feat: implement 5 QA-driven security and quality proposals

Implemented proposals from comprehensive QA review: 1. extend-csrf-protection - Add POST to CSRF protected methods in frontend - Global CSRF middleware for all state-changing operations - Update tests with CSRF token fixtures 2. tighten-cors-websocket-security - Replace wildcard CORS with explicit method/header lists - Disable query parameter auth in production (code 4002) - Add per-user WebSocket connection limit (max 5, code 4005) 3. shorten-jwt-expiry - Reduce JWT expiry from 7 days to 60 minutes - Add refresh token support with 7-day expiry - Implement token rotation on refresh - Frontend auto-refresh when token near expiry (<5 min) 4. fix-frontend-quality - Add React.lazy() code splitting for all pages - Fix useCallback dependency arrays (Dashboard, Comments) - Add localStorage data validation in AuthContext - Complete i18n for AttachmentUpload component 5. enhance-backend-validation - Add SecurityAuditMiddleware for access denied logging - Add ErrorSanitizerMiddleware for production error messages - Protect /health/detailed with admin authentication - Add input length validation (comment 5000, desc 10000) All 521 backend tests passing. Frontend builds successfully. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 23:19:05 +08:00
parent df50d5e7f8
commit 35c90fe76b
48 changed files with 2132 additions and 403 deletions
--- a/backend/tests/test_api_enhancements.py
+++ b/backend/tests/test_api_enhancements.py
@@ -173,7 +173,7 @@ class TestProjectTemplates:
        # Should return list of templates
        assert "templates" in data or isinstance(data, list)

-    def test_create_template(self, client, admin_token, db):
+    def test_create_template(self, client, auth_headers, db):
        """Test creating a new project template."""
        from app.models import Space

@@ -192,14 +192,14 @@ class TestProjectTemplates:
                    {"name": "Done", "color": "#00FF00"}
                ]
            },
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers=auth_headers
        )

        assert response.status_code in [200, 201]
        data = response.json()
        assert data.get("name") == "Test Template"

-    def test_create_project_from_template(self, client, admin_token, db):
+    def test_create_project_from_template(self, client, auth_headers, db):
        """Test creating a project from a template."""
        from app.models import Space, ProjectTemplate

@@ -228,14 +228,14 @@ class TestProjectTemplates:
                "description": "Created from template",
                "template_id": "test-template-id"
            },
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers=auth_headers
        )

        assert response.status_code in [200, 201]
        data = response.json()
        assert data.get("name") == "Project from Template"

-    def test_delete_template(self, client, admin_token, db):
+    def test_delete_template(self, client, auth_headers, db):
        """Test deleting a project template."""
        from app.models import ProjectTemplate

@@ -251,7 +251,7 @@ class TestProjectTemplates:

        response = client.delete(
            "/api/templates/delete-template-id",
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers=auth_headers
        )

        assert response.status_code in [200, 204]