protection de l'application contre les attaques numériques

backend/app/core/config.py

@@ -1,6 +1,8 @@
 from pydantic_settings import BaseSettings
-from typing import Optional
+from pydantic import field_validator
+from typing import Optional, List, Union
 import os
+import secrets
 
 class Settings(BaseSettings):
     """Configuration de l'application"""
@@ -10,20 +12,44 @@ class Settings(BaseSettings):
     API_VERSION: str = "0.1.0"
     API_DESCRIPTION: str = "Interface d'administration légère pour Debian"
     
-    # JWT
-    SECRET_KEY: str = os.getenv("SECRET_KEY", "your-super-secret-key-change-in-production")
-    ALGORITHM: str = "HS256"
-    ACCESS_TOKEN_EXPIRE_MINUTES: int = 480  # 8 heures
+    # Sécurité
+    DEBUG: bool = False
     
-    # CORS
-    ALLOWED_ORIGINS: list = [
-        "http://localhost:3000",
-        "http://localhost:3010",
-        "http://localhost:5173",
-        "http://127.0.0.1:3000",
-        "http://127.0.0.1:3010",
-        "http://127.0.0.1:5173",
-    ]
+    # JWT - ATTENTION: Changer SECRET_KEY en production !
+    SECRET_KEY: str = secrets.token_urlsafe(64)
+    ALGORITHM: str = "HS256"
+    ACCESS_TOKEN_EXPIRE_MINUTES: int = 60
+    
+    # Limite de tentatives de connexion
+    MAX_LOGIN_ATTEMPTS: int = 5
+    LOGIN_ATTEMPT_WINDOW: int = 900  # 15 minutes en secondes
+    
+    # CORS - Liste blanche stricte (chaîne qui sera parsée)
+    ALLOWED_ORIGINS: Union[str, List[str]] = "http://localhost:3000,http://localhost:5173"
+    
+    @field_validator('ALLOWED_ORIGINS', mode='before')
+    @classmethod
+    def parse_origins(cls, v):
+        if isinstance(v, str):
+            return [origin.strip() for origin in v.split(',')]
+        return v
+    
+    # Hôtes de confiance
+    ALLOWED_HOSTS: Union[str, List[str]] = "localhost,127.0.0.1"
+    
+    @field_validator('ALLOWED_HOSTS', mode='before')
+    @classmethod
+    def parse_hosts(cls, v):
+        if isinstance(v, str):
+            return [host.strip() for host in v.split(',')]
+        return v
+    
+    @field_validator('DEBUG', mode='before')
+    @classmethod
+    def parse_debug(cls, v):
+        if isinstance(v, str):
+            return v.lower() == 'true'
+        return v
     
     # Docker
     DOCKER_SOCKET: str = "/var/run/docker.sock"
@@ -31,6 +57,9 @@ class Settings(BaseSettings):
     # Frontend
     FRONTEND_URL: str = os.getenv("FRONTEND_URL", "http://localhost:3000")
     
+    # Rate Limiting
+    RATE_LIMIT_PER_MINUTE: int = int(os.getenv("RATE_LIMIT_PER_MINUTE", "200"))
+    
     class Config:
         env_file = ".env"