fix(security): authenticate shutdown endpoints with a per-session token

Dotify71 · Dotify71 · commit 3997f8bd309b · 2026-06-07T01:56:46.000+05:30
The /shutdown endpoints on both the backend (port 52123) and sync microservice (port 52124) were unauthenticated, allowing any local process to send a POST request and terminate PictoPy without user interaction. Fix: - Generate a cryptographically random 256-bit token (secrets.token_hex) on every backend startup and write it to a temporary file (pictopy_shutdown.token in the OS temp directory). - Both shutdown endpoints now require an X-Shutdown-Token header whose value is compared against the session token using hmac.compare_digest to prevent timing-based attacks. Requests with a missing or incorrect token receive 403 Forbidden. - The sync microservice reads the same token file written by the backend, so both services share one token without additional coordination. - The Tauri frontend (Windows path) is updated to read the token file at shutdown time and attach it as an X-Shutdown-Token header, preserving the existing Windows close behaviour. Closes #1241
diff --git a/backend/app/config/settings.py b/backend/app/config/settings.py
@@ -1,5 +1,7 @@
 import os
 import sys
+import secrets
+import tempfile
 
 from platformdirs import user_data_dir
 
@@ -35,3 +37,14 @@
     DATABASE_PATH = os.path.join(user_data_dir("PictoPy"), "database", "PictoPy.db")
 THUMBNAIL_IMAGES_PATH = os.path.join(user_data_dir("PictoPy"), "thumbnails")
 IMAGES_PATH = "./images"
+
+# Generate a fresh cryptographic token on every backend startup.
+# This token is written to a temporary file so that only the local Tauri
+# frontend — which reads the same file — can authenticate shutdown requests.
+# Any other process on the machine will not know the token and will be
+# rejected with 403 Forbidden.
+SHUTDOWN_TOKEN: str = secrets.token_hex(32)
+SHUTDOWN_TOKEN_FILE: str = os.path.join(tempfile.gettempdir(), "pictopy_shutdown.token")
+
+with open(SHUTDOWN_TOKEN_FILE, "w") as _f:
+    _f.write(SHUTDOWN_TOKEN)
diff --git a/backend/app/routes/shutdown.py b/backend/app/routes/shutdown.py
@@ -1,9 +1,11 @@
 import asyncio
+import hmac
 import os
 import platform
 import signal
-from fastapi import APIRouter
+from fastapi import APIRouter, Header, HTTPException
 from pydantic import BaseModel
+from app.config.settings import SHUTDOWN_TOKEN
 from app.logging.setup_logging import get_logger
 
 logger = get_logger(__name__)
@@ -37,16 +39,23 @@ async def _delayed_shutdown(delay: float = 0.5):
 
 
 @router.post("/shutdown", response_model=ShutdownResponse)
-async def shutdown():
+async def shutdown(x_shutdown_token: str = Header(...)):
     """
     Gracefully shutdown the PictoPy backend.
 
-    This endpoint schedules backend server termination after response is sent.
-    The frontend is responsible for shutting down the sync service separately.
+    This endpoint requires the ``X-Shutdown-Token`` header to match the token
+    generated at startup.  The token is shared with the Tauri frontend via a
+    temporary file, so only the PictoPy application itself can trigger this
+    endpoint — arbitrary local processes are rejected with 403 Forbidden.
 
     Returns:
         ShutdownResponse with status and message
     """
+    # Use constant-time comparison to prevent timing-based token guessing
+    if not hmac.compare_digest(x_shutdown_token, SHUTDOWN_TOKEN):
+        logger.warning("Shutdown attempt rejected: invalid token")
+        raise HTTPException(status_code=403, detail="Forbidden")
+
     logger.info("Shutdown request received for PictoPy backend")
 
     # Define callback to handle potential exceptions in the background task
diff --git a/frontend/src-tauri/src/main.rs b/frontend/src-tauri/src/main.rs
@@ -61,11 +61,31 @@ fn kill_process(process: &sysinfo::Process) {
 #[cfg(windows)]
 pub fn kill_process(_process: &sysinfo::Process) -> Result<(), String> {
     use reqwest::blocking::Client;
+    use reqwest::header::{HeaderMap, HeaderName, HeaderValue};
+    use std::str::FromStr;
+
+    // Read the per-session shutdown token written by the backend at startup.
+    // This guarantees that only the PictoPy frontend — which runs alongside
+    // the backend — can authenticate the shutdown request.
+    let token_path = std::env::temp_dir().join("pictopy_shutdown.token");
+    let token = std::fs::read_to_string(&token_path)
+        .map(|t| t.trim().to_string())
+        .unwrap_or_default();
+
+    let mut headers = HeaderMap::new();
+    if !token.is_empty() {
+        if let (Ok(name), Ok(value)) = (
+            HeaderName::from_str("x-shutdown-token"),
+            HeaderValue::from_str(&token),
+        ) {
+            headers.insert(name, value);
+        }
+    }
 
     let client = Client::builder().build().map_err(|e| e.to_string())?;
 
     for (name, url, _) in &ENDPOINTS {
-        match client.post(*url).send() {
+        match client.post(*url).headers(headers.clone()).send() {
             Ok(resp) => {
                 let status = resp.status();
 
diff --git a/sync-microservice/app/config/settings.py b/sync-microservice/app/config/settings.py
@@ -1,5 +1,6 @@
 from platformdirs import user_data_dir
 import os
+import tempfile
 
 # Model Exports Path
 MODEL_EXPORTS_PATH = "app/models/ONNX_Exports"
@@ -28,3 +29,16 @@
     DATABASE_PATH = os.path.join(user_data_dir("PictoPy"), "database", "PictoPy.db")
 THUMBNAIL_IMAGES_PATH = "./images/thumbnails"
 IMAGES_PATH = "./images"
+
+# The backend writes a fresh cryptographic token to this temp file on every
+# startup.  The sync microservice reads the same file so both services share
+# a single token without any additional coordination.
+SHUTDOWN_TOKEN_FILE: str = os.path.join(tempfile.gettempdir(), "pictopy_shutdown.token")
+
+try:
+    with open(SHUTDOWN_TOKEN_FILE) as _f:
+        SHUTDOWN_TOKEN: str = _f.read().strip()
+except FileNotFoundError:
+    # Fallback: generate an independent token if the backend hasn't started yet.
+    import secrets
+    SHUTDOWN_TOKEN = secrets.token_hex(32)
diff --git a/sync-microservice/app/routes/shutdown.py b/sync-microservice/app/routes/shutdown.py
@@ -1,9 +1,11 @@
 import asyncio
+import hmac
 import os
 import platform
 import signal
-from fastapi import APIRouter
+from fastapi import APIRouter, Header, HTTPException
 from pydantic import BaseModel
+from app.config.settings import SHUTDOWN_TOKEN
 from app.utils.watcher import watcher_util_stop_folder_watcher
 from app.logging.setup_logging import get_sync_logger
 
@@ -38,18 +40,29 @@ async def _delayed_shutdown(delay: float = 0.1):
 
 
 @router.post("/shutdown", response_model=ShutdownResponse)
-async def shutdown():
+async def shutdown(x_shutdown_token: str = Header(...)):
     """
     Gracefully shutdown the sync microservice.
 
+    This endpoint requires the ``X-Shutdown-Token`` header to match the token
+    generated by the backend at startup.  The token is shared between services
+    via a temporary file, so only the PictoPy application itself can trigger
+    shutdown — arbitrary local processes are rejected with 403 Forbidden.
+
     This endpoint:
-    1. Stops the folder watcher
-    2. Schedules server termination after response is sent
-    3. Returns confirmation to the caller
+    1. Validates the shutdown token
+    2. Stops the folder watcher
+    3. Schedules server termination after response is sent
+    4. Returns confirmation to the caller
 
     Returns:
         ShutdownResponse with status and message
     """
+    # Use constant-time comparison to prevent timing-based token guessing
+    if not hmac.compare_digest(x_shutdown_token, SHUTDOWN_TOKEN):
+        logger.warning("Shutdown attempt rejected: invalid token")
+        raise HTTPException(status_code=403, detail="Forbidden")
+
     logger.info("Shutdown request received for sync microservice")
 
     try:
