e6ee91babf
feat(auth): enable Basic Auth as default authentication method
- Initialize authentication system on Flask app startup
- Default to Basic Auth if no [authentication] section in config
- Support TISBACKUP_AUTH_USERNAME and TISBACKUP_AUTH_PASSWORD env vars
- Generate secure random password if not configured with warning
- Protect all Flask routes with @auth.require_auth decorator
- Fallback to 'none' auth provider on initialization errors
Routes protected:
- / (backup_all)
- /config_number/ (set_config_number)
- /all_json (backup_all_json)
- /json (backup_json)
- /status.json (export_backup_status)
- /backups.json (last_backup_json)
- /last_backups (last_backup)
- /export_backup (export_backup)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 02:11:41 +02:00
f12d89f3da
feat(auth): add pluggable authentication system for Flask routes
Implement comprehensive authentication system with support for
Basic Auth, Flask-Login, and OAuth2 providers.
Features:
- Pluggable architecture via factory pattern
- Multiple authentication providers:
  * None: No authentication (development/testing)
  * Basic Auth: HTTP Basic with bcrypt support
  * Flask-Login: Session-based with multiple users
  * OAuth2: Google, GitHub, GitLab, and generic providers
- Decorator-based route protection (@auth.require_auth)
- User authorization by domain or email (OAuth)
- bcrypt password hashing support
- Comprehensive documentation and examples
Components:
- libtisbackup/auth/__init__.py: Factory function and exports
- libtisbackup/auth/base.py: Base provider interface
- libtisbackup/auth/basic_auth.py: HTTP Basic Auth implementation
- libtisbackup/auth/flask_login_auth.py: Flask-Login implementation
- libtisbackup/auth/oauth_auth.py: OAuth2 implementation
- libtisbackup/auth/example_integration.py: Integration examples
- libtisbackup/auth/README.md: API reference and examples
Documentation:
- AUTHENTICATION.md: Complete authentication guide
  * Setup instructions for each provider
  * Configuration examples
  * Security best practices
  * Troubleshooting guide
  * Migration guide
- samples/auth-config-examples.ini: Configuration templates
Dependencies:
- Add optional dependencies in pyproject.toml:
  * auth-basic: bcrypt>=4.0.0
  * auth-login: flask-login>=0.6.0, bcrypt>=4.0.0
  * auth-oauth: authlib>=1.3.0, requests>=2.32.0
  * auth-all: All auth providers
Installation:
```bash
# Install specific provider
uv sync --extra auth-basic
# Install all providers
uv sync --extra auth-all
```
Usage:
```python
from flask import Flask

from libtisbackup.auth import get_auth_provider

app = Flask(__name__)

# Initialize
auth = get_auth_provider("basic", {
    "username": "admin",
    "password": "$2b$12$...",  # bcrypt hash
    "use_bcrypt": True
})
auth.init_app(app)

# Protect routes
@app.route("/")
@auth.require_auth
def index():
    user = auth.get_current_user()
    return f"Hello {user['username']}"
```
Security features:
- bcrypt password hashing (work factor 12)
- OAuth domain/user restrictions
- Session-based authentication
- Clear separation of concerns
- Environment variable support for secrets
OAuth providers supported:
- Google (OpenID Connect)
- GitHub
- GitLab
- Generic OAuth2 provider
Breaking change: None - new feature, backward compatible
Users can continue without authentication (type=none)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 02:02:46 +02:00
d130ba2a11
docs: comprehensive README rewrite with security improvements
Completely rewrite README.md based on codebase analysis and
implemented security improvements.
Changes:
- Add comprehensive overview with feature list
- Add supported backup types table with all 10+ drivers
- Restructure Quick Start with step-by-step installation
- Add detailed configuration examples for each backup type
- Document all CLI commands with Docker exec examples
- Add dedicated Security section highlighting improvements
- Include reverse proxy setup with security headers
- Add Troubleshooting section with common issues
- Add Development section with uv commands
- Reorganize into logical sections with clear hierarchy
Improvements:
- Emphasize Ed25519 as recommended SSH key algorithm
- Document Flask secret key security requirement
- Include security best practices section
- Add command execution safety information
- Provide nginx reverse proxy example with TLS
- Include proper file permissions instructions
Documentation structure:
1. Overview and features
2. Quick Start (10-step installation)
3. Configuration (by backup type)
4. CLI Usage (all commands)
5. Development setup
6. Security (best practices)
7. Reverse Proxy setup
8. Architecture overview
9. Troubleshooting
10. Contributing and support
Target audience:
- New users: Clear installation steps
- Existing users: Migration to Ed25519 keys
- Developers: Development environment setup
- Security-conscious admins: Best practices
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 01:47:45 +02:00
2533b56549
feat(security): modernize SSH key algorithm support with Ed25519
Replace deprecated DSA key support with modern SSH key algorithms,
prioritizing Ed25519 as the most secure option.
Changes:
- Add load_ssh_private_key() helper function in common.py
- Support Ed25519 (preferred), ECDSA, and RSA key types
- Remove deprecated and insecure DSA key support
- Update all SSH key loading across backup drivers:
  * common.py: do_preexec, do_postexec, run_remote_command
  * backup_mysql.py
  * backup_pgsql.py
  * backup_sqlserver.py
  * backup_oracle.py
  * backup_samba4.py
- Add ssh_port parameter to preexec/postexec connections
- Update README.md with SSH key generation instructions
- Document supported algorithms and migration path
Algorithm priority:
1. Ed25519 (most secure, modern, fast, timing-attack resistant)
2. ECDSA (secure, widely supported)
3. RSA (legacy support, requires 2048+ bits)
Security improvements:
- Eliminates vulnerable DSA algorithm (1024-bit limit, FIPS deprecated)
- Prioritizes elliptic curve cryptography (Ed25519, ECDSA)
- Provides clear error messages for unsupported key types
- Maintains backward compatibility with existing RSA keys
Documentation:
- Add SSH key generation examples to README.md
- Update expected directory structure to show Ed25519 keys
- Add migration notes in SECURITY_IMPROVEMENTS.md
- Include key generation commands for all supported types
Breaking change:
- DSA keys are no longer supported and will fail with clear error message
- Users must migrate to Ed25519, ECDSA, or RSA (4096-bit recommended)
Migration:
```bash
# Generate new Ed25519 key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
# Copy to remote servers
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote
```
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 01:39:17 +02:00
68ff4238e0
fix(security): remove hardcoded Flask secret key
Replace hardcoded Flask secret key with environment variable to
prevent session hijacking and CSRF attacks.
Changes:
- Load secret key from TISBACKUP_SECRET_KEY environment variable
- Fall back to cryptographically secure random key using secrets module
- Log warning when random key is used (sessions won't persist)
- Add environment variable example to README.md Docker Compose config
- Add setup instructions in Configuration section
Security improvements:
- Eliminates hardcoded secret in source code
- Uses secrets.token_hex(32) for cryptographically strong random generation
- Sessions remain secure even without env var (though won't persist)
- Prevents session hijacking and CSRF bypass attacks
Documentation:
- Update README.md with TISBACKUP_SECRET_KEY setup instructions
- Include command to generate secure random key
- Update SECURITY_IMPROVEMENTS.md with implementation details
- Mark hardcoded secret key issue as resolved
Setup:
```bash
# Generate secure key
python3 -c "import secrets; print(secrets.token_hex(32))"
# Set in environment
export TISBACKUP_SECRET_KEY=your-key-here
```
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 01:29:16 +02:00
debc753f13
fix(security): replace os.popen/os.system with subprocess for command injection prevention
Replace all deprecated and unsafe command execution methods with
secure subprocess.run() calls using list arguments.
Changes:
- Replace os.popen() with subprocess.run() in tisbackup_gui.py
- Replace os.system() with subprocess.run() in tasks.py and backup_xva.py
- Add input validation for device/partition names (regex-based)
- Fix file operations to use context managers (with statement)
- Remove wildcard import from shutil
- Add timeout protection to all subprocess calls (5-30s)
- Improve error handling with proper try/except blocks
Security improvements:
- Prevent command injection vulnerabilities in USB disk operations
- Validate device paths with regex before system calls
- Use list arguments instead of shell=True to prevent injection
- Add proper error handling instead of silent failures
Code quality improvements:
- Replace deprecated os.popen() (deprecated since Python 2.6)
- Use context managers for file operations
- Remove wildcard imports for cleaner namespace
- Add comprehensive error handling and logging
Documentation:
- Add SECURITY_IMPROVEMENTS.md documenting all changes
- Document remaining security issues and recommendations
- Include testing recommendations and migration notes
BREAKING CHANGE: None - all changes are backward compatible
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 01:23:53 +02:00
c586bd1817
Merge 'feat/refacto' (#1) into master
lint / docker (push) Has been cancelled
Use uv
2025-04-19 00:04:39 +02:00
e823f65c3c
fix(tisbackup): 🐛 remove excess uv/uvx
2025-04-18 23:57:44 +02:00
5c627f3a64
fix(tisbackup): 🐛 Dockerfile fix venv uv
2025-04-18 23:48:25 +02:00
7b6ce02a93
fix(tisbackup): 🐛 fix dockerignore pyproject.toml absent
2025-04-18 23:36:26 +02:00
e7d3e1140c
fix(tisbackup): using uv is good in Dockerfile maybe
2025-04-18 23:32:15 +02:00
6fe3eebf36
fix(tisbackup): using uv is good
2025-04-18 23:11:05 +02:00
79d15628bd
fix(tisbackup): add elements to .dockerignore - bis
lint / docker (push) Successful in 9m17s
2025-04-14 23:54:51 +02:00
3a4f3267eb
fix(tisbackup): add elements to .dockerignore
lint / docker (push) Has been cancelled
2025-04-14 23:50:42 +02:00
8761a04c40
fix(tisbackup): add .dockerignore
lint / docker (push) Has been cancelled
2025-04-14 23:45:53 +02:00
586991bcf1
fix(tisbackup): fix iniparse wrong check
lint / docker (push) Has been cancelled
2025-04-14 23:37:16 +02:00
ddb5f3716d
Fix replace
lint / docker (push) Successful in 9m16s
2025-03-07 22:54:14 +01:00
b805f8387e
Fix re.compile / re.match warnings
lint / docker (push) Has been cancelled
2025-03-07 22:51:20 +01:00
da50051a3f
Python 3.13 + add nginx reverse-proxy
lint / docker (push) Successful in 14m2s
2025-03-07 22:24:27 +01:00
8ef9bbde06
improve README.md
lint / docker (push) Successful in 9m15s
2024-11-30 00:20:51 +01:00
737f9bea38
fix iniparse
lint / docker (push) Successful in 9m14s
fix code passing ruff linter
pre-commit ruff
pre-commit ruff format
2024-11-29 23:45:40 +01:00
aa8a68aa80
EOF & whitespace
lint / docker (push) Failing after 4m47s
2024-11-29 00:54:31 +01:00
7fcc5afc64
EOF & whitespace
2024-11-29 00:54:09 +01:00
e7e98d0b47
few fixes and lint compatible
2024-11-29 00:48:59 +01:00
8479c378ee
fix basic
2024-11-29 00:32:39 +01:00
274e1e2e59
requirements.txt
2024-11-29 00:02:24 +01:00
eb0bdaedbd
fix import
2024-11-28 23:59:02 +01:00
99dc6e0abf
fix import
2024-11-28 23:46:48 +01:00
e8ba6df102
fix first pass - .gitignore
2024-11-28 23:21:26 +01:00
ffd9bf3d39
fix first pass
2024-11-28 23:20:19 +01:00
c5a1ac0551
test ci - lint ruff
lint / docker (push) Failing after 5m14s
2024-11-28 20:58:27 +01:00
af9ef1da23
test ci
lint / docker (push) Successful in 13m19s
2024-11-27 22:51:28 +01:00
4786966097
test ci
2024-11-27 22:42:58 +01:00
Simon Fonteneau
9209a1bfa8
Update requirements.txt
2024-08-22 09:52:55 +02:00
roondar
b9a3ad755a
fix: Not use binary string in subprocess command
2023-03-08 17:58:06 +01:00
fggp
caf3e8ee23
Added uninstall instructions
2022-12-26 14:02:49 +01:00
fggp
4888be1af4
Update Readme.md
2022-12-26 14:02:49 +01:00
fggp
fc64eeda1d
stop and disable services on uninstall
2022-12-26 14:02:49 +01:00
fggp
aff59a7cc7
Update requirements.txt
2022-12-26 14:02:49 +01:00
fggp
54eb4a6412
Revert to previous commit
2022-12-26 14:02:49 +01:00
fggp
a6e04f727a
Minor fix
2022-12-26 14:02:49 +01:00
fggp
987f796d9b
Update createdeb.sh
2022-12-26 14:02:49 +01:00
fggp
fb641fb21c
huey 0.4.9 and redis are installed from postinst
This is to be sure that the binaries are put in /usr/local/bin
2022-12-26 14:02:49 +01:00
fggp
a64177bff4
pyo replaced by pyc in prerm
2022-12-26 14:02:49 +01:00
fggp
05c1d91b75
Update requirements.txt
2022-12-26 14:02:49 +01:00
fggp
03958fe7b1
Install huey and redis in python site-packages
2022-12-26 14:02:49 +01:00
fggp
49ad026e30
Update Readme.md
2022-12-26 14:02:49 +01:00
fggp
63f7339206
Corrected import of huey attribute
2022-12-26 14:02:49 +01:00
fggp
ca39549431
Start command
The start command path for tisbackup_huey.service was wrong.
2022-12-26 14:02:49 +01:00
fggp
6e53f7d351
Old version of huey needed
2022-12-26 14:02:49 +01:00