PyPI - dccd - Versions diffs - 3.2.0__tar.gz → 3.3.0__tar.gz - Mend

dccd 3.2.0tar.gz → 3.3.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (90) hide show

{dccd-3.2.0 → dccd-3.3.0}/CHANGELOG.md RENAMED Viewed

@@ -16,6 +16,47 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Removed
+## [3.3.0] - 2026-06-10
+### Added
+- Threat-model section in `how-to/expose-remote` (trust boundaries: localhost / tailnet
+  / public; what the token+cookie session protect and don't; residual risks; a
+  recommended-postures table) — completing **Epic B** (view the UI remotely). (#110)
+- API hardening for remote exposure (all opt-in, off by default): `ui_rate_limit`
+  (token-bucket per client on `/api/*`, over budget → `429` + `Retry-After`),
+  `ui_readonly` (block mutating methods → `403`, view-only share), and
+  `ui_trusted_proxy` (trust `X-Forwarded-For` as the rate-limit key only behind a
+  vetted proxy). Regression tests prove CORS is never wildcard and every mutating
+  route is `401` without a token. Verified live over Tailscale. (#108)
+- Browser login + session: when `ui_auth_token` is set, the web UI now serves a
+  `/login` page and an `HttpOnly`, `SameSite=Lax` session cookie (marked `Secure`
+  behind an HTTPS proxy), with a Logout control. Page routes are gated (an
+  unauthenticated load is redirected to `/login`, no longer served), and the API
+  accepts the cookie alongside `Bearer`/`?token=`. Verified live over Tailscale. (#107)
+- How-to guide `how-to/expose-remote` for reaching the UI from a laptop/phone behind
+  TLS (Caddy/nginx/Cloudflare Tunnel) or a private Tailscale overlay — never the API
+  plaintext off-box. Verified on a real server (Tailscale path reached live; Caddy
+  installs + reverse-proxies). (#106)
+### Changed
+- Responsive layout for the web UI on narrow (mobile) viewports: wide/dense tables
+  scroll inside their own box (a `MutationObserver` wraps tables built after fetch),
+  bigger tap targets, and tighter nav/chrome under 640px — desktop layout unchanged.
+  `ui_smoke.py` gains a 390px mobile pass asserting no page-wide horizontal overflow.
+  Verified: 27/27 smoke steps, Δ=0px overflow on every page. (#109)
+### Fixed
+- The web UI no longer injects the raw `ui_auth_token` into served pages (it was
+  templated into `base.html`); a remotely reachable UI could leak the token to anyone
+  who loaded a page. The browser now holds only an opaque session cookie. (#107)
+### Deprecated
+### Removed
 ## [3.2.0] - 2026-06-10
 ### Added

{dccd-3.2.0 → dccd-3.3.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dccd
-Version: 3.2.0
+Version: 3.3.0
 Summary: Download Crypto Currency Data — hexagonal architecture, async-first.
 Author-email: Arthur Bernard <arthur.bernard.92@gmail.com>
 License: MIT

{dccd-3.2.0 → dccd-3.3.0}/dccd/application/config.py RENAMED Viewed

@@ -37,19 +37,38 @@ SUPPORTED_EXCHANGES: frozenset[str] = frozenset(
 class SettingsConfig(BaseModel):
-    """Global settings: data path, timezone, and web-UI bind/auth."""
+    """Global settings: data path, timezone, and web-UI bind/auth.
+    Hardening knobs (all off by default, i.e. localhost-safe):
+    - ``ui_readonly`` — block mutating HTTP methods on ``/api/*`` (read-only share).
+    - ``ui_rate_limit`` — requests/sec per client on ``/api/*`` (``0`` disables).
+    - ``ui_trusted_proxy`` — trust ``X-Forwarded-For`` as the rate-limit client key.
+      Enable **only** behind a reverse proxy that overwrites the header, else a direct
+      client can forge it and bypass the limit.
+    """
     data_path: str = "./data/crypto"
     timezone: str = "local"
     ui_host: str = "127.0.0.1"
     ui_port: int = 8080
     ui_auth_token: str | None = None
     ui_allow_origins: list[str] = Field(default_factory=list)
+    ui_readonly: bool = False
+    ui_rate_limit: int = 0
+    ui_trusted_proxy: bool = False
     @field_validator("data_path")
     @classmethod
     def _expand(cls, v: str) -> str:
         return str(pathlib.Path(v).expanduser())
+    @field_validator("ui_rate_limit")
+    @classmethod
+    def _non_negative(cls, v: int) -> int:
+        if v < 0:
+            raise ValueError("ui_rate_limit must be >= 0")
+        return v
     @field_validator("timezone")
     @classmethod
     def _validate_tz(cls, v: str) -> str:

{dccd-3.2.0 → dccd-3.3.0}/dccd/interfaces/api/app.py RENAMED Viewed

@@ -24,8 +24,11 @@ import asyncio
 import contextlib
 import logging
 import pathlib
+import secrets
+import time
 from collections.abc import Coroutine
 from typing import Any, cast
+from urllib.parse import parse_qs
 from fastapi import FastAPI, HTTPException, Request
 from fastapi.middleware.cors import CORSMiddleware
@@ -56,6 +59,14 @@ _UI_DIR = pathlib.Path(__file__).parent.parent / "ui"
 _TEMPLATES_DIR = _UI_DIR / "templates"
 _STATIC_DIR = _UI_DIR / "static"
+# Browser session cookie (set on /login when ui_auth_token is configured). The
+# cookie is opaque and HttpOnly; the raw token is never sent to the browser.
+_SESSION_COOKIE = "dccd_session"
+_SESSION_TTL_SECONDS = 7 * 24 * 3600
+_SESSION_TTL_NS = _SESSION_TTL_SECONDS * 1_000_000_000
+# Paths reachable without a session (so the login flow itself is not gated).
+_OPEN_PREFIXES = ("/login", "/logout", "/static", "/health")
 __all__ = ["create_app"]
 logger = logging.getLogger(__name__)
@@ -219,6 +230,73 @@ def create_app(
     app = FastAPI(title="dccd v3", version="3.0.0", lifespan=lifespan)
+    # Browser sessions: sid -> creation time (ns). Opaque, in-process; reset on
+    # restart (acceptable for a single-node daemon). Populated by POST /login.
+    app.state.sessions = {}
+    # --- session / auth helpers (closures over app.state) ---
+    def _configured_token() -> str | None:
+        cfg = getattr(app.state, "config", None)
+        return getattr(getattr(cfg, "settings", None), "ui_auth_token", None)
+    def _prune_sessions() -> None:
+        cutoff = time.time_ns() - _SESSION_TTL_NS
+        for sid in [s for s, ts in app.state.sessions.items() if ts < cutoff]:
+            app.state.sessions.pop(sid, None)
+    def _new_session() -> str:
+        sid = secrets.token_urlsafe(32)
+        app.state.sessions[sid] = time.time_ns()
+        return sid
+    def _valid_session(request: Request) -> bool:
+        sid = request.cookies.get(_SESSION_COOKIE)
+        if not sid:
+            return False
+        _prune_sessions()
+        return sid in app.state.sessions
+    def _request_is_https(request: Request) -> bool:
+        """True over real HTTPS or behind a proxy that sets X-Forwarded-Proto."""
+        if request.url.scheme == "https":
+            return True
+        fwd = request.headers.get("x-forwarded-proto", "")
+        return fwd.split(",", 1)[0].strip() == "https"
+    def _safe_next(nxt: str | None) -> str:
+        """Local-path-only redirect target (blocks //evil.com and absolute URLs)."""
+        if nxt and nxt.startswith("/") and not nxt.startswith("//") and "\\" not in nxt:
+            return nxt
+        return "/"
+    # --- hardening helpers (rate limit + read-only) ---
+    # key -> (tokens, last monotonic). Non-blocking token bucket: over budget ->
+    # 429 immediately (unlike transport.ratelimit which sleeps for outbound calls).
+    app.state.rate_buckets = {}
+    def _client_key(request: Request, settings: Any) -> str:
+        """Rate-limit key. Trust X-Forwarded-For only behind a vetted proxy, else
+        a direct client could forge it and mint unlimited keys."""
+        if getattr(settings, "ui_trusted_proxy", False):
+            xff = request.headers.get("x-forwarded-for", "")
+            if xff:
+                return xff.split(",", 1)[0].strip()
+        client = request.client
+        return client.host if client else "unknown"
+    def _rate_allow(key: str, limit: int) -> bool:
+        buckets = app.state.rate_buckets
+        now = time.monotonic()
+        tokens, last = buckets.get(key, (float(limit), now))
+        tokens = min(float(limit), tokens + (now - last) * limit)
+        if tokens < 1.0:
+            buckets[key] = (tokens, now)
+            return False
+        buckets[key] = (tokens - 1.0, now)
+        return True
     # CORS: no wildcard. The UI is served same-origin, so it needs no CORS at
     # all; allowing every origin let any website's JS drive the local API
     # (reachable on 127.0.0.1 from the user's browser). Cross-origin access is
@@ -234,24 +312,51 @@ def create_app(
     @app.middleware("http")
     async def _auth_guard(request: Request, call_next):
-        """Require a Bearer token on /api/* when settings.ui_auth_token is set.
-        Page routes are intentionally not gated (browsers can't send Bearer on
-        navigation); for untrusted networks, front the UI with a reverse proxy.
+        """Rate-limit, authenticate and (optionally) read-only-gate requests.
+        Order matters: rate limit ``/api/*`` first (cheap rejection, before any
+        auth work), then authenticate, then enforce read-only — so an
+        unauthenticated mutating call still gets ``401`` (auth wins) rather than
+        ``403``. ``/api/*`` accepts a Bearer header, a ``?token=`` query (non-browser
+        SSE) or the session cookie; page routes accept only the cookie and otherwise
+        redirect to ``/login``. With no token configured everything authenticates,
+        but rate-limit and read-only still apply if enabled.
         """
-        cfg = getattr(request.app.state, "config", None)
-        token = getattr(getattr(cfg, "settings", None), "ui_auth_token", None)
+        settings = getattr(getattr(app.state, "config", None), "settings", None)
+        path = request.url.path
+        method = request.method
+        is_api = path.startswith("/api/")
+        # 1) Rate limit /api/* (independent of auth), opt-in via ui_rate_limit.
+        limit = int(getattr(settings, "ui_rate_limit", 0) or 0)
+        if is_api and method != "OPTIONS" and limit > 0:
+            if not _rate_allow(_client_key(request, settings), limit):
+                return JSONResponse(
+                    {"detail": "rate limited"}, status_code=429,
+                    headers={"Retry-After": "1"},
+                )
+        # 2) Authenticate (when a token is configured).
+        token = _configured_token()
+        if token and method != "OPTIONS":
+            if is_api:
+                bearer = request.headers.get("Authorization") == f"Bearer {token}"
+                query = request.query_params.get("token") == token
+                if not (bearer or query or _valid_session(request)):
+                    return JSONResponse({"detail": "Unauthorized"}, status_code=401)
+            elif templates is not None and not path.startswith(_OPEN_PREFIXES):
+                # Page route: only the session cookie authenticates a browser.
+                if not _valid_session(request):
+                    return RedirectResponse(f"/login?next={path}", status_code=303)
+        # 3) Read-only gate (after auth): block mutating /api/* when ui_readonly.
         if (
-            token
-            and request.url.path.startswith("/api/")
-            and request.method != "OPTIONS"
+            is_api
+            and getattr(settings, "ui_readonly", False)
+            and method in ("POST", "PUT", "PATCH", "DELETE")
         ):
-            # Header for normal calls; query param for EventSource (SSE), which
-            # cannot set Authorization headers.
-            bearer = request.headers.get("Authorization") == f"Bearer {token}"
-            query = request.query_params.get("token") == token
-            if not (bearer or query):
-                return JSONResponse({"detail": "Unauthorized"}, status_code=401)
+            return JSONResponse({"detail": "read-only"}, status_code=403)
         return await call_next(request)
     if _STATIC_DIR.exists():
@@ -718,13 +823,64 @@ def create_app(
                 ver = "dev"
             cfg = getattr(request.app.state, "config", None)
             settings = getattr(cfg, "settings", None)
-            token = getattr(settings, "ui_auth_token", None)
             tz = getattr(settings, "timezone", None) or "local"
+            # `authed` drives the Logout affordance; only meaningful when a token
+            # is configured. The raw token is never injected into the page.
+            authed = bool(_configured_token()) and _valid_session(request)
             return {
                 "active": request.url.path, "version": ver, "page": page,
-                "auth_token": token or "", "timezone": tz,
+                "authed": authed, "timezone": tz,
             }
+        @app.get("/login")
+        async def ui_login(request: Request):
+            # No token configured, or already authenticated → nothing to log into.
+            if not _configured_token() or _valid_session(request):
+                return RedirectResponse("/", status_code=303)
+            try:
+                ver = _pkg_version("dccd")
+            except Exception:
+                ver = "dev"
+            return templates.TemplateResponse(
+                request, "login.html",
+                {"version": ver, "next": _safe_next(request.query_params.get("next")),
+                 "error": False},
+            )
+        @app.post("/login")
+        async def ui_login_post(request: Request):
+            token = _configured_token()
+            # Parse the urlencoded form by hand to avoid a python-multipart dep.
+            fields = parse_qs((await request.body()).decode("utf-8", "replace"))
+            submitted = (fields.get("token") or [""])[0]
+            nxt = _safe_next((fields.get("next") or ["/"])[0])
+            if not token or not secrets.compare_digest(submitted, token):
+                try:
+                    ver = _pkg_version("dccd")
+                except Exception:
+                    ver = "dev"
+                return templates.TemplateResponse(
+                    request, "login.html",
+                    {"version": ver, "next": nxt, "error": True},
+                    status_code=401,
+                )
+            sid = _new_session()
+            resp = RedirectResponse(nxt, status_code=303)
+            resp.set_cookie(
+                _SESSION_COOKIE, sid, httponly=True, samesite="lax",
+                secure=_request_is_https(request), max_age=_SESSION_TTL_SECONDS, path="/",
+            )
+            return resp
+        @app.post("/logout")
+        async def ui_logout(request: Request):
+            sid = request.cookies.get(_SESSION_COOKIE)
+            if sid:
+                app.state.sessions.pop(sid, None)
+            resp = RedirectResponse("/login", status_code=303)
+            resp.delete_cookie(_SESSION_COOKIE, path="/")
+            return resp
         # Starlette >= 0.29 / 1.x signature: TemplateResponse(request, name, context)
         @app.get("/")
         async def ui_dashboard(request: Request):

{dccd-3.2.0 → dccd-3.3.0}/dccd/interfaces/ui/templates/base.html RENAMED Viewed

@@ -27,6 +27,7 @@
     nav a:hover { background:var(--border); color:var(--fg); }
     nav a.active { color:var(--accent); background:rgba(74,158,255,.12);
             font-weight:600; }
+    nav .nav-logout { margin:0; margin-left:auto; }
     nav .nav-menu { position:relative; }
     nav .nav-menu-btn { color:var(--muted); background:transparent; border:0;
             padding:.4rem .8rem; border-radius:6px; cursor:pointer; font:inherit; }
@@ -128,6 +129,24 @@
                           to { opacity:1; transform:none; } }
     .j-key { color:#4a9eff; } .j-str { color:#3fb950; }
     .j-num { color:#d2a8ff; } .j-bool { color:#f0883e; } .j-null { color:#8b98a5; }
+    /* Wide/dense tables scroll horizontally inside their own box instead of
+       pushing the whole page wide (wrapper added by wrapTables(), below). */
+    .table-scroll { overflow-x:auto; -webkit-overflow-scrolling:touch; max-width:100%; }
+    /* Mobile / narrow viewport: bigger tap targets, tighter chrome, no page-wide
+       horizontal scroll. Desktop layout above the breakpoint is untouched. */
+    @media (max-width: 640px) {
+      nav { padding:.4rem .6rem; gap:.15rem; }
+      nav a, nav .nav-menu-btn, nav .nav-logout button { padding:.55rem .7rem; }
+      nav .brand-group .ver { display:none; }
+      nav .nav-menu-items { max-width:calc(100vw - 1.2rem); }
+      main { padding:.8rem .7rem; }
+      h1 { font-size:1.15rem; }
+      h2 { font-size:1rem; }
+      button, .tab { min-height:40px; }
+      details.ex > summary { padding:.7rem .8rem; }
+      .inline-form { gap:.5rem; }
+      .modal { min-width:0; width:calc(100vw - 2rem); }
+    }
   </style>
 </head>
 <body>
@@ -159,6 +178,11 @@
         {% endfor %}
       </div>
     </div>
+    {% if authed %}
+    <form method="post" action="/logout" class="nav-logout">
+      <button type="submit" class="nav-menu-btn" title="Sign out">Logout</button>
+    </form>
+    {% endif %}
   </nav>
   <main>
     {% block content %}{% endblock %}
@@ -305,10 +329,29 @@
       root.appendChild(el);
       setTimeout(function () { el.remove(); }, kind === 'err' ? 6000 : 3500);
     }
-    const DCCD_TOKEN = "{{ auth_token }}";
+    // Keep wide tables inside a horizontally-scrollable box so a narrow viewport
+    // never scrolls the whole page sideways. Idempotent; a MutationObserver re-runs
+    // it for tables that pages build after fetching data.
+    function wrapTables(root) {
+      (root || document).querySelectorAll('main table').forEach(function (t) {
+        if (!t.parentElement.classList.contains('table-scroll')) {
+          var w = document.createElement('div');
+          w.className = 'table-scroll';
+          t.parentNode.insertBefore(w, t);
+          w.appendChild(t);
+        }
+      });
+    }
+    document.addEventListener('DOMContentLoaded', function () {
+      wrapTables();
+      var main = document.querySelector('main') || document.body;
+      new MutationObserver(function () { wrapTables(); })
+        .observe(main, { childList: true, subtree: true });
+    });
+    // Auth is carried by the HttpOnly `dccd_session` cookie (set at /login); the
+    // raw token is never exposed to JS. `same-origin` ensures the cookie is sent.
     async function api(method, url, body) {
-      const opts = { method, headers: {} };
-      if (DCCD_TOKEN) opts.headers['Authorization'] = 'Bearer ' + DCCD_TOKEN;
+      const opts = { method, headers: {}, credentials: 'same-origin' };
       if (body !== undefined) {
         opts.headers['Content-Type'] = 'application/json';
         opts.body = JSON.stringify(body);

{dccd-3.2.0 → dccd-3.3.0}/dccd/interfaces/ui/templates/live.html RENAMED Viewed

@@ -278,7 +278,7 @@ async function createNew() {
 let es;
 function connectSSE() {
   if (es) es.close();
-  es = new EventSource('/api/events' + (DCCD_TOKEN ? '?token='+encodeURIComponent(DCCD_TOKEN) : ''));
+  es = new EventSource('/api/events');
   const st = document.getElementById('sse-status');
   es.onopen = () => { st.innerHTML = '<span class="ok">● connected</span>'; };
   es.onmessage = (e) => {

dccd-3.3.0/dccd/interfaces/ui/templates/login.html ADDED Viewed

@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Sign in — dccd UI</title>
+  <link rel="icon" type="image/svg+xml" href="/static/favicon.svg">
+  <style>
+    :root { --bg:#0f1419; --fg:#e6e6e6; --muted:#8b98a5; --accent:#4a9eff;
+            --border:#2a3038; --card:#161b22; --ok:#3fb950; --err:#f85149; }
+    * { box-sizing: border-box; }
+    body { margin:0; font:14px/1.5 system-ui, sans-serif; background:var(--bg);
+           color:var(--fg); display:flex; min-height:100vh; align-items:center;
+           justify-content:center; }
+    .card { background:var(--card); border:1px solid var(--border); border-radius:10px;
+            padding:2rem; width:min(92vw, 360px); }
+    .brand { display:flex; align-items:center; gap:.5rem; margin-bottom:1.25rem; }
+    .brand img { height:32px; width:auto; }
+    .brand .name { font-size:1.2rem; font-weight:700; }
+    .brand .ver { color:var(--muted); font-size:.78rem; }
+    label { display:block; font-size:.85rem; color:var(--muted); margin-bottom:.35rem; }
+    input[type=password] { width:100%; padding:.6rem .7rem; border-radius:8px;
+            border:1px solid var(--border); background:var(--bg); color:var(--fg);
+            font-size:1rem; }
+    button { margin-top:1rem; width:100%; padding:.65rem; border:0; border-radius:8px;
+            background:var(--accent); color:#06121f; font-weight:700; font-size:1rem;
+            cursor:pointer; }
+    button:hover { filter:brightness(1.08); }
+    .err { margin-top:.9rem; color:var(--err); font-size:.85rem; }
+  </style>
+</head>
+<body>
+  <form class="card" method="post" action="/login">
+    <div class="brand">
+      <img src="/static/logo.svg" alt="dccd">
+      <span class="name">dccd</span>
+      <span class="ver">v{{ version }}</span>
+    </div>
+    <input type="hidden" name="next" value="{{ next }}">
+    <label for="token">Access token</label>
+    <input id="token" name="token" type="password" autocomplete="current-password"
+           autofocus required>
+    <button type="submit">Sign in</button>
+    {% if error %}<div class="err">Invalid token — try again.</div>{% endif %}
+  </form>
+</body>
+</html>

{dccd-3.2.0 → dccd-3.3.0}/dccd/interfaces/ui/templates/logs.html RENAMED Viewed

@@ -50,7 +50,7 @@ function clearLive() { logEl.textContent = 'Waiting for events…\n'; eventCount
 function connect() {
   if (es) es.close();
-  es = new EventSource('/api/events' + (DCCD_TOKEN ? '?token=' + encodeURIComponent(DCCD_TOKEN) : ''));
+  es = new EventSource('/api/events');
   es.onopen = () => { statusEl.innerHTML = '<span class="ok">● connected</span>'; };
   es.onmessage = (e) => {
     if (e.data.startsWith(':')) return;

{dccd-3.2.0 → dccd-3.3.0}/dccd/tests/v3/test_api.py RENAMED Viewed

@@ -66,6 +66,186 @@ class TestAuth:
     def test_no_token_means_open(self, client):
         assert client.get("/api/inventory").status_code == 200
+    def test_api_accepts_query_token(self, auth_client):
+        # SSE/EventSource path: ?token= still authorises (non-browser clients).
+        r = auth_client.get("/api/inventory?token=s3cret")
+        assert r.status_code == 200
+class TestAuthSession:
+    """Browser login/session: page routes gated, token never templated."""
+    @pytest.fixture
+    def cfg(self, tmp_data_path):
+        cfg = AppConfig()
+        cfg.settings.data_path = tmp_data_path
+        cfg.storage.local_path = tmp_data_path
+        cfg.settings.ui_auth_token = "s3cret"
+        return cfg
+    @pytest.fixture
+    def auth_client(self, cfg):
+        with TestClient(create_app(config=cfg)) as c:
+            yield c
+    def test_page_redirects_to_login_when_unauthenticated(self, auth_client):
+        r = auth_client.get("/", follow_redirects=False)
+        assert r.status_code == 303
+        assert r.headers["location"] == "/login?next=/"
+    def test_login_page_renders(self, auth_client):
+        r = auth_client.get("/login")
+        assert r.status_code == 200
+        assert "token" in r.text.lower()
+    def test_login_wrong_token_401(self, auth_client):
+        r = auth_client.post(
+            "/login", data={"token": "nope", "next": "/"}, follow_redirects=False
+        )
+        assert r.status_code == 401
+    def test_login_sets_httponly_lax_cookie_and_grants_access(self, cfg):
+        with TestClient(create_app(config=cfg)) as c:
+            r = c.post(
+                "/login", data={"token": "s3cret", "next": "/"}, follow_redirects=False
+            )
+            assert r.status_code == 303
+            set_cookie = r.headers["set-cookie"].lower()
+            assert "dccd_session=" in set_cookie
+            assert "httponly" in set_cookie
+            assert "samesite=lax" in set_cookie
+            assert "samesite=none" not in set_cookie  # CSRF: never cross-site
+            # The session cookie now drives both pages and the API.
+            assert c.get("/", follow_redirects=False).status_code == 200
+            assert c.get("/api/inventory").status_code == 200
+    def test_api_rejects_without_cookie_or_bearer(self, auth_client):
+        # Fresh client (no cookie) cannot reach the API.
+        assert auth_client.get("/api/inventory").status_code == 401
+    def test_logout_clears_session(self, cfg):
+        with TestClient(create_app(config=cfg)) as c:
+            c.post("/login", data={"token": "s3cret", "next": "/"})
+            assert c.get("/", follow_redirects=False).status_code == 200
+            c.post("/logout", follow_redirects=False)
+            assert c.get("/", follow_redirects=False).status_code == 303
+    def test_token_never_in_page(self, cfg):
+        with TestClient(create_app(config=cfg)) as c:
+            c.post("/login", data={"token": "s3cret", "next": "/"})
+            body = c.get("/").text
+            assert "s3cret" not in body  # regression: token must not leak into HTML
+    def test_open_redirect_blocked(self, cfg):
+        for bad in ("//evil.com", "https://evil", "/\\evil"):
+            with TestClient(create_app(config=cfg)) as c:
+                r = c.post(
+                    "/login", data={"token": "s3cret", "next": bad},
+                    follow_redirects=False,
+                )
+                assert r.headers["location"] == "/", bad
+        with TestClient(create_app(config=cfg)) as c:
+            r = c.post(
+                "/login", data={"token": "s3cret", "next": "/data"},
+                follow_redirects=False,
+            )
+            assert r.headers["location"] == "/data"
+    def test_no_token_pages_open(self, client):
+        # Default localhost (no token): pages render without a login.
+        assert client.get("/", follow_redirects=False).status_code == 200
+class TestHardening:
+    """Rate limit, CORS-never-wildcard, read-only mode, mutating-routes-need-auth."""
+    def _cfg(self, tmp_data_path, **over):
+        cfg = AppConfig()
+        cfg.settings.data_path = tmp_data_path
+        cfg.storage.local_path = tmp_data_path
+        for k, v in over.items():
+            setattr(cfg.settings, k, v)
+        return cfg
+    # --- CORS: never wildcard ---
+    def test_cors_no_origin_when_unconfigured(self, tmp_data_path):
+        cfg = self._cfg(tmp_data_path)  # ui_allow_origins=[]
+        with TestClient(create_app(config=cfg)) as c:
+            r = c.get("/api/inventory", headers={"Origin": "http://evil.test"})
+            assert "access-control-allow-origin" not in {k.lower() for k in r.headers}
+    def test_cors_echoes_allowed_origin_never_star(self, tmp_data_path):
+        cfg = self._cfg(tmp_data_path, ui_allow_origins=["http://good.test"])
+        with TestClient(create_app(config=cfg)) as c:
+            ok = c.get("/api/inventory", headers={"Origin": "http://good.test"})
+            assert ok.headers.get("access-control-allow-origin") == "http://good.test"
+            evil = c.get("/api/inventory", headers={"Origin": "http://evil.test"})
+            assert evil.headers.get("access-control-allow-origin") != "*"
+    # --- Rate limit ---
+    def test_rate_limit_trips_429(self, tmp_data_path):
+        cfg = self._cfg(tmp_data_path, ui_rate_limit=2)
+        with TestClient(create_app(config=cfg)) as c:
+            responses = [c.get("/api/inventory") for _ in range(8)]
+            codes = [r.status_code for r in responses]
+            assert 429 in codes
+            # every 429 must carry Retry-After
+            assert all("retry-after" in {k.lower() for k in r.headers}
+                       for r in responses if r.status_code == 429)
+    def test_rate_limit_off_never_429(self, tmp_data_path):
+        cfg = self._cfg(tmp_data_path, ui_rate_limit=0)
+        with TestClient(create_app(config=cfg)) as c:
+            assert all(c.get("/api/inventory").status_code == 200 for _ in range(12))
+    def test_xff_not_trusted_by_default(self, tmp_data_path):
+        # Forged X-Forwarded-For must not mint fresh buckets when proxy not trusted.
+        cfg = self._cfg(tmp_data_path, ui_rate_limit=2)
+        with TestClient(create_app(config=cfg)) as c:
+            codes = [c.get("/api/inventory", headers={"X-Forwarded-For": f"9.9.9.{i}"}).status_code
+                     for i in range(8)]
+            assert 429 in codes  # all share the real peer key despite forged XFF
+    def test_xff_trusted_gives_distinct_buckets(self, tmp_data_path):
+        cfg = self._cfg(tmp_data_path, ui_rate_limit=2, ui_trusted_proxy=True)
+        with TestClient(create_app(config=cfg)) as c:
+            codes = [c.get("/api/inventory", headers={"X-Forwarded-For": f"9.9.9.{i}"}).status_code
+                     for i in range(8)]
+            assert codes.count(200) == 8  # each distinct client has its own bucket
+    # --- Read-only ---
+    def test_readonly_blocks_mutating(self, tmp_data_path):
+        cfg = self._cfg(tmp_data_path, ui_readonly=True)
+        with TestClient(create_app(config=cfg)) as c:
+            assert c.post("/api/jobs/create", json={}).status_code == 403
+            assert c.get("/api/jobs").status_code == 200
+    def test_readonly_401_wins_for_unauth_mutating(self, tmp_data_path):
+        # token + readonly: an unauthenticated mutating call is 401, not 403.
+        cfg = self._cfg(tmp_data_path, ui_readonly=True, ui_auth_token="s3cret")
+        with TestClient(create_app(config=cfg)) as c:
+            assert c.post("/api/jobs/create", json={}).status_code == 401
+            # authenticated mutating call is then blocked by read-only (403).
+            r = c.post("/api/jobs/create", json={},
+                       headers={"Authorization": "Bearer s3cret"})
+            assert r.status_code == 403
+    # --- Mutating routes require auth ---
+    @pytest.mark.parametrize("method,path", [
+        ("post", "/api/jobs/create"), ("post", "/api/jobs/delete"),
+        ("post", "/api/jobs/update"), ("post", "/api/jobs/run"),
+        ("post", "/api/jobs/run-all"), ("post", "/api/streams/start"),
+        ("post", "/api/streams/stop"), ("delete", "/api/backfill/x"),
+    ])
+    def test_mutating_routes_require_token(self, tmp_data_path, method, path):
+        cfg = self._cfg(tmp_data_path, ui_auth_token="s3cret")
+        with TestClient(create_app(config=cfg)) as c:
+            assert getattr(c, method)(path).status_code == 401
 class _OkRemote:
     """In-test remote that reports success without invoking rclone."""

{dccd-3.2.0 → dccd-3.3.0}/dccd.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dccd
-Version: 3.2.0
+Version: 3.3.0
 Summary: Download Crypto Currency Data — hexagonal architecture, async-first.
 Author-email: Arthur Bernard <arthur.bernard.92@gmail.com>
 License: MIT

{dccd-3.2.0 → dccd-3.3.0}/dccd.egg-info/SOURCES.txt RENAMED Viewed

@@ -44,6 +44,7 @@ dccd/interfaces/ui/templates/dashboard.html
 dccd/interfaces/ui/templates/data.html
 dccd/interfaces/ui/templates/historical.html
 dccd/interfaces/ui/templates/live.html
+dccd/interfaces/ui/templates/login.html
 dccd/interfaces/ui/templates/logs.html
 dccd/interfaces/ui/templates/storage.html
 dccd/sources/__init__.py

{dccd-3.2.0 → dccd-3.3.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "dccd"
-version = "3.2.0"
+version = "3.3.0"
 description = "Download Crypto Currency Data — hexagonal architecture, async-first."
 readme = "README.md"
 license = { text = "MIT" }