mirror of
https://github.com/BEDOLAGA-DEV/remnawave-bedolaga-telegram-bot.git
synced 2026-02-27 14:51:19 +00:00
784616b349
Remove the 7,791-line universal_migration.py and 16 incomplete individual Alembic migrations. Replace with a single initial schema migration using Base.metadata.create_all(checkfirst=True). Changes: - Add programmatic Alembic runner (app/database/migrations.py) with auto-stamp logic for existing databases transitioning from universal_migration - Extract ensure_default_web_api_token() to web_api_token_service.py - Extract sync_postgres_sequences() to database.py with SQL injection prevention via _quote_ident() - Add HMAC token hashing support with backward-compatible dual-hash fallback and automatic rehashing - Remove dead init_db() function and unused imports - Add Makefile targets: migrate, migration, migrate-stamp, migrate-history - Fix fileConfig() destroying structlog config (disable_existing_loggers) - Remove duplicate migrations/alembic/alembic.ini with credentials - Add script.py.mako template for future migration generation - Update startup flow: alembic upgrade → sync sequences → ensure token - Harden database.py: ParamSpec for retry decorator, safe URL logging, echo='debug' mode, execute_with_retry validation - Update documentation references 31 files changed, 302 insertions(+), 9,226 deletions(-)
46 lines
1.3 KiB
Python
46 lines
1.3 KiB
Python
"""Утилиты безопасности и генерации ключей."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import hashlib
|
|
import hmac
|
|
import secrets
|
|
from typing import Literal
|
|
|
|
|
|
HashAlgorithm = Literal['sha256', 'sha384', 'sha512']
|
|
|
|
|
|
def hash_api_token(
|
|
token: str,
|
|
algorithm: HashAlgorithm = 'sha256',
|
|
*,
|
|
hmac_secret: str | None = None,
|
|
) -> str:
|
|
"""Возвращает хеш токена в формате hex.
|
|
|
|
If ``hmac_secret`` is provided, uses HMAC with the given secret key
|
|
(recommended for production). Otherwise falls back to plain hash
|
|
(backward-compatible).
|
|
"""
|
|
normalized = (algorithm or 'sha256').lower()
|
|
if normalized not in {'sha256', 'sha384', 'sha512'}:
|
|
raise ValueError(f'Unsupported hash algorithm: {algorithm}')
|
|
|
|
token_bytes = token.encode('utf-8')
|
|
|
|
if hmac_secret:
|
|
return hmac.new(hmac_secret.encode('utf-8'), token_bytes, normalized).hexdigest()
|
|
|
|
digest = getattr(hashlib, normalized)
|
|
return digest(token_bytes).hexdigest()
|
|
|
|
|
|
def generate_api_token(length: int = 48) -> str:
|
|
"""Генерирует криптографически стойкий токен."""
|
|
length = max(24, min(length, 128))
|
|
return secrets.token_urlsafe(length)
|
|
|
|
|
|
__all__ = ['HashAlgorithm', 'generate_api_token', 'hash_api_token']
|