busya
2bc8ad87e1
security: rate limiter, is_admin flag, password policy, log masking
M-3: Role.name == 'Admin' string comparison → Role.is_admin boolean flag.
Admin role created with is_admin=True. has_permission checks getattr(role,
'is_admin', False) instead of comparing role names.
M-2: In-memory rate limiter on /api/auth/login. Tracks failed attempts
per IP (10 in 5 min window, 15 min ban). Thread-safe via threading.Lock.
M-5: Password policy — UserCreate.password: min_length=8, must include
uppercase, lowercase, and digit.
L-1: log_security_event details dict now masks sensitive fields:
password, secret, token, api_key, authorization. Recursive masking
for nested dicts. Sensitive field names matched via regex.
OTHER:
- 4 rate limiter tests (under limit, ban, success clears, IP isolation)
- 4 password policy tests (too short, no upper, no digit, valid)
- 2 log masking tests (flat keys, nested)
2026-05-26 15:17:19 +03:00
..
2026-05-26 14:58:49 +03:00
2026-03-10 09:11:26 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 14:58:49 +03:00
2026-05-26 14:58:49 +03:00
2026-05-25 11:35:27 +03:00
2026-05-25 11:35:27 +03:00
2026-05-25 11:35:27 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 14:58:49 +03:00
2026-05-25 08:36:33 +03:00
2026-05-26 14:58:49 +03:00
2026-05-26 09:30:41 +03:00
2026-05-20 23:54:53 +03:00
2026-05-26 11:14:25 +03:00
2026-05-26 14:58:49 +03:00
2026-05-26 11:14:25 +03:00
2026-05-26 09:30:41 +03:00
2026-05-25 11:35:27 +03:00
2026-05-26 14:58:49 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-20 23:54:53 +03:00
2026-05-26 15:17:19 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 14:58:49 +03:00
2026-05-26 09:30:41 +03:00
2026-05-25 08:36:33 +03:00
2026-05-25 08:36:33 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 14:58:49 +03:00
2026-05-26 09:30:41 +03:00
2026-05-14 11:20:17 +03:00
2026-05-26 09:30:41 +03:00
2026-05-26 09:30:41 +03:00
2026-05-14 11:20:17 +03:00
2026-05-14 11:20:17 +03:00
2026-05-26 09:30:41 +03:00