Harden auth and security controls with session auth and docs

2026-03-01 15:29:09 -03:00
parent 7a19f22f41
commit 0242e061c2
36 changed files with 1794 additions and 505 deletions
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -21,12 +21,24 @@ class Settings(BaseSettings):
    redis_url: str = "redis://redis:6379/0"
    redis_security_mode: str = "auto"
    redis_tls_mode: str = "auto"
-    allow_development_anonymous_user_access: bool = True
+    auth_bootstrap_admin_username: str = "admin"
+    auth_bootstrap_admin_password: str = ""
+    auth_bootstrap_user_username: str = ""
+    auth_bootstrap_user_password: str = ""
+    auth_session_ttl_minutes: int = 720
+    auth_password_pbkdf2_iterations: int = 390000
+    auth_session_token_bytes: int = 32
+    auth_session_pepper: str = ""
    storage_root: Path = Path("/data/storage")
    upload_chunk_size: int = 4 * 1024 * 1024
    max_upload_files_per_request: int = 50
    max_upload_file_size_bytes: int = 25 * 1024 * 1024
    max_upload_request_size_bytes: int = 100 * 1024 * 1024
+    content_export_max_documents: int = 250
+    content_export_max_total_bytes: int = 50 * 1024 * 1024
+    content_export_rate_limit_per_minute: int = 6
+    content_export_stream_chunk_bytes: int = 256 * 1024
+    content_export_spool_max_memory_bytes: int = 2 * 1024 * 1024
    max_zip_members: int = 250
    max_zip_depth: int = 2
    max_zip_descendants_per_root: int = 1000
@@ -34,8 +46,6 @@ class Settings(BaseSettings):
    max_zip_total_uncompressed_bytes: int = 150 * 1024 * 1024
    max_zip_compression_ratio: float = 120.0
    max_text_length: int = 500_000
-    admin_api_token: str = ""
-    user_api_token: str = ""
    provider_base_url_allowlist: list[str] = Field(default_factory=lambda: ["api.openai.com"])
    provider_base_url_allow_http: bool = False
    provider_base_url_allow_private_network: bool = False
@@ -43,6 +53,8 @@ class Settings(BaseSettings):
    processing_log_max_unbound_entries: int = 400
    processing_log_max_payload_chars: int = 4096
    processing_log_max_text_chars: int = 12000
+    processing_log_store_model_io_text: bool = False
+    processing_log_store_payload_text: bool = False
    default_openai_base_url: str = "https://api.openai.com/v1"
    default_openai_model: str = "gpt-4.1-mini"
    default_openai_timeout_seconds: int = 45
@@ -60,6 +72,7 @@ class Settings(BaseSettings):
    typesense_num_retries: int = 0
    public_base_url: str = "http://localhost:8000"
    cors_origins: list[str] = Field(default_factory=lambda: ["http://localhost:5173", "http://localhost:3000"])
+    cors_allow_credentials: bool = False


 LOCAL_HOSTNAME_SUFFIXES = (".local", ".internal", ".home.arpa")