Addition of Middlewares

FileStream/server/API/__init__.py

@@ -1,7 +1,7 @@
 import aiohttp_cors
 from aiohttp import web
 
-
+#---------------------- Local Imports --------------------#
 from .listings import (
     list_all_files_db,
     list_all_files,
@@ -13,17 +13,26 @@ from .listings import (
 from .downloads import stream_handler
 from .uploads import upload_file
 
+
+#-----------------------------Functions------------------------#
 async def handle_v2(request):
     return web.Response(text="Hello from app api!")
 
-# Web server setup with optimized CORS handling
-api = web.Application()
+
+
+"""
 cors = aiohttp_cors.setup(api, defaults={"*": aiohttp_cors.ResourceOptions(
     allow_credentials=False,
     expose_headers="*",
     allow_headers="*",
     allow_methods="*"
 )})
+"""
+
+#---------------------------Routes ---------------------------#
+# Web server setup with optimized CORS handling
+api = web.Application()
+
 
 cors.add(api.router.add_get('/', handle_v2))
 

FileStream/server/APP/__init__.py

@@ -2,24 +2,20 @@ import os
 from aiohttp import web
 from aiohttp.http_exceptions import BadStatusLine
 
-
+#-----------------------------Local Imports-----------------------------#
 from .render_template import render_page, render_upload
 from .routes_app import stream_handler,upload_handler
 from FileStream.Exceptions import FIleNotFound, InvalidHash
 
-
-
-
+#------------------------------Functions--------------------------------#
 async def handle_v2(request):
     return web.Response(text="Hello from app v2!")
 
-sub_app = web.Application()
-
 
+#----------------------------Server Routes-----------------------------#
+app = web.Application()
 #static_dir = os.path.join("FileStream", "bot", "server", "template")
 #sub_app.router.add_static('/static/', path=static_dir, name='static')
-
-
-sub_app.router.add_get('/', handle_v2)
-sub_app.router.add_get('/watch/{path}', stream_handler)
-sub_app.router.add_get('/up', upload_handler)
+app.router.add_get('/', handle_v2)
+app.router.add_get('/watch/{path}', stream_handler)
+app.router.add_get('/up', upload_handler)

FileStream/server/APP/routes_app.py

@@ -2,10 +2,13 @@ import os
 from aiohttp import web
 from aiohttp.http_exceptions import BadStatusLine
 
+#--------------------------Local Import -----------------------------#
 from ..Functions.downloader import media_streamer
 from .render_template import render_page, render_upload
 from FileStream.Exceptions import FIleNotFound, InvalidHash
 
+
+#------------------------------Functions------------------------------#
 #@sub_app.get("/watch/{path}", allow_head=True)
 async def stream_handler(request: web.Request):
   try:

FileStream/server/Middlewares/__init__.py

@@ -0,0 +1,5 @@
+from .app_token_middleware import app_token_middleware
+from .jwt_middleware import jwt_middleware,create_jwt
+from .logging_middleware import logging_middleware
+from .rate_limit_middleware import rate_limit_middleware
+from .security_headers_middleware import security_headers_middleware

FileStream/server/Middlewares/app_token_middleware.py

@@ -0,0 +1,12 @@
+from aiohttp import web
+
+DEFAULT_APP_TOKEN = "supersecureapptoken"
+
+@web.middleware
+async def app_token_middleware(request, handler):
+    """Middleware to enforce token authentication for /app."""
+    if request.path.startswith("/app"):
+        token = request.headers.get("App-Token")
+        if token != DEFAULT_APP_TOKEN:
+            raise web.HTTPUnauthorized(reason="Invalid or missing App-Token")
+    return await handler(request)

FileStream/server/Middlewares/jwt_middleware.py

@@ -0,0 +1,26 @@
+import jwt
+from aiohttp import web
+
+SECRET_KEY = "your_secret_key"  # Use a strong, randomly generated secret key
+
+def create_jwt(user_id: str):
+    """Create a JWT token."""
+    payload = {"sub": user_id, "role": "api_user"}
+    return jwt.encode(payload, SECRET_KEY, algorithm="HS256")
+
+@web.middleware
+async def jwt_middleware(request, handler):
+    """JWT Middleware for /api endpoints."""
+    if request.path.startswith("/api"):
+        token = request.headers.get("Authorization")
+        if not token or not token.startswith("Bearer "):
+            raise web.HTTPUnauthorized(reason="Authorization header missing or malformed")
+        token = token.split("Bearer ")[1]
+        try:
+            decoded = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
+            request["user"] = decoded  # Attach user info to the request
+        except jwt.ExpiredSignatureError:
+            raise web.HTTPUnauthorized(reason="Token has expired")
+        except jwt.InvalidTokenError:
+            raise web.HTTPUnauthorized(reason="Invalid token")
+    return await handler(request)

FileStream/server/Middlewares/logging_middleware.py

@@ -0,0 +1,8 @@
+import logging
+from aiohttp import web
+
+@web.middleware
+async def logging_middleware(request, handler):
+    """Log each request."""
+    logging.info(f"Incoming request: {request.method} {request.path}")
+    return await handler(request)

FileStream/server/Middlewares/rate_limit_middleware.py

@@ -0,0 +1,8 @@
+from aiohttp_rate_limiter import RateLimiter
+
+rate_limiter = RateLimiter(per_minute=60)
+
+@rate_limiter.limit("60/minute")
+async def rate_limit_middleware(request, handler):
+    """Rate limiter middleware."""
+    return await handler(request)

FileStream/server/Middlewares/security_headers_middleware.py

@@ -0,0 +1,14 @@
+from aiohttp import web
+
+@web.middleware
+async def security_headers_middleware(request, handler):
+    """Add security headers."""
+    response = await handler(request)
+    response.headers.update({
+        "Content-Security-Policy": "default-src 'self'",
+        "X-Content-Type-Options": "nosniff",
+        "X-Frame-Options": "DENY",
+        "Referrer-Policy": "no-referrer",
+        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
+    })
+    return response

FileStream/server/__init__.py

@@ -4,10 +4,15 @@ from aiohttp import web
 
 #-----------------------Local Imports-------------------------#
 from .API import api
-from .APP import sub_app
+from .APP import app
+from .Authentication import auth
 from .routes_main import routes
 from FileStream.bot import MULTI_CLIENTS, WORK_LOADS, ACTIVE_CLIENTS
 
+from .Middlewares.jwt_middleware import jwt_middleware
+from .Middlewares.app_token_middleware import app_token_middleware
+from .Middlewares.logging_middleware import logging_middleware
+from .Middlewares.rate_limit_middleware import rate_limit_middleware
 
 # Set time to consider a client inactive (e.g., 10 minutes)
 INACTIVITY_TIMEOUT = 180  # 3 minutes
@@ -32,9 +37,20 @@ async def root_route_handler(request):
 
 def web_server():
     web_app = web.Application(client_max_size=500)
+
+    # Add middlewares
+    web_app.middleware.extend([
+        logging_middleware,
+        security_headers_middleware,
+        jwt_middleware,
+        app_token_middleware,
+        rate_limit_middleware
+    ])
+
     web_app.router.add_get('/', root_route_handler)
     web_app.add_routes(routes)
-    web_app.add_subapp('/app', sub_app)
+    web_app.add_subapp('/app', app)
     web_app.add_subapp('/api', api)
+    web_app.add_subapp('/auth', auth)
     # Return the app to be used with AppRunner
     return web_app

requirements.txt

@@ -2,6 +2,8 @@ tmdbv3api==1.9.0
 aiofiles==23.2.1
 aiohttp==3.9.3
 aiohttp_cors
+aiohttp-rate-limiter==0.3.0
+PyJWT==2.6.0
 aiosignal==1.3.1
 aiosqlite==0.20.0
 async-timeout==4.0.3