Security + E-Mail-HTML + Quartalsbericht + Registrierungspflicht
Registrierung & Login: - E-Mail-Verifikation jetzt Pflicht vor erstem Login - Register gibt keinen Token mehr zurück → "Postfach prüfen"-Screen - Login blockt mit EMAIL_NOT_VERIFIED (403) wenn unverifiziert - Resend-Verification ohne Auth (email-basiert) - Frontend: _renderVerifyPending() nach Register und Login-Fehler - Account-Lockout: 5 Fehlversuche → 15 Min gesperrt (ratelimit.py) - Login Rate-Limit zusätzlich per E-Mail-Adresse (5/5 Min) - Fehler-Tracking wird bei erfolgreichem Login zurückgesetzt E-Mail-Templates (alle Mails jetzt HTML): - email_html() Shared-Template in mailer.py (Gradient-Header, Warm-Beige) - Verifikations-Mail, Passwort-Reset → HTML mit CTA-Button - Admin-Outreach: plain text auto-wrapped in HTML - Züchter-Mails (Antrag/Genehmigung/Ablehnung) → Template - Tierschutz-Alert (litters.py) → Template - send_support_mail → HTML - outreach._build_message() + _send_smtp() unterstützen jetzt html= Parameter Forum-Schutz: - Post-Cooldown: 30 Sek zwischen beliebigen Posts (DB-Check) - Stunden-Limit: 5 Threads / 20 Antworten pro User/Stunde - Duplikat-Erkennung: gleicher Text in 5 Min blockiert (in-memory) - content_filter.py: Spam-Keywords, URL-Sperre für Accounts < 7 Tage, Sonderzeichen-Ratio-Check Security-Headers: - HSTS: max-age=31536000; includeSubDomains - Content-Security-Policy: frame-ancestors none, base-uri self, … - X-Frame-Options entfernt (CSP frame-ancestors ist moderner) Honeypot-Fallen (13 Scanner-Pfade → 24h IP-Sperre): - /api/admin/users, /api/v1/users, /api/.env, /api/config, /api/setup, /api/install, /api/phpinfo, /api/debug, /api/actuator, /api/swagger, /api/graphql u.a. Quartalsbericht-System: - backend/scripts/generate_reports.py: 6 Sections (Sicherheit, Funktionsumfang, Dateien, Nutzer, Partner, Server) - make reports: generiert alle Berichte aus dem Container, committed - Scheduler: quarterly_report Job (1. Feb/Mai/Aug/Nov 07:00) → vollständige HTML-Mail an ADMIN_EMAIL - quarterly_report erscheint im täglichen Status-Report Admin-Panel: - "Forum & Meldungen" → "Forum"
This commit is contained in:
parent
c1bb728153
commit
de1677154f
15 changed files with 1363 additions and 141 deletions
|
|
@ -84,7 +84,7 @@ def _imap_save_sent(msg_bytes: bytes, account: str):
|
|||
_log.error("IMAP Sent-Speicherung fehlgeschlagen (%s): %s", account, e)
|
||||
|
||||
|
||||
def _build_message(to: str, subject: str, body: str, account: str) -> MIMEMultipart:
|
||||
def _build_message(to: str, subject: str, body: str, account: str, html: str = None) -> MIMEMultipart:
|
||||
acc = _ACCOUNTS.get(account) or _ACCOUNTS["partner"]
|
||||
msg = MIMEMultipart("alternative")
|
||||
msg["Subject"] = subject
|
||||
|
|
@ -92,14 +92,16 @@ def _build_message(to: str, subject: str, body: str, account: str) -> MIMEMultip
|
|||
msg["To"] = to
|
||||
msg["Reply-To"] = acc["from"]
|
||||
msg.attach(MIMEText(body, "plain", "utf-8"))
|
||||
if html:
|
||||
msg.attach(MIMEText(html, "html", "utf-8"))
|
||||
return msg
|
||||
|
||||
|
||||
def _send_smtp(to: str, subject: str, body: str, account: str = "partner"):
|
||||
def _send_smtp(to: str, subject: str, body: str, account: str = "partner", html: str = None):
|
||||
acc = _ACCOUNTS.get(account) or _ACCOUNTS["partner"]
|
||||
if not acc["user"] or not acc["pass"]:
|
||||
raise RuntimeError(f"SMTP-Account '{account}' nicht konfiguriert.")
|
||||
msg = _build_message(to, subject, body, account)
|
||||
msg = _build_message(to, subject, body, account, html=html)
|
||||
msg_bytes = msg.as_bytes()
|
||||
ctx = ssl.create_default_context()
|
||||
with smtplib.SMTP(_SMTP_HOST, _SMTP_PORT, timeout=15) as s:
|
||||
|
|
@ -189,6 +191,16 @@ def delete_template(tpl_id: int, user=Depends(require_admin)):
|
|||
# Senden
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
def _plain_to_html_body(text: str) -> str:
|
||||
import html as h
|
||||
paragraphs = text.strip().split("\n\n")
|
||||
parts = []
|
||||
for p in paragraphs:
|
||||
escaped = h.escape(p).replace("\n", "<br>")
|
||||
parts.append(f'<p style="margin:0 0 14px;color:#444">{escaped}</p>')
|
||||
return "".join(parts)
|
||||
|
||||
|
||||
@router.post("/send")
|
||||
def send_mail(data: SendRequest, user=Depends(require_admin)):
|
||||
if not data.to:
|
||||
|
|
@ -196,13 +208,19 @@ def send_mail(data: SendRequest, user=Depends(require_admin)):
|
|||
if not data.subject.strip() or not data.body.strip():
|
||||
raise HTTPException(400, "Betreff und Text dürfen nicht leer sein.")
|
||||
|
||||
from mailer import email_html
|
||||
html = email_html(
|
||||
_plain_to_html_body(data.body),
|
||||
footer_text=f"Ban Yaro · banyaro.app · {data.subject}",
|
||||
)
|
||||
|
||||
sent, failed = [], []
|
||||
for addr in data.to:
|
||||
addr = addr.strip()
|
||||
if not addr:
|
||||
continue
|
||||
try:
|
||||
_send_smtp(addr, data.subject, data.body, data.from_account)
|
||||
_send_smtp(addr, data.subject, data.body, data.from_account, html=html)
|
||||
sent.append(addr)
|
||||
with db() as conn:
|
||||
conn.execute(
|
||||
|
|
@ -224,7 +242,9 @@ def send_mail(data: SendRequest, user=Depends(require_admin)):
|
|||
|
||||
def send_support_mail(to: str, subject: str, body: str):
|
||||
"""Intern aufrufbar ohne HTTP-Request — z.B. aus Moderations-Logik."""
|
||||
_send_smtp(to, subject, body, "support")
|
||||
from mailer import email_html
|
||||
html = email_html(_plain_to_html_body(body))
|
||||
_send_smtp(to, subject, body, "support", html=html)
|
||||
|
||||
|
||||
# ------------------------------------------------------------------
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue