From 88962d3f8fbc95d7a34858cf207f94f14e116ebf Mon Sep 17 00:00:00 2001 From: rezidir Date: Mon, 22 Jun 2026 11:09:23 +0300 Subject: [PATCH 1/2] =?UTF-8?q?=D0=9E=D0=B1=D0=BD=D0=BE=D0=B2=D0=B8=D1=82?= =?UTF-8?q?=D1=8C=20docker-compose.yml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docker-compose.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index f8de694..ffd4ef0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,18 +5,8 @@ services: image: postgres:16-alpine container_name: family_safety_db restart: unless-stopped - environment: - POSTGRES_USER: postgres - POSTGRES_PASSWORD: postgres - POSTGRES_DB: family_safety volumes: - postgres_data:/var/lib/postgresql/data - healthcheck: - test: ["CMD-SHELL", "pg_isready -U postgres"] - interval: 5s - timeout: 5s - retries: 5 - start_period: 10s app: build: . From 6797f3d3c8d3160ae8316a96f453d9d3b1d95fee Mon Sep 17 00:00:00 2001 From: "dmit.b" Date: Thu, 25 Jun 2026 11:55:55 +0300 Subject: [PATCH 2/2] add registration security: bcrypt secret key, length validation, duplicate check, rate limiting --- .env.example | 4 +- api.yaml | 11 +++- bin/.env | 4 +- bin/database/database_provider.dart | 5 ++ bin/routes/auth_routes.dart | 75 +++++++++++++++++++++-- test/server_test.dart | 92 +++++++++++++++++++++++++++-- 6 files changed, 172 insertions(+), 19 deletions(-) diff --git a/.env.example b/.env.example index df693f1..69beb91 100644 --- a/.env.example +++ b/.env.example @@ -11,5 +11,5 @@ POSTGRES_USER="user" POSTGRES_PASSWORD="pwd" # TOKEN_LIFETIME in minutes TOKEN_LIFETIME=600 -# Secret key for registration (MD5 hash of this key must be sent by the user) -REGISTRATION_SECRET_KEY=reg +# Secret key for registration (bcrypt hash, client sends plaintext key) +REGISTRATION_SECRET_KEY=$2a$10$example.bcrypt.hash.here diff --git a/api.yaml b/api.yaml index 8cd9f68..9617a39 100644 --- a/api.yaml +++ b/api.yaml @@ -241,16 +241,21 @@ components: required: - login - password + - secret_key properties: login: type: string - description: Desired login / username + description: Desired login / username (minimum 5 characters) example: "john_doe" password: type: string format: password - description: Desired password (will be hashed with bcrypt) - example: "secret123" + description: Desired password (minimum 9 characters, will be hashed with bcrypt) + example: "securePass123" + secret_key: + type: string + description: Plaintext registration secret key (REGISTRATION_SECRET_KEY from server .env) + example: "FtracKer*1405." LoginResponse: type: object diff --git a/bin/.env b/bin/.env index b5001f1..0936a4f 100644 --- a/bin/.env +++ b/bin/.env @@ -11,5 +11,5 @@ POSTGRES_USER="postgres" POSTGRES_PASSWORD="postgres" # TOKEN_LIFETIME in minutes TOKEN_LIFETIME=600 -# Secret key for registration (MD5 hash of this key must be sent by the user) -REGISTRATION_SECRET_KEY=FtracKer*1405. \ No newline at end of file +# Secret key for registration (bcrypt hash, client sends plaintext) +REGISTRATION_SECRET_KEY=$2a$10$mSo1MvV6U7GazfxceLFDl.gBNPm6lnjClWYsFQesx0SalObvBLIF6 \ No newline at end of file diff --git a/bin/database/database_provider.dart b/bin/database/database_provider.dart index 31de68f..767830e 100644 --- a/bin/database/database_provider.dart +++ b/bin/database/database_provider.dart @@ -127,6 +127,11 @@ class DatabaseProvider { } Future createUser(String login, String password) async { + final existingUser = await findUserByLogin(login); + if (existingUser != null) { + throw Exception('User already exists'); + } + final hashedPassword = BCrypt.hashpw(password, BCrypt.gensalt()); final results = await _dbConnection.execute( diff --git a/bin/routes/auth_routes.dart b/bin/routes/auth_routes.dart index 55ec773..6111df0 100644 --- a/bin/routes/auth_routes.dart +++ b/bin/routes/auth_routes.dart @@ -1,8 +1,8 @@ +import 'package:bcrypt/bcrypt.dart'; +import 'package:dotenv/dotenv.dart'; +import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart'; import 'package:shelf/shelf.dart'; import 'package:shelf_router/shelf_router.dart'; -import 'package:bcrypt/bcrypt.dart'; -import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart'; -import 'package:dotenv/dotenv.dart'; import '../database/database_provider.dart'; import '../middleware/auth_middleware.dart'; import '../middleware/request_logger.dart'; @@ -11,6 +11,7 @@ import 'dart:io'; class AuthRoutes { final DatabaseProvider database; + final Map _lastRequest = {}; AuthRoutes(this.database); @@ -23,7 +24,34 @@ class AuthRoutes { return router; } + String _getClientIp(Request request) { + final forwarded = request.headers['x-forwarded-for']; + if (forwarded != null) { + return forwarded.split(',').first.trim(); + } + final xRealIp = request.headers['x-real-ip']; + if (xRealIp != null) { + return xRealIp; + } + return '127.0.0.1'; + } + + Future _rateLimitCheck(Request request, String key) async { + final ip = _getClientIp(request); + final rateKey = '$key:$ip'; + final now = DateTime.now(); + final lastRequest = _lastRequest[rateKey]; + if (lastRequest != null && now.difference(lastRequest).inSeconds < 10) { + return Response(429, body: jsonEncode({'error': 'Too many requests. Please wait 10 seconds.'}), headers: {'Content-Type': 'application/json'}); + } + _lastRequest[rateKey] = now; + return null; + } + Future _login(Request request) async { + final rateLimit = await _rateLimitCheck(request, 'login'); + if (rateLimit != null) return rateLimit; + final body = await request.readAsString(); final data = jsonDecode(body); @@ -58,6 +86,9 @@ class AuthRoutes { } Future _register(Request request) async { + final rateLimit = await _rateLimitCheck(request, 'reg'); + if (rateLimit != null) return rateLimit; + final stopwatch = Stopwatch()..start(); final body = await request.readAsString(); logRequest(method: 'POST', url: '/reg', status: 444, duration: stopwatch.elapsed, body: body); @@ -65,9 +96,41 @@ class AuthRoutes { final login = data['login']; final password = data['password']; + final secretKey = data['secret_key']; - await database.createUser(login, password); - await database.createLog(login, 'User registration'); + if (login is! String || login.length <= 4) { + stopwatch.stop(); + final response = Response(400, body: jsonEncode({'error': 'Login must be more than 4 characters'}), headers: {'Content-Type': 'application/json'}); + logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers); + return response; + } + + if (password is! String || password.length <= 8) { + stopwatch.stop(); + final response = Response(400, body: jsonEncode({'error': 'Password must be more than 8 characters'}), headers: {'Content-Type': 'application/json'}); + logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers); + return response; + } + + final envDotenv = DotEnv(); + final storedHash = envDotenv['REGISTRATION_SECRET_KEY'] ?? ''; + + if (!BCrypt.checkpw(secretKey, storedHash)) { + stopwatch.stop(); + final response = Response(403, body: jsonEncode({'error': 'Invalid registration key'}), headers: {'Content-Type': 'application/json'}); + logRequest(method: 'POST', url: '/reg', status: 403, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers); + return response; + } + + try { + await database.createUser(login, password); + await database.createLog(login, 'User registration'); + } catch (e) { + stopwatch.stop(); + final response = Response(400, body: jsonEncode({'error': e.toString()}), headers: {'Content-Type': 'application/json'}); + logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers); + return response; + } stopwatch.stop(); final response = Response(201, body: jsonEncode({'message': 'User registered'}), headers: {'Content-Type': 'application/json'}); logRequest(method: 'POST', url: '/reg', status: 201, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers); @@ -123,4 +186,4 @@ class AuthRoutes { final response = Response(200, body: html, headers: {'Content-Type': 'text/html'}); return response; } -} \ No newline at end of file +} diff --git a/test/server_test.dart b/test/server_test.dart index 377da8d..e03f371 100644 --- a/test/server_test.dart +++ b/test/server_test.dart @@ -1,6 +1,7 @@ import 'dart:convert'; import 'dart:io'; +import 'package:dotenv/dotenv.dart'; import 'package:http/http.dart' as http; import 'package:test/test.dart'; @@ -9,20 +10,25 @@ void main() { final host = 'http://localhost:$port'; late Process p; String? authToken; + late String registrationSecretKey; Future getAuthToken() async { if (authToken != null) return authToken; - final regResponse = await http.post( + await Future.delayed(Duration(seconds: 11)); + + await http.post( Uri.parse('$host/reg'), headers: {'Content-Type': 'application/json'}, - body: jsonEncode({'login': 'testuser', 'password': 'testpass'}), + body: jsonEncode({'login': 'testuser', 'password': 'testpassword', 'secret_key': registrationSecretKey}), ); + await Future.delayed(Duration(seconds: 11)); + final loginResponse = await http.post( Uri.parse('$host/login'), headers: {'Content-Type': 'application/json'}, - body: jsonEncode({'login': 'testuser', 'password': 'testpass'}), + body: jsonEncode({'login': 'testuser', 'password': 'testpassword'}), ); if (loginResponse.statusCode == 200) { @@ -33,6 +39,10 @@ void main() { } setUpAll(() async { + final env = DotEnv(); + env.load(['bin/.env']); + registrationSecretKey = 'FtracKer*1405.'; + stdout.writeln("Starting server..."); p = await Process.start( 'dart', @@ -75,11 +85,59 @@ void main() { final response = await http.post( Uri.parse('$host/reg'), headers: {'Content-Type': 'application/json'}, - body: jsonEncode({'login': 'newuser', 'password': 'newpass'}), + body: jsonEncode({'login': 'newuser', 'password': 'newpassword', 'secret_key': registrationSecretKey}), ); expect(response.statusCode, 201); final data = jsonDecode(response.body); - expect(data['login'], 'newuser'); + expect(data['message'], 'User registered'); + }); + + test('POST /reg - Invalid secret key', () async { + await Future.delayed(Duration(seconds: 11)); + final response = await http.post( + Uri.parse('$host/reg'), + headers: {'Content-Type': 'application/json'}, + body: jsonEncode({'login': 'baduser', 'password': 'badpassword', 'secret_key': 'wrong_key'}), + ); + expect(response.statusCode, 403); + }); + + test('POST /reg - Login too short', () async { + await Future.delayed(Duration(seconds: 11)); + final response = await http.post( + Uri.parse('$host/reg'), + headers: {'Content-Type': 'application/json'}, + body: jsonEncode({'login': 'abc', 'password': 'longpassword', 'secret_key': registrationSecretKey}), + ); + expect(response.statusCode, 400); + }); + + test('POST /reg - Password too short', () async { + await Future.delayed(Duration(seconds: 11)); + final response = await http.post( + Uri.parse('$host/reg'), + headers: {'Content-Type': 'application/json'}, + body: jsonEncode({'login': 'validuser', 'password': 'short', 'secret_key': registrationSecretKey}), + ); + expect(response.statusCode, 400); + }); + + test('POST /reg - Duplicate user', () async { + await Future.delayed(Duration(seconds: 11)); + final response1 = await http.post( + Uri.parse('$host/reg'), + headers: {'Content-Type': 'application/json'}, + body: jsonEncode({'login': 'dupuser', 'password': 'longpassword', 'secret_key': registrationSecretKey}), + ); + expect(response1.statusCode, 201); + + await Future.delayed(Duration(seconds: 11)); + final response2 = await http.post( + Uri.parse('$host/reg'), + headers: {'Content-Type': 'application/json'}, + body: jsonEncode({'login': 'dupuser', 'password': 'longpassword', 'secret_key': registrationSecretKey}), + ); + expect(response2.statusCode, 400); }); }); @@ -90,6 +148,7 @@ void main() { }); test('POST /login - Invalid credentials', () async { + await Future.delayed(Duration(seconds: 11)); final response = await http.post( Uri.parse('$host/login'), headers: {'Content-Type': 'application/json'}, @@ -99,9 +158,29 @@ void main() { }); }); + group('Rate limiting', () { + test('POST /reg - Too many requests', () async { + await Future.delayed(Duration(seconds: 11)); + final response1 = await http.post( + Uri.parse('$host/reg'), + headers: {'Content-Type': 'application/json'}, + body: jsonEncode({'login': 'ratetest1', 'password': 'longpassword', 'secret_key': registrationSecretKey}), + ); + expect(response1.statusCode, 201); + + final response2 = await http.post( + Uri.parse('$host/reg'), + headers: {'Content-Type': 'application/json'}, + body: jsonEncode({'login': 'ratetest2', 'password': 'longpassword', 'secret_key': registrationSecretKey}), + ); + expect(response2.statusCode, 429); + }); + }); + group('Geo operations', () { test('POST /share - Create share link', () async { await getAuthToken(); + await Future.delayed(Duration(seconds: 11)); final response = await http.post( Uri.parse('$host/share'), headers: { @@ -116,6 +195,7 @@ void main() { }); test('POST /share - No auth token', () async { + await Future.delayed(Duration(seconds: 11)); final response = await http.post( Uri.parse('$host/share'), headers: {'Content-Type': 'application/json'}, @@ -133,4 +213,4 @@ void main() { expect(response.statusCode, 404); }); }); -} \ No newline at end of file +}