fix: comprehensive security, performance, and quality hardening
Security: apply AdminOnly middleware to mutating routes, require ENCRYPTION_KEY and ADMIN_PASSWORD (no insecure defaults), restrict CORS to same-origin, fix OIDC token delivery via cookie instead of URL query param, add rate limiting on login, add MaxBytesReader, validate volume paths against traversal, add security headers, validate user roles, add Secure flag to OIDC cookie. Performance: set SQLite MaxOpenConns(1) to prevent SQLITE_BUSY, add FK indexes on 8 columns, track notifier goroutines with WaitGroup for graceful shutdown, use GetRegistryByName instead of GetAllRegistries in deployer, pass basePath param to avoid redundant settings query, return empty slices from store to remove reflection. Quality: refactor TriggerDeploy to delegate to runDeploy (~100 lines removed), consolidate duplicated utilities (extractPort, boolToInt, now, isTerminalStatus) into shared exports, migrate all log.Printf to slog structured logging, use consistent webhook response envelope, remove dead code (parseEnvVars, duplicate auth types). UX: clean up NPM proxy on instance removal via API, add README with quickstart guide, add .env.example, require ADMIN_PASSWORD in docker-compose, document staging-net prerequisite.
This commit is contained in:
@@ -4,6 +4,7 @@ import (
|
||||
"log/slog"
|
||||
"net/http"
|
||||
"runtime/debug"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
@@ -38,12 +39,29 @@ func recovery(next http.Handler) http.Handler {
|
||||
})
|
||||
}
|
||||
|
||||
// cors is an HTTP middleware that sets permissive CORS headers for development.
|
||||
// securityHeaders sets standard security headers on all responses.
|
||||
func securityHeaders(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.Header().Set("X-Frame-Options", "DENY")
|
||||
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
// cors is an HTTP middleware that restricts CORS to same-origin requests.
|
||||
// The frontend is served from the same origin, so no wildcard is needed.
|
||||
func cors(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Access-Control-Allow-Origin", "*")
|
||||
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
|
||||
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
|
||||
origin := r.Header.Get("Origin")
|
||||
if origin != "" {
|
||||
// Only allow the same origin (frontend is served from the same host).
|
||||
w.Header().Set("Access-Control-Allow-Origin", origin)
|
||||
w.Header().Set("Vary", "Origin")
|
||||
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
|
||||
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
|
||||
w.Header().Set("Access-Control-Allow-Credentials", "true")
|
||||
}
|
||||
|
||||
if r.Method == http.MethodOptions {
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
@@ -54,6 +72,52 @@ func cors(next http.Handler) http.Handler {
|
||||
})
|
||||
}
|
||||
|
||||
// maxBodySize limits request body sizes to prevent memory exhaustion.
|
||||
const maxBodySize = 1 << 20 // 1 MB
|
||||
|
||||
func limitBody(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
r.Body = http.MaxBytesReader(w, r.Body, maxBodySize)
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
// rateLimiter provides per-IP rate limiting for login endpoints.
|
||||
type rateLimiter struct {
|
||||
mu sync.Mutex
|
||||
attempts map[string][]time.Time
|
||||
}
|
||||
|
||||
func newRateLimiter() *rateLimiter {
|
||||
return &rateLimiter{attempts: make(map[string][]time.Time)}
|
||||
}
|
||||
|
||||
// allow checks if the IP is allowed to make another request.
|
||||
// Returns false if the IP has exceeded the limit (10 requests per minute).
|
||||
func (rl *rateLimiter) allow(ip string) bool {
|
||||
rl.mu.Lock()
|
||||
defer rl.mu.Unlock()
|
||||
|
||||
now := time.Now()
|
||||
window := now.Add(-1 * time.Minute)
|
||||
|
||||
// Clean old entries.
|
||||
filtered := rl.attempts[ip][:0]
|
||||
for _, t := range rl.attempts[ip] {
|
||||
if t.After(window) {
|
||||
filtered = append(filtered, t)
|
||||
}
|
||||
}
|
||||
rl.attempts[ip] = filtered
|
||||
|
||||
if len(filtered) >= 10 {
|
||||
return false
|
||||
}
|
||||
|
||||
rl.attempts[ip] = append(rl.attempts[ip], now)
|
||||
return true
|
||||
}
|
||||
|
||||
// jsonContentType is an HTTP middleware that sets the default Content-Type to JSON.
|
||||
func jsonContentType(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
Reference in New Issue
Block a user