Address QA review warnings for pentest remediation

- Clear IP failure counter on successful /change-password (W-01)
- Add nginx rate limiting for /api/auth/totp-verify (W-02)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kyle 2026-02-25 20:15:21 +08:00
parent f372e7bd99
commit 72075b7b71
2 changed files with 13 additions and 0 deletions


@ -424,6 +424,7 @@ async def change_password(
await _record_failed_login(db, current_user) await _record_failed_login(db, current_user)
raise HTTPException(status_code=401, detail="Invalid current password") raise HTTPException(status_code=401, detail="Invalid current password")
_failed_attempts.pop(client_ip, None)
current_user.password_hash = hash_password(data.new_password) current_user.password_hash = hash_password(data.new_password)
await db.commit() await db.commit()
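Review bot: `_failed_attempts.pop(client_ip, None)` on the added line runs before `await db.commit()`, so a commit failure leaves the per-IP throttle cleared although no password actually changed; move it after the commit, i.e. `await db.commit()` followed by `# Reset the per-IP throttle only once the new hash is durable` and `_failed_attempts.pop(client_ip, None)`. More importantly, if `_failed_attempts` is the same per-IP map the login path consults (its definition is outside the hunk, so this is inferred), anyone holding one valid session at a shared or attacker-controlled IP can zero that IP's counter at will by submitting their own correct current password here, interleaved with guesses against other accounts; consider removing only the entries this user contributed, or decrementing instead of clearing, and make sure the per-user counter kept by `_record_failed_login` still bounds guesses independently of IP. Where `client_ip` is derived is also not visible here — it must come from the trusted hop (`X-Real-IP`) rather than the first `X-Forwarded-For` value, or the counter is spoofable. `change_password` begins before the hunk.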


@ -46,6 +46,18 @@ server {
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
location /api/auth/totp-verify {
limit_req zone=auth_limit burst=5 nodelay;
limit_req_status 429;
proxy_pass http://backend:8000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /api/auth/change-password { location /api/auth/change-password {
limit_req zone=auth_limit burst=5 nodelay; limit_req zone=auth_limit burst=5 nodelay;
limit_req_status 429; limit_req_status 429;
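Review bot: The new `location /api/auth/totp-verify` block throttles per source IP only (the `auth_limit` zone's key and rate are defined outside the hunk — confirm it is keyed on `$binary_remote_addr`), which does not bound guesses per account; a short numeric TOTP can still be brute-forced from many IPs within its validity window, so the backend handler for this route should also count failed verifications per user/session and lock or step up after a small number, which this commit does not show. Note also that `proxy_add_x_forwarded_for` on L34 appends `$remote_addr` to whatever `X-Forwarded-For` the client sent, so if the backend derives its client IP from the first XFF entry an attacker can spoof it and defeat the per-IP counter; have it read `X-Real-IP` (set from `$remote_addr` on L33) or the last XFF entry instead. As a point of style, the five `proxy_*` lines are now duplicated verbatim across the auth locations; moving them into a snippet and using `include snippets/auth_proxy.conf;` in each would keep the headers and limits from drifting apart. The `change-password` location and the enclosing `server` block continue outside the hunk.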