ミドルウェア実装

This commit is contained in:
nik.n 2024-01-29 16:50:31 +09:00
parent 46fa3844ab
commit 3feca4d25c
7 changed files with 52 additions and 54 deletions


@ -80,15 +80,6 @@ def search_bio_data(
'count': bio_sales_lot_count 'count': bio_sales_lot_count
}) })
# X-Frame-Optionsヘッダー追加
json_response.headers['X-Frame-Options'] = 'DENY'
# X-Content-Type-Optionsヘッダー追加
json_response.headers['X-Content-Type-Options'] = 'nosniff'
# Strict-Transport-Securityヘッダー追加
json_response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
# Cache-Controlヘッダー追加
json_response.headers['Cache-Control'] = 'private'
# クッキーも書き換え # クッキーも書き換え
json_response.set_cookie( json_response.set_cookie(
key='session', key='session',
@ -163,15 +154,6 @@ async def download_bio_data(
'download_url': download_file_url 'download_url': download_file_url
}) })
# X-Frame-Optionsヘッダー追加
json_response.headers['X-Frame-Options'] = 'DENY'
# X-Content-Type-Optionsヘッダー追加
json_response.headers['X-Content-Type-Options'] = 'nosniff'
# Strict-Transport-Securityヘッダー追加
json_response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
# Cache-Controlヘッダー追加
json_response.headers['Cache-Control'] = 'private'
json_response.set_cookie( json_response.set_cookie(
key='session', key='session',
value=session.session_key, value=session.session_key,


@ -114,15 +114,6 @@ def login(
headers={'session_key': session_key} headers={'session_key': session_key}
) )
# X-Frame-Optionsヘッダー追加
response.headers['X-Frame-Options'] = 'DENY'
# X-Content-Type-Optionsヘッダー追加
response.headers['X-Content-Type-Options'] = 'nosniff'
# Strict-Transport-Securityヘッダー追加
response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
# Cache-Controlヘッダー追加
response.headers['Cache-Control'] = 'private'
return response return response
@ -181,13 +172,4 @@ def sso_authorize(
headers={'session_key': session_key} headers={'session_key': session_key}
) )
# X-Frame-Optionsヘッダー追加
response.headers['X-Frame-Options'] = 'DENY'
# X-Content-Type-Optionsヘッダー追加
response.headers['X-Content-Type-Options'] = 'nosniff'
# Strict-Transport-Securityヘッダー追加
response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
# Cache-Controlヘッダー追加
response.headers['Cache-Control'] = 'private'
return response return response


@ -54,13 +54,4 @@ def logout_view(
if session: if session:
session_service.delete_session(session) session_service.delete_session(session)
# X-Frame-Optionsヘッダー追加
template_response.headers['X-Frame-Options'] = 'DENY'
# X-Content-Type-Optionsヘッダー追加
template_response.headers['X-Content-Type-Options'] = 'nosniff'
# Strict-Transport-Securityヘッダー追加
template_response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
# Cache-Controlヘッダー追加
template_response.headers['Cache-Control'] = 'private'
return template_response return template_response


@ -10,6 +10,7 @@ from src.controller import (bio, bio_api, healthcheck, login, logout,
from src.core import task from src.core import task
from src.error.exception_handler import http_exception_handler from src.error.exception_handler import http_exception_handler
from src.error.exceptions import UnexpectedException from src.error.exceptions import UnexpectedException
from src.middleware.middleware import ErrorHandlingMiddleware, SecurityHeadersMiddleware
app = FastAPI(openapi_url=None) app = FastAPI(openapi_url=None)
@ -42,5 +43,9 @@ app.add_exception_handler(status.HTTP_403_FORBIDDEN, http_exception_handler)
# サーバーエラーが発生した場合のハンドラー。HTTPExceptionではハンドリングできないため、個別に設定 # サーバーエラーが発生した場合のハンドラー。HTTPExceptionではハンドリングできないため、個別に設定
app.add_exception_handler(UnexpectedException, http_exception_handler) app.add_exception_handler(UnexpectedException, http_exception_handler)
# セキュリティヘッダー設定・サーバーエラーや認証失敗はミドルウェアで処理する
app.add_middleware(ErrorHandlingMiddleware)
app.add_middleware(SecurityHeadersMiddleware)
# サーバー起動時のイベント # サーバー起動時のイベント
app.add_event_handler('startup', task.create_start_app_handler()) app.add_event_handler('startup', task.create_start_app_handler())
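Review bot: The comment above the two `app.add_middleware` calls says authentication failures are handled by the middleware, but `ErrorHandlingMiddleware` only catches `TypeError`/`TimeoutError`/`RuntimeError`/`Exception`; the 403 case stays with the `http_exception_handler` registered a few lines up, which as far as I can tell runs inside Starlette's ExceptionMiddleware before any `add_middleware` layer sees the failure. Suggest rewording it to `# Security headers and uncaught exceptions are handled by middleware; HTTPException-based errors (403 etc.) still go through http_exception_handler above`. The registration order is also load-bearing and deserves a comment: with Starlette the last `add_middleware` call becomes the outermost layer, so adding `SecurityHeadersMiddleware` after `ErrorHandlingMiddleware` is what guarantees the headers are also stamped on the JSON error responses the inner middleware builds, e.g. `# Order matters: SecurityHeadersMiddleware is added last so it wraps ErrorHandlingMiddleware and its error responses get the headers too`. Swapping the two lines would silently drop the headers from every 408/500 response.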


@ -0,0 +1,47 @@
from fastapi import Request, Response, status
from fastapi.responses import JSONResponse
from starlette.middleware.base import BaseHTTPMiddleware
class SecurityHeadersMiddleware(BaseHTTPMiddleware):
async def dispatch(self, request, call_next):
response = await call_next(request)
# X-Frame-Optionsヘッダー追加
response.headers['X-Frame-Options'] = 'DENY'
# X-Content-Type-Optionsヘッダー追加
response.headers['X-Content-Type-Options'] = 'nosniff'
# Strict-Transport-Securityヘッダー追加
response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
# Cache-Controlヘッダー追加
response.headers['Cache-Control'] = 'private'
return response
class ErrorHandlingMiddleware(BaseHTTPMiddleware):
# エラーハンドリングをするミドルウェア
# API内で発生したエラーをキャッチして処理を施す
async def dispatch(self, request: Request, call_next) -> Response:
try:
response: Response = await call_next(request)
except TypeError as e:
response = JSONResponse(
{"msg": "TypeError:内容を確認してもう一度データ挿入をしてください。"},
status.HTTP_404_NOT_FOUND,
)
except TimeoutError as e:
response = JSONResponse(
{"msg": "TimeoutError:タイムアウトエラーが発生しました。"},
status.HTTP_408_REQUEST_TIMEOUT,
)
except RuntimeError as e:
response = JSONResponse(
{"msg": "RuntimeError:ランタイムエラーが発生しました。"},
status.HTTP_500_INTERNAL_SERVER_ERROR,
)
except Exception as e:
response = JSONResponse(
{"msg": "Exception:基底クラスエラーが発生しました。"},
status.HTTP_500_INTERNAL_SERVER_ERROR,
)
return response
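Review bot: The Strict-Transport-Security value assigned in `SecurityHeadersMiddleware.dispatch` is missing the `;` separator between directives, so `max-age=31536000 includeSubDomains` is not a valid HSTS directive list and browsers are likely to discard the header rather than enforce it; it should read `response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'`. The same malformed value was in the deleted per-handler copies, so this commit only moves the bug into one place. Separately, every `except` branch in `ErrorHandlingMiddleware.dispatch` discards the exception (`e` is unused in all four) and, because this layer catches `Exception` before Starlette's outer ServerErrorMiddleware sees it, the default traceback logging for unhandled errors appears to be lost as well — an incident responder would have no record of what failed. Add a module-level `logger = logging.getLogger(__name__)` and call `logger.exception("unhandled error on %s %s", request.method, request.url.path)` at the top of each branch (the generic `Exception` branch at minimum) while keeping the fixed messages in the JSON body so no internals leak to the client. Mapping `TypeError` to 404 also reads as a programmer error being reported as a missing resource; if that is intentional it deserves a comment explaining which caller-triggered case it covers.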


@ -104,15 +104,6 @@ class AfterSetCookieSessionRoute(MeDaCaRoute):
async def post_process_route(self, request: Request, response: Response): async def post_process_route(self, request: Request, response: Response):
response = await super().post_process_route(request, response) response = await super().post_process_route(request, response)
# X-Frame-Optionsヘッダー追加
response.headers['X-Frame-Options'] = 'DENY'
# X-Content-Type-Optionsヘッダー追加
response.headers['X-Content-Type-Options'] = 'nosniff'
# Strict-Transport-Securityヘッダー追加
response.headers['Strict-Transport-Security'] = 'max-age=31536000 includeSubDomains'
# Cache-Controlヘッダー追加
response.headers['Cache-Control'] = 'private'
session_key = response.headers.get('session_key', None) session_key = response.headers.get('session_key', None)
# セッションキーがない場合はセットせずに返す # セッションキーがない場合はセットせずに返す
if session_key is None: if session_key is None: