7fe7304392
- IDOR: ownership checks on WO approve/reject/done, charter update/complete/ send-contracts/request-insurance, captain-contract PDF, insurance-rider PDF, delete accounting entry, delete fuel entry, update vessel - auth.py: rate limiting (10 req/15min), explicit is_active check - owner.py: role guard on /owner/dashboard - __init__.py: random SECRET_KEY if unset, absolute SQLite path, parameterized SQL (no f-strings), session cookie HTTPONLY+SameSite, 8h session lifetime, db.session.get() replacing deprecated query.get() - api.py: P&L double-count bug fixed (wo_cost was summed twice), Content- Disposition filename quoted, APP_BASE_URL env var replaces hardcoded localhost:5010, create_management_company validates password length and email uniqueness, dead code removed from sync_all_accounting - create_admin.py: removed password from console output Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
58 lines
2.1 KiB
Python
58 lines
2.1 KiB
Python
from flask import Blueprint, render_template, redirect, url_for, request, flash
|
|
from flask_login import login_user, logout_user, login_required, current_user
|
|
from app import db
|
|
from app.models import User
|
|
from werkzeug.security import generate_password_hash, check_password_hash
|
|
import time
|
|
|
|
bp = Blueprint('auth', __name__)
|
|
|
|
# ── Rate limiting (dict-based, no external lib) ───────────────────────
|
|
_login_attempts: dict = {}
|
|
_LOGIN_MAX = 10
|
|
_LOGIN_WINDOW = 900 # 15 min
|
|
|
|
def _is_rate_limited(ip: str) -> bool:
|
|
now = time.time()
|
|
times = [t for t in _login_attempts.get(ip, []) if now - t < _LOGIN_WINDOW]
|
|
_login_attempts[ip] = times
|
|
return len(times) >= _LOGIN_MAX
|
|
|
|
def _record_failed(ip: str):
|
|
_login_attempts.setdefault(ip, []).append(time.time())
|
|
|
|
# ── Routes ────────────────────────────────────────────────────────────
|
|
@bp.route('/')
|
|
def index():
|
|
return redirect(url_for('auth.login'))
|
|
|
|
@bp.route('/login', methods=['GET', 'POST'])
|
|
def login():
|
|
if request.method == 'POST':
|
|
ip = request.remote_addr or '0.0.0.0'
|
|
if _is_rate_limited(ip):
|
|
flash('Demasiados intentos fallidos. Espera 15 minutos.', 'error')
|
|
return render_template('login.html')
|
|
|
|
email = request.form.get('email', '').strip()
|
|
password = request.form.get('password', '')
|
|
user = User.query.filter_by(email=email).first()
|
|
|
|
if user and user.is_active and check_password_hash(user.password_hash, password):
|
|
login_user(user)
|
|
if user.role == 'admin':
|
|
return redirect(url_for('admin.dashboard'))
|
|
else:
|
|
return redirect(url_for('owner.dashboard'))
|
|
else:
|
|
_record_failed(ip)
|
|
flash('Credenciales inválidas', 'error')
|
|
|
|
return render_template('login.html')
|
|
|
|
@bp.route('/logout')
|
|
@login_required
|
|
def logout():
|
|
logout_user()
|
|
return redirect(url_for('auth.login'))
|