feat: implement security, error resilience, and query optimization proposals

Security Validation (enhance-security-validation): - JWT secret validation with entropy checking and pattern detection - CSRF protection middleware with token generation/validation - Frontend CSRF token auto-injection for DELETE/PUT/PATCH requests - MIME type validation with magic bytes detection for file uploads Error Resilience (add-error-resilience): - React ErrorBoundary component with fallback UI and retry functionality - ErrorBoundaryWithI18n wrapper for internationalization support - Page-level and section-level error boundaries in App.tsx Query Performance (optimize-query-performance): - Query monitoring utility with threshold warnings - N+1 query fixes using joinedload/selectinload - Optimized project members, tasks, and subtasks endpoints Bug Fixes: - WebSocket session management (P0): Return primitives instead of ORM objects - LIKE query injection (P1): Escape special characters in search queries Tests: 543 backend tests, 56 frontend tests passing Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-11 18:41:19 +08:00
parent 2cb591ef23
commit 679b89ae4c
41 changed files with 3673 additions and 153 deletions
--- a/openspec/changes/archive/2026-01-11-enhance-security-validation/proposal.md
+++ b/openspec/changes/archive/2026-01-11-enhance-security-validation/proposal.md
@@ -0,0 +1,22 @@
+# Change: Enhance Security Validation
+
+## Why
+
+QA review identified several security gaps that could be exploited:
+1. JWT secret keys lack entropy validation, allowing weak secrets
+2. File uploads only check extensions, not actual MIME types (content spoofing risk)
+3. Missing CSRF protection on sensitive state-changing operations
+
+## What Changes
+
+- **user-auth**: Add JWT secret key strength validation (minimum length, entropy check)
+- **user-auth**: Add CSRF token validation for sensitive operations
+- **document-management**: Add file MIME type validation using magic bytes detection
+
+## Impact
+
+- Affected specs: `user-auth`, `document-management`
+- Affected code:
+  - `backend/app/core/security.py` - JWT validation
+  - `backend/app/api/v1/endpoints/` - CSRF middleware
+  - `backend/app/services/file_service.py` - MIME validation
--- a/openspec/changes/archive/2026-01-11-enhance-security-validation/specs/document-management/spec.md
+++ b/openspec/changes/archive/2026-01-11-enhance-security-validation/specs/document-management/spec.md
@@ -0,0 +1,23 @@
+## ADDED Requirements
+
+### Requirement: File MIME Type Validation
+The system SHALL validate file content type using magic bytes detection.
+
+#### Scenario: Valid file with matching extension
+- **WHEN** a user uploads a file
+- **AND** the detected MIME type matches the file extension
+- **THEN** the upload SHALL be accepted
+
+#### Scenario: Spoofed file extension rejected
+- **WHEN** a user uploads a file with extension `.jpg`
+- **AND** the actual content is detected as `application/x-executable`
+- **THEN** the upload SHALL be rejected with error "File type mismatch"
+
+#### Scenario: Unsupported MIME type rejected
+- **WHEN** a user uploads a file with an unsupported MIME type
+- **THEN** the upload SHALL be rejected with error "Unsupported file type"
+
+#### Scenario: MIME validation bypass for trusted sources
+- **WHEN** a file is uploaded from a trusted internal source
+- **AND** the system is configured to allow bypass
+- **THEN** MIME validation MAY be skipped
--- a/openspec/changes/archive/2026-01-11-enhance-security-validation/specs/user-auth/spec.md
+++ b/openspec/changes/archive/2026-01-11-enhance-security-validation/specs/user-auth/spec.md
@@ -0,0 +1,30 @@
+## ADDED Requirements
+
+### Requirement: JWT Secret Validation
+The system SHALL validate JWT secret key strength on startup.
+
+#### Scenario: Weak secret rejected
+- **WHEN** the configured JWT secret is less than 32 characters
+- **THEN** the system SHALL log a critical warning
+- **AND** optionally refuse to start in production mode
+
+#### Scenario: Low entropy secret warning
+- **WHEN** the JWT secret has low entropy (repeating patterns, common words)
+- **THEN** the system SHALL log a security warning
+
+### Requirement: CSRF Protection
+The system SHALL protect sensitive state-changing operations with CSRF tokens.
+
+#### Scenario: CSRF token required for password change
+- **WHEN** a user attempts to change their password
+- **AND** the request does not include a valid CSRF token
+- **THEN** the request SHALL be rejected with 403 Forbidden
+
+#### Scenario: CSRF token required for account deletion
+- **WHEN** a user attempts to delete their account or resources
+- **AND** the request does not include a valid CSRF token
+- **THEN** the request SHALL be rejected with 403 Forbidden
+
+#### Scenario: Valid CSRF token accepted
+- **WHEN** a state-changing request includes a valid CSRF token
+- **THEN** the request SHALL proceed normally
--- a/openspec/changes/archive/2026-01-11-enhance-security-validation/tasks.md
+++ b/openspec/changes/archive/2026-01-11-enhance-security-validation/tasks.md
@@ -0,0 +1,19 @@
+## 1. JWT Secret Validation
+- [x] 1.1 Add minimum secret length check (32+ characters)
+- [x] 1.2 Add entropy validation for JWT secret
+- [x] 1.3 Log warning on startup if secret is weak
+- [x] 1.4 Write unit tests for secret validation
+
+## 2. CSRF Protection
+- [x] 2.1 Add CSRF token generation utility
+- [x] 2.2 Add CSRF validation middleware
+- [x] 2.3 Apply to sensitive endpoints (password change, delete operations)
+- [x] 2.4 Update frontend to include CSRF token in requests
+- [x] 2.5 Write integration tests for CSRF validation
+
+## 3. MIME Type Validation
+- [x] 3.1 Add python-magic or similar library for MIME detection
+- [x] 3.2 Implement magic bytes validation in file upload service
+- [x] 3.3 Reject files where extension doesn't match actual content
+- [x] 3.4 Add configurable allowed MIME types per file category
+- [x] 3.5 Write unit tests for MIME validation