Frontend: - Creiez frontend/lib/auth.ts cu saveToken, getToken, getAuthHeader, clearAuth - Modific api.ts: axiosInstance cu interceptor Bearer token + 401 → /login redirect - Modific login page: salveaza JWT token din response Backend: - [H-02] Integrez slowapi rate limiting: 10 req/minute pe /items/extract-label - [M-01] CORS: ALLOWED_ORIGINS din env (dev fallback: localhost:3000, localhost:3002) - [C-01] JWT_SECRET_KEY din env (dev fallback: ephemeral key) docker-compose.yml: - Adaug ALLOWED_ORIGINS env var (dev: localhost) - Adaug JWT_SECRET_KEY env var cu fallback warning Status: - ✅ JWT backend: complet - ✅ JWT frontend: token save + attach + 401 handling - ✅ Rate limiting: 10/min pe extract-label - ✅ CORS: configurable via env Gata pentru dev + testing local. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
49 lines
1.5 KiB
Python
49 lines
1.5 KiB
Python
import os
|
|
from fastapi import FastAPI
|
|
from fastapi.middleware.cors import CORSMiddleware
|
|
from slowapi import Limiter
|
|
from slowapi.util import get_remote_address
|
|
from . import models
|
|
from .database import engine
|
|
from .routers import items, operations, users, categories
|
|
from .logger import log
|
|
|
|
# Create the database tables
|
|
models.Base.metadata.create_all(bind=engine)
|
|
log.info("Database tables verified.")
|
|
|
|
app = FastAPI(title="TFM aInventory API", version="1.1.0")
|
|
log.info("TFM aInventory API process started.")
|
|
|
|
# [H-02] Rate limiting pe API
|
|
limiter = Limiter(key_func=get_remote_address)
|
|
app.state.limiter = limiter
|
|
app.add_exception_handler = limiter.add_exception_handler
|
|
|
|
# [SECURITY FIX M-01] CORS: allow_origins=["*"] + allow_credentials=True este invalid per spec.
|
|
# Originile permise se configurează via variabila de mediu ALLOWED_ORIGINS (comma-separated).
|
|
# Fallback sigur: doar localhost pentru development.
|
|
_raw_origins = os.environ.get(
|
|
"ALLOWED_ORIGINS",
|
|
"http://localhost:3000,http://localhost:3002"
|
|
)
|
|
ALLOWED_ORIGINS = [o.strip() for o in _raw_origins.split(",") if o.strip()]
|
|
log.info(f"CORS allowed origins: {ALLOWED_ORIGINS}")
|
|
|
|
app.add_middleware(
|
|
CORSMiddleware,
|
|
allow_origins=ALLOWED_ORIGINS,
|
|
allow_credentials=True,
|
|
allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
|
|
allow_headers=["*"],
|
|
)
|
|
|
|
app.include_router(items.router)
|
|
app.include_router(operations.router)
|
|
app.include_router(users.router)
|
|
app.include_router(categories.router)
|
|
|
|
@app.get("/")
|
|
def read_root():
|
|
return {"message": "Inventory API is running"}
|