Merge pull request #92 from MyElectricalData/develop

Develop

Author: m4dm4rtig4n

CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [1.4.1-dev.3](https://github.com/MyElectricalData/myelectricaldata_new/compare/1.4.1-dev.2...1.4.1-dev.3) (2025-12-21)
+
+### Bug Fixes
+
+* normalize API base URL to prevent double slashes ([1edeb1d](https://github.com/MyElectricalData/myelectricaldata_new/commit/1edeb1d0ddac287242348d542c16dc7c50f7e954))
+
+## [1.4.1-dev.2](https://github.com/MyElectricalData/myelectricaldata_new/compare/1.4.1-dev.1...1.4.1-dev.2) (2025-12-21)
+
+### Bug Fixes
+
+* address Copilot code review feedback ([57f4da5](https://github.com/MyElectricalData/myelectricaldata_new/commit/57f4da598a23030b236fe9b0e18fcfd57031c183))
+
 ## [1.4.1-dev.1](https://github.com/MyElectricalData/myelectricaldata_new/compare/1.4.0...1.4.1-dev.1) (2025-12-21)
 
 ### Bug Fixes

apps/api/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "myelectricaldata-api"
-version = "1.4.1-dev.1"
+version = "1.4.1-dev.3"
 description = "MyElectricalData API Gateway for Enedis data"
 authors = [{name = "m4dm4rtig4n"}]
 license = {text = "Apache-2.0"}

apps/api/src/config/settings.py

@@ -1,5 +1,7 @@
-from typing import Literal
+import secrets
+from typing import Literal, Self
 
+from pydantic import model_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
@@ -33,7 +35,9 @@ def database_type(self) -> str:
     RTE_BASE_URL: str = "https://digital.iservices.rte-france.com"
 
     # API Security
-    SECRET_KEY: str = "dev-secret-key-change-in-production"
+    # SECRET_KEY is required in production (no default value for security)
+    # In DEBUG mode, a random key is generated if not provided
+    SECRET_KEY: str = ""
     ALGORITHM: str = "HS256"
     ACCESS_TOKEN_EXPIRE_MINUTES: int = 43200
 
@@ -94,5 +98,46 @@ def enedis_authorize_url(self) -> str:
             return "https://mon-compte-particulier.enedis.fr/dataconnect/v1/oauth2/authorize"
         return f"{self.enedis_base_url}/dataconnect/v1/oauth2/authorize"
 
+    @model_validator(mode="after")
+    def validate_secret_key(self) -> Self:
+        """Validate SECRET_KEY configuration.
+
+        - Production (DEBUG=False): SECRET_KEY is required and must be secure
+        - Development (DEBUG=True): Generate a random key if not provided (with warning)
+        """
+        insecure_patterns = ["dev-", "changeme", "secret", "password", "test", "example"]
+
+        if not self.SECRET_KEY:
+            if self.DEBUG:
+                # Generate random key for development (will change on restart)
+                object.__setattr__(self, "SECRET_KEY", secrets.token_urlsafe(32))
+                import warnings
+                warnings.warn(
+                    "SECRET_KEY not configured - using random key (sessions will be invalidated on restart). "
+                    "Set SECRET_KEY environment variable for persistent sessions.",
+                    UserWarning,
+                    stacklevel=2,
+                )
+            else:
+                raise ValueError(
+                    "SECRET_KEY environment variable is required in production (DEBUG=False). "
+                    "Generate a secure key with: python -c \"import secrets; print(secrets.token_urlsafe(32))\""
+                )
+        elif any(pattern in self.SECRET_KEY.lower() for pattern in insecure_patterns):
+            if not self.DEBUG:
+                raise ValueError(
+                    "SECRET_KEY appears to be insecure (contains common patterns). "
+                    "Generate a secure key with: python -c \"import secrets; print(secrets.token_urlsafe(32))\""
+                )
+            else:
+                import warnings
+                warnings.warn(
+                    "SECRET_KEY appears to be insecure. Use a strong random key in production.",
+                    UserWarning,
+                    stacklevel=2,
+                )
+
+        return self
+
 
 settings = Settings()

apps/api/src/middleware/auth.py

@@ -1,4 +1,6 @@
+import secrets
 from typing import Optional
+
 from fastapi import Security, HTTPException, status, Depends, Request
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from fastapi.security import OAuth2
@@ -92,11 +94,16 @@ async def get_current_user(
             else:
                 logger.error("[AUTH] User not found in database")
 
-    # Try API key (client_secret)
+    # Try API key (client_secret) - iterate to use constant-time comparison
     logger.debug("[AUTH] Trying API key authentication")
-    result = await db.execute(select(User).where(User.client_secret == token))
-    user = result.scalar_one_or_none()
-    if user and user.is_active:
+    result = await db.execute(select(User).where(User.is_active == True))  # noqa: E712
+    users = result.scalars().all()
+    user = None
+    for u in users:
+        if secrets.compare_digest(u.client_secret, token):
+            user = u
+            break
+    if user:
         if settings.REQUIRE_EMAIL_VERIFICATION and not user.email_verified:
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
@@ -145,11 +152,12 @@ async def get_current_user_optional(
             if user and user.is_active:
                 return user
 
-    # Try API key (client_secret)
-    result = await db.execute(select(User).where(User.client_secret == token))
-    user = result.scalar_one_or_none()
-    if user and user.is_active:
-        return user
+    # Try API key (client_secret) - iterate to use constant-time comparison
+    result = await db.execute(select(User).where(User.is_active == True))  # noqa: E712
+    users = result.scalars().all()
+    for u in users:
+        if secrets.compare_digest(u.client_secret, token):
+            return u
 
     return None
 

apps/api/src/routers/accounts.py

@@ -225,10 +225,6 @@ async def get_token(
 
     Accepts credentials either in form data or in Authorization header (Basic Auth).
     """
-    logger.debug(f"[TOKEN] Received request - Content-Type: {request.headers.get('content-type')}")
-    logger.debug(f"[TOKEN] Authorization header: {request.headers.get('authorization', 'None')[:50] if request.headers.get('authorization') else 'None'}")
-    logger.debug(f"[TOKEN] Form client_id: {client_id}, client_secret: {'***' if client_secret else None}")
-
     # Try to get credentials from Authorization header (Basic Auth)
     if not client_id or not client_secret:
         auth_header = request.headers.get('authorization')
@@ -238,35 +234,31 @@ async def get_token(
                 encoded = auth_header.split(' ')[1]
                 decoded = base64.b64decode(encoded).decode('utf-8')
                 client_id, client_secret = decoded.split(':', 1)
-                logger.debug(f"[TOKEN] From Basic Auth - client_id: {client_id}, client_secret: ***")
-            except Exception as e:
-                logger.error(f"[TOKEN] Failed to parse Basic Auth: {e}")
+            except Exception:
+                pass  # Invalid Basic Auth format, will try form data next
 
     # If still not found, try form data
     if not client_id or not client_secret:
         try:
             form_data = await request.form()
-            logger.debug(f"[TOKEN] Form data keys: {list(form_data.keys())}")
             client_id_form = form_data.get('client_id')
             client_secret_form = form_data.get('client_secret')
             # Only use if it's a string (not UploadFile)
             if isinstance(client_id_form, str):
                 client_id = client_id_form or client_id
             if isinstance(client_secret_form, str):
                 client_secret = client_secret_form or client_secret
-            logger.debug(f"[TOKEN] After form parse - client_id: {client_id}, client_secret: {'***' if client_secret else None}")
-        except Exception as e:
-            logger.error(f"[TOKEN] Failed to parse form: {e}")
+        except Exception:
+            pass  # Form parsing failed, credentials may still be from Basic Auth
 
     if not client_id or not client_secret:
-        logger.debug(f"[TOKEN] Missing credentials - client_id: {client_id}, client_secret: {'***' if client_secret else None}")
         raise HTTPException(status_code=422, detail="client_id and client_secret are required (provide in form data or Basic Auth header)")
 
     # Find user by client_id
     result = await db.execute(select(User).where(User.client_id == client_id))
     user = result.scalar_one_or_none()
 
-    if not user or user.client_secret != client_secret:
+    if not user or not secrets.compare_digest(user.client_secret, client_secret):
         raise HTTPException(status_code=401, detail="Invalid client credentials")
 
     if not user.is_active:

apps/api/src/schemas/requests.py

@@ -1,12 +1,33 @@
+import re
 from typing import Optional
-from pydantic import BaseModel, EmailStr, Field
+
+from pydantic import BaseModel, EmailStr, Field, field_validator
 
 
 class UserCreate(BaseModel):
     email: EmailStr
     password: str = Field(..., min_length=8)
     turnstile_token: Optional[str] = None
 
+    @field_validator("password")
+    @classmethod
+    def validate_password_strength(cls, v: str) -> str:
+        """Validate password meets security requirements.
+
+        Requirements:
+        - Minimum 8 characters (enforced by Field)
+        - At least one uppercase letter
+        - At least one lowercase letter
+        - At least one digit
+        """
+        if not re.search(r"[A-Z]", v):
+            raise ValueError("Password must contain at least one uppercase letter")
+        if not re.search(r"[a-z]", v):
+            raise ValueError("Password must contain at least one lowercase letter")
+        if not re.search(r"\d", v):
+            raise ValueError("Password must contain at least one digit")
+        return v
+
 
 class UserLogin(BaseModel):
     email: EmailStr

apps/web/nginx.conf

@@ -26,4 +26,14 @@ server {
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+    # HSTS - Force HTTPS for 1 year (enable in production behind HTTPS proxy)
+    # Uncomment when served over HTTPS:
+    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # Content Security Policy
+    # Allows inline styles (Tailwind), scripts from self, and API connections
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://logo.clearbit.com; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
 }

apps/web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "myelectricaldata-web",
-  "version": "1.4.1-dev.1",
+  "version": "1.4.1-dev.3",
   "type": "module",
   "scripts": {
     "dev": "vite",

apps/web/src/pages/ApiDocs.tsx

@@ -18,7 +18,9 @@ declare global {
 export default function ApiDocs() {
   const { isDark } = useThemeStore()
   // Use runtime config first, then build-time env, then default
-  const apiBaseUrl = window.__ENV__?.VITE_API_BASE_URL || import.meta.env.VITE_API_BASE_URL || '/api'
+  // Remove trailing slash to avoid double slashes in URLs
+  const rawApiBaseUrl = window.__ENV__?.VITE_API_BASE_URL || import.meta.env.VITE_API_BASE_URL || '/api'
+  const apiBaseUrl = rawApiBaseUrl.replace(/\/+$/, '')
 
   useEffect(() => {
     // Hide the "Explore" link and customize Swagger UI colors

apps/web/src/pages/ConsentRedirect.tsx

@@ -12,7 +12,9 @@ declare global {
 }
 
 // Use runtime config first, then build-time env, then default
-const API_BASE_URL = window.__ENV__?.VITE_API_BASE_URL || import.meta.env.VITE_API_BASE_URL || '/api'
+// Remove trailing slash to avoid double slashes in URLs
+const rawApiBaseUrl = window.__ENV__?.VITE_API_BASE_URL || import.meta.env.VITE_API_BASE_URL || '/api'
+const API_BASE_URL = rawApiBaseUrl.replace(/\/+$/, '')
 
 export default function ConsentRedirect() {
   const [searchParams] = useSearchParams()