hyungi/tk-factory-services
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
tk-factory-services/system3-nonconformance/api/main.py
Hyungi Ahn 12367dd3a1 fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정 
Phase 1 CRITICAL XSS:
- marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management)
- toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header)
- onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail)

Phase 2 HIGH 인가:
- getUserBalance 본인확인 추가 (tksupport vacationController)

Phase 3 HIGH 토큰+CSP:
- localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스)
- unsafe-eval CSP 제거 (system1 security.js)

Phase 4 MEDIUM:
- nginx 보안 헤더 추가 (8개 서비스)
- 500 에러 메시지 마스킹 (5개 API)
- path traversal 방지 (system3 file_service.py)
- cookie fallback 데드코드 제거 (4개 auth.js)
- /login/form rate limiting 추가 (sso-auth)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:50:00 +09:00

85 lines
2.4 KiB
Python
Raw Permalink Blame History

import os
from contextlib import asynccontextmanager
from fastapi import FastAPI, Request
from fastapi.middleware.cors import CORSMiddleware
from fastapi.responses import JSONResponse
import uvicorn
from database.database import engine, get_db
from database.models import Base
from routers import auth, issues, reports, projects, page_permissions, inbox, management
from services.auth_service import create_admin_user
# 데이터베이스 테이블 생성 (sso_users, projects는 이미 존재하므로 제외)
tables_to_create = [
table for name, table in Base.metadata.tables.items()
if name not in ("sso_users", "projects")
]
Base.metadata.create_all(bind=engine, tables=tables_to_create)
# 앱 시작/종료 lifecycle
@asynccontextmanager
async def lifespan(app: FastAPI):
db = next(get_db())
create_admin_user(db)
db.close()
yield
# FastAPI 앱 생성
app = FastAPI(
title="M-Project API",
description="작업보고서 시스템 API",
version="1.0.0",
lifespan=lifespan
)
ALLOWED_ORIGINS = [
"https://tkfb.technicalkorea.net",
"https://tkreport.technicalkorea.net",
"https://tkqc.technicalkorea.net",
"https://tkuser.technicalkorea.net",
]
if os.getenv("ENV", "production") == "development":
ALLOWED_ORIGINS += ["http://localhost:30080", "http://localhost:30180", "http://localhost:30280"]
app.add_middleware(
CORSMiddleware,
allow_origins=ALLOWED_ORIGINS,
allow_credentials=True,
allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
allow_headers=["*"],
expose_headers=["*"]
)
# 라우터 등록
app.include_router(auth.router)
app.include_router(issues.router)
app.include_router(inbox.router) # 수신함 라우터 추가
app.include_router(reports.router)
app.include_router(projects.router)
app.include_router(page_permissions.router)
app.include_router(management.router) # 관리함 라우터 추가
# 루트 엔드포인트
@app.get("/")
async def root():
return {"message": "M-Project API", "version": "1.0.0"}
# 헬스체크
@app.get("/api/health")
async def health_check():
return {"status": "healthy"}
# 전역 예외 처리
@app.exception_handler(Exception)
async def global_exception_handler(request: Request, exc: Exception):
import traceback
traceback.print_exc()
return JSONResponse(
status_code=500,
content={"detail": "서버 오류가 발생했습니다"}
)
if __name__ == "__main__":
uvicorn.run(app, host="0.0.0.0", port=8000)
Reference in New Issue View Git Blame Copy Permalink