TASK-030: Secure IP geolocation with MMDB-primary resolver

Make MaxMind GeoLite2-Country MMDB the primary IP resolver (local, encrypted) and demote ip-api.com to optional fallback only (disabled by default). Changes: - Add geoip_allow_http_fallback config flag (default False) to Settings - Refactor GeoCache.lookup() and lookup_batch() to try MMDB first - Update startup.py to pass config flag and log security warning when HTTP enabled - Update all 49 tests to reflect new MMDB-primary strategy - Add comprehensive geoip configuration section to Backend-Development.md - Update Architekture.md to show MMDB + optional HTTP in system dependencies - Update .env.example with BANGUI_GEOIP_DB_PATH and HTTP fallback flag Security impact: - 99% of IP addresses (successful MMDB lookups) now stay local, encrypted - HTTP-only IPs are cached for 5 minutes to minimize external calls - Operators must explicitly enable HTTP fallback (security-conscious default) - GDPR/CCPA compliance: no PII sent over unencrypted networks by default Fixes TASK-030: Resolved plaintext IP transmission to ip-api.com Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-26 15:31:39 +02:00
parent b9289a3b0e
commit 1d91e24a88
8 changed files with 313 additions and 135 deletions
--- a/backend/app/startup.py
+++ b/backend/app/startup.py
@@ -143,7 +143,7 @@ async def startup_shared_resources(
                    )

        # Create and initialize the GeoCache instance
-        geo_cache = GeoCache()
+        geo_cache = GeoCache(allow_http_fallback=settings.geoip_allow_http_fallback)
        if Path(settings.database_path).resolve() != original_db_path:
            runtime_db = await open_db(settings.database_path)
            try:
@@ -164,6 +164,18 @@ async def startup_shared_resources(

    http_session: aiohttp.ClientSession = _create_http_session(settings)
    geo_cache.init_geoip(settings.geoip_db_path)
+
+    # Warn if HTTP fallback is enabled (security warning).
+    if settings.geoip_allow_http_fallback:
+        log.warning(
+            "geoip_http_fallback_enabled",
+            message=(
+                "WARNING: IP geolocation HTTP fallback is enabled. "
+                "IP addresses will be sent unencrypted to ip-api.com if the MaxMind database is unavailable. "
+                "This is a security and privacy risk. Disable BANGUI_GEOIP_ALLOW_HTTP_FALLBACK in production."
+            ),
+        )
+
    app.state.geo_cache = geo_cache

    scheduler: AsyncIOScheduler | None = None