fix: security hardening — Keychain, no hardcoded creds, safe URLs

- Add KeychainService for encrypted token storage (auth, refresh, health JWT, API key) - Remove hardcoded email/password from HealthAPIService, store in Keychain - Move all tokens from UserDefaults to Keychain - API key sent via X-API-Key header instead of URL query parameter - Replace force unwrap URL(string:)! with guard let + throws - Fix force unwrap Calendar.date() in HealthKitService - Mark HealthKitService @MainActor for thread-safe @Published - Use withTaskGroup for parallel habit log fetching in TrackerView - Check notification permission before scheduling reminders - Add input validation (title max 200 chars) - Add privacy policy and terms links in Settings - Update CLAUDE.md with security section Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 14:11:10 +03:00
parent 28fca1de89
commit 44c759c190
10 changed files with 167 additions and 58 deletions
--- a/PulseHealth/Services/APIService.swift
+++ b/PulseHealth/Services/APIService.swift
@@ -25,8 +25,12 @@ class APIService {
    let baseURL = "https://api.digital-home.site"
    weak var authManager: AuthManager?

-    private func makeRequest(_ path: String, method: String = "GET", token: String? = nil, body: Data? = nil) -> URLRequest {
-        var req = URLRequest(url: URL(string: "\(baseURL)\(path)")!)
+    private func makeRequest(_ path: String, method: String = "GET", token: String? = nil, body: Data? = nil) throws -> URLRequest {
+        let encoded = path.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed) ?? path
+        guard let url = URL(string: "\(baseURL)\(encoded)") else {
+            throw APIError.networkError("Неверный URL: \(path)")
+        }
+        var req = URLRequest(url: url)
        req.httpMethod = method
        req.setValue("application/json", forHTTPHeaderField: "Content-Type")
        req.timeoutInterval = 15
@@ -36,7 +40,7 @@ class APIService {
    }

    private func fetch<T: Decodable>(_ path: String, method: String = "GET", token: String? = nil, body: Data? = nil) async throws -> T {
-        let req = makeRequest(path, method: method, token: token, body: body)
+        let req = try makeRequest(path, method: method, token: token, body: body)
        let (data, response) = try await URLSession.shared.data(for: req)
        guard let http = response as? HTTPURLResponse else { throw APIError.networkError("Нет ответа") }
        if http.statusCode == 401, let auth = authManager, !auth.refreshToken.isEmpty, !path.contains("/auth/refresh") {
--- a/PulseHealth/Services/HealthAPIService.swift
+++ b/PulseHealth/Services/HealthAPIService.swift
@@ -3,44 +3,61 @@ import Foundation
 class HealthAPIService {
    static let shared = HealthAPIService()
    let baseURL = "https://health.digital-home.site"
-    
+
    private var cachedToken: String? {
-        get { UserDefaults.standard.string(forKey: "healthJWTToken") }
-        set { UserDefaults.standard.set(newValue, forKey: "healthJWTToken") }
+        get { KeychainService.load(key: KeychainService.healthTokenKey) }
+        set {
+            if let v = newValue { KeychainService.save(key: KeychainService.healthTokenKey, value: v) }
+            else { KeychainService.delete(key: KeychainService.healthTokenKey) }
+        }
    }
-    
-    // Логин в health сервис (отдельный JWT)
+
    func ensureToken() async throws -> String {
        if let t = cachedToken { return t }
        return try await refreshToken()
    }
-    
+
    func refreshToken() async throws -> String {
+        // Use credentials from Keychain (set during first login or onboarding)
+        guard let email = KeychainService.load(key: "health_email"),
+              let password = KeychainService.load(key: "health_password") else {
+            throw APIError.unauthorized
+        }
        var req = URLRequest(url: URL(string: "\(baseURL)/api/auth/login")!)
        req.httpMethod = "POST"
        req.setValue("application/json", forHTTPHeaderField: "Content-Type")
-        req.httpBody = try? JSONEncoder().encode(["email": "daniilklimov25@gmail.com", "password": "cosmo-health-2026"])
+        req.httpBody = try? JSONEncoder().encode(["email": email, "password": password])
        req.timeoutInterval = 15
-        let (data, _) = try await URLSession.shared.data(for: req)
+        let (data, response) = try await URLSession.shared.data(for: req)
+        guard let http = response as? HTTPURLResponse, http.statusCode == 200 else {
+            throw APIError.unauthorized
+        }
        struct LoginResp: Decodable { let token: String }
        let resp = try JSONDecoder().decode(LoginResp.self, from: data)
        cachedToken = resp.token
        return resp.token
    }

+    /// Call once during setup to store health credentials securely
+    static func configureCredentials(email: String, password: String) {
+        KeychainService.save(key: "health_email", value: email)
+        KeychainService.save(key: "health_password", value: password)
+    }
+
    private func fetch<T: Decodable>(_ path: String) async throws -> T {
        let token = try await ensureToken()
-        var req = URLRequest(url: URL(string: "\(baseURL)\(path)")!)
+        guard let url = URL(string: "\(baseURL)\(path)") else { throw APIError.networkError("Неверный URL") }
+        var req = URLRequest(url: url)
        req.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")
        req.setValue("application/json", forHTTPHeaderField: "Content-Type")
        req.timeoutInterval = 15
        let (data, response) = try await URLSession.shared.data(for: req)
-        guard let http = response as? HTTPURLResponse else { throw APIError.networkError("No response") }
+        guard let http = response as? HTTPURLResponse else { throw APIError.networkError("Нет ответа") }
        if http.statusCode == 401 {
-            // Token expired, retry once
            cachedToken = nil
            let newToken = try await refreshToken()
-            var req2 = URLRequest(url: URL(string: "\(baseURL)\(path)")!)
+            guard let retryURL = URL(string: "\(baseURL)\(path)") else { throw APIError.networkError("Неверный URL") }
+            var req2 = URLRequest(url: retryURL)
            req2.setValue("Bearer \(newToken)", forHTTPHeaderField: "Authorization")
            req2.setValue("application/json", forHTTPHeaderField: "Content-Type")
            req2.timeoutInterval = 15
@@ -63,7 +80,8 @@ class HealthAPIService {

    func getHeatmap(days: Int = 30) async throws -> [HeatmapEntry] {
        let token = try await ensureToken()
-        var req = URLRequest(url: URL(string: "\(baseURL)/api/health/heatmap?days=\(days)")!)
+        guard let url = URL(string: "\(baseURL)/api/health/heatmap?days=\(days)") else { return [] }
+        var req = URLRequest(url: url)
        req.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")
        req.timeoutInterval = 15
        let (data, _) = try await URLSession.shared.data(for: req)
@@ -72,17 +90,4 @@ class HealthAPIService {
        let wrapped = try JSONDecoder().decode(HeatmapResponse.self, from: data)
        return wrapped.data
    }
-
-    func sendHealthData(apiKey: String, payload: Data) async throws {
-        let url = URL(string: "\(baseURL)/api/health?key=\(apiKey)")!
-        var req = URLRequest(url: url)
-        req.httpMethod = "POST"
-        req.setValue("application/json", forHTTPHeaderField: "Content-Type")
-        req.httpBody = payload
-        req.timeoutInterval = 30
-        let (_, response) = try await URLSession.shared.data(for: req)
-        guard let http = response as? HTTPURLResponse, (200...299).contains(http.statusCode) else {
-            throw APIError.serverError((response as? HTTPURLResponse)?.statusCode ?? 0, "Ошибка отправки")
-        }
-    }
 }
--- a/PulseHealth/Services/HealthKitService.swift
+++ b/PulseHealth/Services/HealthKitService.swift
@@ -1,6 +1,7 @@
 import HealthKit
 import Foundation

+@MainActor
 class HealthKitService: ObservableObject {
    let healthStore = HKHealthStore()
    @Published var isSyncing = false
@@ -20,9 +21,14 @@ class HealthKitService: ObservableObject {
    ]

    func requestAuthorization() async throws {
+        guard isAvailable else { throw HealthKitError.notAvailable }
        try await healthStore.requestAuthorization(toShare: [], read: typesToRead)
    }

+    func checkAuthorization(for type: HKObjectType) -> Bool {
+        healthStore.authorizationStatus(for: type) == .sharingAuthorized
+    }
+
    // MARK: - Collect All Metrics

    func collectAllMetrics() async -> [[String: Any]] {
@@ -150,7 +156,7 @@ class HealthKitService: ObservableObject {

        // Берём последние 24 часа, чтобы захватить ночной сон
        let now = Date()
-        let yesterday = Calendar.current.date(byAdding: .hour, value: -24, to: now)!
+        guard let yesterday = Calendar.current.date(byAdding: .hour, value: -24, to: now) else { return [] }
        let sleepPredicate = HKQuery.predicateForSamples(withStart: yesterday, end: now)

        return await withCheckedContinuation { cont in
@@ -240,8 +246,8 @@ class HealthKitService: ObservableObject {
    // MARK: - Send to Server

    func syncToServer(apiKey: String) async throws {
-        await MainActor.run { isSyncing = true }
-        defer { Task { @MainActor in isSyncing = false } }
+        isSyncing = true
+        defer { isSyncing = false }

        guard isAvailable else {
            throw HealthKitError.notAvailable
@@ -262,14 +268,14 @@ class HealthKitService: ObservableObject {

        let jsonData = try JSONSerialization.data(withJSONObject: payload)

-        let urlStr = "\(HealthAPIService.shared.baseURL)/api/health?key=\(apiKey)"
-        guard let url = URL(string: urlStr) else {
+        guard let url = URL(string: "\(HealthAPIService.shared.baseURL)/api/health") else {
            throw HealthKitError.invalidURL
        }

        var request = URLRequest(url: url)
        request.httpMethod = "POST"
        request.setValue("application/json", forHTTPHeaderField: "Content-Type")
+        request.setValue(apiKey, forHTTPHeaderField: "X-API-Key")
        request.httpBody = jsonData
        request.timeoutInterval = 30

@@ -322,7 +328,7 @@ class HealthKitService: ObservableObject {
    func fetchSleepSegments() async -> [SleepSegment] {
        guard let sleepType = HKCategoryType.categoryType(forIdentifier: .sleepAnalysis) else { return [] }
        let now = Date()
-        let yesterday = Calendar.current.date(byAdding: .hour, value: -24, to: now)!
+        guard let yesterday = Calendar.current.date(byAdding: .hour, value: -24, to: now) else { return [] }
        let predicate = HKQuery.predicateForSamples(withStart: yesterday, end: now)

        return await withCheckedContinuation { cont in
--- a/PulseHealth/Services/KeychainService.swift
+++ b/PulseHealth/Services/KeychainService.swift
@@ -0,0 +1,49 @@
+import Foundation
+import Security
+
+enum KeychainService {
+    static let service = "com.daniil.pulsehealth"
+
+    static func save(key: String, value: String) {
+        guard let data = value.data(using: .utf8) else { return }
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: service,
+            kSecAttrAccount as String: key
+        ]
+        SecItemDelete(query as CFDictionary)
+        var add = query
+        add[kSecValueData as String] = data
+        add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
+        SecItemAdd(add as CFDictionary, nil)
+    }
+
+    static func load(key: String) -> String? {
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: service,
+            kSecAttrAccount as String: key,
+            kSecReturnData as String: true,
+            kSecMatchLimit as String: kSecMatchLimitOne
+        ]
+        var result: AnyObject?
+        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
+              let data = result as? Data else { return nil }
+        return String(data: data, encoding: .utf8)
+    }
+
+    static func delete(key: String) {
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: service,
+            kSecAttrAccount as String: key
+        ]
+        SecItemDelete(query as CFDictionary)
+    }
+
+    // Keys
+    static let tokenKey = "auth_token"
+    static let refreshTokenKey = "auth_refresh_token"
+    static let healthTokenKey = "health_jwt_token"
+    static let healthApiKeyKey = "health_api_key"
+}
--- a/PulseHealth/Services/NotificationService.swift
+++ b/PulseHealth/Services/NotificationService.swift
@@ -157,13 +157,16 @@ class NotificationService {
        cancelReminder("morning_reminder")
        cancelReminder("evening_reminder")

-        if morning {
-            let parts = morningTime.split(separator: ":").compactMap { Int($0) }
-            if parts.count == 2 { scheduleMorningReminder(hour: parts[0], minute: parts[1]) }
-        }
-        if evening {
-            let parts = eveningTime.split(separator: ":").compactMap { Int($0) }
-            if parts.count == 2 { scheduleEveningReminder(hour: parts[0], minute: parts[1]) }
+        Task {
+            guard await isAuthorized() else { return }
+            if morning {
+                let parts = morningTime.split(separator: ":").compactMap { Int($0) }
+                if parts.count == 2 { scheduleMorningReminder(hour: parts[0], minute: parts[1]) }
+            }
+            if evening {
+                let parts = eveningTime.split(separator: ":").compactMap { Int($0) }
+                if parts.count == 2 { scheduleEveningReminder(hour: parts[0], minute: parts[1]) }
+            }
        }
    }
 }