Harden auth, redaction, upload size checks, and compose token requirements

2026-02-21 13:48:55 -03:00
parent 5792586a90
commit 3cbad053cc
21 changed files with 1168 additions and 85 deletions
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -2,6 +2,17 @@ APP_ENV=development
 DATABASE_URL=postgresql+psycopg://dcm:dcm@db:5432/dcm
 REDIS_URL=redis://redis:6379/0
 STORAGE_ROOT=/data/storage
+ADMIN_API_TOKEN=replace-with-random-admin-token
+USER_API_TOKEN=replace-with-random-user-token
+MAX_UPLOAD_FILES_PER_REQUEST=50
+MAX_UPLOAD_FILE_SIZE_BYTES=26214400
+MAX_UPLOAD_REQUEST_SIZE_BYTES=104857600
+MAX_ZIP_MEMBER_UNCOMPRESSED_BYTES=26214400
+MAX_ZIP_TOTAL_UNCOMPRESSED_BYTES=157286400
+MAX_ZIP_COMPRESSION_RATIO=120
+PROVIDER_BASE_URL_ALLOWLIST=["api.openai.com"]
+PROVIDER_BASE_URL_ALLOW_HTTP=false
+PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK=false
 DEFAULT_OPENAI_BASE_URL=https://api.openai.com/v1
 DEFAULT_OPENAI_MODEL=gpt-4.1-mini
 DEFAULT_OPENAI_TIMEOUT_SECONDS=45