Spaces:

Phoe2004
/

Recap-shan

Running

App Files Files

Phoe2004 commited on about 14 hours ago

Commit

ca66794

verified ·

1 Parent(s): 97008cc

Upload 2 files

Browse files

Files changed (2) hide show

app.py +93 -28
index.html +8 -2

app.py CHANGED Viewed

@@ -347,23 +347,66 @@ def save_payments_db(db):
 def hp(p): return hashlib.sha256(p.encode()).hexdigest()
-# ── BRUTE-FORCE PROTECTION — login rate limit ──
-_login_attempts  = {}   # ip → [timestamp, ...]
-_login_lock      = threading.Lock()
-LOGIN_MAX_TRIES  = 10   # max attempts per window
-LOGIN_WINDOW     = 300  # 5-minute rolling window
-def _check_login_rate(ip):
-    """Return True if allowed, False if rate-limited."""
     now = time.time()
-    with _login_lock:
-        times = _login_attempts.get(ip, [])
-        times = [t for t in times if now - t < LOGIN_WINDOW]
-        if len(times) >= LOGIN_MAX_TRIES:
-            _login_attempts[ip] = times
             return False
         times.append(now)
-        _login_attempts[ip] = times
     return True
 ADJ  = ['Red','Blue','Gold','Star','Sky','Fire','Moon','Cool','Ice','Dark','Neon','Wild']
@@ -518,7 +561,7 @@ GEMINI_MODELS_TRANSCRIPT = [
     'gemini-2.5-flash',  # primary
     'gemini-3-flash',    # fallback
 ]
-# ── Caption: 2.5-flash-lite primary → 3.1-flash-lite fallback (lucky spinner)
 GEMINI_MODELS_CAPTION = [
     'gemini-2.5-flash-lite-preview-06-17',  # primary
     'gemini-3.1-flash-lite',                # fallback
@@ -529,15 +572,14 @@ _mdl_cap_idx = 0
 _mdl_lock    = threading.Lock()
 def next_model(purpose='transcript'):
-    """Lucky spinner — random API key, model order fixed: 2.5-flash first, 3-flash fallback."""
     models = GEMINI_MODELS_TRANSCRIPT if purpose == 'transcript' else GEMINI_MODELS_CAPTION
     return list(models)
 def call_api(msgs, api='Gemini', purpose='transcript'):
     """
-    purpose='transcript' → 2.5-flash primary, 3-flash fallback
-    purpose='caption'    → 2.5-flash-lite primary, 3.1-flash-lite fallback
-    API keys: random shuffle (lucky spinner) every call.
     """
     if api == 'DeepSeek':
         keys, base = DEEPSEEK_KEYS, 'https://api.deepseek.com'
@@ -547,8 +589,7 @@ def call_api(msgs, api='Gemini', purpose='transcript'):
         models = next_model(purpose)   # spinner: returns rotation-ordered list
     valid = [(i+1, k) for i, k in enumerate(keys) if k]
     if not valid: raise Exception('No API Key available')
-    # Lucky spinner — random key order every call
-    random.shuffle(valid)
     last_err = None
     for n, k in valid:
         for mdl in models:
@@ -1010,20 +1051,44 @@ def sitemap():
 @app.route('/api/login', methods=['POST'])
 def api_login():
     try:
-        d = request.get_json(force=True) or {}
-        ok, msg, coins = login_user(d.get('username',''), d.get('password',''))
-        return jsonify(ok=ok, msg=msg, coins=coins, is_admin=(d.get('username','')==ADMIN_U and ok))
     except Exception as e:
         return jsonify(ok=False, msg=str(e))
 @app.route('/api/register', methods=['POST'])
 def api_register():
     try:
-        d = request.get_json(force=True) or {}
         uname = (d.get('username') or '').strip() or gen_uname()
-        pw = d.get('password', '')
-        db = load_db()
-        if uname in db['users']: return jsonify(ok=False, msg='❌ Already exists')
         db['users'][uname] = {'password': hp(pw) if pw else '', 'coins': 1,
             'created_at': datetime.now().isoformat(), 'last_login': None,
             'total_transcripts': 0, 'total_videos': 0,

 def hp(p): return hashlib.sha256(p.encode()).hexdigest()
+# ══════════════════════════════════════════════════════════════
+#  SECURITY: Brute-force & rate-limit protection
+#  (1) Wrong login → fail counter per IP → lock 5 min after 5 fails
+#  (2) Register  → max 1 account per IP per 24 hours
+# ══════════════════════════════════════════════════════════════
+import threading as _thr
+_pw_fails    = {}          # ip -> {'count':int, 'locked_until':float}
+_pw_lock     = _thr.Lock()
+PW_MAX_FAILS = 5
+PW_LOCK_SECS = 300         # 5 minutes
+_reg_log     = {}          # ip -> [ts, ...]
+_reg_lock    = _thr.Lock()
+REG_WINDOW   = 86400       # 24 hours
+REG_MAX      = 1           # accounts per IP per day
+def _ip(req):
+    return (req.headers.get('X-Forwarded-For') or req.remote_addr or '').split(',')[0].strip()
+def _pw_check(ip):
+    """(allowed:bool, wait_secs:int)"""
     now = time.time()
+    with _pw_lock:
+        rec = _pw_fails.get(ip, {})
+        lu  = rec.get('locked_until', 0)
+        if lu > now:
+            return False, int(lu - now)
+    return True, 0
+def _pw_fail(ip):
+    """Record one failed attempt; lock if threshold reached."""
+    now = time.time()
+    with _pw_lock:
+        rec = _pw_fails.get(ip, {'count': 0, 'locked_until': 0})
+        if rec.get('locked_until', 0) < now:   # not currently locked
+            rec['count'] = rec.get('count', 0) + 1
+            if rec['count'] >= PW_MAX_FAILS:
+                rec['locked_until'] = now + PW_LOCK_SECS
+                rec['count'] = 0
+        _pw_fails[ip] = rec
+def _pw_remaining(ip):
+    with _pw_lock:
+        return max(0, PW_MAX_FAILS - _pw_fails.get(ip, {}).get('count', 0))
+def _pw_clear(ip):
+    with _pw_lock:
+        _pw_fails.pop(ip, None)
+def _reg_check(ip):
+    """True = allowed to register."""
+    now = time.time()
+    with _reg_lock:
+        times = [t for t in _reg_log.get(ip, []) if now - t < REG_WINDOW]
+        if len(times) >= REG_MAX:
+            _reg_log[ip] = times
             return False
         times.append(now)
+        _reg_log[ip] = times
     return True
 ADJ  = ['Red','Blue','Gold','Star','Sky','Fire','Moon','Cool','Ice','Dark','Neon','Wild']
     'gemini-2.5-flash',  # primary
     'gemini-3-flash',    # fallback
 ]
+# ── Caption: 2.5-flash-lite primary → 3.1-flash-lite fallback
 GEMINI_MODELS_CAPTION = [
     'gemini-2.5-flash-lite-preview-06-17',  # primary
     'gemini-3.1-flash-lite',                # fallback
 _mdl_lock    = threading.Lock()
 def next_model(purpose='transcript'):
+    """Lucky spinner — 2.5-flash first, 3-flash fallback."""
     models = GEMINI_MODELS_TRANSCRIPT if purpose == 'transcript' else GEMINI_MODELS_CAPTION
     return list(models)
 def call_api(msgs, api='Gemini', purpose='transcript'):
     """
+    purpose='transcript' → GEMINI_MODELS_TRANSCRIPT round-robin (gemini-3-flash ↔ gemini-2.5-flash)
+    purpose='caption'    → GEMINI_MODELS_CAPTION    round-robin (gemini-3.1-flash-lite ↔ gemini-2.5-flash-lite)
     """
     if api == 'DeepSeek':
         keys, base = DEEPSEEK_KEYS, 'https://api.deepseek.com'
         models = next_model(purpose)   # spinner: returns rotation-ordered list
     valid = [(i+1, k) for i, k in enumerate(keys) if k]
     if not valid: raise Exception('No API Key available')
+    random.shuffle(valid)   # lucky spinner — random key order every call
     last_err = None
     for n, k in valid:
         for mdl in models:
 @app.route('/api/login', methods=['POST'])
 def api_login():
     try:
+        ip = _ip(request)
+        # ── (1) Check lockout ──
+        allowed, wait = _pw_check(ip)
+        if not allowed:
+            m, s = divmod(wait, 60)
+            return jsonify(ok=False,
+                msg=f'❌ {PW_MAX_FAILS} ကြိမ် မှားသောကြောင့် {m} မိနစ် {s} စက္ကန့် စောင့်ပါ။'), 429
+        d     = request.get_json(force=True) or {}
+        uname = d.get('username', '')
+        pw    = d.get('password', '')
+        ok, msg, coins = login_user(uname, pw)
+        if ok:
+            _pw_clear(ip)   # reset on success
+        else:
+            _pw_fail(ip)
+            rem = _pw_remaining(ip)
+            if rem == 0:
+                msg = f'❌ {PW_MAX_FAILS} ကြိမ် မှားသောကြောင့် 5 မိနစ် စောင့်ပါ။'
+            else:
+                msg = f'❌ Username (သို့) Password မှားသည်။ ({rem} ကြိမ် ကျန်သည်)'
+        return jsonify(ok=ok, msg=msg, coins=coins, is_admin=(uname==ADMIN_U and ok))
     except Exception as e:
         return jsonify(ok=False, msg=str(e))
 @app.route('/api/register', methods=['POST'])
 def api_register():
     try:
+        ip = _ip(request)
+        # ── (2) 1 account per IP per day ──
+        if not _reg_check(ip):
+            return jsonify(ok=False,
+                msg='❌ တစ်ရက်တွင် account တစ်ခုသာ ဖန်တီးနိုင်သည်။ မနက်ဖြန် ထပ်ကြိုးစားပါ။'), 429
+        d     = request.get_json(force=True) or {}
         uname = (d.get('username') or '').strip() or gen_uname()
+        pw    = d.get('password', '')
+        db    = load_db()
+        if uname in db['users']:
+            return jsonify(ok=False, msg='❌ Already exists')
         db['users'][uname] = {'password': hp(pw) if pw else '', 'coins': 1,
             'created_at': datetime.now().isoformat(), 'last_login': None,
             'total_transcripts': 0, 'total_videos': 0,

index.html CHANGED Viewed

@@ -1639,7 +1639,10 @@ async function doLogin(){
       sam(d.msg||'❌ Login failed',false);
       if(btn){btn.disabled=false;btn.textContent='Login';}
     }
-  }catch{sam('❌ Connection error',false);if(btn){btn.disabled=false;btn.textContent='Login';}}
 }
 async function doReg(){
   const u=document.getElementById('r-u').value.trim(),p=document.getElementById('r-p').value;
@@ -1655,7 +1658,10 @@ async function doReg(){
       sam(d.msg||'❌ Failed',false);
       if(btn){btn.disabled=false;btn.textContent='Register';}
     }
-  }catch{sam('❌ Connection error',false);if(btn){btn.disabled=false;btn.textContent='Register';}}
 }
 async function fetchAndUpdateCoins(){
   if(!U||ISADM)return;

       sam(d.msg||'❌ Login failed',false);
       if(btn){btn.disabled=false;btn.textContent='Login';}
     }
+  } catch{
+    sam('❌ Connection error',false);
+    if(btn){btn.disabled=false;btn.textContent='Login';}
+  }
 }
 async function doReg(){
   const u=document.getElementById('r-u').value.trim(),p=document.getElementById('r-p').value;
       sam(d.msg||'❌ Failed',false);
       if(btn){btn.disabled=false;btn.textContent='Register';}
     }
+  } catch{
+    sam('❌ Connection error',false);
+    if(btn){btn.disabled=false;btn.textContent='Register';}
+  }
 }
 async function fetchAndUpdateCoins(){
   if(!U||ISADM)return;