feat: implement security, error resilience, and query optimization proposals

Security Validation (enhance-security-validation): - JWT secret validation with entropy checking and pattern detection - CSRF protection middleware with token generation/validation - Frontend CSRF token auto-injection for DELETE/PUT/PATCH requests - MIME type validation with magic bytes detection for file uploads Error Resilience (add-error-resilience): - React ErrorBoundary component with fallback UI and retry functionality - ErrorBoundaryWithI18n wrapper for internationalization support - Page-level and section-level error boundaries in App.tsx Query Performance (optimize-query-performance): - Query monitoring utility with threshold warnings - N+1 query fixes using joinedload/selectinload - Optimized project members, tasks, and subtasks endpoints Bug Fixes: - WebSocket session management (P0): Return primitives instead of ORM objects - LIKE query injection (P1): Escape special characters in search queries Tests: 543 backend tests, 56 frontend tests passing Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-11 18:41:19 +08:00
parent 2cb591ef23
commit 679b89ae4c
41 changed files with 3673 additions and 153 deletions
--- a/backend/app/api/users/router.py
+++ b/backend/app/api/users/router.py
@@ -3,7 +3,7 @@ from sqlalchemy.orm import Session
 from sqlalchemy import or_
 from typing import List

-from app.core.database import get_db
+from app.core.database import get_db, escape_like
 from app.core.redis import get_redis
 from app.models.user import User
 from app.models.role import Role
@@ -16,6 +16,7 @@ from app.middleware.auth import (
    check_department_access,
 )
 from app.middleware.audit import get_audit_metadata
+from app.middleware.csrf import require_csrf_token
 from app.services.audit_service import AuditService

 router = APIRouter()
@@ -32,11 +33,13 @@ async def search_users(
    Search users by name or email. Used for @mention autocomplete.
    Returns users matching the query, limited to same department unless system admin.
    """
+    # Escape special LIKE characters to prevent injection
+    escaped_q = escape_like(q)
    query = db.query(User).filter(
        User.is_active == True,
        or_(
-            User.name.ilike(f"%{q}%"),
-            User.email.ilike(f"%{q}%"),
+            User.name.ilike(f"%{escaped_q}%", escape="\\"),
+            User.email.ilike(f"%{escaped_q}%", escape="\\"),
        )
    )

@@ -197,6 +200,7 @@ async def assign_role(


@router.patch("/{user_id}/admin", response_model=UserResponse)
+@require_csrf_token
 async def set_admin_status(
    user_id: str,
    is_admin: bool,
@@ -205,7 +209,7 @@ async def set_admin_status(
    current_user: User = Depends(require_system_admin),
 ):
    """
-    Set or revoke system administrator status. Requires system admin.
+    Set or revoke system administrator status. Requires system admin and CSRF token.
    """
    user = db.query(User).filter(User.id == user_id).first()
    if not user: