mirror of https://github.com/interlegis/sapl.git
Tree: ff8eaf171d
2756-status-materia-pauta
2989-adicionado-presenca-em-reunioes-3.1.x
3.1.162-patch
3.1.x
3007-Adcionando-mudança-de-apresentaçã0-de-oradores-painel
3058-refatorar-tela-composicao-de-comissao-para-vue
3217-registro-numeracao
3268-result-votacao
3279-leitura-em-bloco
3299-orderby-explicito
3828_refatorar_mesa_diretora
AlertaSonoroPainel
MateriaDiscussao
OsTicket_#635416
Reuniao_frente_3364
StringsNaoFormatadas
Websocket_painel
adicionar-cron-job
bump_django
centraliza_resultado
configuracao_impressao
cron-update-solr-index
deduplica_comissao
dependabot/npm_and_yarn/diff-8.0.3
dependabot/npm_and_yarn/js-yaml-4.1.1
dependabot/npm_and_yarn/lodash-4.17.23
dependabot/npm_and_yarn/multi-c8afcbbcd8
dependabot/npm_and_yarn/node-forge-1.3.2
dependabot/pip/requirements/django-4.2.26
dependabot/pip/requirements/weasyprint-68.0
django-celery
faceted-search-2
file-metafields
fixes_protocolo_materia
form-appconfig
frontend_assets
impressao-materia-tramitacao
insere_ano_numeracao_audiencia_publica
issue#3396
issue#3438
js-update
legislatura-fevereiro
master
merged-migrations-2021
mesa-vuejs
migracao
performance-relatorios
pesquisar-auditlog
rate-limiter-2026
refatora-relatorio-tramitacao
refatora-relatorios-pauta-sessao
sapl-logs
script-comissao
script-migracao-norma-materia
situacao-pauta
tela-config-relatorio
tipo-proposicao
upgrade-sapl
upgrade-sapl-sync-2026-02-25
valida-html
vuejs_painel
3.1.0-BETA
3.1.0-alpha
3.1.1-BETA
3.1.1-alpha
3.1.10-BETA
3.1.100
3.1.101
3.1.102
3.1.103
3.1.104
3.1.105
3.1.106
3.1.107
3.1.108
3.1.109
3.1.11-BETA
3.1.110
3.1.111
3.1.112
3.1.113
3.1.113-ALPHA
3.1.114
3.1.115
3.1.116
3.1.117
3.1.118
3.1.119
3.1.12-BETA
3.1.120
3.1.121
3.1.122
3.1.123
3.1.124
3.1.125
3.1.126
3.1.127
3.1.128
3.1.129
3.1.13-BETA
3.1.130
3.1.131
3.1.132
3.1.133
3.1.134
3.1.135
3.1.136
3.1.137
3.1.138
3.1.139
3.1.14-BETA
3.1.140
3.1.141
3.1.142
3.1.143
3.1.144
3.1.145
3.1.146
3.1.147
3.1.148
3.1.149
3.1.15-BETA
3.1.150
3.1.151
3.1.152
3.1.153
3.1.154
3.1.155
3.1.156
3.1.157
3.1.157-RC0
3.1.157-RC1
3.1.157-RC2
3.1.157-RC3
3.1.157-RC4
3.1.157-RC5
3.1.158
3.1.159
3.1.159-RC0
3.1.159-RC1
3.1.159-RC2
3.1.159-RC3
3.1.16-BETA
3.1.160
3.1.160-RC0
3.1.160-RC1
3.1.160-RC10
3.1.160-RC11
3.1.160-RC12
3.1.160-RC13
3.1.160-RC14
3.1.160-RC15
3.1.160-RC2
3.1.160-RC4
3.1.160-RC5
3.1.160-RC6
3.1.160-RC7
3.1.160-RC8
3.1.160-RC9
3.1.161
3.1.161-RC0
3.1.161-RC1
3.1.161-RC10
3.1.161-RC11
3.1.161-RC12
3.1.161-RC13
3.1.161-RC14
3.1.161-RC15
3.1.161-RC16
3.1.161-RC17
3.1.161-RC18
3.1.161-RC19
3.1.161-RC2
3.1.161-RC20
3.1.161-RC3
3.1.161-RC4
3.1.161-RC5
3.1.161-RC6
3.1.161-RC7
3.1.161-RC8
3.1.161-RC9
3.1.162
3.1.162-RC0
3.1.162-RC1
3.1.162-RC10
3.1.162-RC11
3.1.162-RC12
3.1.162-RC13
3.1.162-RC14
3.1.162-RC15
3.1.162-RC16
3.1.162-RC17
3.1.162-RC18
3.1.162-RC19
3.1.162-RC2
3.1.162-RC20
3.1.162-RC3
3.1.162-RC4
3.1.162-RC5
3.1.162-RC6
3.1.162-RC7
3.1.162-RC8
3.1.162-RC9
3.1.163
3.1.163-RC1
3.1.163-RC10
3.1.163-RC11
3.1.163-RC12
3.1.163-RC13
3.1.163-RC14
3.1.163-RC15
3.1.163-RC16
3.1.163-RC17
3.1.163-RC18
3.1.163-RC19
3.1.163-RC2
3.1.163-RC20
3.1.163-RC21
3.1.163-RC22
3.1.163-RC23
3.1.163-RC24
3.1.163-RC3
3.1.163-RC4
3.1.163-RC5
3.1.163-RC6
3.1.163-RC7
3.1.163-RC8
3.1.163-RC9
3.1.164-RC0
3.1.164-RC1
3.1.164-RC2
3.1.164-RC2-test
3.1.164-RC3
3.1.164-RC4
3.1.164-RC5
3.1.164-alpha
3.1.165-RC0
3.1.165-RC1
3.1.165-RC2
3.1.17-BETA
3.1.18-BETA
3.1.19-BETA
3.1.2-BETA
3.1.20-BETA
3.1.21-BETA
3.1.22-BETA
3.1.23-BETA
3.1.24-BETA
3.1.25-BETA
3.1.26-BETA
3.1.27-BETA
3.1.28-BETA
3.1.29-BETA
3.1.3-BETA
3.1.30-BETA
3.1.31-BETA
3.1.32-BETA
3.1.33-BETA
3.1.34-BETA
3.1.35-BETA
3.1.36-BETA
3.1.37-BETA
3.1.38-BETA
3.1.39-BETA
3.1.4-BETA
3.1.40-BETA
3.1.41-BETA
3.1.42-BETA
3.1.43-BETA
3.1.44-BETA
3.1.45
3.1.46
3.1.47
3.1.48
3.1.49
3.1.5-BETA
3.1.50
3.1.51
3.1.52
3.1.53
3.1.54
3.1.55
3.1.56
3.1.57
3.1.58
3.1.59
3.1.6-BETA
3.1.60
3.1.61
3.1.62
3.1.63
3.1.64
3.1.65
3.1.66
3.1.67
3.1.68
3.1.69
3.1.7-BETA
3.1.70
3.1.71
3.1.72
3.1.73
3.1.74
3.1.75
3.1.76
3.1.77
3.1.78
3.1.79
3.1.8-BETA
3.1.80
3.1.81
3.1.82
3.1.83
3.1.84
3.1.85
3.1.86
3.1.87
3.1.88
3.1.89
3.1.9-BETA
3.1.90
3.1.91
3.1.92
3.1.93
3.1.94
3.1.95
3.1.96
3.1.97
3.1.98
3.1.99
1 Commits (ff8eaf171d73e35282567db41e5f12a6de0e3793)
| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 64c9b241fa | Phase 5: X-Accel-Redirect for /media/, UA Redis deny list, per-path counters | 3 weeks ago |
| | b61e3e5bd9 | GeoIP offline build; Redis inspection tools; smart_rate/smart_key; cache KEY_PREFIX | 3 weeks ago |
| | 86fab64feb | Fix remaining get_client_ip stale imports; split Phase 5 to work_queues.md | 3 weeks ago |
| | eaf4a8405a | Phase 0 hardening: nginx GeoIP2, rate limits, Gunicorn tuning, N+1 fix | 3 weeks ago |

Full commit messages:

64c9b241fa: Phase 5: X-Accel-Redirect for /media/, UA Redis deny list, per-path counters

nginx:
- /media/ proxied through Gunicorn (sapl_general rate limit) instead of direct alias — Django middleware now runs on every media request
- /_accel/media/ internal location serves file bytes via X-Accel-Redirect

sapl/base/media.py (new):
- serve_media() gate: path traversal guard, auth redirect for documentos_privados/, per-path Redis counter, content-type metadata cache, X-Accel-Redirect response; falls back to Django serve() in DEBUG

sapl/middleware/ratelimit.py:
- RL_PATH_REQUESTS, RL_UA_BLOCKLIST, FILE_META_KEY constants
- _incr_with_ttl() extracted to module level (reused by media.py)
- Runtime UA deny list: _refresh_ua_blocklist() fetches rl:bot:ua:blocked SET from Redis (SMEMBERS, cached per worker, TTL=RATE_LIMITER_UA_BLOCKLIST_REFRESH); _is_redis_blocked_ua() tokenises UA and checks sha256 of each token

sapl/settings.py:
- RATE_LIMITER_UA_BLOCKLIST_REFRESH, MEDIA_PATH_COUNTER_TTL, MEDIA_FILE_CACHE_TTL added (all env-tunable via config())

plan/RATE_LIMITER_PLAN.md:
- Key schema table updated; media file serving section added; decision flow documented; UA deny list seed section expanded

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

b61e3e5bd9: GeoIP offline build; Redis inspection tools; smart_rate/smart_key; cache KEY_PREFIX

GeoIP (docker/Dockerfile):
Remove at-build-time MaxMind download (required BuildKit secrets, caused cache-miss issues). Replace with COPY from docker/geoip/GeoLite2-ASN.mmdb (git-ignored binary). If absent, build succeeds with ASN blocking disabled.
Add docker/geoip/update_geoip.sh — run before each build to refresh the database from MaxMind using MAXMIND_LICENSE_KEY from env or .env file.

Redis inspection / synthetic test data:
Add docker/scripts/redis_populate_test_data.py — injects synthetic rl:* entries into Redis DB1 to validate key schema and blocking thresholds without waiting for real traffic. Supports DRY_RUN and CLEAR modes.
Add §4.5 (Redis CLI quick-reference + RedisInsight guide) to rate-limiter-v2.md.

Auth-aware @ratelimit decorators (smart_rate / smart_key):
All 51 @ratelimit decorators across 9 files used rate=RATE_LIMITER_RATE (35/m) regardless of authentication, silently over-throttling logged-in users compared to what RateLimitMiddleware allows (120/m).
Add smart_key() and smart_rate() to sapl/middleware/ratelimit.py:
- smart_key: user pk for authenticated requests, masked IP for anon
- smart_rate: RATE_LIMITER_RATE_AUTHENTICATED (120/m) for auth, RATE_LIMITER_RATE (35/m) for anon — mirrors middleware thresholds
Update all 51 decorators across crud/base.py + 8 view files. Remove now-unused RATE_LIMITER_RATE imports from those files.

Cache KEY_PREFIX (settings.py):
Change KEY_PREFIX from POD_NAMESPACE ("sapl") to f"cache:{POD_NAMESPACE}" so DB0 cache keys are unambiguously prefixed cache:{ns}:* — distinct from any future static or file cache key patterns. Update key schema table and code examples in rate-limiter-v2.md to match.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

86fab64feb: Fix remaining get_client_ip stale imports; split Phase 5 to work_queues.md

Import fixes (all three imported get_client_ip/ratelimit_ip from sapl.utils which no longer exports them — causing the ImportError at startup):
- sapl/materia/forms.py: move get_client_ip to sapl.middleware.ratelimit
- sapl/materia/views.py: move get_client_ip + ratelimit_ip; keep RATE_LIMITER_RATE in sapl.settings (used by @ratelimit decorators)
- sapl/base/views.py: same pattern as materia/views.py

Docs:
- rate-limiter-v2.md: remove Phase 5 section (§8); renumber Open Questions to §8; update Table of Contents
- work_queues.md (new): Async PDF via Celery + Django Channels WebSocket voting panel, with full context, Redis B topology rationale, k8s manifest list, and open questions. Planned start: after rate-limiter-2026 is stable.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

eaf4a8405a: Phase 0 hardening: nginx GeoIP2, rate limits, Gunicorn tuning, N+1 fix

- nginx: sendfile on, tcp_nopush, reduced keepalive/proxy timeouts
- nginx: GeoIP2 ASN-based bot blocking (cloud providers + known scrapers)
- nginx: UA blocklist (GPTBot, ClaudeBot, Chrome/98.0.4758 impersonator, etc.)
- nginx: rate-limit zones (30r/m general, 10r/m heavy/relatorios), 429/500 error pages
- nginx: proper ETags + Cache-Control on /media/ to stop 30GB logo re-transfers
- Dockerfile: install libnginx-mod-http-geoip2; download GeoLite2-ASN.mmdb via BuildKit secret (key never baked into image layers); ARG GEOIP_CACHE_BUST for forced re-download without --no-cache
- Gunicorn: workers 3->2, threads 8->4, timeout 300->120, max_memory 300->400MB
- Django: FILE_UPLOAD_MAX_MEMORY_SIZE=2MB, FILE_UPLOAD_TEMP_DIR for large uploads
- relatorios/views.py: fix N+1 in get_etiqueta_protocolos with bulk-fetch MateriaLegislativa + DocumentoAdministrativo using select_related + dict lookups
- Add robots.txt, 429.html, 500.html static pages
- docker-compose.yaml: use sapl:local for local dev
- docker/README.md: build instructions with MAXMIND_LICENSE_KEY
- rate-limiter-v2.md: canonical planning document (Architecture through Phase 5)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>