From 013091255553a85923ab96a3dc56e9f54b61e138 Mon Sep 17 00:00:00 2001
From: Noloquideus
Date: Fri, 17 Apr 2026 12:02:26 +0300
Subject: [PATCH] feat: add csrf

---
 src/presentation/routing/auth.py | 6 +++++-
 src/presentation/routing/jwt.py | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/presentation/routing/auth.py b/src/presentation/routing/auth.py
index 01c8897..612e570 100644
--- a/src/presentation/routing/auth.py
+++ b/src/presentation/routing/auth.py
@@ -12,7 +12,7 @@ from src.application.contracts import ILogger
 from src.application.domain.dto import UserLoginDto
 from src.infrastructure.config import settings
 from src.infrastructure.logger import get_logger
-from src.presentation.decorators import rate_limit, email_rl_key
+from src.presentation.decorators import csrf_protect,rate_limit,email_rl_key
 from src.presentation.dependencies import (
     get_user_registration_complete_command,
     get_user_logout_command,
@@ -44,6 +44,7 @@ async def registration_start(
 @auth_router.post(path='/registration/complete', response_class=ORJSONResponse, status_code=status.HTTP_201_CREATED)
 @rate_limit(limit=10, window_seconds=300, scope='ip')
+@csrf_protect()
 async def registration(
     request: Request,
     user: RegistrationComplete,
@@ -105,6 +106,7 @@ async def registration(
 @auth_router.post(path='/login/start', response_class=ORJSONResponse, status_code=status.HTTP_200_OK)
 @rate_limit(limit=5, window_seconds=60, scope='ip')
 @rate_limit(limit=3, window_seconds=600, scope='key', key_prefix='rl:login_start', key_builder=email_rl_key)
+@csrf_protect()
 async def login_start(
     request: Request,
     body: LoginStart,
@@ -116,6 +118,7 @@ async def login_start(
 @auth_router.post(path='/login/compete', response_class=ORJSONResponse, status_code=status.HTTP_200_OK)
 @rate_limit(limit=10, window_seconds=300, scope='ip')
+@csrf_protect()
 async def login(
     request: Request,
     user: UserLogin,
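Review bot: The rewritten import `from src.presentation.decorators import csrf_protect,rate_limit,email_rl_key` drops the space after each comma that the removed line had; PEP 8 and any formatter the project runs want `from src.presentation.decorators import csrf_protect, rate_limit, email_rl_key`. The same spacing slip is in the jwt.py import hunk of this patch. Appending the new name to the existing order instead of reordering would also keep the diff to a single-token change.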
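Review bot: `/registration/complete` is a pre-authentication endpoint, so `@csrf_protect()` on it only works if an anonymous client has a way to obtain the token first; nothing in this patch (7 insertions across two routing files) issues one, so either `csrf_protect` mints it itself or a token-issuing step already exists — worth confirming, otherwise every registration attempt fails the check. `registration_start`, whose signature appears in the hunk header, is not given the decorator here; if it is also a state-changing POST it is equally forgeable, and if it is where the token is handed out, a comment on the decorator such as `# CSRF token is issued by /registration/start` would record that dependency. Decorator order — `rate_limit` outside, `csrf_protect` inside — means token-less or forged requests still count against the IP limit, which is the right way round. The body of `registration` continues past the hunk.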
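Review bot: The route path `'/login/compete'` on the context line above the new decorator looks like a typo for `/login/complete` — it is the counterpart of `/registration/complete` and `/login/start` — and the patch leaves it as is, so a client written against the intended name gets a 404. Fixing it is a one-token change, `@auth_router.post(path='/login/complete', response_class=ORJSONResponse, status_code=status.HTTP_200_OK)`, but it is a URL change for existing callers and may warrant a redirect or a release note. The function `login` continues outside the hunk.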
@@ -197,6 +200,7 @@ async def login(
 @auth_router.post(path='/logout', response_class=ORJSONResponse, status_code=status.HTTP_200_OK)
 @rate_limit(limit=settings.RATE_LIMIT_REQUESTS, window_seconds=settings.RATE_LIMIT_WINDOW, scope='ip')
+@csrf_protect()
 async def logout_current(
     request: Request,
     command: UserLogoutCommand = Depends(get_user_logout_command),
diff --git a/src/presentation/routing/jwt.py b/src/presentation/routing/jwt.py
index b140d58..e12349c 100644
--- a/src/presentation/routing/jwt.py
+++ b/src/presentation/routing/jwt.py
@@ -4,7 +4,7 @@ from starlette import status
 from src.application.commands import JwtRefreshCommand
 from src.application.domain.exceptions import ApplicationException
 from src.infrastructure.config import settings
-from src.presentation.decorators import rate_limit
+from src.presentation.decorators import csrf_protect,rate_limit
 from src.presentation.dependencies import get_jwt_refresh_command
@@ -13,6 +13,7 @@ jwt_router = APIRouter(prefix='/jwt', tags=['Jwt'])
 @jwt_router.post('/refresh', response_class=ORJSONResponse, status_code=status.HTTP_200_OK)
 @rate_limit(limit=settings.RATE_LIMIT_REQUESTS, window_seconds=settings.RATE_LIMIT_WINDOW, scope='ip')
+@csrf_protect()
 async def refresh_tokens(
     request: Request,
     command: JwtRefreshCommand = Depends(get_jwt_refresh_command)
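Review bot: `/jwt/refresh` is the endpoint where CSRF matters most if the refresh token travels in a cookie — a bearer token in an `Authorization` header cannot be sent cross-site by a browser, in which case the decorator is redundant — and the hunk does not show how `refresh_tokens` reads the token, so confirm which model applies. If it is cookie-based, pair the check with `SameSite=Lax` (or `Strict`) and `HttpOnly` on the refresh cookie where it is set, and if the CSRF token is bound to the session or refresh token and refresh rotates it, make sure the response re-issues a valid CSRF token, otherwise the client's next refresh fails. As with the auth routes, `csrf_protect` is innermost, so rejected requests still consume the IP rate limit, which is the right ordering. The body of `refresh_tokens` continues outside the hunk.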