feat: implement 5 QA-driven security and quality proposals

Implemented proposals from comprehensive QA review: 1. extend-csrf-protection - Add POST to CSRF protected methods in frontend - Global CSRF middleware for all state-changing operations - Update tests with CSRF token fixtures 2. tighten-cors-websocket-security - Replace wildcard CORS with explicit method/header lists - Disable query parameter auth in production (code 4002) - Add per-user WebSocket connection limit (max 5, code 4005) 3. shorten-jwt-expiry - Reduce JWT expiry from 7 days to 60 minutes - Add refresh token support with 7-day expiry - Implement token rotation on refresh - Frontend auto-refresh when token near expiry (<5 min) 4. fix-frontend-quality - Add React.lazy() code splitting for all pages - Fix useCallback dependency arrays (Dashboard, Comments) - Add localStorage data validation in AuthContext - Complete i18n for AttachmentUpload component 5. enhance-backend-validation - Add SecurityAuditMiddleware for access denied logging - Add ErrorSanitizerMiddleware for production error messages - Protect /health/detailed with admin authentication - Add input length validation (comment 5000, desc 10000) All 521 backend tests passing. Frontend builds successfully. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 23:19:05 +08:00
parent df50d5e7f8
commit 35c90fe76b
48 changed files with 2132 additions and 403 deletions
--- a/backend/tests/test_schedule_triggers.py
+++ b/backend/tests/test_schedule_triggers.py
@@ -52,6 +52,14 @@ def test_user_token(client, mock_redis, test_user):
    return token


+@pytest.fixture
+def test_user_csrf_token(test_user):
+    """Generate a CSRF token for the test user."""
+    from app.core.security import generate_csrf_token
+
+    return generate_csrf_token(test_user.id)
+
+
@pytest.fixture
 def test_space(db, test_user):
    """Create a test space."""
@@ -445,11 +453,11 @@ class TestDeadlineReminderLogic:
 class TestScheduleTriggerAPI:
    """Tests for Schedule Trigger API endpoints."""

-    def test_create_cron_trigger(self, client, test_user_token, test_project):
+    def test_create_cron_trigger(self, client, test_user_token, test_user_csrf_token, test_project):
        """Test creating a schedule trigger with cron expression."""
        response = client.post(
            f"/api/projects/{test_project.id}/triggers",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers={"Authorization": f"Bearer {test_user_token}", "X-CSRF-Token": test_user_csrf_token},
            json={
                "name": "Weekly Monday Reminder",
                "description": "Remind every Monday at 9am",
@@ -471,11 +479,11 @@ class TestScheduleTriggerAPI:
        assert data["trigger_type"] == "schedule"
        assert data["conditions"]["cron_expression"] == "0 9 * * 1"

-    def test_create_deadline_trigger(self, client, test_user_token, test_project):
+    def test_create_deadline_trigger(self, client, test_user_token, test_user_csrf_token, test_project):
        """Test creating a schedule trigger with deadline reminder."""
        response = client.post(
            f"/api/projects/{test_project.id}/triggers",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers={"Authorization": f"Bearer {test_user_token}", "X-CSRF-Token": test_user_csrf_token},
            json={
                "name": "Deadline Reminder",
                "description": "Remind 5 days before deadline",
@@ -494,11 +502,11 @@ class TestScheduleTriggerAPI:
        data = response.json()
        assert data["conditions"]["deadline_reminder_days"] == 5

-    def test_create_schedule_trigger_invalid_cron(self, client, test_user_token, test_project):
+    def test_create_schedule_trigger_invalid_cron(self, client, test_user_token, test_user_csrf_token, test_project):
        """Test creating a schedule trigger with invalid cron expression."""
        response = client.post(
            f"/api/projects/{test_project.id}/triggers",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers={"Authorization": f"Bearer {test_user_token}", "X-CSRF-Token": test_user_csrf_token},
            json={
                "name": "Invalid Cron Trigger",
                "trigger_type": "schedule",
@@ -512,11 +520,11 @@ class TestScheduleTriggerAPI:
        assert response.status_code == 400
        assert "Invalid cron expression" in response.json()["detail"]

-    def test_create_schedule_trigger_missing_condition(self, client, test_user_token, test_project):
+    def test_create_schedule_trigger_missing_condition(self, client, test_user_token, test_user_csrf_token, test_project):
        """Test creating a schedule trigger without cron or deadline condition."""
        response = client.post(
            f"/api/projects/{test_project.id}/triggers",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers={"Authorization": f"Bearer {test_user_token}", "X-CSRF-Token": test_user_csrf_token},
            json={
                "name": "Empty Schedule Trigger",
                "trigger_type": "schedule",
@@ -528,11 +536,11 @@ class TestScheduleTriggerAPI:
        assert response.status_code == 400
        assert "require either cron_expression or deadline_reminder_days" in response.json()["detail"]

-    def test_update_schedule_trigger_cron(self, client, test_user_token, cron_trigger):
+    def test_update_schedule_trigger_cron(self, client, test_user_token, test_user_csrf_token, cron_trigger):
        """Test updating a schedule trigger's cron expression."""
        response = client.put(
            f"/api/triggers/{cron_trigger.id}",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers={"Authorization": f"Bearer {test_user_token}", "X-CSRF-Token": test_user_csrf_token},
            json={
                "conditions": {
                    "cron_expression": "0 10 * * *",  # Changed to 10am
@@ -544,11 +552,11 @@ class TestScheduleTriggerAPI:
        data = response.json()
        assert data["conditions"]["cron_expression"] == "0 10 * * *"

-    def test_update_schedule_trigger_invalid_cron(self, client, test_user_token, cron_trigger):
+    def test_update_schedule_trigger_invalid_cron(self, client, test_user_token, test_user_csrf_token, cron_trigger):
        """Test updating a schedule trigger with invalid cron expression."""
        response = client.put(
            f"/api/triggers/{cron_trigger.id}",
-            headers={"Authorization": f"Bearer {test_user_token}"},
+            headers={"Authorization": f"Bearer {test_user_token}", "X-CSRF-Token": test_user_csrf_token},
            json={
                "conditions": {
                    "cron_expression": "not valid",