Mirrors/wireguard_webadmin
1
0
Fork 0
mirror of https://github.com/eduardogsilva/wireguard_webadmin.git synced 2026-03-17 14:26:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

enhance security by adding HTTP security headers and disabling OpenAPI documentation

Browse Source
This commit is contained in:
Eduardo Silva
2026-03-16 19:49:11 -03:00
parent 76048593f1
commit 4c109957e9
2 changed files with 26 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
containers/auth-gateway/auth_gateway/main.py
View File

@@ -32,7 +32,13 @@ async def lifespan(app: FastAPI):
yield yield
app = FastAPI(title="Auth Gateway", lifespan=lifespan) app = FastAPI(
title="Auth Gateway",
lifespan=lifespan,
docs_url=None,
redoc_url=None,
openapi_url=None,
)
app.state.limiter = limiter app.state.limiter = limiter
@@ -61,6 +67,19 @@ async def _rate_limit_handler(request: Request, exc: RateLimitExceeded) -> HTMLR
app.add_exception_handler(RateLimitExceeded, _rate_limit_handler) app.add_exception_handler(RateLimitExceeded, _rate_limit_handler)
@app.middleware("http")
async def security_headers(request: Request, call_next):
response = await call_next(request)
response.headers["X-Frame-Options"] = "DENY"
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
response.headers["Content-Security-Policy"] = (
"default-src 'self'; script-src 'none'; style-src 'self'; "
"img-src 'self' data:; frame-ancestors 'none'"
)
return response
@app.middleware("http") @app.middleware("http")
async def access_log(request: Request, call_next): async def access_log(request: Request, call_next):
start = time.monotonic() start = time.monotonic()

10
containers/auth-gateway/auth_gateway/services/oidc_service.py
View File

@@ -38,13 +38,15 @@ class OIDCService:
client = self._client(method_name, method) client = self._client(method_name, method)
token = await client.authorize_access_token(request) token = await client.authorize_access_token(request)
claims = {} claims = {}
# Always parse and validate the ID token (validates nonce, signature, issuer, audience)
if "id_token" in token:
claims = dict(await client.parse_id_token(request, token, nonce=nonce))
# Merge userinfo on top for richer claims — core identity is from the validated ID token
if "userinfo" in token and isinstance(token["userinfo"], dict): if "userinfo" in token and isinstance(token["userinfo"], dict):
claims = token["userinfo"] claims.update(token["userinfo"])
elif "id_token" in token:
claims = await client.parse_id_token(request, token, nonce=nonce)
email = claims.get("email") email = claims.get("email")
subject = claims.get("sub") subject = claims.get("sub")
return OIDCIdentity(subject=subject, email=email, claims=dict(claims)) return OIDCIdentity(subject=subject, email=email, claims=claims)
def is_oidc_identity_allowed(method: OIDCMethodModel, email: str | None) -> bool: def is_oidc_identity_allowed(method: OIDCMethodModel, email: str | None) -> bool: