T-005: Security hardening - CORS, Rate Limit, CSRF
- CORS: Restrict allowed origins to specific frontend URLs, limit methods and headers
- Rate Limit: Add fine-grained endpoint-specific rate limits for sensitive operations
  - Login: 5 requests/minute
  - Register: 3 requests/hour
  - Password change: 3 requests/5 minutes
  - Payment: 20 requests/minute
  - Admin: 30 requests/minute
- CSRF: Add CSRF protection middleware with double-submit cookie pattern
  - New app/core/csrf.py module with CSRFMiddleware
  - Require CSRF tokens on sensitive endpoints (auth, payment, profile)
  - Skip webhook endpoints for CSRF validation
- Fix pydantic-settings import in config.py
@@ -1,4 +1,4 @@
|
||||
from fastapi import APIRouter, Depends, HTTPException, Request
|
||||
from fastapi import APIRouter, Depends, HTTPException, Request, Header
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
from pydantic import BaseModel
|
||||
from typing import Optional
|
||||
@@ -6,6 +6,7 @@ from app.database import get_db
|
||||
from app.services.payment import PaymentService
|
||||
from app.services.wechat_pay import WeChatPayService
|
||||
from app.api.v1.deps import get_current_user_id
|
||||
from app.core.csrf import require_csrf_token
|
||||
|
||||
router = APIRouter()
|
||||
|
||||
@@ -40,6 +41,7 @@ async def create_order(
|
||||
data: CreateOrderRequest,
|
||||
user_id: str = Depends(get_current_user_id),
|
||||
db: AsyncSession = Depends(get_db),
|
||||
_csrf: str = Depends(require_csrf_token),
|
||||
):
|
||||
svc = PaymentService(db)
|
||||
try:
|
||||
@@ -52,6 +54,7 @@ async def create_order(
|
||||
async def payment_callback(
|
||||
data: PaymentCallbackRequest,
|
||||
db: AsyncSession = Depends(get_db),
|
||||
_csrf: str = Depends(require_csrf_token),
|
||||
):
|
||||
svc = PaymentService(db)
|
||||
success = await svc.handle_payment_callback(data.payment_id, data.success)
|
||||
|
||||
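Review bot: `payment_callback` (hunk `@@ -52,6 +54,7 @@`) now takes `_csrf: str = Depends(require_csrf_token)`, yet the commit description says webhook endpoints are skipped for CSRF validation; a callback presumably delivered server-to-server by the payment provider will not carry the double-submit cookie pair, so this dependency either rejects every real callback or, if the middleware already exempts the path, adds nothing. More importantly, a double-submit token is obtainable by any client and is not authentication: the endpoint has no user dependency and passes the caller-supplied `data.success` straight into `handle_payment_callback(data.payment_id, data.success)`, so unless the service verifies the provider's signature (not visible here — `WeChatPayService` is imported but unused in these hunks) any caller could mark a payment as succeeded. I would drop the CSRF dependency on this endpoint and gate it on provider signature verification of the raw body instead, replacing `_csrf: str = Depends(require_csrf_token),` with the comment `# server-to-server callback: authenticated by provider signature, not by a CSRF token` and verifying the signature before the service call. The `Header` name added to the import in the first hunk is not used in any visible hunk; if nothing further down uses it, drop it. The bodies of `create_order` and `payment_callback` continue outside the hunks.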