mirrors/lnbits-legend
1
0
Fork 0
mirror of https://github.com/lnbits/lnbits-legend.git synced 2025-02-24 06:48:02 +01:00
Code Issues Projects Releases Packages Wiki Activity
lnbits-legend/lnbits/middleware.py

245 lines
8.9 KiB
Python
Raw Normal View History

Feat: audit (#2779)
2024-11-27 13:06:35 +02:00
import asyncio
import json
from datetime import datetime, timezone
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
from http import HTTPStatus
Feat: audit (#2779)
2024-11-27 13:06:35 +02:00
from typing import Any, List, Optional, Union
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
Feat: audit (#2779)
2024-11-27 13:06:35 +02:00
from fastapi import FastAPI, Request, Response
feat: install wizard on first launch (#1977) * Login form loading * add first install middleware and settings * updates * Login form loading * add first install middleware and settings * updates * only set first install when superuser is created * refactor first install * only show if first install * cleanup * set password * update calls * login superuser on first install * fix * fixup! * fixup! * fixup! * fixup! * fixup! * last fixup! * fix mypy and prettier CI errors * disable first install * add random super user * set first install after startup * remove user id from form * Update lnbits/core/views/auth_api.py Co-authored-by: Vlad Stan <stan.v.vlad@gmail.com> * Update lnbits/core/views/auth_api.py Co-authored-by: Vlad Stan <stan.v.vlad@gmail.com> * Update lnbits/middleware.py Co-authored-by: dni ⚡ <office@dnilabs.com> * addressing Vlad's comments * remove super user * move to transient settings * fix: show `first_install` page even after a server restart * fix: do not add `user_id` in the auth token * fix: `make check` errors * fix: `username` is not optional for `UpdateSuperuserPassword` * feat: nicer error message --------- Co-authored-by: dni ⚡ <office@dnilabs.com> Co-authored-by: Tiago Vasconcelos <talvasconcelos@gmail.com> Co-authored-by: Vlad Stan <stan.v.vlad@gmail.com>
2024-01-25 13:33:40 +00:00
from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
Feat: audit (#2779)
2024-11-27 13:06:35 +02:00
from loguru import logger
Adds security tools, such as a rate limiter, IP block/allow, server logs (#1606) * added ratelimiter * Adds server logs to admin ui * Added IP allow/ban list * fixed remove ips * Split rate limit number and unit * security tab and background tasks for killswitch * fix test for auditor api --------- Co-authored-by: dni ⚡ <office@dnilabs.com>
2023-06-20 10:26:33 +01:00
from slowapi import _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from slowapi.middleware import SlowAPIMiddleware
Feat: audit (#2779)
2024-11-27 13:06:35 +02:00
from starlette.middleware.base import BaseHTTPMiddleware
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
from starlette.types import ASGIApp, Receive, Scope, Send
[REFACTOR] core/__init__ to not have circular import issues (#1876) * F541 fix remove unused workflow and combine linters into one add lnbits/static to ruff ignore remote setupnode ignore upgrades for mypy ignore F401 for __init__ files unused noqa ignore upgrades for black F821: undefine name disabled and logged webhook_listener for opennode and lnpay because they are obvisouly not working E402: module level import not at top of file fixup revert breaking changes wait for PR #1876 https://github.com/lnbits/lnbits/pull/1876 E721 fixes, only popped up for python3.9 not 3.10 [REFACTOR] core/__init__ to not have circular import issues WIP add db for backwards compat fix pyright make mypy happy again pyright did not catch those, i think mypy got confused with relative imports. maybe we should use absolute ones everywhere E402: module level import not at top of file dont forget to add core_app rebase on ruff pr f remo format * fix clnrest * ignore E402 in conftest * refactoring issues --------- Co-authored-by: jacksn <jkranawetter05@gmail.com>
2023-09-12 12:25:05 +02:00
from lnbits.core.db import core_app_extra
Feat: audit (#2779)
2024-11-27 13:06:35 +02:00
from lnbits.core.models import AuditEntry
fix: block access admin extensions to normal users
2023-04-05 17:40:08 +03:00
from lnbits.helpers import template_renderer
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
from lnbits.settings import settings
class InstalledExtensionMiddleware:
# This middleware class intercepts calls made to the extensions API and:
# - it blocks the calls if the extension has been disabled or uninstalled.
[CHORE] string formatting default length 88 (#1887) * [CHORE] string formatting default length 88 uses blacks default off 88 and enabled autostringformatting * formatting * nitpicks jackstar fix
2023-08-24 11:26:09 +02:00
# - it redirects the calls to the latest version of the extension
# if the extension has been upgraded.
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
# - otherwise it has no effect
def __init__(self, app: ASGIApp) -> None:
self.app = app
async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
fix: redirect for all paths of the extension (not only for `/api`) (#2120) * fix: redirect for all paths of the extension (not only for `/api`) * refactor: rename variable * fix: corner case for root path * refactor: rename var * doc: update comment * fix: do not redirect for static resources
2023-11-24 22:13:19 +02:00
full_path = scope.get("path", "/")
if full_path == "/":
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
await self.app(scope, receive, send)
return
chore: adhere to ruff's `UP` basically use `list` and `type` instead of `List` and `Type` this is save to use for python3.9 and has been deprecated. also has some performance drawbacks. read more here: https://docs.astral.sh/ruff/rules/non-pep585-annotation/
2024-04-01 18:50:21 +02:00
top_path, *rest = (p for p in full_path.split("/") if p)
feat: show content by accepted type
2023-04-05 18:54:54 +03:00
headers = scope.get("headers", [])
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
# block path for all users if the extension is disabled
fix: redirect for all paths of the extension (not only for `/api`) (#2120) * fix: redirect for all paths of the extension (not only for `/api`) * refactor: rename variable * fix: corner case for root path * refactor: rename var * doc: update comment * fix: do not redirect for static resources
2023-11-24 22:13:19 +02:00
if top_path in settings.lnbits_deactivated_extensions:
feat: show content by accepted type
2023-04-05 18:54:54 +03:00
response = self._response_by_accepted_type(
test: remove warnings for `TemplateResponse` (#2368) * test: remove warnings for `TemplateResponse` removes warnings ``` tests/core/views/test_generic.py::test_core_views_generic tests/core/views/test_generic.py::test_get_wallet_with_user_and_wallet tests/core/views/test_generic.py::test_get_extensions tests/core/views/test_public_api.py::test_core_views_generic /home/dni/.cache/pypoetry/virtualenvs/lnbits-XeqO4Z-j-py3.10/lib/python3.10/site-packages/starlette/templating.py:178: DeprecationWarning: The `name` is not the first para meter anymore. The first parameter should be the `Request` instance. Replace `TemplateResponse(name, {"request": request})` by `TemplateResponse(request, name)`. warnings.warn( ```
2024-03-29 12:22:14 +01:00
scope, headers, f"Extension '{top_path}' disabled", HTTPStatus.NOT_FOUND
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
)
await response(scope, receive, send)
return
fix: redirect for all paths of the extension (not only for `/api`) (#2120) * fix: redirect for all paths of the extension (not only for `/api`) * refactor: rename variable * fix: corner case for root path * refactor: rename var * doc: update comment * fix: do not redirect for static resources
2023-11-24 22:13:19 +02:00
# static resources do not require redirect
if rest[0:1] == ["static"]:
await self.app(scope, receive, send)
return
# re-route all trafic if the extension has been upgraded
Fix overlapping redirect paths (#2671)
2024-09-11 12:41:37 +03:00
if top_path in settings.lnbits_upgraded_extensions:
upgrade_path = (
f"""{settings.lnbits_upgraded_extensions[top_path]}/{top_path}"""
)
fix: redirect for all paths of the extension (not only for `/api`) (#2120) * fix: redirect for all paths of the extension (not only for `/api`) * refactor: rename variable * fix: corner case for root path * refactor: rename var * doc: update comment * fix: do not redirect for static resources
2023-11-24 22:13:19 +02:00
tail = "/".join(rest)
scope["path"] = f"/upgrades/{upgrade_path}/{tail}"
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
await self.app(scope, receive, send)
feat: show content by accepted type
2023-04-05 18:54:54 +03:00
def _response_by_accepted_type(
test: remove warnings for `TemplateResponse` (#2368) * test: remove warnings for `TemplateResponse` removes warnings ``` tests/core/views/test_generic.py::test_core_views_generic tests/core/views/test_generic.py::test_get_wallet_with_user_and_wallet tests/core/views/test_generic.py::test_get_extensions tests/core/views/test_public_api.py::test_core_views_generic /home/dni/.cache/pypoetry/virtualenvs/lnbits-XeqO4Z-j-py3.10/lib/python3.10/site-packages/starlette/templating.py:178: DeprecationWarning: The `name` is not the first para meter anymore. The first parameter should be the `Request` instance. Replace `TemplateResponse(name, {"request": request})` by `TemplateResponse(request, name)`. warnings.warn( ```
2024-03-29 12:22:14 +01:00
self, scope: Scope, headers: List[Any], msg: str, status_code: HTTPStatus
feat: show content by accepted type
2023-04-05 18:54:54 +03:00
) -> Union[HTMLResponse, JSONResponse]:
doc: add comments
2023-04-06 12:32:23 +03:00
"""
[CHORE] string formatting default length 88 (#1887) * [CHORE] string formatting default length 88 uses blacks default off 88 and enabled autostringformatting * formatting * nitpicks jackstar fix
2023-08-24 11:26:09 +02:00
Build an HTTP response containing the `msg` as HTTP body and the `status_code`
as HTTP code. If the `accept` HTTP header is present int the request and
contains the value of `text/html` then return an `HTMLResponse`,
otherwise return an `JSONResponse`.
doc: add comments
2023-04-06 12:32:23 +03:00
"""
feat: show content by accepted type
2023-04-05 18:54:54 +03:00
accept_header: str = next(
(
h[1].decode("UTF-8")
for h in headers
if len(h) >= 2 and h[0].decode("UTF-8") == "accept"
),
"",
)
chore: adhere to ruff's `C` (#2379)
2024-04-03 17:56:05 +02:00
if "text/html" in accept_header.split(","):
feat: show content by accepted type
2023-04-05 18:54:54 +03:00
return HTMLResponse(
status_code=status_code,
content=template_renderer()
test: remove warnings for `TemplateResponse` (#2368) * test: remove warnings for `TemplateResponse` removes warnings ``` tests/core/views/test_generic.py::test_core_views_generic tests/core/views/test_generic.py::test_get_wallet_with_user_and_wallet tests/core/views/test_generic.py::test_get_extensions tests/core/views/test_public_api.py::test_core_views_generic /home/dni/.cache/pypoetry/virtualenvs/lnbits-XeqO4Z-j-py3.10/lib/python3.10/site-packages/starlette/templating.py:178: DeprecationWarning: The `name` is not the first para meter anymore. The first parameter should be the `Request` instance. Replace `TemplateResponse(name, {"request": request})` by `TemplateResponse(request, name)`. warnings.warn( ```
2024-03-29 12:22:14 +01:00
.TemplateResponse(Request(scope), "error.html", {"err": msg})
feat: show content by accepted type
2023-04-05 18:54:54 +03:00
.body,
)
return JSONResponse(
status_code=status_code,
content={"detail": msg},
)
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
class ExtensionsRedirectMiddleware:
[CHORE] string formatting default length 88 (#1887) * [CHORE] string formatting default length 88 uses blacks default off 88 and enabled autostringformatting * formatting * nitpicks jackstar fix
2023-08-24 11:26:09 +02:00
# Extensions are allowed to specify redirect paths. A call to a path outside the
# scope of the extension can be redirected to one of the extension's endpoints.
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
# Eg: redirect `GET /.well-known` to `GET /lnurlp/api/v1/well-known`
def __init__(self, app: ASGIApp) -> None:
self.app = app
async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
if "path" not in scope:
await self.app(scope, receive, send)
return
req_headers = scope["headers"] if "headers" in scope else []
Fix overlapping redirect paths (#2671)
2024-09-11 12:41:37 +03:00
redirect = settings.find_extension_redirect(scope["path"], req_headers)
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
if redirect:
Fix overlapping redirect paths (#2671)
2024-09-11 12:41:37 +03:00
scope["path"] = redirect.new_path_from(scope["path"])
Add redirect paths for extensions (#1532) * feat: basic redirect to extension endpoint * feat: filter by headers * refactor: extract `middleware.py` * fix: do not add twice the same extension to redirects * chore: code clean-up
2023-02-22 11:12:16 +02:00
await self.app(scope, receive, send)
Adds security tools, such as a rate limiter, IP block/allow, server logs (#1606) * added ratelimiter * Adds server logs to admin ui * Added IP allow/ban list * fixed remove ips * Split rate limit number and unit * security tab and background tasks for killswitch * fix test for auditor api --------- Co-authored-by: dni ⚡ <office@dnilabs.com>
2023-06-20 10:26:33 +01:00
Feat: audit (#2779)
2024-11-27 13:06:35 +02:00
class AuditMiddleware(BaseHTTPMiddleware):
def __init__(self, app: ASGIApp, audit_queue: asyncio.Queue) -> None:
super().__init__(app)
self.audit_queue = audit_queue
# delete_time purge after X days
# time, # include pats, exclude paths (regex)
async def dispatch(self, request: Request, call_next) -> Response:
start_time = datetime.now(timezone.utc)
request_details = await self._request_details(request)
response: Optional[Response] = None
try:
response = await call_next(request)
assert response
return response
finally:
duration = (datetime.now(timezone.utc) - start_time).total_seconds()
await self._log_audit(request, response, duration, request_details)
async def _log_audit(
self,
request: Request,
response: Optional[Response],
duration: float,
request_details: Optional[str],
):
try:
http_method = request.scope.get("method", None)
path: Optional[str] = getattr(request.scope.get("route", {}), "path", None)
response_code = str(response.status_code) if response else None
if not settings.audit_http_request(http_method, path, response_code):
return None
ip_address = (
request.client.host
if settings.lnbits_audit_log_ip_address and request.client
else None
)
user_id = request.scope.get("user_id", None)
if settings.is_super_user(user_id):
user_id = "super_user"
component = "core"
if path and not path.startswith("/api"):
component = path.split("/")[1]
data = AuditEntry(
component=component,
ip_address=ip_address,
user_id=user_id,
path=path,
request_type=request.scope.get("type", None),
request_method=http_method,
request_details=request_details,
response_code=response_code,
duration=duration,
)
await self.audit_queue.put(data)
except Exception as ex:
logger.warning(ex)
async def _request_details(self, request: Request) -> Optional[str]:
if not settings.audit_http_request_details():
return None
try:
http_method = request.scope.get("method", None)
path = request.scope.get("path", None)
if not settings.audit_http_request(http_method, path):
return None
details: dict = {}
if settings.lnbits_audit_log_path_params:
details["path_params"] = request.path_params
if settings.lnbits_audit_log_query_params:
details["query_params"] = dict(request.query_params)
if settings.lnbits_audit_log_request_body:
_body = await request.body()
details["body"] = _body.decode("utf-8")
details_str = json.dumps(details)
# Make sure the super_user id is not leaked
return details_str.replace(settings.super_user, "super_user")
except Exception as e:
logger.warning(e)
return None
Adds security tools, such as a rate limiter, IP block/allow, server logs (#1606) * added ratelimiter * Adds server logs to admin ui * Added IP allow/ban list * fixed remove ips * Split rate limit number and unit * security tab and background tasks for killswitch * fix test for auditor api --------- Co-authored-by: dni ⚡ <office@dnilabs.com>
2023-06-20 10:26:33 +01:00
def add_ratelimit_middleware(app: FastAPI):
core_app_extra.register_new_ratelimiter()
chore: update to latest fastapi (#2240) security alert https://github.com/lnbits/lnbits/security/dependabot/46
2024-02-06 15:47:36 +01:00
# latest https://slowapi.readthedocs.io/en/latest/
# shows this as a valid way to add the handler
app.add_exception_handler(
RateLimitExceeded,
_rate_limit_exceeded_handler, # type: ignore
)
Adds security tools, such as a rate limiter, IP block/allow, server logs (#1606) * added ratelimiter * Adds server logs to admin ui * Added IP allow/ban list * fixed remove ips * Split rate limit number and unit * security tab and background tasks for killswitch * fix test for auditor api --------- Co-authored-by: dni ⚡ <office@dnilabs.com>
2023-06-20 10:26:33 +01:00
app.add_middleware(SlowAPIMiddleware)
def add_ip_block_middleware(app: FastAPI):
@app.middleware("http")
async def block_allow_ip_middleware(request: Request, call_next):
if not request.client:
return JSONResponse(
chore: use HTTPStatus for ip middleware (#2792)
2024-12-09 11:44:01 +01:00
status_code=HTTPStatus.FORBIDDEN,
Adds security tools, such as a rate limiter, IP block/allow, server logs (#1606) * added ratelimiter * Adds server logs to admin ui * Added IP allow/ban list * fixed remove ips * Split rate limit number and unit * security tab and background tasks for killswitch * fix test for auditor api --------- Co-authored-by: dni ⚡ <office@dnilabs.com>
2023-06-20 10:26:33 +01:00
content={"detail": "No request client"},
)
ip blocker only call next after validation (#1791) * only call next after validation * lets the blocked ips wait :) * calles suggestion :)
2023-07-03 10:26:35 +02:00
if (
request.client.host in settings.lnbits_blocked_ips
and request.client.host not in settings.lnbits_allowed_ips
):
Adds security tools, such as a rate limiter, IP block/allow, server logs (#1606) * added ratelimiter * Adds server logs to admin ui * Added IP allow/ban list * fixed remove ips * Split rate limit number and unit * security tab and background tasks for killswitch * fix test for auditor api --------- Co-authored-by: dni ⚡ <office@dnilabs.com>
2023-06-20 10:26:33 +01:00
return JSONResponse(
chore: use HTTPStatus for ip middleware (#2792)
2024-12-09 11:44:01 +01:00
status_code=HTTPStatus.FORBIDDEN,
Adds security tools, such as a rate limiter, IP block/allow, server logs (#1606) * added ratelimiter * Adds server logs to admin ui * Added IP allow/ban list * fixed remove ips * Split rate limit number and unit * security tab and background tasks for killswitch * fix test for auditor api --------- Co-authored-by: dni ⚡ <office@dnilabs.com>
2023-06-20 10:26:33 +01:00
content={"detail": "IP is blocked"},
)
[CHORE] cleanup ip block middle workaround for older fastapi (#1981)
2023-10-09 07:57:13 +02:00
return await call_next(request)
Adds security tools, such as a rate limiter, IP block/allow, server logs (#1606) * added ratelimiter * Adds server logs to admin ui * Added IP allow/ban list * fixed remove ips * Split rate limit number and unit * security tab and background tasks for killswitch * fix test for auditor api --------- Co-authored-by: dni ⚡ <office@dnilabs.com>
2023-06-20 10:26:33 +01:00
feat: install wizard on first launch (#1977) * Login form loading * add first install middleware and settings * updates * Login form loading * add first install middleware and settings * updates * only set first install when superuser is created * refactor first install * only show if first install * cleanup * set password * update calls * login superuser on first install * fix * fixup! * fixup! * fixup! * fixup! * fixup! * last fixup! * fix mypy and prettier CI errors * disable first install * add random super user * set first install after startup * remove user id from form * Update lnbits/core/views/auth_api.py Co-authored-by: Vlad Stan <stan.v.vlad@gmail.com> * Update lnbits/core/views/auth_api.py Co-authored-by: Vlad Stan <stan.v.vlad@gmail.com> * Update lnbits/middleware.py Co-authored-by: dni ⚡ <office@dnilabs.com> * addressing Vlad's comments * remove super user * move to transient settings * fix: show `first_install` page even after a server restart * fix: do not add `user_id` in the auth token * fix: `make check` errors * fix: `username` is not optional for `UpdateSuperuserPassword` * feat: nicer error message --------- Co-authored-by: dni ⚡ <office@dnilabs.com> Co-authored-by: Tiago Vasconcelos <talvasconcelos@gmail.com> Co-authored-by: Vlad Stan <stan.v.vlad@gmail.com>
2024-01-25 13:33:40 +00:00
def add_first_install_middleware(app: FastAPI):
@app.middleware("http")
async def first_install_middleware(request: Request, call_next):
if (
settings.first_install
and request.url.path != "/api/v1/auth/first_install"
and request.url.path != "/first_install"
and not request.url.path.startswith("/static")
):
return RedirectResponse("/first_install")
return await call_next(request)
Reference in a new issue Copy permalink