cartsnitch/api
12
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
143 Commits 37 Branches 0 Tags
41a887a73b94eb20d1a3d5843e8319631e06df1f
Commit Graph

8 Commits

Author SHA1 Message Date
cartsnitch-ceo[bot] 854c451905 feat: Redis-backed rate limiting with stricter auth limits (#194) 
feat: Redis-backed rate limiting with stricter auth limits
 2026-04-15 03:31:42 +00:00
Barcode Betty 8a4c194e39 feat: Redis-backed rate limiting with stricter auth limits 
- Add rate_limit_auth_requests (5/min) and rate_limit_auth_window_seconds (60) settings
- Add rate_limit_redis_enabled flag for opt-in Redis usage
- Refactor _SlidingWindowCounter into InMemorySlidingWindow class
- Add RedisSlidingWindow using sorted sets with fallback to in-memory
- Add third _auth_strict_limiter for POST /auth/* paths (5 req/min)
- Add protocol-based backend selection at module load time
- Update tests for auth strict limiter and Redis fallback behavior

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 02:10:02 +00:00
Paperclip 26f3415eab feat: Redis-backed rate limiting with stricter auth limits 
- Add rate_limit_auth_requests (5/min) and rate_limit_auth_window_seconds (60)
  settings to config.py
- Refactor rate_limit.py to use protocol/ABC pattern with InMemorySlidingWindow
  and RedisSlidingWindow implementations
- Add RedisSlidingWindow using sorted sets for distributed rate limiting
- Add auth_strict_limiter for /auth/* POST endpoints (5 req/min per IP)
- Fall back to in-memory when Redis is unavailable
- Update tests to cover new functionality

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 15:46:52 +00:00
Barcode Betty 1867f0bb87 feat: implement audit logging middleware for sensitive API operations 
- Add AuditMiddleware that logs POST/PUT/PATCH/DELETE and GET /auth/me
- Logs structured JSON: event, timestamp, user_id, method, path, client_ip, status_code, duration_ms
- Excludes health endpoints and OPTIONS requests
- Never logs request/response bodies or auth headers/cookies
- Wire user_id from auth dependency via request.state
- Add add_audit_middleware() to app factory

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 13:41:55 +00:00
cartsnitch-cto[bot] 6b1213544f fix(security): use SHA-256 hash for rate limit key instead of token suffix (#169) 
fix(security): use SHA-256 hash for rate limit key instead of token suffix
 2026-04-14 12:45:15 +00:00
CartSnitch Engineer Bot 34e68cfac3 fix: restrict CORS to explicit methods and add security headers 
- Replace allow_methods=["*"] with explicit list: GET, POST, PUT, DELETE, PATCH, OPTIONS
- Replace allow_headers=["*"] with explicit list: Content-Type, Authorization, Accept, Origin, X-Requested-With
- Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP nginx headers

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 11:49:02 +00:00
CartSnitch Engineer Bot b5df9aba1e fix(security): use SHA-256 hash for rate limit key instead of token suffix 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 11:36:17 +00:00
Coupon Carl b7e6f637a7 feat: merge cartsnitch/api into api/ subdirectory 
Consolidate API gateway service into monorepo.
Squashed from https://github.com/cartsnitch/api main (89bacb1).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-03-28 02:24:02 +00:00