typefaster-cli 0.1.1__tar.gz → 0.1.2__tar.gz

typefaster_cli-0.1.2/.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: pip
+    directory: "/"           # client (root pyproject)
+    schedule: { interval: weekly }
+    open-pull-requests-limit: 5
+  - package-ecosystem: pip
+    directory: "/server"
+    schedule: { interval: weekly }
+    open-pull-requests-limit: 5
+  - package-ecosystem: pip
+    directory: "/shared"
+    schedule: { interval: weekly }
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule: { interval: weekly }

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/.github/workflows/ci.yml

@@ -66,6 +66,21 @@ jobs:
       - name: Test (pytest)
         run: cd server && pytest
 
+  audit:
+    name: dependency audit (pip-audit)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+      - run: python -m pip install pip-audit
+      - name: Audit client deps
+        run: pip-audit --strict --progress-spinner off . || true
+      - name: Audit server deps
+        run: pip-audit --strict --progress-spinner off ./server || true
+
   build:
     name: build wheel
     runs-on: ubuntu-latest

typefaster_cli-0.1.2/.github/workflows/codeql.yml

@@ -0,0 +1,23 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"   # weekly
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: python
+      - uses: github/codeql-action/analyze@v3

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/.github/workflows/release.yml

@@ -13,6 +13,7 @@ on:
 permissions:
   contents: write   # create the GitHub Release
   id-token: write   # OIDC token for PyPI Trusted Publishing
+  packages: write   # push the server image to GHCR
 
 jobs:
   build:
@@ -53,3 +54,29 @@ jobs:
         with:
           generate_release_notes: true
           files: dist/*
+
+  server-image:
+    name: build & push server image (GHCR)
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/typefaster-server
+          tags: |
+            type=semver,pattern={{version}}
+            type=raw,value=latest
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: server/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: typefaster-cli
-Version: 0.1.1
+Version: 0.1.2
 Summary: A terminal-first typing game inspired by MonkeyType and TypeRacer.
 Project-URL: Homepage, https://github.com/Anoshor/typefaster-cli
 Project-URL: Repository, https://github.com/Anoshor/typefaster-cli

typefaster_cli-0.1.2/SECURITY.md

@@ -0,0 +1,28 @@
+# Security Policy
+
+## Supported versions
+The latest released version on PyPI (`typefaster-cli`) and the `main` branch
+receive security fixes.
+
+## Reporting a vulnerability
+Please **do not open a public issue** for security problems.
+
+Report privately via GitHub's **Security advisories**:
+<https://github.com/Anoshor/typefaster-cli/security/advisories/new>
+
+(or email the maintainer listed on the GitHub profile). Include steps to
+reproduce and impact. We aim to acknowledge within 72 hours and to ship a fix or
+mitigation promptly, crediting reporters who wish to be named.
+
+## Hardening notes (for self-hosters)
+- Run the server only behind TLS (the bundled nginx profile, or a TLS-terminating
+  platform like Fly.io). Never expose Redis publicly — keep it on the internal
+  network (`docker-compose.yml` does not publish 6379).
+- Set a strong `TYPEFASTER_JWT_SECRET` (e.g. `openssl rand -hex 32`); rotating it
+  invalidates all existing sessions.
+- Lock `TYPEFASTER_CORS_ORIGINS` to your real domain in production (default `*`).
+- Credential endpoints (`/auth/register`, `/auth/login`, OAuth start) are
+  per-IP rate limited; keep `--proxy-headers` enabled so the limiter sees real
+  client IPs behind a proxy.
+- Passwords are hashed with bcrypt; results are re-scored server-side with
+  anti-cheat before leaderboard writes.

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/client/typefaster/__init__.py

@@ -1,3 +1,3 @@
 """TYPEFASTER-CLI — a terminal-first typing game."""
 
-__version__ = "0.1.1"
+__version__ = "0.1.2"

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/client/typefaster/net/token_store.py

@@ -15,7 +15,10 @@ def _auth_path() -> Path:
 
 @dataclass(slots=True)
 class Session:
-    server_url: str = "http://localhost:8000"
+    # Default points at the public TYPEFASTER server so a fresh install can
+    # register/play with zero config. Override with `typefaster config set-server`
+    # (e.g. a local server or your own deployment).
+    server_url: str = "https://typefaster-cli.fly.dev"
     token: str | None = None
     username: str | None = None
 

typefaster_cli-0.1.2/docs/deploy-fly.md

@@ -0,0 +1,61 @@
+# Deploy the server to Fly.io (free-tier friendly)
+
+Gives you a permanent `https://<app>.fly.dev` so anyone can play with **zero
+config** (the client already defaults to `https://typefaster-cli.fly.dev`).
+
+## Prereqs
+```bash
+brew install flyctl
+fly auth signup    # or: fly auth login
+```
+
+## 1. Create the app (uses the repo's fly.toml)
+```bash
+cd typefaster-cli
+fly launch --no-deploy --copy-config --name typefaster-cli --region bom
+```
+If `typefaster-cli` is taken, pick another name — then update `app` in
+`fly.toml` **and** the default in `client/typefaster/net/token_store.py`, and
+re-release the client so the baked-in default matches.
+
+## 2. Redis (free Upstash)
+```bash
+fly redis create            # choose the free plan; copy the rediss://… URL it prints
+```
+
+## 3. Secrets
+```bash
+fly secrets set \
+  TYPEFASTER_JWT_SECRET="$(openssl rand -hex 32)" \
+  TYPEFASTER_REDIS_URL="rediss://…from step 2…" \
+  TYPEFASTER_CORS_ORIGINS="*"
+# Optional social login (see online-setup.md):
+# fly secrets set TYPEFASTER_GITHUB_CLIENT_ID=... TYPEFASTER_GOOGLE_CLIENT_ID=... TYPEFASTER_GOOGLE_CLIENT_SECRET=...
+```
+
+## 4. Deploy
+```bash
+fly deploy
+fly status
+curl -s https://typefaster-cli.fly.dev/healthz      # {"status":"ok"}
+curl -s https://typefaster-cli.fly.dev/readyz       # {"status":"ready","redis":"ok"}
+```
+
+## 5. Play (anyone, anywhere)
+```bash
+pipx install typefaster-cli
+typefaster register alice        # uses the Fly server by default — no config needed
+typefaster lobby create --name Friday --time 60
+```
+WebSockets work automatically over Fly's TLS (`wss://`).
+
+## Updating the server later
+- Manually: `fly deploy` from the repo.
+- Automated (optional): the release workflow already builds & pushes the server
+  image to `ghcr.io/anoshor/typefaster-server`; add a `fly deploy --image …`
+  step (or `flyctl deploy` GitHub Action with `FLY_API_TOKEN`) to auto-deploy on
+  each tag.
+
+## Costs
+Fly's free allowance covers one small always-on machine + free Upstash Redis —
+$0 for a hobby server. Heavier usage may incur small charges; check Fly billing.

typefaster_cli-0.1.2/fly.toml

@@ -0,0 +1,38 @@
+# Fly.io deployment for the TYPEFASTER server.
+#   fly launch --no-deploy        # first time (creates the app; keep this file)
+#   fly redis create              # free Upstash Redis -> copy the rediss:// URL
+#   fly secrets set TYPEFASTER_JWT_SECRET=$(openssl rand -hex 32) \
+#                   TYPEFASTER_REDIS_URL='rediss://…' \
+#                   TYPEFASTER_CORS_ORIGINS='*'
+#   fly deploy
+#
+# If the app name below is taken, change it (and the client default in
+# client/typefaster/net/token_store.py) to match your real app URL.
+
+app = "typefaster-cli"
+primary_region = "bom"          # Mumbai; change to your nearest region
+
+[build]
+  dockerfile = "server/Dockerfile"
+
+[env]
+  TYPEFASTER_CORS_ORIGINS = "*"
+
+[http_service]
+  internal_port = 8000
+  force_https = true
+  # Keep one machine warm so WebSocket races aren't dropped by cold starts.
+  auto_stop_machines = false
+  auto_start_machines = true
+  min_machines_running = 1
+
+  [[http_service.checks]]
+    interval = "30s"
+    timeout = "5s"
+    grace_period = "10s"
+    method = "get"
+    path = "/healthz"
+
+[[vm]]
+  size = "shared-cpu-1x"
+  memory = "512mb"

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "typefaster-cli"
-version = "0.1.1"
+version = "0.1.2"
 description = "A terminal-first typing game inspired by MonkeyType and TypeRacer."
 readme = "README.md"
 requires-python = ">=3.11"

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/server/app/deps.py

@@ -23,6 +23,22 @@ SettingsDep = Annotated[Settings, Depends(settings_dep)]
 RepoDep = Annotated[RedisRepository, Depends(repo_dep)]
 
 
+def rate_limiter(bucket: str, limit: int, window_seconds: int):  # type: ignore[no-untyped-def]
+    """Build a per-IP fixed-window rate-limit dependency for a route."""
+
+    async def _dep(request: Request) -> None:
+        ip = request.client.host if request.client else "unknown"
+        repo = repo_dep(request)
+        count = await repo.incr_rate(f"rl:{bucket}:{ip}", window_seconds)
+        if count > limit:
+            raise HTTPException(
+                status.HTTP_429_TOO_MANY_REQUESTS,
+                "Too many requests — please slow down.",
+            )
+
+    return _dep
+
+
 async def current_user(
     repo: RepoDep,
     settings: SettingsDep,

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/server/app/repositories.py

@@ -110,6 +110,14 @@ class RedisRepository:
         if wpm > current:
             await self.r.hset(key, "best_wpm", wpm)
 
+    # ── rate limiting ──────────────────────────────────────────────────
+    async def incr_rate(self, key: str, window_seconds: int) -> int:
+        """Increment a fixed-window counter, returning the new count."""
+        n = int(await self.r.incr(key))
+        if n == 1:
+            await self.r.expire(key, window_seconds)
+        return n
+
     # ── sessions ───────────────────────────────────────────────────────
     async def create_session(self, jti: str, username: str, ttl_seconds: int) -> None:
         await self.r.set(keys.session(jti), username, ex=ttl_seconds)

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/server/app/routers/auth.py

@@ -5,16 +5,24 @@ from __future__ import annotations
 from typing import Annotated
 
 import jwt
-from fastapi import APIRouter, Header, HTTPException, status
+from fastapi import APIRouter, Depends, Header, HTTPException, status
 from typefaster_shared.dto import LoginRequest, RegisterRequest, TokenResponse, UserPublic
 
-from ..deps import CurrentUser, RepoDep, SettingsDep
+from ..deps import CurrentUser, RepoDep, SettingsDep, rate_limiter
 from ..security import create_access_token, hash_password, verify_password
 
 router = APIRouter(prefix="/auth", tags=["auth"])
 
+# Per-IP throttle on credential endpoints (abuse / brute-force protection).
+_auth_limit = Depends(rate_limiter("auth", limit=15, window_seconds=60))
 
-@router.post("/register", response_model=TokenResponse, status_code=status.HTTP_201_CREATED)
+
+@router.post(
+    "/register",
+    response_model=TokenResponse,
+    status_code=status.HTTP_201_CREATED,
+    dependencies=[_auth_limit],
+)
 async def register(body: RegisterRequest, repo: RepoDep, settings: SettingsDep) -> TokenResponse:
     created = await repo.create_user(body.username, hash_password(body.password))
     if not created:
@@ -24,7 +32,7 @@ async def register(body: RegisterRequest, repo: RepoDep, settings: SettingsDep)
     return TokenResponse(access_token=token, username=body.username)
 
 
-@router.post("/login", response_model=TokenResponse)
+@router.post("/login", response_model=TokenResponse, dependencies=[_auth_limit])
 async def login(body: LoginRequest, repo: RepoDep, settings: SettingsDep) -> TokenResponse:
     user = await repo.get_user(body.username)
     if not user or not verify_password(body.password, user["password_hash"]):

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/server/app/routers/oauth.py

@@ -6,9 +6,9 @@ TYPEFASTER JWT. No client secrets live on the user's machine; Google's secret
 stays server-side. Both providers are free.
 
 Endpoints:
-  POST /auth/oauth/{provider}/start  -> { device_code, user_code, verification_uri, interval, expires_in }
-  POST /auth/oauth/{provider}/poll   -> { status: "pending"|"slow_down" } (200) or { access_token, username } (200)
-                                        terminal errors -> 400
+  POST /auth/oauth/{provider}/start -> device_code, user_code, verification_uri, interval
+  POST /auth/oauth/{provider}/poll  -> {status: pending|slow_down} (200), or a
+       TokenResponse (200) when authorized; terminal errors -> 400.
 """
 
 from __future__ import annotations
@@ -16,12 +16,12 @@ from __future__ import annotations
 from typing import Any
 
 import httpx
-from fastapi import APIRouter, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, status
 from pydantic import BaseModel
 from typefaster_shared.dto import TokenResponse
 
 from ..config import Settings
-from ..deps import RepoDep, SettingsDep
+from ..deps import RepoDep, SettingsDep, rate_limiter
 from ..repositories import RedisRepository
 from ..security import create_access_token
 
@@ -63,7 +63,7 @@ def _check_provider(provider: str) -> None:
         raise HTTPException(status.HTTP_404_NOT_FOUND, "Unknown provider")
 
 
-@router.post("/{provider}/start")
+@router.post("/{provider}/start", dependencies=[Depends(rate_limiter("oauth", 20, 60))])
 async def start(provider: str, settings: SettingsDep) -> dict[str, Any]:
     _check_provider(provider)
     cid = _client_id(provider, settings)

{typefaster_cli-0.1.1 → typefaster_cli-0.1.2}/server/tests/test_oauth.py

@@ -4,9 +4,8 @@ from __future__ import annotations
 
 import fakeredis.aioredis
 import pytest
-from starlette.testclient import TestClient
-
 from app.repositories import RedisRepository
+from starlette.testclient import TestClient
 
 
 def test_unknown_provider_404(client: TestClient) -> None: