feat: implement 5 QA-driven security and quality proposals

Implemented proposals from comprehensive QA review: 1. extend-csrf-protection - Add POST to CSRF protected methods in frontend - Global CSRF middleware for all state-changing operations - Update tests with CSRF token fixtures 2. tighten-cors-websocket-security - Replace wildcard CORS with explicit method/header lists - Disable query parameter auth in production (code 4002) - Add per-user WebSocket connection limit (max 5, code 4005) 3. shorten-jwt-expiry - Reduce JWT expiry from 7 days to 60 minutes - Add refresh token support with 7-day expiry - Implement token rotation on refresh - Frontend auto-refresh when token near expiry (<5 min) 4. fix-frontend-quality - Add React.lazy() code splitting for all pages - Fix useCallback dependency arrays (Dashboard, Comments) - Add localStorage data validation in AuthContext - Complete i18n for AttachmentUpload component 5. enhance-backend-validation - Add SecurityAuditMiddleware for access denied logging - Add ErrorSanitizerMiddleware for production error messages - Protect /health/detailed with admin authentication - Add input length validation (comment 5000, desc 10000) All 521 backend tests passing. Frontend builds successfully. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 23:19:05 +08:00
parent df50d5e7f8
commit 35c90fe76b
48 changed files with 2132 additions and 403 deletions
--- a/backend/tests/test_collaboration.py
+++ b/backend/tests/test_collaboration.py
@@ -36,6 +36,13 @@ def user_token(client, mock_redis, test_user):
    return token


+@pytest.fixture
+def user_csrf_token(test_user):
+    """Generate a CSRF token for the test user."""
+    from app.core.security import generate_csrf_token
+    return generate_csrf_token(test_user.id)
+
+
@pytest.fixture
 def test_space(db):
    """Create a test space."""
@@ -100,11 +107,11 @@ def test_task(db, test_project, test_status):
 class TestComments:
    """Tests for Comments API."""

-    def test_create_comment(self, client, admin_token, test_task):
+    def test_create_comment(self, client, auth_headers, test_task):
        """Test creating a comment."""
        response = client.post(
            f"/api/tasks/{test_task.id}/comments",
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers=auth_headers,
            json={"content": "This is a test comment"},
        )
        assert response.status_code == 201
@@ -136,7 +143,7 @@ class TestComments:
        assert len(data["comments"]) == 1
        assert data["comments"][0]["content"] == "Test comment"

-    def test_update_comment(self, client, admin_token, db, test_task):
+    def test_update_comment(self, client, auth_headers, db, test_task):
        """Test updating a comment."""
        comment = Comment(
            id=str(uuid.uuid4()),
@@ -149,7 +156,7 @@ class TestComments:

        response = client.put(
            f"/api/comments/{comment.id}",
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers=auth_headers,
            json={"content": "Updated content"},
        )
        assert response.status_code == 200
@@ -157,7 +164,7 @@ class TestComments:
        assert data["content"] == "Updated content"
        assert data["is_edited"] is True

-    def test_delete_comment(self, client, admin_token, db, test_task):
+    def test_delete_comment(self, client, auth_headers, db, test_task):
        """Test deleting a comment (soft delete)."""
        comment = Comment(
            id=str(uuid.uuid4()),
@@ -170,7 +177,7 @@ class TestComments:

        response = client.delete(
            f"/api/comments/{comment.id}",
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers=auth_headers,
        )
        assert response.status_code == 204

@@ -178,13 +185,13 @@ class TestComments:
        db.refresh(comment)
        assert comment.is_deleted is True

-    def test_mention_limit(self, client, admin_token, test_task):
+    def test_mention_limit(self, client, auth_headers, test_task):
        """Test that @mention limit is enforced."""
        # Create content with more than 10 mentions
        mentions = " ".join([f"@user{i}" for i in range(15)])
        response = client.post(
            f"/api/tasks/{test_task.id}/comments",
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers=auth_headers,
            json={"content": f"Test with many mentions: {mentions}"},
        )
        assert response.status_code == 400
@@ -218,7 +225,7 @@ class TestNotifications:
        assert data["total"] >= 1
        assert data["unread_count"] >= 1

-    def test_mark_notification_as_read(self, client, admin_token, db):
+    def test_mark_notification_as_read(self, client, auth_headers, db):
        """Test marking a notification as read."""
        notification = Notification(
            id=str(uuid.uuid4()),
@@ -233,14 +240,14 @@ class TestNotifications:

        response = client.put(
            f"/api/notifications/{notification.id}/read",
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers=auth_headers,
        )
        assert response.status_code == 200
        data = response.json()
        assert data["is_read"] is True
        assert data["read_at"] is not None

-    def test_mark_all_as_read(self, client, admin_token, db):
+    def test_mark_all_as_read(self, client, auth_headers, db):
        """Test marking all notifications as read."""
        # Create multiple unread notifications
        for i in range(3):
@@ -257,7 +264,7 @@ class TestNotifications:

        response = client.put(
            "/api/notifications/read-all",
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers=auth_headers,
        )
        assert response.status_code == 200
        data = response.json()
@@ -290,11 +297,11 @@ class TestNotifications:
 class TestBlockers:
    """Tests for Blockers API."""

-    def test_create_blocker(self, client, admin_token, test_task):
+    def test_create_blocker(self, client, auth_headers, test_task):
        """Test creating a blocker."""
        response = client.post(
            f"/api/tasks/{test_task.id}/blockers",
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers=auth_headers,
            json={"reason": "Waiting for external dependency"},
        )
        assert response.status_code == 201
@@ -302,7 +309,7 @@ class TestBlockers:
        assert data["reason"] == "Waiting for external dependency"
        assert data["resolved_at"] is None

-    def test_resolve_blocker(self, client, admin_token, db, test_task):
+    def test_resolve_blocker(self, client, auth_headers, db, test_task):
        """Test resolving a blocker."""
        blocker = Blocker(
            id=str(uuid.uuid4()),
@@ -316,7 +323,7 @@ class TestBlockers:

        response = client.put(
            f"/api/blockers/{blocker.id}/resolve",
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers=auth_headers,
            json={"resolution_note": "Issue resolved by updating config"},
        )
        assert response.status_code == 200
@@ -348,7 +355,7 @@ class TestBlockers:
        assert data["total"] == 1
        assert data["blockers"][0]["reason"] == "Test blocker"

-    def test_cannot_create_duplicate_active_blocker(self, client, admin_token, db, test_task):
+    def test_cannot_create_duplicate_active_blocker(self, client, auth_headers, db, test_task):
        """Test that duplicate active blockers are prevented."""
        # Create first blocker
        blocker = Blocker(
@@ -363,7 +370,7 @@ class TestBlockers:
        # Try to create second blocker
        response = client.post(
            f"/api/tasks/{test_task.id}/blockers",
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers=auth_headers,
            json={"reason": "Second blocker"},
        )
        assert response.status_code == 400