feat: Add FastAPI backend with rate limiting service and update security documentation.

cliff-de-tech · cliff-de-tech · commit ef3d42e9c8db · 2025-12-22T03:29:30.000Z
diff --git a/SECURITY.md b/SECURITY.md
@@ -118,7 +118,65 @@ This ensures:
 
 ---
 
-## API Key Storage
+## Multi-Tenant Isolation Guarantees
+
+### Design Principle
+
+```
+┌───────────────────────────────────────────────────────────────────┐
+│             MULTI-TENANT ISOLATION GUARANTEES                      │
+├───────────────────────────────────────────────────────────────────┤
+│                                                                    │
+│  ✅ User A can ONLY access:          ❌ User A can NEVER access:  │
+│  - Their own OAuth tokens            - User B's tokens            │
+│  - Their own GitHub activity         - User B's activity          │
+│  - Their own LinkedIn posts          - User B's posts             │
+│  - Their own settings                - User B's settings          │
+│                                                                    │
+└───────────────────────────────────────────────────────────────────┘
+```
+
+### Implementation Details
+
+**Database Level:**
+- Every query includes `WHERE user_id = ?`
+- User ID is the Clerk authentication ID
+- No admin endpoints return all users' data
+
+**API Level:**
+- User ID extracted from JWT claims
+- All endpoints scoped to authenticated user
+- Cross-user access returns 404/403
+
+**Service Level:**
+- GitHub activity: Scoped by username/token
+- AI generation: Receives only user's activity
+- LinkedIn posting: Uses only user's OAuth token
+
+### Token Validation
+
+Before any operation that requires an OAuth token:
+
+```python
+# 1. Verify user is authenticated (Clerk JWT)
+# 2. Retrieve token by user_id (tenant isolation)
+# 3. Check token exists
+# 4. Check token not expired
+# 5. Proceed or return error
+```
+
+**Graceful Failure Handling:**
+- Missing token → "Please connect your account"
+- Expired token → "Please reconnect your account"
+- Invalid token → "Authentication failed, please reconnect"
+- Rate limited → "Too many requests, please wait"
+
+### Cross-User Prevention
+
+1. **No token enumeration** — Tokens keyed by user_id, not sequential IDs
+2. **No URN guessing** — LinkedIn URN not exposed externally
+3. **Parameterized queries** — SQL injection prevented
+4. **JWT validation** — User identity verified on every request
 
 ### In-Transit
 
diff --git a/backend/app.py b/backend/app.py
@@ -64,6 +64,13 @@
     get_user_posts = None
     get_user_stats = None
 
+# Import Rate Limiter
+try:
+    from services.rate_limiter import check_rate_limit, get_rate_limit_status
+except ImportError:
+    check_rate_limit = None
+    get_rate_limit_status = None
+
 try:
     # Import core functions from the refactored services
     # from services.ai_service import generate_post_with_ai # Already imported above
diff --git a/services/rate_limiter.py b/services/rate_limiter.py
@@ -0,0 +1,128 @@
+"""
+Rate Limiter Service - Per-User Request Throttling
+
+Implements simple in-memory rate limiting to prevent abuse.
+
+CONFIGURATION:
+    - Default: 60 requests per minute per user
+    - Configurable via environment variables
+
+DESIGN:
+    - In-memory storage (resets on server restart)
+    - Keyed by user_id for multi-tenant isolation
+    - Sliding window algorithm
+"""
+import time
+import os
+from collections import defaultdict
+from threading import Lock
+import logging
+
+logger = logging.getLogger(__name__)
+
+# Configuration
+RATE_LIMIT_REQUESTS = int(os.getenv('RATE_LIMIT_REQUESTS', '60'))
+RATE_LIMIT_WINDOW_SECONDS = int(os.getenv('RATE_LIMIT_WINDOW', '60'))
+
+
+class RateLimiter:
+    """
+    Thread-safe per-user rate limiter using sliding window.
+    
+    MULTI-TENANT ISOLATION:
+        - Each user has their own request counter
+        - No cross-user rate limit sharing
+    """
+    
+    def __init__(self, max_requests: int = RATE_LIMIT_REQUESTS, 
+                 window_seconds: int = RATE_LIMIT_WINDOW_SECONDS):
+        self.max_requests = max_requests
+        self.window_seconds = window_seconds
+        self.requests = defaultdict(list)  # user_id -> [timestamps]
+        self.lock = Lock()
+    
+    def is_allowed(self, user_id: str) -> tuple[bool, dict]:
+        """
+        Check if a request is allowed for a user.
+        
+        Args:
+            user_id: Clerk user ID (tenant isolation key)
+            
+        Returns:
+            (allowed: bool, info: dict with remaining, reset_at, etc.)
+            
+        SECURITY: Uses user_id to ensure rate limits are per-tenant.
+        """
+        if not user_id:
+            # Anonymous requests - use stricter limit
+            user_id = "anonymous"
+        
+        current_time = time.time()
+        window_start = current_time - self.window_seconds
+        
+        with self.lock:
+            # Clean old requests
+            self.requests[user_id] = [
+                ts for ts in self.requests[user_id] 
+                if ts > window_start
+            ]
+            
+            request_count = len(self.requests[user_id])
+            remaining = max(0, self.max_requests - request_count)
+            
+            if request_count >= self.max_requests:
+                # Rate limited
+                oldest = self.requests[user_id][0] if self.requests[user_id] else current_time
+                reset_at = oldest + self.window_seconds
+                return False, {
+                    "allowed": False,
+                    "remaining": 0,
+                    "limit": self.max_requests,
+                    "reset_at": int(reset_at),
+                    "retry_after": int(reset_at - current_time)
+                }
+            
+            # Allow and record
+            self.requests[user_id].append(current_time)
+            
+            return True, {
+                "allowed": True,
+                "remaining": remaining - 1,
+                "limit": self.max_requests,
+                "reset_at": int(current_time + self.window_seconds)
+            }
+    
+    def get_status(self, user_id: str) -> dict:
+        """Get current rate limit status for a user without consuming quota."""
+        current_time = time.time()
+        window_start = current_time - self.window_seconds
+        
+        with self.lock:
+            requests = [ts for ts in self.requests.get(user_id, []) if ts > window_start]
+            remaining = max(0, self.max_requests - len(requests))
+            
+            return {
+                "remaining": remaining,
+                "limit": self.max_requests,
+                "window_seconds": self.window_seconds,
+                "used": len(requests)
+            }
+
+
+# Global rate limiter instance
+rate_limiter = RateLimiter()
+
+
+def check_rate_limit(user_id: str) -> tuple[bool, dict]:
+    """
+    Convenience function to check rate limit.
+    
+    Returns:
+        (allowed: bool, info: dict)
+    """
+    return rate_limiter.is_allowed(user_id)
+
+
+def get_rate_limit_status(user_id: str) -> dict:
+    """Get rate limit status without consuming quota."""
+    return rate_limiter.get_status(user_id)
