mirror of
https://github.com/escalante29/WealthySmart.git
synced 2026-07-17 18:48:47 +02:00
Both login endpoints now share verify_admin_credentials (hmac compare_digest, SEC-02) and a 5/min/IP sliding-window rate limit that returns 429 with Retry-After (SEC-03). CORS is pinned to the prod domain and localhost dev origins instead of '*' (SEC-04). The session cookie's Secure flag is driven by COOKIE_SECURE instead of hardcoded false (SEC-08). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
25 lines
745 B
Python
25 lines
745 B
Python
from fastapi import APIRouter, Depends, Request
|
|
from fastapi.security import OAuth2PasswordRequestForm
|
|
|
|
from app.auth import (
|
|
check_login_rate_limit,
|
|
create_access_token,
|
|
get_current_user_cookie_or_bearer,
|
|
verify_admin_credentials,
|
|
)
|
|
|
|
router = APIRouter(prefix="/auth", tags=["auth"])
|
|
|
|
|
|
@router.post("/login")
|
|
def login(request: Request, form_data: OAuth2PasswordRequestForm = Depends()):
|
|
check_login_rate_limit(request)
|
|
verify_admin_credentials(form_data.username, form_data.password)
|
|
token = create_access_token(form_data.username)
|
|
return {"access_token": token, "token_type": "bearer"}
|
|
|
|
|
|
@router.get("/me")
|
|
def me(username: str = Depends(get_current_user_cookie_or_bearer)):
|
|
return {"username": username}
|