security: harden dashboard (SSH keys, auth, uploads, CORS, non-root)
Deploy Dashboard / deploy (push) Successful in 3m37s
Deploy Dashboard / deploy (push) Successful in 3m37s
Remove SSH private keys from git, add SECRET_KEY validation, move WS auth from query string to first message, add session limits/idle timeout, PBKDF2 Fernet key, refresh token rotation, TOTP replay protection, file upload size limit + filename sanitization, symlink safety check, restrict CORS methods, IP-gate OpenClaw token, run container as non-root, rate-limit refresh/passkey endpoints, sanitize Gitea path params. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -4,7 +4,7 @@ import psutil
|
||||
import platform
|
||||
import time
|
||||
import httpx
|
||||
from fastapi import APIRouter, Query
|
||||
from fastapi import APIRouter, Query, Request, HTTPException
|
||||
from config import TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, VOLUME_ROOT, OPENCLAW_GATEWAY_TOKEN
|
||||
|
||||
router = APIRouter()
|
||||
@@ -115,5 +115,8 @@ def _classify(method, path, status, user):
|
||||
|
||||
|
||||
@router.get("/openclaw-token")
|
||||
def openclaw_token():
|
||||
def openclaw_token(request: Request):
|
||||
ip = request.headers.get("x-forwarded-for", "").split(",")[0].strip() or request.client.host
|
||||
if not (ip.startswith("192.168.31.") or ip.startswith("100.")):
|
||||
raise HTTPException(status_code=403, detail="Access denied")
|
||||
return {"token": OPENCLAW_GATEWAY_TOKEN}
|
||||
|
||||
Reference in New Issue
Block a user