fix: security hardening across platform

- Disable open /api/auth/register endpoint (gateway) - Require gateway session auth on Immich and Karakeep hooks proxies - Replace SHA-256 with bcrypt in fitness service (auth + seed) - Remove hardcoded Telegram user IDs from fitness seed - Add Secure flag to session cookie - Add domain allowlist and content-type validation to image proxy - Strengthen .gitignore (env variants, runtime data, test artifacts)
2026-03-29 08:25:50 -05:00
parent d1801540ae
commit 6bd23e7e8b
8 changed files with 111 additions and 27 deletions
--- a/services/fitness/Dockerfile.backend
+++ b/services/fitness/Dockerfile.backend
@@ -1,5 +1,7 @@
 FROM python:3.12-slim
 WORKDIR /app
+RUN pip install bcrypt
 COPY server.py .
 EXPOSE 8095
+ENV PYTHONUNBUFFERED=1
 CMD ["python3", "server.py"]
--- a/services/fitness/server.py
+++ b/services/fitness/server.py
@@ -8,8 +8,8 @@ import os
 import json
 import sqlite3
 import uuid
-import hashlib
 import secrets
+import bcrypt
 import re
 import unicodedata
 from http.server import HTTPServer, BaseHTTPRequestHandler
@@ -517,21 +517,21 @@ def seed_default_users():
            "username": os.environ.get("USER1_USERNAME", "yusuf"),
            "password": os.environ.get("USER1_PASSWORD", "changeme"),
            "display_name": os.environ.get("USER1_DISPLAY_NAME", "Yusuf"),
-            "telegram_user_id": os.environ.get("USER1_TELEGRAM_ID", "5878604567"),
+            "telegram_user_id": os.environ.get("USER1_TELEGRAM_ID"),
        },
        {
            "id": str(uuid.uuid4()),
            "username": os.environ.get("USER2_USERNAME", "madiha"),
            "password": os.environ.get("USER2_PASSWORD", "changeme"),
            "display_name": os.environ.get("USER2_DISPLAY_NAME", "Madiha"),
-            "telegram_user_id": os.environ.get("USER2_TELEGRAM_ID", "6389024883"),
+            "telegram_user_id": os.environ.get("USER2_TELEGRAM_ID"),
        },
    ]

    for user in users:
        existing = cursor.execute("SELECT id FROM users WHERE username = ?", (user["username"],)).fetchone()
        if not existing:
-            password_hash = hashlib.sha256(user["password"].encode()).hexdigest()
+            password_hash = bcrypt.hashpw(user["password"].encode(), bcrypt.gensalt()).decode()
            cursor.execute(
                "INSERT INTO users (id, username, password_hash, display_name, telegram_user_id) VALUES (?, ?, ?, ?, ?)",
                (user["id"], user["username"], password_hash, user["display_name"], user["telegram_user_id"])
@@ -2208,16 +2208,14 @@ class CalorieHandler(BaseHTTPRequestHandler):
            data = self._read_body()
            username = data.get('username', '').strip().lower()
            password = data.get('password', '')
-            password_hash = hashlib.sha256(password.encode()).hexdigest()
-
            conn = get_db()
            user = conn.execute(
-                "SELECT * FROM users WHERE username = ? AND password_hash = ?",
-                (username, password_hash)
+                "SELECT * FROM users WHERE username = ?",
+                (username,)
            ).fetchone()
            conn.close()

-            if not user:
+            if not user or not bcrypt.checkpw(password.encode(), user['password_hash'].encode()):
                return self._send_json({'error': 'Invalid credentials'}, 401)

            token = create_session(user['id'])