feat: implement 5 QA-driven security and quality proposals

Implemented proposals from comprehensive QA review: 1. extend-csrf-protection - Add POST to CSRF protected methods in frontend - Global CSRF middleware for all state-changing operations - Update tests with CSRF token fixtures 2. tighten-cors-websocket-security - Replace wildcard CORS with explicit method/header lists - Disable query parameter auth in production (code 4002) - Add per-user WebSocket connection limit (max 5, code 4005) 3. shorten-jwt-expiry - Reduce JWT expiry from 7 days to 60 minutes - Add refresh token support with 7-day expiry - Implement token rotation on refresh - Frontend auto-refresh when token near expiry (<5 min) 4. fix-frontend-quality - Add React.lazy() code splitting for all pages - Fix useCallback dependency arrays (Dashboard, Comments) - Add localStorage data validation in AuthContext - Complete i18n for AttachmentUpload component 5. enhance-backend-validation - Add SecurityAuditMiddleware for access denied logging - Add ErrorSanitizerMiddleware for production error messages - Protect /health/detailed with admin authentication - Add input length validation (comment 5000, desc 10000) All 521 backend tests passing. Frontend builds successfully. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 23:19:05 +08:00
parent df50d5e7f8
commit 35c90fe76b
48 changed files with 2132 additions and 403 deletions
--- a/backend/tests/test_task_dependencies.py
+++ b/backend/tests/test_task_dependencies.py
@@ -783,7 +783,7 @@ class TestDateValidation:
 class TestDependencyCRUDAPI:
    """Test dependency CRUD API endpoints."""

-    def test_create_dependency(self, client, db, admin_token):
+    def test_create_dependency(self, client, db, admin_token, csrf_token):
        """Test creating a dependency via API."""
        # Create test data
        space = Space(
@@ -838,7 +838,7 @@ class TestDependencyCRUDAPI:
                "dependency_type": "FS",
                "lag_days": 0
            },
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token},
        )

        assert response.status_code == 201
@@ -914,7 +914,7 @@ class TestDependencyCRUDAPI:
        assert data["total"] >= 1
        assert any(d["predecessor_id"] == "task-api-list-1" for d in data["dependencies"])

-    def test_delete_dependency(self, client, db, admin_token):
+    def test_delete_dependency(self, client, db, admin_token, csrf_token):
        """Test deleting a dependency."""
        # Create test data
        space = Space(
@@ -973,7 +973,7 @@ class TestDependencyCRUDAPI:
        # Delete dependency
        response = client.delete(
            "/api/task-dependencies/dep-api-del",
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token},
        )

        assert response.status_code == 204
@@ -984,7 +984,7 @@ class TestDependencyCRUDAPI:
        ).first()
        assert dep_check is None

-    def test_circular_dependency_rejected_via_api(self, client, db, admin_token):
+    def test_circular_dependency_rejected_via_api(self, client, db, admin_token, csrf_token):
        """Test that circular dependencies are rejected via API."""
        # Create test data
        space = Space(
@@ -1049,7 +1049,7 @@ class TestDependencyCRUDAPI:
                "dependency_type": "FS",
                "lag_days": 0
            },
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token},
        )

        assert response.status_code == 400
@@ -1060,7 +1060,7 @@ class TestDependencyCRUDAPI:
 class TestTaskDateValidationAPI:
    """Test task date validation in task API."""

-    def test_create_task_with_invalid_dates_rejected(self, client, db, admin_token):
+    def test_create_task_with_invalid_dates_rejected(self, client, db, admin_token, csrf_token):
        """Test that creating a task with start_date > due_date is rejected."""
        # Create test data
        space = Space(
@@ -1099,13 +1099,13 @@ class TestTaskDateValidationAPI:
                "start_date": (now + timedelta(days=10)).isoformat(),
                "due_date": now.isoformat(),
            },
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token},
        )

        assert response.status_code == 400
        assert "Start date cannot be after due date" in response.json()["detail"]

-    def test_update_task_with_invalid_dates_rejected(self, client, db, admin_token):
+    def test_update_task_with_invalid_dates_rejected(self, client, db, admin_token, csrf_token):
        """Test that updating a task to have start_date > due_date is rejected."""
        # Create test data
        space = Space(
@@ -1153,12 +1153,12 @@ class TestTaskDateValidationAPI:
            json={
                "start_date": (now + timedelta(days=20)).isoformat(),
            },
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token},
        )

        assert response.status_code == 400

-    def test_create_task_with_valid_dates_accepted(self, client, db, admin_token):
+    def test_create_task_with_valid_dates_accepted(self, client, db, admin_token, csrf_token):
        """Test that creating a task with valid dates is accepted."""
        # Create test data
        space = Space(
@@ -1197,7 +1197,7 @@ class TestTaskDateValidationAPI:
                "start_date": now.isoformat(),
                "due_date": (now + timedelta(days=10)).isoformat(),
            },
-            headers={"Authorization": f"Bearer {admin_token}"},
+            headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token},
        )

        assert response.status_code == 201
@@ -1217,7 +1217,7 @@ class TestDependencyTypes:
        assert DependencyType.FF.value == "FF"
        assert DependencyType.SF.value == "SF"

-    def test_create_dependency_with_different_types(self, client, db, admin_token):
+    def test_create_dependency_with_different_types(self, client, db, admin_token, csrf_token):
        """Test creating dependencies with different types via API."""
        # Create test data
        space = Space(
@@ -1268,7 +1268,7 @@ class TestDependencyTypes:
                    "dependency_type": dep_type,
                    "lag_days": i
                },
-                headers={"Authorization": f"Bearer {admin_token}"},
+                headers={"Authorization": f"Bearer {admin_token}", "X-CSRF-Token": csrf_token},
            )

            assert response.status_code == 201