Feature: Backend Security Hardening & Real-Time WebSocket Alerts #50

Merged: GiZano merged 1 commit into main from Backend on Apr 18, 2026

@GiZano GiZano commented Apr 18, 2026

🌋 Overview

This PR resolves Issue #19 (Security & Rate Limiting) and Issue #27 (Real-Time Notifications). It introduces critical security and scalability improvements to the FastAPI backend, preparing the API gateway to safely handle production IoT traffic and broadcast instant alerts.

🛠️ Key Changes

  • Defense in Depth: Enforced global X-API-Key validation for all IoT endpoints. Implemented strict ECDSA cryptographic signature validation and timestamp checking to block spoofed payloads and Replay attacks.
  • Thundering Herd Protection: Built a fast, Redis-backed rate limiter capping inbound traffic at 50 requests/second to protect the database from DoS attacks.
  • Real-Time Scalability: Replaced legacy REST polling with a highly scalable WebSocket endpoint (/ws/alerts). Hooked WebSockets into Redis Pub/Sub to instantly broadcast life-saving alerts to hundreds of clients across multiple containers.
  • Test Suite Updates:
    • Updated tests/stress_test.py to include proper API headers, simulate malicious Replay/Bad Signature attacks, and pace requests to respect the new rate limiter.
    • Created tests/test_websocket_broadcast.py to verify Pub/Sub broadcasting to concurrent mobile clients.

🧪 Testing Performed

  • Load Testing: Passed stress_test.py with 200 concurrent virtual sensors. Rate limiter successfully handled traffic bursts.
  • Security Testing: Verified that malicious payloads (invalid signatures, delayed timestamps) are correctly rejected with 401 Unauthorized and 403 Forbidden.
  • WebSocket Broadcasting: Passed test_websocket_broadcast.py simulating 100 concurrent mobile clients receiving instant Redis alerts.
  • Verified docker compose up --build works cleanly with new dependencies (redis, websockets).

⚠️ Notes for Reviewers

  • Phase 3 of the stress test (polling /statistics) is temporarily skipped as the endpoint has not been implemented yet.
  • Next step will be implementing the Python Redis worker.py to asynchronously persist the valid payloads to PostGIS.

- Implemented ECDSA signature validation and anti-replay attack logic
- Added global X-API-Key validation for IoT devices
- Built Redis-backed rate limiter (50 req/sec) to prevent DoS
- Replaced REST polling with WebSockets and Redis Pub/Sub for alerts
- Updated stress and broadcast tests to support new security/limits
@GiZano GiZano merged commit c0b2310 into main Apr 18, 2026
2 checks passed
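
An added example, not the code from this PR: one common way to build a Redis-backed 50 requests/second cap is a fixed-window counter on INCR and EXPIRE. The algorithm, the `allow_request` and `FakeRedis` names, the `ratelimit:` key prefix and the single global scope are assumptions; `FakeRedis` is an in-memory stand-in so the block runs offline.

```python
import time


class FakeRedis:
    """In-memory stand-in (constructed for this example) for INCR and EXPIRE."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.data = {}  # key -> [count, expires_at or None]

    def _live(self, key):
        # Return the entry for key, dropping it first if its TTL has passed.
        entry = self.data.get(key)
        if entry and entry[1] is not None and self.clock() >= entry[1]:
            del self.data[key]
            entry = None
        return entry

    def incr(self, key):
        entry = self._live(key)
        if entry is None:
            entry = self.data[key] = [0, None]
        entry[0] += 1
        return entry[0]

    def expire(self, key, seconds):
        entry = self._live(key)
        if entry is None:
            return False
        entry[1] = self.clock() + seconds
        return True


def allow_request(redis, scope="global", limit=50, now=None):
    """Fixed-window limiter: at most `limit` requests per `scope` per second."""
    now = time.time() if now is None else now
    # The window number is part of the key, so a counter that never received
    # its EXPIRE (crash between the two calls) is stale garbage, not a
    # permanent lockout: the next second uses a fresh key.
    key = f"ratelimit:{scope}:{int(now)}"
    count = redis.incr(key)
    if count == 1:
        # First hit in this window: let the counter clean itself up.
        redis.expire(key, 2)
    return count <= limit
```

A redis-py client exposes the same `incr` and `expire` calls and can be passed in place of `FakeRedis`. A fixed window admits up to twice the limit across a window boundary, which matters when sizing the database behind it.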