Phillip Tarrant
59dea99079
End-to-end passwordless admin auth. /admin/login accepts an email, POSTs
mint a 256-bit magic-link token stored only as SHA-256 in
magic_link_tokens (15-min TTL, single-use via atomic rowcount UPDATE).
Resend delivers the link; in dev with no API key, EmailService logs a
structured magic_link_dev_fallback event with the URL so the flow works
offline. /admin/auth/consume/{token} verifies, upserts a users row
(display_name from email local-part), creates a sessions row, and drops
an itsdangerous-signed cb_session cookie (HttpOnly, SameSite=Lax, Secure
in prod). /admin renders a placeholder "Welcome, <name>" page pending
Phase 4 CMS. /admin/logout flips revoked_at rather than deleting the row
to preserve the audit trail.
Rate limits use SlowAPI's in-memory limiter (5/15min/IP on login,
20/15min/IP on consume) plus a DB per-email count to catch
IP-rotating abuse. ADMIN_EMAILS enforces allowlist; non-allowlisted
submissions return the same "check your inbox" page with no token
inserted and no email sent (anti-enumeration). Every event lands in
auth_events via AuditService: link_requested, link_consumed,
consume_failed, session_created, session_revoked, rate_limited.
Add a production config validator refusing empty RESEND_API_KEY,
RESEND_FROM, or ADMIN_EMAILS; add PUBLIC_BASE_URL for email link
construction. CSRF deferred to Phase 6 per roadmap scoping; logout
handler marked # TODO(phase-6-csrf).
Mark Phase 3 complete in docs/ROADMAP.md.
45 lines
1.7 KiB
Python
45 lines
1.7 KiB
Python
"""SlowAPI rate-limiter wiring for auth endpoints.
|
|
|
|
Only one limiter is used process-wide; it's built in
|
|
:func:`create_limiter` and stored on ``app.state.limiter`` so the
|
|
``@limiter.limit`` decorator can pick it up from the request.
|
|
|
|
Storage is ``memory://``. At this scale (single-digit requests/second,
|
|
single container) a persistent backend is not worth the operational
|
|
cost, and the consequences of losing limiter state on restart are
|
|
acceptable — the DB-side per-email check (in
|
|
:mod:`app.services.auth`) catches sustained abuse across restarts.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from slowapi import Limiter
|
|
from slowapi.util import get_remote_address
|
|
|
|
|
|
# Process-wide singleton. Module-level because SlowAPI's ``@limiter.limit``
|
|
# decorator has to be applied at endpoint-definition time (before the
|
|
# router is wired into the FastAPI app), and that has to reference the
|
|
# same limiter instance that the request path consults via
|
|
# ``request.app.state.limiter``.
|
|
#
|
|
# Storage is ``memory://``: in-process, single-container scale. Restarts
|
|
# drop in-flight counters — acceptable because the DB-side per-email
|
|
# check in :mod:`app.services.auth` backs this up for longer-lived abuse
|
|
# patterns.
|
|
limiter: Limiter = Limiter(
|
|
key_func=get_remote_address,
|
|
storage_uri="memory://",
|
|
)
|
|
|
|
|
|
def create_limiter() -> Limiter:
|
|
"""Return the process-wide :class:`slowapi.Limiter` singleton.
|
|
|
|
Kept as a function (rather than exposing the module-level
|
|
``limiter`` directly) to match the service-factory pattern used by
|
|
:class:`AuditService` / :class:`EmailService` / ... and to give
|
|
tests a hook to monkeypatch if they ever need a per-test limiter.
|
|
"""
|
|
return limiter
|