harden telegram webapp production readiness

2026-05-12 19:14:21 +09:00
parent e75697f83e
commit 2ba2e88432
27 changed files with 931 additions and 155 deletions
--- a/app/api/service_centers.py
+++ b/app/api/service_centers.py
@@ -1,7 +1,8 @@
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, Header, HTTPException, status
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession

+from app.api.deps import require_internal_api_token
 from app.db.session import get_session
 from app.models.car import Car, CarServiceLink, ServiceCenter, ServiceInboxMessage
 from app.schemas.service_center import (
@@ -18,8 +19,11 @@ router = APIRouter(prefix="/service-centers", tags=["service-centers"])

@router.post("", response_model=ServiceCenterRead, status_code=status.HTTP_201_CREATED)
 async def create_service_center(
-    payload: ServiceCenterCreate, session: AsyncSession = Depends(get_session)
+    payload: ServiceCenterCreate,
+    session: AsyncSession = Depends(get_session),
+    x_internal_api_token: str | None = Header(default=None, alias="X-Internal-API-Token"),
 ) -> ServiceCenter:
+    require_internal_api_token(x_internal_api_token)
    center = ServiceCenter(**payload.model_dump())
    session.add(center)
    await session.commit()
@@ -28,15 +32,22 @@ async def create_service_center(


@router.get("", response_model=list[ServiceCenterRead])
-async def list_service_centers(session: AsyncSession = Depends(get_session)) -> list[ServiceCenter]:
+async def list_service_centers(
+    session: AsyncSession = Depends(get_session),
+    x_internal_api_token: str | None = Header(default=None, alias="X-Internal-API-Token"),
+) -> list[ServiceCenter]:
+    require_internal_api_token(x_internal_api_token)
    result = await session.execute(select(ServiceCenter).order_by(ServiceCenter.name))
    return list(result.scalars())


@router.post("/links", response_model=CarServiceLinkRead, status_code=status.HTTP_201_CREATED)
 async def link_car_to_service(
-    payload: CarServiceLinkCreate, session: AsyncSession = Depends(get_session)
+    payload: CarServiceLinkCreate,
+    session: AsyncSession = Depends(get_session),
+    x_internal_api_token: str | None = Header(default=None, alias="X-Internal-API-Token"),
 ) -> CarServiceLink:
+    require_internal_api_token(x_internal_api_token)
    if await session.get(Car, payload.car_id) is None:
        raise HTTPException(status_code=404, detail="Car not found")
    if await session.get(ServiceCenter, payload.service_center_id) is None:
@@ -50,8 +61,11 @@ async def link_car_to_service(

@router.post("/inbox", response_model=ServiceInboxRead, status_code=status.HTTP_201_CREATED)
 async def receive_service_message(
-    payload: ServiceInboxCreate, session: AsyncSession = Depends(get_session)
+    payload: ServiceInboxCreate,
+    session: AsyncSession = Depends(get_session),
+    x_internal_api_token: str | None = Header(default=None, alias="X-Internal-API-Token"),
 ) -> ServiceInboxMessage:
+    require_internal_api_token(x_internal_api_token)
    service_center_id = payload.service_center_id
    if not service_center_id and payload.source_chat_id:
        result = await session.execute(