||
return _get_fernet().decrypt(ciphertext.encode()).decode()
|
||||
except Exception:
|
||||
pass
|
||||
# Fallback: try legacy SHA256-based key
|
||||
try:
|
||||
return _get_legacy_fernet().decrypt(ciphertext.encode()).decode()
|
||||
except Exception:
|
||||
return ciphertext # fallback for unencrypted legacy values
|
||||
|
||||
@@ -125,7 +138,16 @@ def verify_totp(token: str, secret: str = None):
|
||||
if not secret:
|
||||
return True # 2FA not enabled
|
||||
totp = pyotp.TOTP(secret)
|
||||
return totp.verify(token)
|
||||
if not totp.verify(token):
|
||||
return False
|
||||
# Replay protection: reject reuse within same 30s window
|
||||
current_ts = int(time.time()) // 30
|
||||
data = _load_auth_data()
|
||||
if data.get("last_totp_ts") == current_ts:
|
||||
return False
|
||||
data["last_totp_ts"] = current_ts
|
||||
_save_auth_data(data)
|
||||
return True
|
||||
|
||||
# Passkey credentials
|
||||
def load_passkey_credentials():
|
||||
@@ -142,3 +164,17 @@ def clear_passkey_credentials():
|
||||
data = _load_auth_data()
|
||||
data["passkey_credentials"] = []
|
||||
_save_auth_data(data)
|
||||
|
||||
# Token version for refresh token rotation
|
||||
def _load_token_version() -> int:
|
||||
return _load_auth_data().get("token_version", 0)
|
||||
|
||||
def increment_token_version() -> int:
|
||||
data = _load_auth_data()
|
||||
v = data.get("token_version", 0) + 1
|
||||
data["token_version"] = v
|
||||
_save_auth_data(data)
|
||||
return v
|
||||
|
||||
def verify_token_version(tv: int) -> bool:
|
||||
return tv == _load_token_version()
|
||||
|
||||
Reference in New Issue
Block a user