rezidir/GeoShare
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Dev #4

Merged
rezidir merged 3 commits from dev into release 2026-06-25 11:56:49 +03:00
Conversation 0 Commits 3 Files Changed 7
+173 -23
7 changed files with 173 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+2 -2
View File
@@ -11,5 +11,5 @@ POSTGRES_USER="user"
POSTGRES_PASSWORD="pwd"
# TOKEN_LIFETIME in minutes
TOKEN_LIFETIME=600
# Secret key for registration (MD5 hash of this key must be sent by the user)
REGISTRATION_SECRET_KEY=reg
# Secret key for registration (bcrypt hash, client sends plaintext key)
REGISTRATION_SECRET_KEY=$2a$10$example.bcrypt.hash.here
api.yaml
+8 -3
View File
@@ -241,16 +241,21 @@ components:
required:
- login
- password
- secret_key
properties:
login:
type: string
description: Desired login / username
description: Desired login / username (minimum 5 characters)
example: "john_doe"
password:
type: string
format: password
description: Desired password (will be hashed with bcrypt)
example: "secret123"
description: Desired password (minimum 9 characters, will be hashed with bcrypt)
example: "securePass123"
secret_key:
type: string
description: Plaintext registration secret key (REGISTRATION_SECRET_KEY from server .env)
example: "FtracKer*1405."
LoginResponse:
type: object
bin/.env
+2 -2
View File
@@ -11,5 +11,5 @@ POSTGRES_USER="postgres"
POSTGRES_PASSWORD="postgres"
# TOKEN_LIFETIME in minutes
TOKEN_LIFETIME=600
# Secret key for registration (MD5 hash of this key must be sent by the user)
REGISTRATION_SECRET_KEY=FtracKer*1405.
# Secret key for registration (bcrypt hash, client sends plaintext)
REGISTRATION_SECRET_KEY=$2a$10$mSo1MvV6U7GazfxceLFDl.gBNPm6lnjClWYsFQesx0SalObvBLIF6
bin/database/database_provider.dart
+5
View File
@@ -127,6 +127,11 @@ class DatabaseProvider {
}
Future<User> createUser(String login, String password) async {
final existingUser = await findUserByLogin(login);
if (existingUser != null) {
throw Exception('User already exists');
}
final hashedPassword = BCrypt.hashpw(password, BCrypt.gensalt());
final results = await _dbConnection.execute(
bin/routes/auth_routes.dart
+69 -6
View File
@@ -1,8 +1,8 @@
import 'package:bcrypt/bcrypt.dart';
import 'package:dotenv/dotenv.dart';
import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
import 'package:shelf/shelf.dart';
import 'package:shelf_router/shelf_router.dart';
import 'package:bcrypt/bcrypt.dart';
import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
import 'package:dotenv/dotenv.dart';
import '../database/database_provider.dart';
import '../middleware/auth_middleware.dart';
import '../middleware/request_logger.dart';
@@ -11,6 +11,7 @@ import 'dart:io';
class AuthRoutes {
final DatabaseProvider database;
final Map<String, DateTime> _lastRequest = {};
AuthRoutes(this.database);
@@ -23,7 +24,34 @@ class AuthRoutes {
return router;
}
String _getClientIp(Request request) {
final forwarded = request.headers['x-forwarded-for'];
if (forwarded != null) {
return forwarded.split(',').first.trim();
}
final xRealIp = request.headers['x-real-ip'];
if (xRealIp != null) {
return xRealIp;
}
return '127.0.0.1';
}
Future<Response?> _rateLimitCheck(Request request, String key) async {
final ip = _getClientIp(request);
final rateKey = '$key:$ip';
final now = DateTime.now();
final lastRequest = _lastRequest[rateKey];
if (lastRequest != null && now.difference(lastRequest).inSeconds < 10) {
return Response(429, body: jsonEncode({'error': 'Too many requests. Please wait 10 seconds.'}), headers: {'Content-Type': 'application/json'});
}
_lastRequest[rateKey] = now;
return null;
}
Future<Response> _login(Request request) async {
final rateLimit = await _rateLimitCheck(request, 'login');
if (rateLimit != null) return rateLimit;
final body = await request.readAsString();
final data = jsonDecode(body);
@@ -58,6 +86,9 @@ class AuthRoutes {
}
Future<Response> _register(Request request) async {
final rateLimit = await _rateLimitCheck(request, 'reg');
if (rateLimit != null) return rateLimit;
final stopwatch = Stopwatch()..start();
final body = await request.readAsString();
logRequest(method: 'POST', url: '/reg', status: 444, duration: stopwatch.elapsed, body: body);
@@ -65,9 +96,41 @@ class AuthRoutes {
final login = data['login'];
final password = data['password'];
final secretKey = data['secret_key'];
await database.createUser(login, password);
await database.createLog(login, 'User registration');
if (login is! String || login.length <= 4) {
stopwatch.stop();
final response = Response(400, body: jsonEncode({'error': 'Login must be more than 4 characters'}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
return response;
}
if (password is! String || password.length <= 8) {
stopwatch.stop();
final response = Response(400, body: jsonEncode({'error': 'Password must be more than 8 characters'}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
return response;
}
final envDotenv = DotEnv();
final storedHash = envDotenv['REGISTRATION_SECRET_KEY'] ?? '';
if (!BCrypt.checkpw(secretKey, storedHash)) {
stopwatch.stop();
final response = Response(403, body: jsonEncode({'error': 'Invalid registration key'}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 403, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
return response;
}
try {
await database.createUser(login, password);
await database.createLog(login, 'User registration');
} catch (e) {
stopwatch.stop();
final response = Response(400, body: jsonEncode({'error': e.toString()}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 400, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
return response;
}
stopwatch.stop();
final response = Response(201, body: jsonEncode({'message': 'User registered'}), headers: {'Content-Type': 'application/json'});
logRequest(method: 'POST', url: '/reg', status: 201, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);
@@ -123,4 +186,4 @@ class AuthRoutes {
final response = Response(200, body: html, headers: {'Content-Type': 'text/html'});
return response;
}
}
}
docker-compose.yml
+1 -4
View File
@@ -5,11 +5,8 @@ services:
image: postgres:16-alpine
container_name: family_safety_db
restart: unless-stopped
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: family_safety
volumes:
- postgres_data:/var/lib/postgresql/data
- ./data:/var/lib/postgresql/data
app:
test/server_test.dart
+86 -6
View File
@@ -1,6 +1,7 @@
import 'dart:convert';
import 'dart:io';
import 'package:dotenv/dotenv.dart';
import 'package:http/http.dart' as http;
import 'package:test/test.dart';
@@ -9,20 +10,25 @@ void main() {
final host = 'http://localhost:$port';
late Process p;
String? authToken;
late String registrationSecretKey;
Future<String?> getAuthToken() async {
if (authToken != null) return authToken;
final regResponse = await http.post(
await Future.delayed(Duration(seconds: 11));
await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'testuser', 'password': 'testpass'}),
body: jsonEncode({'login': 'testuser', 'password': 'testpassword', 'secret_key': registrationSecretKey}),
);
await Future.delayed(Duration(seconds: 11));
final loginResponse = await http.post(
Uri.parse('$host/login'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'testuser', 'password': 'testpass'}),
body: jsonEncode({'login': 'testuser', 'password': 'testpassword'}),
);
if (loginResponse.statusCode == 200) {
@@ -33,6 +39,10 @@ void main() {
}
setUpAll(() async {
final env = DotEnv();
env.load(['bin/.env']);
registrationSecretKey = 'FtracKer*1405.';
stdout.writeln("Starting server...");
p = await Process.start(
'dart',
@@ -75,11 +85,59 @@ void main() {
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'newuser', 'password': 'newpass'}),
body: jsonEncode({'login': 'newuser', 'password': 'newpassword', 'secret_key': registrationSecretKey}),
);
expect(response.statusCode, 201);
final data = jsonDecode(response.body);
expect(data['login'], 'newuser');
expect(data['message'], 'User registered');
});
test('POST /reg - Invalid secret key', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'baduser', 'password': 'badpassword', 'secret_key': 'wrong_key'}),
);
expect(response.statusCode, 403);
});
test('POST /reg - Login too short', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'abc', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response.statusCode, 400);
});
test('POST /reg - Password too short', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'validuser', 'password': 'short', 'secret_key': registrationSecretKey}),
);
expect(response.statusCode, 400);
});
test('POST /reg - Duplicate user', () async {
await Future.delayed(Duration(seconds: 11));
final response1 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'dupuser', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response1.statusCode, 201);
await Future.delayed(Duration(seconds: 11));
final response2 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'dupuser', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response2.statusCode, 400);
});
});
@@ -90,6 +148,7 @@ void main() {
});
test('POST /login - Invalid credentials', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/login'),
headers: {'Content-Type': 'application/json'},
@@ -99,9 +158,29 @@ void main() {
});
});
group('Rate limiting', () {
test('POST /reg - Too many requests', () async {
await Future.delayed(Duration(seconds: 11));
final response1 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'ratetest1', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response1.statusCode, 201);
final response2 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'ratetest2', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response2.statusCode, 429);
});
});
group('Geo operations', () {
test('POST /share - Create share link', () async {
await getAuthToken();
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/share'),
headers: {
@@ -116,6 +195,7 @@ void main() {
});
test('POST /share - No auth token', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/share'),
headers: {'Content-Type': 'application/json'},
@@ -133,4 +213,4 @@ void main() {
expect(response.statusCode, 404);
});
});
}
}