Security + E-Mail-HTML + Quartalsbericht + Registrierungspflicht
Registrierung & Login: - E-Mail-Verifikation jetzt Pflicht vor erstem Login - Register gibt keinen Token mehr zurück → "Postfach prüfen"-Screen - Login blockt mit EMAIL_NOT_VERIFIED (403) wenn unverifiziert - Resend-Verification ohne Auth (email-basiert) - Frontend: _renderVerifyPending() nach Register und Login-Fehler - Account-Lockout: 5 Fehlversuche → 15 Min gesperrt (ratelimit.py) - Login Rate-Limit zusätzlich per E-Mail-Adresse (5/5 Min) - Fehler-Tracking wird bei erfolgreichem Login zurückgesetzt E-Mail-Templates (alle Mails jetzt HTML): - email_html() Shared-Template in mailer.py (Gradient-Header, Warm-Beige) - Verifikations-Mail, Passwort-Reset → HTML mit CTA-Button - Admin-Outreach: plain text auto-wrapped in HTML - Züchter-Mails (Antrag/Genehmigung/Ablehnung) → Template - Tierschutz-Alert (litters.py) → Template - send_support_mail → HTML - outreach._build_message() + _send_smtp() unterstützen jetzt html= Parameter Forum-Schutz: - Post-Cooldown: 30 Sek zwischen beliebigen Posts (DB-Check) - Stunden-Limit: 5 Threads / 20 Antworten pro User/Stunde - Duplikat-Erkennung: gleicher Text in 5 Min blockiert (in-memory) - content_filter.py: Spam-Keywords, URL-Sperre für Accounts < 7 Tage, Sonderzeichen-Ratio-Check Security-Headers: - HSTS: max-age=31536000; includeSubDomains - Content-Security-Policy: frame-ancestors none, base-uri self, … - X-Frame-Options entfernt (CSP frame-ancestors ist moderner) Honeypot-Fallen (13 Scanner-Pfade → 24h IP-Sperre): - /api/admin/users, /api/v1/users, /api/.env, /api/config, /api/setup, /api/install, /api/phpinfo, /api/debug, /api/actuator, /api/swagger, /api/graphql u.a. Quartalsbericht-System: - backend/scripts/generate_reports.py: 6 Sections (Sicherheit, Funktionsumfang, Dateien, Nutzer, Partner, Server) - make reports: generiert alle Berichte aus dem Container, committed - Scheduler: quarterly_report Job (1. Feb/Mai/Aug/Nov 07:00) → vollständige HTML-Mail an ADMIN_EMAIL - quarterly_report erscheint im täglichen Status-Report Admin-Panel: - "Forum & Meldungen" → "Forum"
This commit is contained in:
parent
c1bb728153
commit
de1677154f
15 changed files with 1363 additions and 141 deletions
|
|
@ -15,7 +15,7 @@ from auth import (
|
|||
get_current_user
|
||||
)
|
||||
from username_blocklist import is_username_blocked
|
||||
from ratelimit import check as rl_check
|
||||
from ratelimit import check as rl_check, record_login_failure, is_account_locked, clear_login_failures
|
||||
|
||||
router = APIRouter()
|
||||
COOKIE_NAME = "by_token"
|
||||
|
|
@ -27,17 +27,22 @@ def _send_verification_email(email: str, name: str, token: str):
|
|||
if not _SMTP_READY:
|
||||
return
|
||||
from routes.outreach import _send_smtp
|
||||
from mailer import email_html
|
||||
url = f"{_APP_URL}/api/auth/verify-email/{token}"
|
||||
subject = "Ban Yaro — bitte bestätige deine E-Mail-Adresse"
|
||||
body = (
|
||||
f"Hallo {name},\n\n"
|
||||
"willkommen bei Ban Yaro! Bitte bestätige deine E-Mail-Adresse mit diesem Link:\n\n"
|
||||
f"{_APP_URL}/api/auth/verify-email/{token}\n\n"
|
||||
"Der Link ist 7 Tage gültig.\n\n"
|
||||
"Falls du dich nicht bei Ban Yaro registriert hast, kannst du diese Mail ignorieren.\n\n"
|
||||
"Viele Grüße,\nDas Ban Yaro Team\nbanyaro.app"
|
||||
)
|
||||
body_html = f"""
|
||||
<p style="margin:0 0 16px">Hallo <b>{name}</b>,</p>
|
||||
<p style="margin:0 0 16px">
|
||||
willkommen bei Ban Yaro! Bitte bestätige deine E-Mail-Adresse, damit dein Konto aktiv wird.
|
||||
</p>
|
||||
<p style="margin:0;font-size:13px;color:#888">Der Link ist 7 Tage gültig.</p>
|
||||
<p style="margin:12px 0 0;font-size:12px;color:#bbb">
|
||||
Falls du dich nicht bei Ban Yaro registriert hast, ignoriere diese E-Mail einfach.
|
||||
</p>"""
|
||||
html = email_html(body_html, cta_url=url, cta_label="E-Mail bestätigen")
|
||||
plain = f"Hallo {name},\n\nbitte bestätige deine E-Mail:\n{url}\n\nLink ist 7 Tage gültig.\n"
|
||||
try:
|
||||
_send_smtp(email, subject, body, "support")
|
||||
_send_smtp(email, subject, plain, "support", html=html)
|
||||
except Exception:
|
||||
pass # Nicht blockieren wenn SMTP fehlschlägt
|
||||
|
||||
|
|
@ -139,24 +144,32 @@ async def register(data: RegisterRequest, response: Response, request: Request):
|
|||
conn.execute("UPDATE users SET referred_by=? WHERE id=?",
|
||||
(referrer['id'], new_user_id))
|
||||
|
||||
token = create_token(user["id"], user["rolle"])
|
||||
_set_cookie(response, token)
|
||||
_send_verification_email(data.email, name, verify_token)
|
||||
return {"token": token, "name": name, "email_verified": 0}
|
||||
return {"pending_verification": True}
|
||||
|
||||
|
||||
@router.post("/login")
|
||||
async def login(data: LoginRequest, response: Response, request: Request):
|
||||
rl_check(request, max_requests=10, window_seconds=300, key="login")
|
||||
rl_check(request, max_requests=5, window_seconds=300, key=f"login_email:{data.email.lower()}")
|
||||
|
||||
if is_account_locked(data.email):
|
||||
raise HTTPException(429, "Zu viele Fehlversuche. Bitte warte 15 Minuten und versuche es erneut.")
|
||||
|
||||
with db() as conn:
|
||||
user = conn.execute(
|
||||
"SELECT id, pw_hash, name, rolle, is_premium FROM users WHERE email=?",
|
||||
"SELECT id, pw_hash, name, rolle, is_premium, email_verified FROM users WHERE email=?",
|
||||
(data.email,)
|
||||
).fetchone()
|
||||
|
||||
if not user or not verify_password(data.password, user["pw_hash"]):
|
||||
record_login_failure(data.email)
|
||||
raise HTTPException(401, "E-Mail oder Passwort falsch.")
|
||||
|
||||
if not user["email_verified"]:
|
||||
raise HTTPException(403, "EMAIL_NOT_VERIFIED")
|
||||
|
||||
clear_login_failures(data.email)
|
||||
token = create_token(user["id"], user["rolle"])
|
||||
_set_cookie(response, token)
|
||||
|
||||
|
|
@ -249,23 +262,24 @@ async def verify_email(token: str):
|
|||
return RedirectResponse(f"{_APP_URL}/#settings?verified=1", status_code=302)
|
||||
|
||||
|
||||
class ResendVerificationRequest(BaseModel):
|
||||
email: EmailStr
|
||||
|
||||
@router.post("/resend-verification")
|
||||
async def resend_verification(request: Request, user=Depends(get_current_user)):
|
||||
rl_check(request, max_requests=3, window_seconds=3600, key="resend_verify")
|
||||
async def resend_verification(data: ResendVerificationRequest, request: Request):
|
||||
rl_check(request, max_requests=3, window_seconds=3600, key=f"resend_verify_{data.email}")
|
||||
with db() as conn:
|
||||
row = conn.execute(
|
||||
"SELECT email, name, email_verified FROM users WHERE id=?", (user["id"],)
|
||||
"SELECT id, name, email_verified FROM users WHERE email=?", (data.email,)
|
||||
).fetchone()
|
||||
if not row:
|
||||
raise HTTPException(404)
|
||||
if row["email_verified"]:
|
||||
return {"ok": True, "already_verified": True}
|
||||
if not row or row["email_verified"]:
|
||||
return {"ok": True}
|
||||
token = secrets.token_urlsafe(32)
|
||||
with db() as conn:
|
||||
conn.execute(
|
||||
"UPDATE users SET verification_token=? WHERE id=?", (token, user["id"])
|
||||
"UPDATE users SET verification_token=? WHERE id=?", (token, row["id"])
|
||||
)
|
||||
_send_verification_email(row["email"], row["name"], token)
|
||||
_send_verification_email(data.email, row["name"], token)
|
||||
return {"ok": True}
|
||||
|
||||
|
||||
|
|
@ -293,18 +307,23 @@ async def forgot_password(data: ForgotPasswordRequest, request: Request):
|
|||
(token, expires, user["id"])
|
||||
)
|
||||
app_url = os.getenv("APP_URL", "https://banyaro.app")
|
||||
url = f"{app_url}/#reset-password?token={token}"
|
||||
subject = "Ban Yaro — Passwort zurücksetzen"
|
||||
body = (
|
||||
f"Hallo {user['name']},\n\n"
|
||||
"du hast eine Passwort-Zurücksetzen-Anfrage gestellt.\n\n"
|
||||
f"Klicke hier um ein neues Passwort zu setzen:\n"
|
||||
f"{app_url}/#reset-password?token={token}\n\n"
|
||||
"Der Link ist 2 Stunden gültig. Falls du keine Anfrage gestellt hast, ignoriere diese Mail.\n\n"
|
||||
"Viele Grüße,\nDas Ban Yaro Team"
|
||||
)
|
||||
from routes.outreach import _send_smtp
|
||||
from mailer import email_html
|
||||
body_html = f"""
|
||||
<p style="margin:0 0 16px">Hallo <b>{user['name']}</b>,</p>
|
||||
<p style="margin:0 0 16px">
|
||||
du hast eine Passwort-Zurücksetzen-Anfrage gestellt. Klicke auf den Button, um ein neues Passwort zu setzen.
|
||||
</p>
|
||||
<p style="margin:0;font-size:13px;color:#888">Der Link ist 2 Stunden gültig.</p>
|
||||
<p style="margin:12px 0 0;font-size:12px;color:#bbb">
|
||||
Falls du keine Anfrage gestellt hast, ignoriere diese E-Mail einfach.
|
||||
</p>"""
|
||||
html = email_html(body_html, cta_url=url, cta_label="Passwort zurücksetzen")
|
||||
plain = f"Hallo {user['name']},\n\nPasswort zurücksetzen:\n{url}\n\nLink ist 2h gültig.\n"
|
||||
try:
|
||||
_send_smtp(data.email, subject, body, "support")
|
||||
_send_smtp(data.email, subject, plain, "support", html=html)
|
||||
except Exception:
|
||||
pass
|
||||
return {"ok": True}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue