feat: sécurité HIGH — token Bearer, validation, rate limiting, headers

- Token Bearer auth sur le streaming server (auto-généré ou env var)
- Validation actions replay (types, longueurs, coordonnées 0-1)
- Rate limiting in-memory (10 replays/min, 200 images/min)
- Security headers Flask (nosniff, SAMEORIGIN, XSS)
- Validation uploads (50MB max, MIME type)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dom
2026-03-19 00:29:54 +01:00
parent 24a947b51d
commit fe5e0ba83d
6 changed files with 96 additions and 12 deletions


@@ -25,7 +25,7 @@ import time
import requests
from PIL import Image
from ..config import STREAMING_ENDPOINT
from ..config import API_TOKEN, STREAMING_ENDPOINT
logger = logging.getLogger(__name__)
@@ -56,6 +56,13 @@ class TraceStreamer:
self._health_thread = None
self._server_available = True # Désactivé après trop d'échecs
@staticmethod
def _auth_headers() -> dict:
"""Headers d'authentification Bearer pour les requêtes API."""
if API_TOKEN:
return {"Authorization": f"Bearer {API_TOKEN}"}
return {}
def start(self):
"""Démarrer le streaming et enregistrer la session côté serveur."""
self.running = True
@@ -240,6 +247,7 @@ class TraceStreamer:
try:
resp = requests.get(
f"{STREAMING_ENDPOINT}/stats",
headers=self._auth_headers(),
timeout=3,
)
if resp.ok:
@@ -292,6 +300,7 @@ class TraceStreamer:
"session_id": self.session_id,
"machine_id": self.machine_id,
},
headers=self._auth_headers(),
timeout=3,
)
if resp.ok:
@@ -319,6 +328,7 @@ class TraceStreamer:
"session_id": self.session_id,
"machine_id": self.machine_id,
},
headers=self._auth_headers(),
timeout=30, # Le build workflow peut prendre du temps
)
if resp.ok:
@@ -343,6 +353,7 @@ class TraceStreamer:
resp = requests.post(
f"{STREAMING_ENDPOINT}/event",
json=payload,
headers=self._auth_headers(),
timeout=2,
)
return resp.ok
@@ -377,6 +388,7 @@ class TraceStreamer:
f"{STREAMING_ENDPOINT}/image",
files=files,
params=params,
headers=self._auth_headers(),
timeout=5,
)
return resp.ok
@@ -390,6 +402,7 @@ class TraceStreamer:
f"{STREAMING_ENDPOINT}/image",
files=files,
params=params,
headers=self._auth_headers(),
timeout=5,
)
return resp.ok
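Review bot: `_auth_headers` (hunk `@@ -56,6 +56,13 @@`) silently falls back to `{}` when `API_TOKEN` is empty, so a client whose env var is missing sends every request unauthenticated; given that the server side now requires a Bearer token, each of those calls will simply fail on `resp.ok`, and the failure count presumably feeds the `_server_available` cut-off rather than pointing at the real cause. That misconfiguration is worth surfacing once, e.g. at the top of `start()`: `if not API_TOKEN: logger.warning("API_TOKEN non défini : requêtes vers %s envoyées sans authentification", STREAMING_ENDPOINT)`. The token is also attached regardless of the endpoint scheme; if `STREAMING_ENDPOINT` may be plain `http://`, the Bearer value travels in clear, which deserves a comment on `_auth_headers` (`# Le token n'est protégé que si STREAMING_ENDPOINT est en https`) or a check at startup. `start()` and the other patched request sites continue outside their hunks, so the `_server_available` interaction is inferred from the comment on line 57 of the file only.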