egg/PROJECT-CONTORL
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement 5 QA-driven security and quality proposals

Browse Source 
Implemented proposals from comprehensive QA review:

1. extend-csrf-protection
   - Add POST to CSRF protected methods in frontend
   - Global CSRF middleware for all state-changing operations
   - Update tests with CSRF token fixtures

2. tighten-cors-websocket-security
   - Replace wildcard CORS with explicit method/header lists
   - Disable query parameter auth in production (code 4002)
   - Add per-user WebSocket connection limit (max 5, code 4005)

3. shorten-jwt-expiry
   - Reduce JWT expiry from 7 days to 60 minutes
   - Add refresh token support with 7-day expiry
   - Implement token rotation on refresh
   - Frontend auto-refresh when token near expiry (<5 min)

4. fix-frontend-quality
   - Add React.lazy() code splitting for all pages
   - Fix useCallback dependency arrays (Dashboard, Comments)
   - Add localStorage data validation in AuthContext
   - Complete i18n for AttachmentUpload component

5. enhance-backend-validation
   - Add SecurityAuditMiddleware for access denied logging
   - Add ErrorSanitizerMiddleware for production error messages
   - Protect /health/detailed with admin authentication
   - Add input length validation (comment 5000, desc 10000)

All 521 backend tests passing. Frontend builds successfully.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
beabigegg
2026-01-12 23:19:05 +08:00
parent df50d5e7f8
commit 35c90fe76b
48 changed files with 2132 additions and 403 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
backend/tests/test_audit.py
View File

@@ -253,7 +253,7 @@ class TestAuditAPI:
assert data["total"] == 3
assert all(log["resource_id"] == resource_id for log in data["logs"])
def test_verify_integrity(self, client, admin_token, db):
def test_verify_integrity(self, client, auth_headers, db):
"""Test integrity verification."""
now = datetime.utcnow()
@@ -270,7 +270,7 @@ class TestAuditAPI:
response = client.post(
"/api/audit-logs/verify-integrity",
headers={"Authorization": f"Bearer {admin_token}"},
headers=auth_headers,
json={
"start_date": (now - timedelta(hours=1)).isoformat(),
"end_date": (now + timedelta(hours=1)).isoformat(),
@@ -281,7 +281,7 @@ class TestAuditAPI:
assert data["total_checked"] >= 1
assert data["invalid_count"] == 0
def test_acknowledge_alert(self, client, admin_token, db):
def test_acknowledge_alert(self, client, auth_headers, db):
"""Test acknowledging an alert."""
# Create a log and alert
log = AuditLog(
@@ -309,7 +309,7 @@ class TestAuditAPI:
response = client.put(
f"/api/audit-alerts/{alert.id}/acknowledge",
headers={"Authorization": f"Bearer {admin_token}"},
headers=auth_headers,
)
assert response.status_code == 200
data = response.json()