Spaces:

dotandru
/

BuddyMath

Sleeping

App Files Files Community

dotandru commited on Mar 11

Commit

6daa01f

1 Parent(s): 137ff4e

Security Hardening: Firebase Auth + Quota V2 Enforcement

Browse files

Files changed (2) hide show

firebase_manager.py +28 -1
main.py +41 -2

firebase_manager.py CHANGED Viewed

@@ -1,7 +1,7 @@
 import logging
 import os
 import firebase_admin
-from firebase_admin import credentials, storage
 # Initialize logging
 logger = logging.getLogger("BIT-LOG")
@@ -14,6 +14,7 @@ class FirebaseManager:
     _instance = None
     _bucket = None
     def __new__(cls):
         if cls._instance is None:
@@ -56,9 +57,35 @@ class FirebaseManager:
                 logger.info(f"SUCCESS: [FIREBASE] Initialized successfully for {'PROD' if IS_PRODUCTION else 'DEV'}.")
             self._bucket = storage.bucket()
         except Exception as e:
             logger.error(f"ERROR: [FIREBASE] Initialization failed: {e}")
     def upload_file(self, local_path: str, destination_blob_name: str) -> str:
         """
         V273.1: Uploads local file and returns a Signed URL (CORS proof).

 import logging
 import os
 import firebase_admin
+from firebase_admin import credentials, storage, firestore, auth
 # Initialize logging
 logger = logging.getLogger("BIT-LOG")
     _instance = None
     _bucket = None
+    _db = None
     def __new__(cls):
         if cls._instance is None:
                 logger.info(f"SUCCESS: [FIREBASE] Initialized successfully for {'PROD' if IS_PRODUCTION else 'DEV'}.")
             self._bucket = storage.bucket()
+            self._db = firestore.client()
         except Exception as e:
             logger.error(f"ERROR: [FIREBASE] Initialization failed: {e}")
+    def get_db(self):
+        """V2: Returns the initialized Firestore client."""
+        if not self._db:
+            logger.error("❌ [FIREBASE] DB not initialized.")
+            return None
+        return self._db
+    def verify_token(self, id_token: str):
+        """
+        V2: Verifies a Firebase Auth ID token.
+        Returns the decoded token dictionary (including 'uid') if valid, else None.
+        """
+        try:
+            decoded_token = auth.verify_id_token(id_token)
+            return decoded_token
+        except auth.ExpiredIdTokenError:
+            logger.warning("⚠️ [FIREBASE] Token expired.")
+            return None
+        except auth.InvalidIdTokenError:
+            logger.error("❌ [FIREBASE] Invalid token.")
+            return None
+        except Exception as e:
+            logger.error(f"❌ [FIREBASE] Error verifying token: {e}")
+            return None
     def upload_file(self, local_path: str, destination_blob_name: str) -> str:
         """
         V273.1: Uploads local file and returns a Signed URL (CORS proof).

main.py CHANGED Viewed

@@ -21,6 +21,7 @@ class AskQuestionRequest(BaseModel):
     context_data: dict | Any
     question: str
     student_name: str = "תלמיד"
 # --- HEALTH CHECK : Top-level Dependency Verification ---
 # We do this before standard imports to ensure a clear error message
@@ -340,12 +341,50 @@ async def solve_stream_v2(
 @app.post("/explain_step")
 async def explain_step(request: Request):
     data = await request.json()
     res = await orchestrator.explain_specific_step(data.get("context"), data.get("step_text"), data.get("student_name"))
     return JSONResponse(content=res)
 @app.post("/ask_question")
-async def ask_question(request: AskQuestionRequest):
-    data = request.dict()
     res = await orchestrator.ask_question(data.get("context_data"), data.get("question"), data.get("student_name"))
     return JSONResponse(content=res)

     context_data: dict | Any
     question: str
     student_name: str = "תלמיד"
+    id_token: Optional[str] = None
 # --- HEALTH CHECK : Top-level Dependency Verification ---
 # We do this before standard imports to ensure a clear error message
 @app.post("/explain_step")
 async def explain_step(request: Request):
     data = await request.json()
+    # Auth Hardening (V3.1)
+    auth_header = request.headers.get('Authorization')
+    token = (data.get("id_token") or (auth_header.split('Bearer ')[1] if auth_header and auth_header.startswith('Bearer ') else None))
+    if not token:
+        return JSONResponse(status_code=401, content={"error": "Unauthorized: Missing Token"})
+    decoded_token = firebase_manager.verify_token(token)
+    if not decoded_token:
+        return JSONResponse(status_code=401, content={"error": "Unauthorized: Invalid Token"})
+    uid = decoded_token.get('uid')
+    # Quota check (Gate only, no increment for simple explanations yet)
+    is_allowed, msg, _, _ = quota_manager_v2.check_limit(uid)
+    if not is_allowed:
+        return JSONResponse(status_code=403, content={"error": "QUOTA_EXCEEDED", "message": msg})
     res = await orchestrator.explain_specific_step(data.get("context"), data.get("step_text"), data.get("student_name"))
     return JSONResponse(content=res)
 @app.post("/ask_question")
+async def ask_question(request: Request, ask_req: AskQuestionRequest):
+    data = ask_req.dict()
+    # Auth Hardening (V3.1)
+    auth_header = request.headers.get('Authorization')
+    token = (data.get("id_token") or (auth_header.split('Bearer ')[1] if auth_header and auth_header.startswith('Bearer ') else None))
+    if not token:
+        return JSONResponse(status_code=401, content={"error": "Unauthorized: Missing Token"})
+    decoded_token = firebase_manager.verify_token(token)
+    if not decoded_token:
+        return JSONResponse(status_code=401, content={"error": "Unauthorized: Invalid Token"})
+    uid = decoded_token.get('uid')
+    # Quota check
+    is_allowed, msg, _, _ = quota_manager_v2.check_limit(uid)
+    if not is_allowed:
+        return JSONResponse(status_code=403, content={"error": "QUOTA_EXCEEDED", "message": msg})
     res = await orchestrator.ask_question(data.get("context_data"), data.get("question"), data.get("student_name"))
     return JSONResponse(content=res)