Security hardening: IDOR fixes, rate limiting, secret key, session cookies

- IDOR: ownership checks on WO approve/reject/done, charter update/complete/
  send-contracts/request-insurance, captain-contract PDF, insurance-rider PDF,
  delete accounting entry, delete fuel entry, update vessel
- auth.py: per-IP rate limiting of failed logins (10 failures/15 min, in-process dict), explicit is_active check
- owner.py: role guard on /owner/dashboard
- __init__.py: random SECRET_KEY if unset, absolute SQLite path, parameterized
  SQL (no f-strings), session cookie HTTPONLY+SameSite, 8h session lifetime,
  db.session.get() replacing deprecated query.get()
- api.py: P&L double-count bug fixed (wo_cost was summed twice), Content-
  Disposition filename quoted, APP_BASE_URL env var replaces hardcoded
  localhost:5010, create_management_company validates password length and
  email uniqueness, dead code removed from sync_all_accounting
- create_admin.py: removed password from console output

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 03:01:49 -04:00
parent 5b7b41aa50
commit 7fe7304392
5 changed files with 159 additions and 54 deletions
+30 -7
@@ -1,11 +1,27 @@
from flask import Blueprint, render_template, redirect, url_for, request, flash
from flask import Blueprint, render_template, redirect, url_for, request, flash
from flask_login import login_user, logout_user, login_required, current_user
from app import db
from app.models import User
from werkzeug.security import generate_password_hash, check_password_hash
import time
bp = Blueprint('auth', __name__)
# ── Rate limiting (dict-based, no external lib) ───────────────────────
_login_attempts: dict = {}
_LOGIN_MAX = 10
_LOGIN_WINDOW = 900 # 15 min
def _is_rate_limited(ip: str) -> bool:
now = time.time()
times = [t for t in _login_attempts.get(ip, []) if now - t < _LOGIN_WINDOW]
_login_attempts[ip] = times
return len(times) >= _LOGIN_MAX
def _record_failed(ip: str):
_login_attempts.setdefault(ip, []).append(time.time())
# ── Routes ────────────────────────────────────────────────────────────
@bp.route('/')
def index():
return redirect(url_for('auth.login'))
@@ -13,18 +29,25 @@ def index():
@bp.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
email = request.form['email']
password = request.form['password']
user = User.query.filter_by(email=email).first()
if user and check_password_hash(user.password_hash, password):
ip = request.remote_addr or '0.0.0.0'
if _is_rate_limited(ip):
flash('Demasiados intentos fallidos. Espera 15 minutos.', 'error')
return render_template('login.html')
email = request.form.get('email', '').strip()
password = request.form.get('password', '')
user = User.query.filter_by(email=email).first()
if user and user.is_active and check_password_hash(user.password_hash, password):
login_user(user)
if user.role == 'admin':
return redirect(url_for('admin.dashboard'))
else:
return redirect(url_for('owner.dashboard'))
else:
flash('Credenciales inválidas')
_record_failed(ip)
flash('Credenciales inválidas', 'error')
return render_template('login.html')
@bp.route('/logout')
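Review bot: `_is_rate_limited` writes the filtered list back even when it is empty (`_login_attempts[ip] = times`), so every IP that ever failed a login stays as a key for the life of the process and the module-level dict grows without bound; drop the key once its window has expired, e.g. replace that line with `if times: _login_attempts[ip] = times` / `else: _login_attempts.pop(ip, None)`. The counter is also per-process and keyed on `request.remote_addr`, so under several WSGI workers each worker presumably grants its own 10 attempts, and behind a reverse proxy all clients would share the proxy's address unless a ProxyFix-style middleware sets the real client IP — a comment on the `_login_attempts` declaration stating that this is a best-effort, single-process limiter and not a substitute for a shared store would help the next maintainer. Separately, `check_password_hash` in `if user and user.is_active and check_password_hash(...)` is skipped for unknown or inactive accounts, so response time can distinguish registered emails from unknown ones; running the hash check against a fixed dummy hash in the failure path would remove that enumeration signal. The logout route that begins on the last line continues outside the hunk.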