CooperandGoodman/homeschool
1
0
Fork 0
Code Issues Pull Requests Activity
Files
3022bc328b622d84ad33b953eb32e67a38b0568e
homeschool/backend/app/routers/children.py
derekc 3022bc328b Security hardening: go-live review fixes 
- TV tokens upgraded from 4 to 6 digits; Regen Token button in Admin
- Nginx rate limiting on TV dashboard and WebSocket endpoints
- Login lockout after 5 failed attempts (15 min); clears on admin password reset
- HSTS header added; CSP unsafe-inline removed from script-src; CORS restricted to explicit methods/headers
- Dependency CVE fixes: PyJWT 2.12.0, aiomysql 0.3.0, cryptography 46.0.5, python-multipart 0.0.22
- datetime.utcnow() replaced with datetime.now(timezone.utc) throughout
- SQL identifier whitelist for startup migration queries
- README updated: security notes section, lockout docs, token regen, NPM proxy guidance

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 00:00:14 -07:00

169 lines
5.3 KiB
Python
Raw Blame History

import random
from datetime import datetime, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
from fastapi import APIRouter, Depends, HTTPException, status
from pydantic import BaseModel, Field
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select
from app.dependencies import get_db, get_current_user
from app.models.child import Child
from app.models.strike import StrikeEvent
from app.models.user import User
from app.schemas.child import ChildCreate, ChildOut, ChildUpdate
from app.websocket.manager import manager
router = APIRouter(prefix="/api/children", tags=["children"])
def _today_in_tz(tz_name: str):
"""Return today's date in the given IANA timezone, falling back to UTC."""
try:
tz = ZoneInfo(tz_name)
except (ZoneInfoNotFoundError, Exception):
tz = timezone.utc
return datetime.now(tz).date()
@router.get("", response_model=list[ChildOut])
async def list_children(
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
):
result = await db.execute(
select(Child).where(Child.user_id == current_user.id).order_by(Child.name)
)
children = result.scalars().all()
today = _today_in_tz(current_user.timezone)
needs_commit = False
for child in children:
if child.strikes != 0 and child.strikes_last_reset != today:
child.strikes = 0
child.strikes_last_reset = today
needs_commit = True
await manager.broadcast(child.id, {"event": "strikes_update", "strikes": 0})
if needs_commit:
await db.commit()
return children
async def _generate_tv_token(db: AsyncSession) -> int:
while True:
token = random.randint(100000, 999999)
result = await db.execute(select(Child).where(Child.tv_token == token))
if not result.scalar_one_or_none():
return token
@router.post("", response_model=ChildOut, status_code=status.HTTP_201_CREATED)
async def create_child(
body: ChildCreate,
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
):
tv_token = await _generate_tv_token(db)
child = Child(**body.model_dump(), user_id=current_user.id, tv_token=tv_token)
db.add(child)
await db.commit()
await db.refresh(child)
return child
@router.get("/{child_id}", response_model=ChildOut)
async def get_child(
child_id: int,
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
):
result = await db.execute(
select(Child).where(Child.id == child_id, Child.user_id == current_user.id)
)
child = result.scalar_one_or_none()
if not child:
raise HTTPException(status_code=404, detail="Child not found")
return child
@router.patch("/{child_id}", response_model=ChildOut)
async def update_child(
child_id: int,
body: ChildUpdate,
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
):
result = await db.execute(
select(Child).where(Child.id == child_id, Child.user_id == current_user.id)
)
child = result.scalar_one_or_none()
if not child:
raise HTTPException(status_code=404, detail="Child not found")
for field, value in body.model_dump(exclude_none=True).items():
setattr(child, field, value)
await db.commit()
await db.refresh(child)
return child
class StrikesBody(BaseModel):
strikes: int = Field(..., ge=0, le=3)
@router.patch("/{child_id}/strikes", response_model=ChildOut)
async def update_strikes(
child_id: int,
body: StrikesBody,
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
):
result = await db.execute(
select(Child).where(Child.id == child_id, Child.user_id == current_user.id)
)
child = result.scalar_one_or_none()
if not child:
raise HTTPException(status_code=404, detail="Child not found")
prev = child.strikes
child.strikes = body.strikes
db.add(StrikeEvent(child_id=child.id, prev_strikes=prev, new_strikes=body.strikes))
await db.commit()
await db.refresh(child)
await manager.broadcast(child_id, {"event": "strikes_update", "strikes": child.strikes})
return child
@router.post("/{child_id}/regenerate-token", response_model=ChildOut)
async def regenerate_tv_token(
child_id: int,
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
):
result = await db.execute(
select(Child).where(Child.id == child_id, Child.user_id == current_user.id)
)
child = result.scalar_one_or_none()
if not child:
raise HTTPException(status_code=404, detail="Child not found")
child.tv_token = await _generate_tv_token(db)
await db.commit()
await db.refresh(child)
return child
@router.delete("/{child_id}", status_code=status.HTTP_204_NO_CONTENT)
async def delete_child(
child_id: int,
current_user: User = Depends(get_current_user),
db: AsyncSession = Depends(get_db),
):
result = await db.execute(
select(Child).where(Child.id == child_id, Child.user_id == current_user.id)
)
child = result.scalar_one_or_none()
if not child:
raise HTTPException(status_code=404, detail="Child not found")
await db.delete(child)
await db.commit()
Reference in New Issue View Git Blame Copy Permalink