Skip to content

🛡️ Sentinel: [security improvement] Move staff verification to backend #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
LVT-ENG wants to merge 1 commit into
base: main
Choose a base branch
from
Open

🛡️ Sentinel: [security improvement] Move staff verification to backend #33

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .env.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,8 @@ LVT_SECRET_KEY=your_secure_secret_here
# Allowed CORS origins (comma-separated list, e.g., https://yourdomain.com,http://localhost:3000)
LVT_ALLOWED_ORIGINS=*

# Staff password for access to the private bunker area
STAFF_PASSWORD=your_secure_staff_password_here

# Google Gemini API Key for Jules AI advice
GEMINI_API_KEY=your_gemini_api_key_here
Binary file removed backend/__pycache__/jules_engine.cpython-312.pyc
View file
Open in desktop
Binary file not shown.
Binary file removed backend/__pycache__/main.cpython-312.pyc
View file
Open in desktop
Binary file not shown.
Binary file removed backend/__pycache__/models.cpython-312.pyc
View file
Open in desktop
Binary file not shown.
Binary file removed backend/__pycache__/test_jules.cpython-312-pytest-9.0.2.pyc
View file
Open in desktop
Binary file not shown.
11 changes: 10 additions & 1 deletion backend/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
from fastapi.responses import JSONResponse
from fastapi.middleware.cors import CORSMiddleware
from dotenv import load_dotenv
from models import UserScan, SHOPIFY_INVENTORY
from models import UserScan, StaffLogin, SHOPIFY_INVENTORY
from jules_engine import get_jules_advice

# Load .env file
Expand All @@ -28,6 +28,7 @@

# 🛡️ Configuración Maestra (abvetos.com) - Secrets moved to environment variables
SECRET_KEY = os.getenv("LVT_SECRET_KEY", "DEVELOPMENT_SECRET_DO_NOT_USE_IN_PROD")
STAFF_PASSWORD = os.getenv("STAFF_PASSWORD", "DEVELOPMENT_STAFF_PASS")
PATENT = "PCT/EP2025/067317"

def verify_auth(user_id: str, token: str) -> bool:
Expand All @@ -49,6 +50,14 @@ def calculate_fit(user_waist: float, item_id: str):
is_perfect = 0.95 <= fit_index <= 1.05
return is_perfect, round(fit_index, 3), item

@app.post("/api/verify-staff")
async def verify_staff(login: StaffLogin):
# 🛡️ Use hmac.compare_digest to prevent timing attacks
if hmac.compare_digest(login.password, STAFF_PASSWORD):
return {"status": "SUCCESS", "message": "Access granted"}
else:
raise HTTPException(status_code=401, detail="Access denied")
Comment on lines +56 to +59
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

There's a potential security vulnerability here if the STAFF_PASSWORD environment variable is set to an empty string. In that case, if an attacker sends a request with an empty password, hmac.compare_digest('', '') would return True, granting them unauthorized access.

To mitigate this, you should ensure that an empty password is never considered valid by checking that STAFF_PASSWORD is not an empty string before performing the comparison.

For more robust testing, you could also add a test case where STAFF_PASSWORD is monkey-patched to an empty string to verify that access is denied for any provided password.

Suggested change
if hmac.compare_digest(login.password, STAFF_PASSWORD):
return {"status": "SUCCESS", "message": "Access granted"}
else:
raise HTTPException(status_code=401, detail="Access denied")
if STAFF_PASSWORD and hmac.compare_digest(login.password, STAFF_PASSWORD):
return {"status": "SUCCESS", "message": "Access granted"}
else:
raise HTTPException(status_code=401, detail="Access denied")


@app.post("/api/recommend")
async def recommend_garment(scan: UserScan, garment_id: str = "BALMAIN_SS26_SLIM"):
# 1. Seguridad y Handshake
Expand Down
3 changes: 3 additions & 0 deletions backend/models.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ class UserScan(BaseModel):
waist: float
event_type: str # e.g., 'Gala', 'Business', 'Cocktail'

class StaffLogin(BaseModel):
password: str

class Garment(BaseModel):
id: str
name: str
Expand Down
Binary file removed backend/tests/__pycache__/test_main.cpython-312-pytest-9.0.2.pyc
View file
Open in desktop
Binary file not shown.
36 changes: 36 additions & 0 deletions backend/tests/test_staff.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
import pytest
from fastapi.testclient import TestClient
from backend.main import app

client = TestClient(app)

def test_verify_staff_success(monkeypatch):
"""Test successful staff verification."""
# Mock STAFF_PASSWORD in main module
monkeypatch.setattr("backend.main.STAFF_PASSWORD", "TEST_STAFF_PASS")

payload = {"password": "TEST_STAFF_PASS"}
response = client.post("/api/verify-staff", json=payload)

assert response.status_code == 200
assert response.json() == {"status": "SUCCESS", "message": "Access granted"}

def test_verify_staff_failure(monkeypatch):
"""Test failed staff verification."""
# Mock STAFF_PASSWORD in main module
monkeypatch.setattr("backend.main.STAFF_PASSWORD", "TEST_STAFF_PASS")

payload = {"password": "WRONG_PASS"}
response = client.post("/api/verify-staff", json=payload)

assert response.status_code == 401
assert response.json()["detail"] == "Access denied"

def test_verify_staff_empty_password(monkeypatch):
"""Test verification with empty password."""
monkeypatch.setattr("backend.main.STAFF_PASSWORD", "TEST_STAFF_PASS")

payload = {"password": ""}
response = client.post("/api/verify-staff", json=payload)

assert response.status_code == 401
28 changes: 21 additions & 7 deletions js/main.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -232,14 +232,28 @@ class TryOnYouBunker {
modal.style.display = 'none';
}

verifyPrivatePass() {
async verifyPrivatePass() {
const input = document.getElementById('private-pass-input');
if (input.value === "SAC_MUSEUM_2026") {
this.showNotification('ACCESO CONCEDIDO', 'success');
setTimeout(() => { window.location.href = "/staff-dashboard"; }, 1500);
} else {
this.showNotification('ACCESO DENEGADO', 'error');
input.value = "";
const password = input.value;

try {
// 🛡️ Verify credentials via backend to avoid hardcoded secrets in JS
const response = await fetch('/api/verify-staff', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ password })
});

if (response.ok) {
this.showNotification('ACCESO CONCEDIDO', 'success');
setTimeout(() => { window.location.href = "/staff-dashboard"; }, 1500);
} else {
this.showNotification('ACCESO DENEGADO', 'error');
input.value = "";
}
} catch (error) {
console.error('Staff verification failed:', error);
this.showNotification('ERROR DE CONEXIÓN AL BÚNKER', 'error');
}
}
}
Expand Down
12 changes: 12 additions & 0 deletions vite.config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
import { defineConfig } from 'vite';

export default defineConfig({
server: {
proxy: {
'/api': {
target: 'http://localhost:8000',
changeOrigin: true,
},
},
},
});