Files
WealthySmart/backend/app/api/v1/endpoints/auth.py
Carlos Escalante b4123703ef Rate-limit logins, constant-time creds, pin CORS, secure cookie
Both login endpoints now share verify_admin_credentials (hmac
compare_digest, SEC-02) and a 5/min/IP sliding-window rate limit that
returns 429 with Retry-After (SEC-03). CORS is pinned to the prod
domain and localhost dev origins instead of '*' (SEC-04). The session
cookie's Secure flag is driven by COOKIE_SECURE instead of hardcoded
false (SEC-08).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-09 19:13:19 -06:00

25 lines
745 B
Python

from fastapi import APIRouter, Depends, Request
from fastapi.security import OAuth2PasswordRequestForm
from app.auth import (
check_login_rate_limit,
create_access_token,
get_current_user_cookie_or_bearer,
verify_admin_credentials,
)
router = APIRouter(prefix="/auth", tags=["auth"])
@router.post("/login")
def login(request: Request, form_data: OAuth2PasswordRequestForm = Depends()):
check_login_rate_limit(request)
verify_admin_credentials(form_data.username, form_data.password)
token = create_access_token(form_data.username)
return {"access_token": token, "token_type": "bearer"}
@router.get("/me")
def me(username: str = Depends(get_current_user_cookie_or_bearer)):
return {"username": username}