Files
alro65 7fe7304392 Security hardening: IDOR fixes, rate limiting, secret key, session cookies
- IDOR: ownership checks on WO approve/reject/done, charter update/complete/
  send-contracts/request-insurance, captain-contract PDF, insurance-rider PDF,
  delete accounting entry, delete fuel entry, update vessel
- auth.py: rate limiting (10 req/15min), explicit is_active check
- owner.py: role guard on /owner/dashboard
- __init__.py: random SECRET_KEY if unset, absolute SQLite path, parameterized
  SQL (no f-strings), session cookie HTTPONLY+SameSite, 8h session lifetime,
  db.session.get() replacing deprecated query.get()
- api.py: P&L double-count bug fixed (wo_cost was summed twice), Content-
  Disposition filename quoted, APP_BASE_URL env var replaces hardcoded
  localhost:5010, create_management_company validates password length and
  email uniqueness, dead code removed from sync_all_accounting
- create_admin.py: removed password from console output

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 03:01:49 -04:00

58 lines
2.1 KiB
Python

from flask import Blueprint, render_template, redirect, url_for, request, flash
from flask_login import login_user, logout_user, login_required, current_user
from app import db
from app.models import User
from werkzeug.security import generate_password_hash, check_password_hash
import time
bp = Blueprint('auth', __name__)
# ── Rate limiting (dict-based, no external lib) ───────────────────────
_login_attempts: dict = {}
_LOGIN_MAX = 10
_LOGIN_WINDOW = 900 # 15 min
def _is_rate_limited(ip: str) -> bool:
now = time.time()
times = [t for t in _login_attempts.get(ip, []) if now - t < _LOGIN_WINDOW]
_login_attempts[ip] = times
return len(times) >= _LOGIN_MAX
def _record_failed(ip: str):
_login_attempts.setdefault(ip, []).append(time.time())
# ── Routes ────────────────────────────────────────────────────────────
@bp.route('/')
def index():
return redirect(url_for('auth.login'))
@bp.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
ip = request.remote_addr or '0.0.0.0'
if _is_rate_limited(ip):
flash('Demasiados intentos fallidos. Espera 15 minutos.', 'error')
return render_template('login.html')
email = request.form.get('email', '').strip()
password = request.form.get('password', '')
user = User.query.filter_by(email=email).first()
if user and user.is_active and check_password_hash(user.password_hash, password):
login_user(user)
if user.role == 'admin':
return redirect(url_for('admin.dashboard'))
else:
return redirect(url_for('owner.dashboard'))
else:
_record_failed(ip)
flash('Credenciales inválidas', 'error')
return render_template('login.html')
@bp.route('/logout')
@login_required
def logout():
logout_user()
return redirect(url_for('auth.login'))