security fixes + codegen improvement

.github/workflows/cleanup-uploads.yml

@@ -0,0 +1,23 @@
+# GitHub Actions workflow to clean up uploaded files on Render
+# This runs every 5 hours
+# The workflow calls the cleanup API endpoint
+
+name: Cleanup Uploaded Files
+
+on:
+  schedule:
+    # Run every 5 hours
+    - cron: '0 */5 * * *'
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Trigger cleanup endpoint
+        run: |
+          curl -X POST \
+            -H "Content-Type: application/json" \
+            "${{ secrets.CLEANUP_ENDPOINT_URL }}" \
+            -d '{"secret": "${{ secrets.CLEANUP_SECRET }}"}'

.gitignore

@@ -73,6 +73,7 @@ sqlnet.ora
 # Django staticfiles and media
   staticfiles/
   media/
+  temp_uploads/
 
   # Python build artifacts
   *.egg-info/

project/.env.example

@@ -7,16 +7,26 @@
 # =====================================================
 
 # Django Settings
-DJANGO_SECRET_KEY=your-secret-key-here
-DJANGO_DEBUG=True
+# CRITICAL: Generate a secure secret key for production
+# python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'
+DJANGO_SECRET_KEY=your-secret-key-here-CHANGE-THIS-IN-PRODUCTION
+DJANGO_DEBUG=False
 DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1
 
 # Deployment Environment
 # Set to "DEV" or "LOCAL" to use server-side API keys (for local development)
-# Set to "PROD" or leave empty to require users to provide their own keys (for remote deployment)
-# Default: PROD (users bring their own keys)
+# Set to "PROD" for production deployment (users bring their own keys)
+# IMPORTANT: In production, also set CORS_ALLOWED_ORIGINS and CSRF_TRUSTED_ORIGINS
 ENVIRONMENT=DEV
 
+# Production CORS Configuration (required when DEBUG=False)
+# Comma-separated list of allowed origins
+# CORS_ALLOWED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
+
+# Production CSRF Configuration (required when DEBUG=False)
+# Comma-separated list of trusted origins
+# CSRF_TRUSTED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
+
 # AI Provider Configuration
 # Choose which AI provider to use: 'gemini' or 'claude'
 AI_PROVIDER=gemini
@@ -60,3 +70,8 @@ ORACLE_WALLET_PASSWORD=
 # GitHub OAuth (configured in Firebase Console)
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
+
+# File Cleanup Configuration
+# Secret token for triggering remote file cleanup
+# Generate with: python -c 'import secrets; print(secrets.token_urlsafe(32))'
+CLEANUP_SECRET_TOKEN=your-cleanup-secret-token-here

project/authentication/firebase_auth.py

@@ -2,11 +2,12 @@
 Firebase Admin SDK initialization and authentication utilities.
 """
 import os
+import logging
 import firebase_admin
 from firebase_admin import credentials, auth
 from dotenv import load_dotenv
 
-# Load environment variables
+logger = logging.getLogger('authentication')
 load_dotenv()
 
 
@@ -53,8 +54,17 @@ def verify_firebase_token(id_token):
         initialize_firebase()
         decoded_token = auth.verify_id_token(id_token)
         return decoded_token
+    except auth.InvalidIdTokenError as e:
+        logger.warning(f"Invalid Firebase ID token: {str(e)}")
+        return None
+    except auth.ExpiredIdTokenError as e:
+        logger.warning(f"Expired Firebase ID token: {str(e)}")
+        return None
+    except auth.RevokedIdTokenError as e:
+        logger.warning(f"Revoked Firebase ID token: {str(e)}")
+        return None
     except Exception as e:
-        print(f"Firebase token verification error: {str(e)}")
+        logger.error(f"Unexpected Firebase token verification error: {str(e)}", exc_info=True)
         return None
 
 

project/authentication/middleware.py

@@ -1,11 +1,14 @@
 """
 Firebase authentication middleware for Django.
 """
+import logging
 from django.utils.deprecation import MiddlewareMixin
 from django.http import JsonResponse
 from .firebase_auth import verify_firebase_token, get_user_info_from_token
 from .models import User
 
+logger = logging.getLogger('authentication')
+
 
 class FirebaseAuthenticationMiddleware(MiddlewareMixin):
     """
@@ -25,7 +28,8 @@ def process_request(self, request):
         # Skip authentication for certain paths
         exempt_paths = [
             '/admin/',
-            '/api/auth/verify-token',  # Allow token verification endpoint
+            '/api/auth/verify-token',
+            '/api/auth/csrf',
         ]
 
         if any(request.path.startswith(path) for path in exempt_paths):
@@ -63,7 +67,7 @@ def process_request(self, request):
             else:
                 request.firebase_user = None
         except Exception as e:
-            print(f"Firebase authentication error: {str(e)}")
+            logger.error(f"Firebase authentication error: {str(e)}", exc_info=True)
             request.firebase_user = None
 
         return None
@@ -81,6 +85,7 @@ def my_view(request):
     """
     def wrapper(request, *args, **kwargs):
         if not hasattr(request, 'firebase_user') or request.firebase_user is None:
+            logger.warning(f"Unauthorized access attempt to {request.path} from IP {request.META.get('REMOTE_ADDR')}")
             return JsonResponse({
                 'error': 'Authentication required',
                 'message': 'You must be logged in to access this endpoint'

project/authentication/urls.py

@@ -5,6 +5,7 @@
 from . import views
 
 urlpatterns = [
+    path('csrf', views.get_csrf_token, name='csrf_token'),
     path('verify-token', views.verify_token, name='verify_token'),
     path('me', views.get_current_user, name='get_current_user'),
     path('update-session', views.update_session, name='update_session'),

project/authentication/views.py

@@ -2,21 +2,40 @@
 Authentication API views for Firebase integration.
 """
 from django.http import JsonResponse, HttpRequest
-from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
 from django.views.decorators.http import require_http_methods
 from django.utils import timezone
+from django.conf import settings
 from django_ratelimit.decorators import ratelimit
 import json
 import traceback
+import logging
 
 from .firebase_auth import verify_firebase_token, get_user_info_from_token
 from .models import User
 from .middleware import require_authentication
 
+logger = logging.getLogger('authentication')
+
+
+@require_http_methods(["GET"])
+@ensure_csrf_cookie
+def get_csrf_token(request: HttpRequest) -> JsonResponse:
+    """
+    Get CSRF token for subsequent requests.
+
+    GET /api/auth/csrf
+
+    Returns:
+        200: CSRF token in response header and body
+    """
+    response = JsonResponse({'success': True, 'detail': 'CSRF cookie set'})
+    return response
+
 
 @csrf_exempt
 @require_http_methods(["POST"])
-@ratelimit(key='ip', rate='30/m', method='POST', block=True)
+@ratelimit(key='ip', rate='10/m', method='POST', block=True)
 def verify_token(request: HttpRequest) -> JsonResponse:
     """
     Verify Firebase ID token and create/update user in database.
@@ -44,6 +63,7 @@ def verify_token(request: HttpRequest) -> JsonResponse:
         # Verify token
         decoded_token = verify_firebase_token(token)
         if not decoded_token:
+            logger.warning(f"Failed token verification from IP {request.META.get('REMOTE_ADDR')}")
             return JsonResponse({
                 'error': 'Invalid token',
                 'message': 'Failed to verify Firebase token'
@@ -114,11 +134,14 @@ def verify_token(request: HttpRequest) -> JsonResponse:
             'message': 'Request body must be valid JSON'
         }, status=400)
     except Exception as e:
-        traceback.print_exc()  # Print full traceback to console for debugging
-        return JsonResponse({
+        logger.error(f"Unexpected error in verify_token: {str(e)}", exc_info=True)
+        response = {
             'error': 'Server error',
             'message': 'An unexpected error occurred. Please try again later.'
-        }, status=500)
+        }
+        if settings.DEBUG:
+            response['traceback'] = traceback.format_exc()
+        return JsonResponse(response, status=500)
 
 
 @csrf_exempt
@@ -161,7 +184,7 @@ def get_current_user(request: HttpRequest) -> JsonResponse:
 @csrf_exempt
 @require_http_methods(["POST"])
 @require_authentication
-@ratelimit(key='user_or_ip', rate='120/h', method='POST', block=True)
+@ratelimit(key='user_or_ip', rate='60/h', method='POST', block=True)
 def update_session(request):
     """
     Update session information (increment session count, add time spent).
@@ -204,11 +227,14 @@ def update_session(request):
             'message': 'Request body must be valid JSON'
         }, status=400)
     except Exception as e:
-        traceback.print_exc()  # Print full traceback to console for debugging
-        return JsonResponse({
+        logger.error(f"Error in update_session: {str(e)}", exc_info=True)
+        response = {
             'error': 'Server error',
             'message': 'An unexpected error occurred. Please try again later.'
-        }, status=500)
+        }
+        if settings.DEBUG:
+            response['traceback'] = traceback.format_exc()
+        return JsonResponse(response, status=500)
 
 
 @csrf_exempt
@@ -235,17 +261,20 @@ def logout(request):
         }, status=200)
 
     except Exception as e:
-        traceback.print_exc()  # Print full traceback to console for debugging
-        return JsonResponse({
+        logger.error(f"Error in logout: {str(e)}", exc_info=True)
+        response = {
             'error': 'Server error',
             'message': 'An unexpected error occurred. Please try again later.'
-        }, status=500)
+        }
+        if settings.DEBUG:
+            response['traceback'] = traceback.format_exc()
+        return JsonResponse(response, status=500)
 
 
 @csrf_exempt
 @require_http_methods(["POST"])
 @require_authentication
-@ratelimit(key='user_or_ip', rate='60/h', method='POST', block=True)
+@ratelimit(key='user_or_ip', rate='30/h', method='POST', block=True)
 def mark_milestone(request):
     """
     Mark user milestones (first model created, first export).
@@ -293,8 +322,11 @@ def mark_milestone(request):
             'message': 'Request body must be valid JSON'
         }, status=400)
     except Exception as e:
-        traceback.print_exc()  # Print full traceback to console for debugging
-        return JsonResponse({
+        logger.error(f"Error in mark_milestone: {str(e)}", exc_info=True)
+        response = {
             'error': 'Server error',
             'message': 'An unexpected error occurred. Please try again later.'
-        }, status=500)
+        }
+        if settings.DEBUG:
+            response['traceback'] = traceback.format_exc()
+        return JsonResponse(response, status=500)

project/backend/settings.py

@@ -25,10 +25,12 @@
 # See https://docs.djangoproject.com/en/5.2/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = os.getenv('DJANGO_SECRET_KEY', 'django-insecure-oy%j%4%)w%7#sx@e!h+m-hai9zvl*)-5$5uz%wlro4ry1*4vc-')
+SECRET_KEY = os.getenv('DJANGO_SECRET_KEY')
+if not SECRET_KEY:
+    raise ValueError("DJANGO_SECRET_KEY environment variable must be set")
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = os.getenv('DJANGO_DEBUG', 'True') == 'True'
+DEBUG = os.getenv('DJANGO_DEBUG', 'False') == 'True'
 
 # Environment Variable Validation (Production Only)
 REQUIRED_ENV_VARS = [
@@ -106,7 +108,12 @@
 ]
 
 # CORS configuration - read from environment variable for production
-cors_origins = os.getenv('CORS_ALLOWED_ORIGINS', 'http://localhost:3000,http://localhost:5173,http://localhost:5000')
+if DEBUG:
+    cors_origins = os.getenv('CORS_ALLOWED_ORIGINS', 'http://localhost:3000,http://localhost:5173,http://localhost:5000')
+else:
+    cors_origins = os.getenv('CORS_ALLOWED_ORIGINS')
+    if not cors_origins:
+        raise ValueError("CORS_ALLOWED_ORIGINS environment variable must be set in production")
 CORS_ALLOWED_ORIGINS = [origin.strip() for origin in cors_origins.split(',')]
 
 CORS_ALLOW_CREDENTIALS = True
@@ -125,12 +132,19 @@
     'x-firebase-token',
 ]
 
-csrf_origins = os.getenv('CSRF_TRUSTED_ORIGINS', 'http://localhost:3000,http://localhost:5173,http://localhost:5000')
+if DEBUG:
+    csrf_origins = os.getenv('CSRF_TRUSTED_ORIGINS', 'http://localhost:3000,http://localhost:5173,http://localhost:5000')
+else:
+    csrf_origins = os.getenv('CSRF_TRUSTED_ORIGINS')
+    if not csrf_origins:
+        raise ValueError("CSRF_TRUSTED_ORIGINS environment variable must be set in production")
 CSRF_TRUSTED_ORIGINS = [origin.strip() for origin in csrf_origins.split(',')]
 
-# CSRF configuration: keep cookie HTTP-only; frontend should use X-CSRFToken header pattern
+# CSRF Protection
 CSRF_COOKIE_HTTPONLY = True
-CSRF_USE_SESSIONS = False  # Use cookie-based CSRF tokens
+CSRF_USE_SESSIONS = False
+CSRF_COOKIE_SAMESITE = 'Lax'
+CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'
 
 # Environment mode configuration
 # Controls API key behavior: PROD/missing = BYOK, DEV/LOCAL = server keys
@@ -139,18 +153,16 @@
 REQUIRES_USER_API_KEY = IS_PRODUCTION
 
 REST_FRAMEWORK = {
-    # For local dev only: allow unauthenticated access to endpoints
     "DEFAULT_PERMISSION_CLASSES": [
-        "rest_framework.permissions.AllowAny",
+        "rest_framework.permissions.IsAuthenticatedOrReadOnly",
     ],
-    # Rate limiting via DRF throttling (global fallback)
     "DEFAULT_THROTTLE_CLASSES": [
         "rest_framework.throttling.AnonRateThrottle",
         "rest_framework.throttling.UserRateThrottle",
     ],
     "DEFAULT_THROTTLE_RATES": {
-        "anon": "100/hour",
-        "user": "1000/hour",
+        "anon": "60/hour",
+        "user": "600/hour",
     },
 }
 
@@ -260,10 +272,16 @@
     # https://github.com/firebase/firebase-js-sdk/issues/8541
     SECURE_CROSS_ORIGIN_OPENER_POLICY = 'same-origin-allow-popups'
 
-    # Content Security Policy (basic - customize as needed)
-    # CSP_DEFAULT_SRC = ("'self'",)
-    # CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")  # Adjust based on your needs
-    # CSP_STYLE_SRC = ("'self'", "'unsafe-inline'")
+    # Content Security Policy
+    CSP_DEFAULT_SRC = ("'self'",)
+    CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'", "'unsafe-eval'", "https://www.gstatic.com", "https://apis.google.com")
+    CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "https://fonts.googleapis.com")
+    CSP_IMG_SRC = ("'self'", "data:", "https:", "blob:")
+    CSP_FONT_SRC = ("'self'", "https://fonts.gstatic.com", "data:")
+    CSP_CONNECT_SRC = ("'self'", "https://firebasestorage.googleapis.com", "https://identitytoolkit.googleapis.com", "https://securetoken.googleapis.com", "https://*.googleapis.com")
+    CSP_FRAME_SRC = ("https://accounts.google.com", "https://github.com")
+    CSP_OBJECT_SRC = ("'none'",)
+    CSP_BASE_URI = ("'self'",)
 
 else:
     # Development settings - less strict
@@ -295,3 +313,12 @@
 # https://docs.djangoproject.com/en/5.2/ref/settings/#default-auto-field
 
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
+
+# ==========================================
+# FILE UPLOAD CONFIGURATION
+# ==========================================
+TEMP_UPLOAD_DIR = BASE_DIR / 'temp_uploads'
+UPLOAD_RETENTION_HOURS = 2  # Delete files older than 2 hours
+
+# Create upload directory if it doesn't exist
+TEMP_UPLOAD_DIR.mkdir(exist_ok=True)