feat: implement 5 QA-driven security and quality proposals

Implemented proposals from comprehensive QA review:

1. extend-csrf-protection
   - Add POST to CSRF protected methods in frontend
   - Global CSRF middleware for all state-changing operations
   - Update tests with CSRF token fixtures

2. tighten-cors-websocket-security
   - Replace wildcard CORS with explicit method/header lists
   - Disable query parameter auth in production (code 4002)
   - Add per-user WebSocket connection limit (max 5, code 4005)

3. shorten-jwt-expiry
   - Reduce JWT expiry from 7 days to 60 minutes
   - Add refresh token support with 7-day expiry
   - Implement token rotation on refresh
   - Frontend auto-refresh when token near expiry (<5 min)

4. fix-frontend-quality
   - Add React.lazy() code splitting for all pages
   - Fix useCallback dependency arrays (Dashboard, Comments)
   - Add localStorage data validation in AuthContext
   - Complete i18n for AttachmentUpload component

5. enhance-backend-validation
   - Add SecurityAuditMiddleware for access denied logging
   - Add ErrorSanitizerMiddleware for production error messages
   - Protect /health/detailed with admin authentication
   - Add input length validation (comment 5000, desc 10000)

All 521 backend tests passing. Frontend builds successfully.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/websocket/router.py

@@ -9,6 +9,7 @@ from sqlalchemy.orm import Session
 from app.core import database
 from app.core.security import decode_access_token
 from app.core.redis import get_redis_sync
+from app.core.config import settings
 from app.models import User, Notification, Project
 from app.services.websocket_manager import manager
 from app.core.redis_pubsub import NotificationSubscriber, ProjectTaskSubscriber
@@ -72,14 +73,24 @@ async def authenticate_websocket(
     Supports two authentication methods:
     1. First message authentication (preferred, more secure)
        - Client sends: {"type": "auth", "token": "<jwt_token>"}
-    2. Query parameter authentication (deprecated, for backward compatibility)
+    2. Query parameter authentication (disabled in production, for backward compatibility only)
        - Client connects with: ?token=<jwt_token>
 
     Returns:
         Tuple of (user_id, error_reason). user_id is None if authentication fails.
+        Error reasons: "invalid_token", "invalid_message", "missing_token",
+                      "timeout", "error", "query_auth_disabled"
     """
     # If token provided via query parameter (backward compatibility)
     if query_token:
+        # Reject query parameter auth in production for security
+        if settings.ENVIRONMENT == "production":
+            logger.warning(
+                "WebSocket query parameter authentication attempted in production environment. "
+                "This is disabled for security reasons."
+            )
+            return None, "query_auth_disabled"
+
         logger.warning(
             "WebSocket authentication via query parameter is deprecated. "
             "Please use first-message authentication for better security."
@@ -195,9 +206,21 @@ async def websocket_notifications(
     user_id, error_reason = await authenticate_websocket(websocket, token)
 
     if user_id is None:
-        if error_reason == "invalid_token":
+        if error_reason == "query_auth_disabled":
+            await websocket.send_json({"type": "error", "message": "Query parameter auth disabled in production"})
+            await websocket.close(code=4002, reason="Query parameter auth disabled in production")
+        elif error_reason == "invalid_token":
             await websocket.send_json({"type": "error", "message": "Invalid or expired token"})
-        await websocket.close(code=4001, reason="Invalid or expired token")
+            await websocket.close(code=4001, reason="Invalid or expired token")
+        else:
+            await websocket.close(code=4001, reason="Invalid or expired token")
+        return
+
+    # Check connection limit before accepting
+    can_connect, reject_reason = await manager.check_connection_limit(user_id)
+    if not can_connect:
+        await websocket.send_json({"type": "error", "message": reject_reason})
+        await websocket.close(code=4005, reason=reject_reason)
         return
 
     await manager.connect(websocket, user_id)
@@ -394,9 +417,21 @@ async def websocket_project_sync(
     user_id, error_reason = await authenticate_websocket(websocket, token)
 
     if user_id is None:
-        if error_reason == "invalid_token":
+        if error_reason == "query_auth_disabled":
+            await websocket.send_json({"type": "error", "message": "Query parameter auth disabled in production"})
+            await websocket.close(code=4002, reason="Query parameter auth disabled in production")
+        elif error_reason == "invalid_token":
             await websocket.send_json({"type": "error", "message": "Invalid or expired token"})
-        await websocket.close(code=4001, reason="Invalid or expired token")
+            await websocket.close(code=4001, reason="Invalid or expired token")
+        else:
+            await websocket.close(code=4001, reason="Invalid or expired token")
+        return
+
+    # Check connection limit before accepting
+    can_connect, reject_reason = await manager.check_connection_limit(user_id)
+    if not can_connect:
+        await websocket.send_json({"type": "error", "message": reject_reason})
+        await websocket.close(code=4005, reason=reject_reason)
         return
 
     # Verify user has access to the project