Pin versions, add resource limits, and harden config
- Pin all Docker image tags (mysql 8.0.40, python 3.12.13-slim, node 20.20.1-alpine, nginx 1.29.6-alpine) - Pin all frontend npm dependencies to exact versions (remove ^ ranges) - Add mem_limit and cpus resource limits to all three containers - Add non-root appuser to backend Dockerfile - Migrate JWT from python-jose to PyJWT - Remove default admin_password in config.py — must be explicitly set in .env - Add DOCS_ENABLED flag to config and .env.example (default false) - Add indexes on session_date, is_active, event_type in session models - Add limit/offset pagination to all log endpoints Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,4 +1,4 @@
|
||||
FROM python:3.12-slim
|
||||
FROM python:3.12.13-slim
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
@@ -11,6 +11,11 @@ RUN pip install --no-cache-dir -r requirements.txt
|
||||
|
||||
COPY . .
|
||||
|
||||
RUN adduser --disabled-password --gecos '' --uid 1000 appuser \
|
||||
&& chown -R appuser /app
|
||||
|
||||
USER appuser
|
||||
|
||||
EXPOSE 8000
|
||||
|
||||
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
from datetime import datetime, timedelta, timezone
|
||||
from typing import Any
|
||||
|
||||
from jose import JWTError, jwt
|
||||
import jwt
|
||||
from jwt import PyJWTError
|
||||
from passlib.context import CryptContext
|
||||
|
||||
from app.config import get_settings
|
||||
@@ -43,5 +44,5 @@ def create_refresh_token(data: dict[str, Any]) -> str:
|
||||
def decode_token(token: str) -> dict[str, Any]:
|
||||
try:
|
||||
return jwt.decode(token, settings.secret_key, algorithms=[settings.algorithm])
|
||||
except JWTError:
|
||||
except PyJWTError:
|
||||
raise ValueError("Invalid or expired token")
|
||||
|
||||
@@ -10,7 +10,8 @@ class Settings(BaseSettings):
|
||||
refresh_token_expire_days: int = 30
|
||||
cors_origins: str = "http://localhost:8054"
|
||||
admin_username: str = "admin"
|
||||
admin_password: str = "change_me_admin_password"
|
||||
admin_password: str # no default — must be explicitly set in .env
|
||||
docs_enabled: bool = False
|
||||
|
||||
@property
|
||||
def cors_origins_list(self) -> list[str]:
|
||||
|
||||
@@ -21,8 +21,8 @@ class DailySession(TimestampMixin, Base):
|
||||
template_id: Mapped[int | None] = mapped_column(
|
||||
ForeignKey("schedule_templates.id", ondelete="SET NULL"), nullable=True
|
||||
)
|
||||
session_date: Mapped[date] = mapped_column(Date, nullable=False)
|
||||
is_active: Mapped[bool] = mapped_column(default=True)
|
||||
session_date: Mapped[date] = mapped_column(Date, nullable=False, index=True)
|
||||
is_active: Mapped[bool] = mapped_column(default=True, index=True)
|
||||
current_block_id: Mapped[int | None] = mapped_column(
|
||||
ForeignKey("schedule_blocks.id", ondelete="SET NULL"), nullable=True
|
||||
)
|
||||
@@ -48,7 +48,7 @@ class TimerEvent(Base):
|
||||
block_id: Mapped[int | None] = mapped_column(
|
||||
ForeignKey("schedule_blocks.id", ondelete="SET NULL"), nullable=True
|
||||
)
|
||||
event_type: Mapped[str] = mapped_column(String(20), nullable=False)
|
||||
event_type: Mapped[str] = mapped_column(String(20), nullable=False, index=True)
|
||||
occurred_at: Mapped[datetime] = mapped_column(DateTime, default=func.now(), server_default=func.now())
|
||||
|
||||
session: Mapped["DailySession"] = relationship("DailySession", back_populates="timer_events")
|
||||
|
||||
@@ -24,6 +24,8 @@ async def get_timeline(
|
||||
log_date: date | None = None,
|
||||
date_from: date | None = None,
|
||||
date_to: date | None = None,
|
||||
limit: int = 500,
|
||||
offset: int = 0,
|
||||
current_user: User = Depends(get_current_user),
|
||||
db: AsyncSession = Depends(get_db),
|
||||
):
|
||||
@@ -51,6 +53,7 @@ async def get_timeline(
|
||||
if date_to:
|
||||
query = query.where(DailySession.session_date <= date_to)
|
||||
|
||||
query = query.limit(limit).offset(offset)
|
||||
result = await db.execute(query)
|
||||
events = result.scalars().all()
|
||||
|
||||
@@ -133,6 +136,8 @@ async def get_strike_events(
|
||||
log_date: date | None = None,
|
||||
date_from: date | None = None,
|
||||
date_to: date | None = None,
|
||||
limit: int = 500,
|
||||
offset: int = 0,
|
||||
current_user: User = Depends(get_current_user),
|
||||
db: AsyncSession = Depends(get_db),
|
||||
):
|
||||
@@ -152,6 +157,7 @@ async def get_strike_events(
|
||||
if date_to:
|
||||
query = query.where(func.date(StrikeEvent.occurred_at) <= date_to)
|
||||
|
||||
query = query.limit(limit).offset(offset)
|
||||
result = await db.execute(query)
|
||||
events = result.scalars().all()
|
||||
return [
|
||||
@@ -192,6 +198,8 @@ async def list_logs(
|
||||
log_date: date | None = None,
|
||||
date_from: date | None = None,
|
||||
date_to: date | None = None,
|
||||
limit: int = 500,
|
||||
offset: int = 0,
|
||||
current_user: User = Depends(get_current_user),
|
||||
db: AsyncSession = Depends(get_db),
|
||||
):
|
||||
@@ -210,7 +218,7 @@ async def list_logs(
|
||||
if date_to:
|
||||
query = query.where(ActivityLog.log_date <= date_to)
|
||||
|
||||
result = await db.execute(query)
|
||||
result = await db.execute(query.limit(limit).offset(offset))
|
||||
return result.scalars().all()
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user