Spaces:

superxu520
/

Paper_Trading

Running

superxuu commited on Feb 18

Commit

d36190a

1 Parent(s): f3f02a5

feat: add rate limiting to register and login endpoints (10/sec)

Files changed (4) hide show

backend/app/api.py CHANGED Viewed

@@ -36,6 +36,7 @@ from .database_user import (
     match_pending_payment_order,
     register_user,
 )
 VMQ_GATEWAY_URL = os.getenv("VMQ_GATEWAY_URL", "")
@@ -177,7 +178,8 @@ async def health_check():
 @router.post("/v1/auth/register", response_model=AuthResponse)
-async def register(payload: RegisterRequest, db: Session = Depends(get_user_db)):
     username = payload.username.strip()
     if len(username) < 3 or len(payload.password) < 6:
         raise HTTPException(status_code=400, detail="用户名至少3位，密码至少6位")
@@ -201,7 +203,8 @@ async def register(payload: RegisterRequest, db: Session = Depends(get_user_db))
 @router.post("/v1/auth/login", response_model=AuthResponse)
-async def login(payload: LoginRequest, db: Session = Depends(get_user_db)):
     user = db.query(User).filter(User.username == payload.username.strip()).first()
     if not user or not verify_password(payload.password, user.password_hash):
         raise HTTPException(status_code=401, detail="用户名或密码错误")

     match_pending_payment_order,
     register_user,
 )
+from .limiter import limiter
 VMQ_GATEWAY_URL = os.getenv("VMQ_GATEWAY_URL", "")
 @router.post("/v1/auth/register", response_model=AuthResponse)
+@limiter.limit("10/second")
+async def register(request: Request, payload: RegisterRequest, db: Session = Depends(get_user_db)):
     username = payload.username.strip()
     if len(username) < 3 or len(payload.password) < 6:
         raise HTTPException(status_code=400, detail="用户名至少3位，密码至少6位")
 @router.post("/v1/auth/login", response_model=AuthResponse)
+@limiter.limit("10/second")
+async def login(request: Request, payload: LoginRequest, db: Session = Depends(get_user_db)):
     user = db.query(User).filter(User.username == payload.username.strip()).first()
     if not user or not verify_password(payload.password, user.password_hash):
         raise HTTPException(status_code=401, detail="用户名或密码错误")

backend/app/limiter.py ADDED Viewed

+from slowapi import Limiter
+from slowapi.util import get_remote_address
+# 创建全局限制器
+# 使用远程 IP 作为限制标识
+limiter = Limiter(key_func=get_remote_address)

backend/app/main.py CHANGED Viewed

@@ -10,6 +10,10 @@ from contextlib import asynccontextmanager
 from fastapi import FastAPI
 from fastapi.staticfiles import StaticFiles
 from fastapi.middleware.cors import CORSMiddleware
 from .api import router
 from .database import get_db
@@ -78,6 +82,10 @@ app = FastAPI(
     lifespan=lifespan
 )
 # CORS 配置
 app.add_middleware(
     CORSMiddleware,

 from fastapi import FastAPI
 from fastapi.staticfiles import StaticFiles
 from fastapi.middleware.cors import CORSMiddleware
+from slowapi.errors import RateLimitExceeded
+from slowapi import _rate_limit_exceeded_handler
+from .limiter import limiter
 from .api import router
 from .database import get_db
     lifespan=lifespan
 )
+# 注册限制器
+app.state.limiter = limiter
+app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
 # CORS 配置
 app.add_middleware(
     CORSMiddleware,

backend/requirements.txt CHANGED Viewed

@@ -10,4 +10,5 @@ yfinance>=0.2.36
 apscheduler>=3.10.4
 pytz>=2024.1
 sqlalchemy>=2.0.35

 apscheduler>=3.10.4
 pytz>=2024.1
 sqlalchemy>=2.0.35
+slowapi>=0.1.9