feat: implement 5 QA-driven security and quality proposals

Implemented proposals from comprehensive QA review: 1. extend-csrf-protection - Add POST to CSRF protected methods in frontend - Global CSRF middleware for all state-changing operations - Update tests with CSRF token fixtures 2. tighten-cors-websocket-security - Replace wildcard CORS with explicit method/header lists - Disable query parameter auth in production (code 4002) - Add per-user WebSocket connection limit (max 5, code 4005) 3. shorten-jwt-expiry - Reduce JWT expiry from 7 days to 60 minutes - Add refresh token support with 7-day expiry - Implement token rotation on refresh - Frontend auto-refresh when token near expiry (<5 min) 4. fix-frontend-quality - Add React.lazy() code splitting for all pages - Fix useCallback dependency arrays (Dashboard, Comments) - Add localStorage data validation in AuthContext - Complete i18n for AttachmentUpload component 5. enhance-backend-validation - Add SecurityAuditMiddleware for access denied logging - Add ErrorSanitizerMiddleware for production error messages - Protect /health/detailed with admin authentication - Add input length validation (comment 5000, desc 10000) All 521 backend tests passing. Frontend builds successfully. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 23:19:05 +08:00
parent df50d5e7f8
commit 35c90fe76b
48 changed files with 2132 additions and 403 deletions
--- a/backend/tests/test_concurrency_reliability.py
+++ b/backend/tests/test_concurrency_reliability.py
@@ -18,7 +18,7 @@ from datetime import datetime, timedelta
 class TestOptimisticLocking:
    """Test optimistic locking for concurrent updates."""

-    def test_version_increments_on_update(self, client, admin_token, db):
+    def test_version_increments_on_update(self, client, admin_token, csrf_token, db):
        """Test that task version increments on successful update."""
        from app.models import Space, Project, Task, TaskStatus

@@ -47,7 +47,7 @@ class TestOptimisticLocking:
        response = client.patch(
            "/api/tasks/task-1",
            json={"title": "Updated Task", "version": 1},
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token}
        )

        assert response.status_code == 200
@@ -55,7 +55,7 @@ class TestOptimisticLocking:
        assert data["title"] == "Updated Task"
        assert data["version"] == 2  # Version should increment

-    def test_version_conflict_returns_409(self, client, admin_token, db):
+    def test_version_conflict_returns_409(self, client, admin_token, csrf_token, db):
        """Test that stale version returns 409 Conflict."""
        from app.models import Space, Project, Task, TaskStatus

@@ -84,7 +84,7 @@ class TestOptimisticLocking:
        response = client.patch(
            "/api/tasks/task-2",
            json={"title": "Stale Update", "version": 1},
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token}
        )

        assert response.status_code == 409
@@ -94,7 +94,7 @@ class TestOptimisticLocking:
        assert detail.get("current_version") == 5
        assert detail.get("provided_version") == 1

-    def test_update_without_version_succeeds(self, client, admin_token, db):
+    def test_update_without_version_succeeds(self, client, admin_token, csrf_token, db):
        """Test that update without version (for backward compatibility) still works."""
        from app.models import Space, Project, Task, TaskStatus

@@ -123,7 +123,7 @@ class TestOptimisticLocking:
        response = client.patch(
            "/api/tasks/task-3",
            json={"title": "No Version Update"},
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token}
        )

        # Should succeed (backward compatibility)
@@ -179,7 +179,7 @@ class TestTriggerRetryMechanism:
 class TestCascadeRestore:
    """Test cascade restore for soft-deleted tasks."""

-    def test_restore_parent_with_children(self, client, admin_token, db):
+    def test_restore_parent_with_children(self, client, admin_token, csrf_token, db):
        """Test restoring parent task also restores children deleted at same time."""
        from app.models import Space, Project, Task, TaskStatus
        from datetime import datetime
@@ -236,7 +236,7 @@ class TestCascadeRestore:
        response = client.post(
            "/api/tasks/parent-task/restore",
            json={"cascade": True},
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token}
        )

        assert response.status_code == 200
@@ -254,7 +254,7 @@ class TestCascadeRestore:
        assert child_task1.is_deleted is False
        assert child_task2.is_deleted is False

-    def test_restore_parent_only(self, client, admin_token, db):
+    def test_restore_parent_only(self, client, admin_token, csrf_token, db):
        """Test restoring parent task without cascade leaves children deleted."""
        from app.models import Space, Project, Task, TaskStatus
        from datetime import datetime
@@ -299,7 +299,7 @@ class TestCascadeRestore:
        response = client.post(
            "/api/tasks/parent-task-2/restore",
            json={"cascade": False},
-            headers={"Authorization": f"Bearer {admin_token}"}
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token}
        )

        assert response.status_code == 200