egg/PROJECT-CONTORL
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement security, error resilience, and query optimization proposals

Browse Source 
Security Validation (enhance-security-validation):
- JWT secret validation with entropy checking and pattern detection
- CSRF protection middleware with token generation/validation
- Frontend CSRF token auto-injection for DELETE/PUT/PATCH requests
- MIME type validation with magic bytes detection for file uploads

Error Resilience (add-error-resilience):
- React ErrorBoundary component with fallback UI and retry functionality
- ErrorBoundaryWithI18n wrapper for internationalization support
- Page-level and section-level error boundaries in App.tsx

Query Performance (optimize-query-performance):
- Query monitoring utility with threshold warnings
- N+1 query fixes using joinedload/selectinload
- Optimized project members, tasks, and subtasks endpoints

Bug Fixes:
- WebSocket session management (P0): Return primitives instead of ORM objects
- LIKE query injection (P1): Escape special characters in search queries

Tests: 543 backend tests, 56 frontend tests passing

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
beabigegg
2026-01-11 18:41:19 +08:00
parent 2cb591ef23
commit 679b89ae4c
41 changed files with 3673 additions and 153 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -12,6 +12,7 @@ Thumbs.db
# Test artifacts
backend/uploads/
uploads/
dump.rdb
.lsp_mcp.port
.claude/

4
backend/app/api/attachments/router.py
View File

@@ -24,6 +24,7 @@ from app.services.encryption_service import (
MasterKeyNotConfiguredError,
DecryptionError,
)
from app.middleware.csrf import require_csrf_token
logger = logging.getLogger(__name__)
@@ -610,13 +611,14 @@ async def download_attachment(
@router.delete("/attachments/{attachment_id}")
@require_csrf_token
async def delete_attachment(
attachment_id: str,
request: Request,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user)
):
"""Soft delete an attachment."""
"""Soft delete an attachment. Requires CSRF token in X-CSRF-Token header."""
attachment = get_attachment_with_access_check(db, attachment_id, current_user, require_edit=True)
# Soft delete

23
backend/app/api/auth/router.py
View File

@@ -8,7 +8,7 @@ from app.core.redis import get_redis
from app.core.rate_limiter import limiter
from app.models.user import User
from app.models.audit_log import AuditAction
from app.schemas.auth import LoginRequest, LoginResponse, UserInfo
from app.schemas.auth import LoginRequest, LoginResponse, UserInfo, CSRFTokenResponse
from app.services.auth_client import (
verify_credentials,
AuthAPIError,
@@ -16,6 +16,7 @@ from app.services.auth_client import (
)
from app.services.audit_service import AuditService
from app.middleware.auth import get_current_user
from app.middleware.csrf import get_csrf_token_for_user
router = APIRouter()
@@ -182,3 +183,23 @@ async def get_current_user_info(
department_id=current_user.department_id,
is_system_admin=current_user.is_system_admin,
)
@router.get("/csrf-token", response_model=CSRFTokenResponse)
async def get_csrf_token(
current_user: User = Depends(get_current_user),
):
"""
Get a CSRF token for the current user.
The CSRF token should be included in the X-CSRF-Token header
for all sensitive state-changing operations (DELETE, PUT, PATCH).
Token expires after 1 hour and should be refreshed.
"""
csrf_token = get_csrf_token_for_user(current_user.id)
return CSRFTokenResponse(
csrf_token=csrf_token,
expires_in=3600, # 1 hour
)

30
backend/app/api/projects/router.py
View File

@@ -1,7 +1,7 @@
import uuid
from typing import List
from fastapi import APIRouter, Depends, HTTPException, status, Request
from sqlalchemy.orm import Session
from sqlalchemy.orm import Session, joinedload, selectinload
from app.core.database import get_db
from app.models import User, Space, Project, TaskStatus, AuditAction, ProjectMember, ProjectTemplate, CustomField
@@ -55,6 +55,8 @@ async def list_projects_in_space(
):
"""
List all projects in a space that the user can access.
Optimized to avoid N+1 queries by using joinedload/selectinload for relationships.
"""
space = db.query(Space).filter(Space.id == space_id, Space.is_active == True).first()
@@ -70,13 +72,21 @@ async def list_projects_in_space(
detail="Access denied",
)
projects = db.query(Project).filter(Project.space_id == space_id, Project.is_active == True).all()
# Use joinedload to eagerly load owner, space, and department
# Use selectinload for tasks (one-to-many) to avoid cartesian product issues
projects = db.query(Project).options(
joinedload(Project.owner),
joinedload(Project.space),
joinedload(Project.department),
selectinload(Project.tasks),
).filter(Project.space_id == space_id, Project.is_active == True).all()
# Filter by project access
accessible_projects = [p for p in projects if check_project_access(current_user, p)]
result = []
for project in accessible_projects:
# Access pre-loaded relationships - no additional queries needed
task_count = len(project.tasks) if project.tasks else 0
result.append(ProjectWithDetails(
id=project.id,
@@ -422,6 +432,10 @@ async def list_project_members(
List all members of a project.
Only users with project access can view the member list.
Optimized to avoid N+1 queries by using joinedload for user relationships.
This loads all members and their related users in at most 2 queries instead of
one query per member.
"""
project = db.query(Project).filter(Project.id == project_id, Project.is_active == True).first()
@@ -437,14 +451,20 @@ async def list_project_members(
detail="Access denied",
)
members = db.query(ProjectMember).filter(
# Use joinedload to eagerly load user and added_by_user relationships
# This avoids N+1 queries when accessing member.user and member.added_by_user
members = db.query(ProjectMember).options(
joinedload(ProjectMember.user).joinedload(User.department),
joinedload(ProjectMember.added_by_user),
).filter(
ProjectMember.project_id == project_id
).all()
member_list = []
for member in members:
user = db.query(User).filter(User.id == member.user_id).first()
added_by_user = db.query(User).filter(User.id == member.added_by).first()
# Access pre-loaded relationships - no additional queries needed
user = member.user
added_by_user = member.added_by_user
member_list.append(ProjectMemberWithDetails(
id=member.id,

25
backend/app/api/tasks/router.py
View File

@@ -3,7 +3,7 @@ import uuid
from datetime import datetime, timezone, timedelta
from typing import List, Optional
from fastapi import APIRouter, Depends, HTTPException, status, Query, Request
from sqlalchemy.orm import Session
from sqlalchemy.orm import Session, joinedload, selectinload
from app.core.database import get_db
from app.core.redis_pubsub import publish_task_event
@@ -110,6 +110,9 @@ async def list_tasks(
The due_after and due_before parameters are useful for calendar view
to fetch tasks within a specific date range.
Optimized to avoid N+1 queries by using selectinload for task relationships.
This batch loads assignees, statuses, creators and subtasks efficiently.
"""
project = db.query(Project).filter(Project.id == project_id).first()
@@ -125,7 +128,15 @@ async def list_tasks(
detail="Access denied",
)
query = db.query(Task).filter(Task.project_id == project_id)
# Use selectinload to eagerly load task relationships
# This avoids N+1 queries when accessing task.assignee, task.status, etc.
query = db.query(Task).options(
selectinload(Task.assignee),
selectinload(Task.status),
selectinload(Task.creator),
selectinload(Task.subtasks),
selectinload(Task.custom_values),
).filter(Task.project_id == project_id)
# Filter deleted tasks (only admin can include deleted)
if include_deleted and current_user.is_system_admin:
@@ -1112,6 +1123,8 @@ async def list_subtasks(
):
"""
List subtasks of a task.
Optimized to avoid N+1 queries by using selectinload for task relationships.
"""
task = db.query(Task).filter(Task.id == task_id).first()
@@ -1127,7 +1140,13 @@ async def list_subtasks(
detail="Access denied",
)
query = db.query(Task).filter(Task.parent_task_id == task_id)
# Use selectinload to eagerly load subtask relationships
query = db.query(Task).options(
selectinload(Task.assignee),
selectinload(Task.status),
selectinload(Task.creator),
selectinload(Task.subtasks),
).filter(Task.parent_task_id == task_id)
# Filter deleted subtasks (only admin can include deleted)
if not (include_deleted and current_user.is_system_admin):

12
backend/app/api/users/router.py
View File

@@ -3,7 +3,7 @@ from sqlalchemy.orm import Session
from sqlalchemy import or_
from typing import List
from app.core.database import get_db
from app.core.database import get_db, escape_like
from app.core.redis import get_redis
from app.models.user import User
from app.models.role import Role
@@ -16,6 +16,7 @@ from app.middleware.auth import (
check_department_access,
)
from app.middleware.audit import get_audit_metadata
from app.middleware.csrf import require_csrf_token
from app.services.audit_service import AuditService
router = APIRouter()
@@ -32,11 +33,13 @@ async def search_users(
Search users by name or email. Used for @mention autocomplete.
Returns users matching the query, limited to same department unless system admin.
"""
# Escape special LIKE characters to prevent injection
escaped_q = escape_like(q)
query = db.query(User).filter(
User.is_active == True,
or_(
User.name.ilike(f"%{q}%"),
User.email.ilike(f"%{q}%"),
User.name.ilike(f"%{escaped_q}%", escape="\\"),
User.email.ilike(f"%{escaped_q}%", escape="\\"),
)
)
@@ -197,6 +200,7 @@ async def assign_role(
@router.patch("/{user_id}/admin", response_model=UserResponse)
@require_csrf_token
async def set_admin_status(
user_id: str,
is_admin: bool,
@@ -205,7 +209,7 @@ async def set_admin_status(
current_user: User = Depends(require_system_admin),
):
"""
Set or revoke system administrator status. Requires system admin.
Set or revoke system administrator status. Requires system admin and CSRF token.
"""
user = db.query(User).filter(User.id == user_id).first()
if not user:

87
backend/app/api/websocket/router.py
View File

@@ -27,29 +27,37 @@ if os.getenv("TESTING") == "true":
AUTH_TIMEOUT = 1.0
async def get_user_from_token(token: str) -> tuple[str | None, User | None]:
"""Validate token and return user_id and user object."""
async def get_user_from_token(token: str) -> str | None:
"""
Validate token and return user_id.
Returns:
user_id if valid, None otherwise.
Note: This function properly closes the database session after validation.
Do not return ORM objects as they become detached after session close.
"""
payload = decode_access_token(token)
if payload is None:
return None, None
return None
user_id = payload.get("sub")
if user_id is None:
return None, None
return None
# Verify session in Redis
redis_client = get_redis_sync()
stored_token = redis_client.get(f"session:{user_id}")
if stored_token is None or stored_token != token:
return None, None
return None
# Get user from database
# Verify user exists and is active
db = database.SessionLocal()
try:
user = db.query(User).filter(User.id == user_id).first()
if user is None or not user.is_active:
return None, None
return user_id, user
return None
return user_id
finally:
db.close()
@@ -57,7 +65,7 @@ async def get_user_from_token(token: str) -> tuple[str | None, User | None]:
async def authenticate_websocket(
websocket: WebSocket,
query_token: Optional[str] = None
) -> tuple[str | None, User | None, Optional[str]]:
) -> tuple[str | None, Optional[str]]:
"""
Authenticate WebSocket connection.
@@ -67,7 +75,8 @@ async def authenticate_websocket(
2. Query parameter authentication (deprecated, for backward compatibility)
- Client connects with: ?token=<jwt_token>
Returns (user_id, user) if authenticated, (None, None) otherwise.
Returns:
Tuple of (user_id, error_reason). user_id is None if authentication fails.
"""
# If token provided via query parameter (backward compatibility)
if query_token:
@@ -75,10 +84,10 @@ async def authenticate_websocket(
"WebSocket authentication via query parameter is deprecated. "
"Please use first-message authentication for better security."
)
user_id, user = await get_user_from_token(query_token)
user_id = await get_user_from_token(query_token)
if user_id is None:
return None, None, "invalid_token"
return user_id, user, None
return None, "invalid_token"
return user_id, None
# Wait for authentication message with timeout
try:
@@ -90,24 +99,24 @@ async def authenticate_websocket(
msg_type = data.get("type")
if msg_type != "auth":
logger.warning("Expected 'auth' message type, got: %s", msg_type)
return None, None, "invalid_message"
return None, "invalid_message"
token = data.get("token")
if not token:
logger.warning("No token provided in auth message")
return None, None, "missing_token"
return None, "missing_token"
user_id, user = await get_user_from_token(token)
user_id = await get_user_from_token(token)
if user_id is None:
return None, None, "invalid_token"
return user_id, user, None
return None, "invalid_token"
return user_id, None
except asyncio.TimeoutError:
logger.warning("WebSocket authentication timeout after %.1f seconds", AUTH_TIMEOUT)
return None, None, "timeout"
return None, "timeout"
except Exception as e:
logger.error("Error during WebSocket authentication: %s", e)
return None, None, "error"
return None, "error"
async def get_unread_notifications(user_id: str) -> list[dict]:
@@ -183,7 +192,7 @@ async def websocket_notifications(
await websocket.accept()
# Authenticate
user_id, user, error_reason = await authenticate_websocket(websocket, token)
user_id, error_reason = await authenticate_websocket(websocket, token)
if user_id is None:
if error_reason == "invalid_token":
@@ -306,7 +315,7 @@ async def websocket_notifications(
await manager.disconnect(websocket, user_id)
async def verify_project_access(user_id: str, project_id: str) -> tuple[bool, Project | None]:
async def verify_project_access(user_id: str, project_id: str) -> tuple[bool, str | None, str | None]:
"""
Check if user has access to the project.
@@ -315,23 +324,34 @@ async def verify_project_access(user_id: str, project_id: str) -> tuple[bool, Pr
project_id: The project's ID
Returns:
Tuple of (has_access: bool, project: Project | None)
Tuple of (has_access: bool, project_title: str | None, error: str | None)
- has_access: True if user can access the project
- project_title: The project title (only if access granted)
- error: Error code if access denied ("user_not_found", "project_not_found", "access_denied")
Note: This function extracts needed data before closing the session to avoid
detached instance errors when accessing ORM object attributes.
"""
db = database.SessionLocal()
try:
# Get the user
user = db.query(User).filter(User.id == user_id).first()
if user is None or not user.is_active:
return False, None
return False, None, "user_not_found"
# Get the project
project = db.query(Project).filter(Project.id == project_id).first()
if project is None:
return False, None
return False, None, "project_not_found"
# Check access using existing middleware function
has_access = check_project_access(user, project)
return has_access, project
if not has_access:
return False, None, "access_denied"
# Extract title while session is still open
project_title = project.title
return True, project_title, None
finally:
db.close()
@@ -371,7 +391,7 @@ async def websocket_project_sync(
await websocket.accept()
# Authenticate user
user_id, user, error_reason = await authenticate_websocket(websocket, token)
user_id, error_reason = await authenticate_websocket(websocket, token)
if user_id is None:
if error_reason == "invalid_token":
@@ -380,14 +400,13 @@ async def websocket_project_sync(
return
# Verify user has access to the project
has_access, project = await verify_project_access(user_id, project_id)
has_access, project_title, access_error = await verify_project_access(user_id, project_id)
if not has_access:
await websocket.close(code=4003, reason="Access denied to this project")
return
if project is None:
await websocket.close(code=4004, reason="Project not found")
if access_error == "project_not_found":
await websocket.close(code=4004, reason="Project not found")
else:
await websocket.close(code=4003, reason="Access denied to this project")
return
# Join project room
@@ -413,7 +432,7 @@ async def websocket_project_sync(
"data": {
"project_id": project_id,
"user_id": user_id,
"project_title": project.title if project else None,
"project_title": project_title,
},
})

5
backend/app/core/config.py
View File

@@ -122,6 +122,11 @@ class Settings(BaseSettings):
RATE_LIMIT_SENSITIVE: str = "20/minute" # Attachments, password change, report export
RATE_LIMIT_HEAVY: str = "5/minute" # Report generation, bulk operations
# Development Mode Settings
DEBUG: bool = False # Enable debug mode for development
QUERY_LOGGING: bool = False # Enable SQLAlchemy query logging
QUERY_COUNT_THRESHOLD: int = 10 # Warn when query count exceeds this threshold
class Config:
env_file = ".env"
case_sensitive = True

26
backend/app/core/database.py
View File

@@ -104,6 +104,10 @@ def _on_invalidate(dbapi_conn, connection_record, exception):
# Start pool statistics logging on module load
_start_pool_stats_logging()
# Set up query logging if enabled
from app.core.query_monitor import setup_query_logging
setup_query_logging(engine)
def get_db():
"""Dependency for getting database session."""
@@ -127,3 +131,25 @@ def get_pool_status() -> dict:
"total_checkins": _pool_stats["checkins"],
"invalidated_connections": _pool_stats["invalidated_connections"],
}
def escape_like(value: str) -> str:
"""
Escape special characters for SQL LIKE queries.
Escapes '%' and '_' characters which have special meaning in LIKE patterns.
This prevents LIKE injection attacks where user input could match unintended patterns.
Args:
value: The user input string to escape
Returns:
Escaped string safe for use in LIKE patterns
Example:
>>> escape_like("test%value")
'test\\%value'
>>> escape_like("user_name")
'user\\_name'
"""
return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

167
backend/app/core/query_monitor.py Normal file
View File

@@ -0,0 +1,167 @@
"""
Query monitoring utilities for detecting N+1 queries and performance issues.
This module provides:
1. Query counting per request in development mode
2. SQLAlchemy event listeners for query logging
3. Threshold-based warnings for excessive queries
"""
import logging
import threading
import time
from contextlib import contextmanager
from typing import Optional, Callable, Any
from sqlalchemy import event
from sqlalchemy.engine import Engine
from app.core.config import settings
logger = logging.getLogger(__name__)
# Thread-local storage for per-request query counting
_query_context = threading.local()
class QueryCounter:
"""
Context manager for counting database queries within a request.
Usage:
with QueryCounter() as counter:
# ... execute queries ...
print(f"Executed {counter.count} queries")
"""
def __init__(self, threshold: Optional[int] = None, context_name: str = "request"):
self.threshold = threshold or settings.QUERY_COUNT_THRESHOLD
self.context_name = context_name
self.count = 0
self.queries = []
self.start_time = None
self.total_time = 0.0
def __enter__(self):
self.count = 0
self.queries = []
self.start_time = time.time()
_query_context.counter = self
return self
def __exit__(self, exc_type, exc_val, exc_tb):
self.total_time = time.time() - self.start_time
_query_context.counter = None
# Log warning if threshold exceeded
if self.count > self.threshold:
logger.warning(
"Query count threshold exceeded in %s: %d queries (threshold: %d, time: %.3fs)",
self.context_name,
self.count,
self.threshold,
self.total_time,
)
if settings.DEBUG:
# In debug mode, also log the individual queries
for i, (sql, duration) in enumerate(self.queries[:20], 1):
logger.debug(" Query %d (%.3fs): %s", i, duration, sql[:200])
if len(self.queries) > 20:
logger.debug(" ... and %d more queries", len(self.queries) - 20)
elif settings.DEBUG and self.count > 0:
logger.debug(
"Query count for %s: %d queries in %.3fs",
self.context_name,
self.count,
self.total_time,
)
return False
def record_query(self, statement: str, duration: float):
"""Record a query execution."""
self.count += 1
if settings.DEBUG:
self.queries.append((statement, duration))
def get_current_counter() -> Optional[QueryCounter]:
"""Get the current request's query counter, if any."""
return getattr(_query_context, 'counter', None)
def setup_query_logging(engine: Engine):
"""
Set up SQLAlchemy event listeners for query logging.
This should be called once during application startup.
Only activates if QUERY_LOGGING is enabled in settings.
"""
if not settings.QUERY_LOGGING:
logger.info("Query logging is disabled")
return
logger.info("Setting up query logging with threshold=%d", settings.QUERY_COUNT_THRESHOLD)
@event.listens_for(engine, "before_cursor_execute")
def before_cursor_execute(conn, cursor, statement, parameters, context, executemany):
conn.info.setdefault('query_start_time', []).append(time.time())
@event.listens_for(engine, "after_cursor_execute")
def after_cursor_execute(conn, cursor, statement, parameters, context, executemany):
start_times = conn.info.get('query_start_time', [])
duration = time.time() - start_times.pop() if start_times else 0.0
# Record in current counter if active
counter = get_current_counter()
if counter:
counter.record_query(statement, duration)
# Also log individual queries if in debug mode
if settings.DEBUG:
logger.debug("SQL (%.3fs): %s", duration, statement[:500])
@contextmanager
def count_queries(context_name: str = "operation", threshold: Optional[int] = None):
"""
Context manager to count queries for a specific operation.
Args:
context_name: Name for logging purposes
threshold: Override the default query count threshold
Usage:
with count_queries("list_members") as counter:
members = db.query(ProjectMember).all()
for member in members:
print(member.user.name) # N+1 query!
# After block, logs warning if threshold exceeded
print(f"Total queries: {counter.count}")
"""
with QueryCounter(threshold=threshold, context_name=context_name) as counter:
yield counter
def assert_query_count(max_queries: int):
"""
Decorator for testing that asserts maximum query count.
Usage in tests:
@assert_query_count(5)
def test_list_members():
# Should use at most 5 queries
response = client.get("/api/projects/xxx/members")
"""
def decorator(func: Callable) -> Callable:
def wrapper(*args, **kwargs):
with QueryCounter(threshold=max_queries, context_name=func.__name__) as counter:
result = func(*args, **kwargs)
if counter.count > max_queries:
raise AssertionError(
f"Query count {counter.count} exceeded maximum {max_queries} "
f"in {func.__name__}"
)
return result
return wrapper
return decorator

277
backend/app/core/security.py
View File

@@ -1,8 +1,283 @@
from datetime import datetime, timedelta, timezone
from typing import Optional, Any
from typing import Optional, Any, Tuple
from jose import jwt, JWTError
import logging
import math
import hashlib
import secrets
import hmac
from collections import Counter
from app.core.config import settings
logger = logging.getLogger(__name__)
# Constants for JWT secret validation
MIN_SECRET_LENGTH = 32
MIN_ENTROPY_BITS = 128 # Minimum entropy in bits for a secure secret
COMMON_WEAK_PATTERNS = [
"password", "secret", "changeme", "admin", "test", "demo",
"123456", "qwerty", "abc123", "letmein", "welcome",
]
def calculate_entropy(data: str) -> float:
"""
Calculate Shannon entropy of a string in bits.
Higher entropy indicates more randomness and thus a stronger secret.
A perfectly random string of length n with k possible characters has
entropy of n * log2(k) bits.
Args:
data: The string to calculate entropy for
Returns:
Entropy value in bits
"""
if not data:
return 0.0
# Count character frequencies
char_counts = Counter(data)
length = len(data)
# Calculate Shannon entropy
entropy = 0.0
for count in char_counts.values():
if count > 0:
probability = count / length
entropy -= probability * math.log2(probability)
# Return total entropy in bits (per-character entropy * length)
return entropy * length
def has_repeating_patterns(secret: str) -> bool:
"""
Check if the secret contains obvious repeating patterns.
Args:
secret: The secret string to check
Returns:
True if repeating patterns are detected
"""
if len(secret) < 8:
return False
# Check for repeating character sequences
for pattern_len in range(2, len(secret) // 3 + 1):
pattern = secret[:pattern_len]
if pattern * (len(secret) // pattern_len) == secret[:len(pattern) * (len(secret) // pattern_len)]:
# More than 50% of the string is the same pattern repeated
if (len(secret) // pattern_len) >= 3:
return True
# Check for consecutive same characters
consecutive_count = 1
for i in range(1, len(secret)):
if secret[i] == secret[i-1]:
consecutive_count += 1
if consecutive_count >= len(secret) // 2:
return True
else:
consecutive_count = 1
return False
def validate_jwt_secret_strength(secret: str) -> Tuple[bool, list]:
"""
Validate JWT secret key strength.
Checks:
1. Minimum length (32 characters)
2. Entropy (minimum 128 bits)
3. Common weak patterns
4. Repeating patterns
Args:
secret: The JWT secret to validate
Returns:
Tuple of (is_valid, list_of_warnings)
"""
warnings = []
is_valid = True
# Check minimum length
if len(secret) < MIN_SECRET_LENGTH:
warnings.append(
f"JWT secret is too short ({len(secret)} chars). "
f"Minimum recommended length is {MIN_SECRET_LENGTH} characters."
)
is_valid = False
# Calculate and check entropy
entropy = calculate_entropy(secret)
if entropy < MIN_ENTROPY_BITS:
warnings.append(
f"JWT secret has low entropy ({entropy:.1f} bits). "
f"Minimum recommended entropy is {MIN_ENTROPY_BITS} bits. "
"Consider using a cryptographically random secret."
)
# Low entropy alone doesn't make it invalid, but it's a warning
# Check for common weak patterns
secret_lower = secret.lower()
for pattern in COMMON_WEAK_PATTERNS:
if pattern in secret_lower:
warnings.append(
f"JWT secret contains common weak pattern: '{pattern}'. "
"Use a cryptographically random secret."
)
break
# Check for repeating patterns
if has_repeating_patterns(secret):
warnings.append(
"JWT secret contains repeating patterns. "
"Use a cryptographically random secret."
)
return is_valid, warnings
def validate_jwt_secret_on_startup() -> None:
"""
Validate JWT secret strength on application startup.
Logs warnings for weak secrets and raises an error in production
if the secret is critically weak.
"""
import os
secret = settings.JWT_SECRET_KEY
is_valid, warnings = validate_jwt_secret_strength(secret)
# Log all warnings
for warning in warnings:
logger.warning("JWT Security Warning: %s", warning)
# In production, enforce stricter requirements
is_production = os.environ.get("ENVIRONMENT", "").lower() == "production"
if not is_valid:
if is_production:
logger.critical(
"JWT secret does not meet security requirements. "
"Application startup blocked in production mode. "
"Please configure a strong JWT_SECRET_KEY (minimum 32 characters)."
)
raise ValueError(
"JWT_SECRET_KEY does not meet minimum security requirements. "
"See logs for details."
)
else:
logger.warning(
"JWT secret does not meet security requirements. "
"This would block startup in production mode."
)
if warnings:
logger.info(
"JWT secret validation completed with %d warning(s). "
"Consider using: python -c \"import secrets; print(secrets.token_urlsafe(48))\" "
"to generate a strong secret.",
len(warnings)
)
else:
logger.info("JWT secret validation passed. Secret meets security requirements.")
# CSRF Token Functions
CSRF_TOKEN_LENGTH = 32
CSRF_TOKEN_EXPIRY_SECONDS = 3600 # 1 hour
def generate_csrf_token(user_id: str) -> str:
"""
Generate a CSRF token for a user.
The token is a combination of:
- Random bytes for unpredictability
- User ID binding to prevent token reuse across users
- HMAC signature for integrity
Args:
user_id: The user's ID to bind the token to
Returns:
CSRF token string
"""
# Generate random token
random_part = secrets.token_urlsafe(CSRF_TOKEN_LENGTH)
# Create timestamp for expiry checking
timestamp = int(datetime.now(timezone.utc).timestamp())
# Create the token payload
payload = f"{random_part}:{user_id}:{timestamp}"
# Sign with HMAC using JWT secret
signature = hmac.new(
settings.JWT_SECRET_KEY.encode(),
payload.encode(),
hashlib.sha256
).hexdigest()[:16]
# Return combined token
return f"{payload}:{signature}"
def validate_csrf_token(token: str, user_id: str) -> Tuple[bool, str]:
"""
Validate a CSRF token.
Args:
token: The CSRF token to validate
user_id: The expected user ID
Returns:
Tuple of (is_valid, error_message)
"""
if not token:
return False, "CSRF token is required"
try:
parts = token.split(":")
if len(parts) != 4:
return False, "Invalid CSRF token format"
random_part, token_user_id, timestamp_str, signature = parts
# Verify user ID matches
if token_user_id != user_id:
return False, "CSRF token user mismatch"
# Verify timestamp (check expiry)
timestamp = int(timestamp_str)
current_time = int(datetime.now(timezone.utc).timestamp())
if current_time - timestamp > CSRF_TOKEN_EXPIRY_SECONDS:
return False, "CSRF token expired"
# Verify signature
payload = f"{random_part}:{token_user_id}:{timestamp_str}"
expected_signature = hmac.new(
settings.JWT_SECRET_KEY.encode(),
payload.encode(),
hashlib.sha256
).hexdigest()[:16]
if not hmac.compare_digest(signature, expected_signature):
return False, "CSRF token signature invalid"
return True, ""
except (ValueError, IndexError) as e:
return False, f"CSRF token validation error: {str(e)}"
def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
"""

6
backend/app/main.py
View File

@@ -20,6 +20,12 @@ async def lifespan(app: FastAPI):
testing = os.environ.get("TESTING", "").lower() in ("true", "1", "yes")
scheduler_disabled = os.environ.get("DISABLE_SCHEDULER", "").lower() in ("true", "1", "yes")
start_background_jobs = not testing and not scheduler_disabled
# Startup security validation
if not testing:
from app.core.security import validate_jwt_secret_on_startup
validate_jwt_secret_on_startup()
# Startup
if start_background_jobs:
start_scheduler()

167
backend/app/middleware/csrf.py Normal file
View File

@@ -0,0 +1,167 @@
"""
CSRF (Cross-Site Request Forgery) Protection Middleware.
This module provides CSRF protection for sensitive state-changing operations.
It validates CSRF tokens for specified protected endpoints.
"""
from fastapi import Request, HTTPException, status, Depends
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from typing import Optional, Callable, List
from functools import wraps
import logging
from app.core.security import validate_csrf_token, generate_csrf_token
logger = logging.getLogger(__name__)
# Header name for CSRF token
CSRF_TOKEN_HEADER = "X-CSRF-Token"
# List of endpoint patterns that require CSRF protection
# These are sensitive state-changing operations
CSRF_PROTECTED_PATTERNS = [
# User operations
"/api/v1/users/{user_id}/admin", # Admin status change
"/api/users/{user_id}/admin", # Legacy
# Password changes would go here if implemented
# Delete operations
"/api/attachments/{attachment_id}", # DELETE method
"/api/tasks/{task_id}", # DELETE method (soft delete)
"/api/projects/{project_id}", # DELETE method
]
# Methods that require CSRF protection
CSRF_PROTECTED_METHODS = ["DELETE", "PUT", "PATCH"]
class CSRFProtectionError(HTTPException):
"""Custom exception for CSRF validation failures."""
def __init__(self, detail: str = "CSRF validation failed"):
super().__init__(
status_code=status.HTTP_403_FORBIDDEN,
detail=detail
)
def require_csrf_token(func: Callable) -> Callable:
"""
Decorator to require CSRF token validation for an endpoint.
Usage:
@router.delete("/resource/{id}")
@require_csrf_token
async def delete_resource(request: Request, id: str, current_user: User = Depends(get_current_user)):
...
The decorator validates the X-CSRF-Token header against the current user.
"""
@wraps(func)
async def wrapper(*args, **kwargs):
# Extract request and current_user from kwargs
request: Optional[Request] = kwargs.get("request")
current_user = kwargs.get("current_user")
if request is None:
# Try to find request in args (for methods where request is positional)
for arg in args:
if isinstance(arg, Request):
request = arg
break
if request is None:
logger.error("CSRF validation failed: Request object not found")
raise CSRFProtectionError("Internal error: Request not available")
if current_user is None:
logger.error("CSRF validation failed: User not authenticated")
raise CSRFProtectionError("Authentication required for CSRF-protected endpoint")
# Get CSRF token from header
csrf_token = request.headers.get(CSRF_TOKEN_HEADER)
if not csrf_token:
logger.warning(
"CSRF validation failed: Missing token for user %s on %s %s",
current_user.id, request.method, request.url.path
)
raise CSRFProtectionError("CSRF token is required")
# Validate the token
is_valid, error_message = validate_csrf_token(csrf_token, current_user.id)
if not is_valid:
logger.warning(
"CSRF validation failed for user %s on %s %s: %s",
current_user.id, request.method, request.url.path, error_message
)
raise CSRFProtectionError(error_message)
logger.debug(
"CSRF validation passed for user %s on %s %s",
current_user.id, request.method, request.url.path
)
return await func(*args, **kwargs)
return wrapper
def get_csrf_token_for_user(user_id: str) -> str:
"""
Generate a CSRF token for a user.
This function can be called from login endpoints to provide
the client with a CSRF token.
Args:
user_id: The user's ID
Returns:
CSRF token string
"""
return generate_csrf_token(user_id)
async def validate_csrf_for_request(
request: Request,
user_id: str,
skip_methods: Optional[List[str]] = None
) -> bool:
"""
Validate CSRF token for a request.
This is a utility function that can be used directly in endpoints
without the decorator.
Args:
request: The FastAPI request object
user_id: The current user's ID
skip_methods: HTTP methods to skip validation for (default: GET, HEAD, OPTIONS)
Returns:
True if validation passes
Raises:
CSRFProtectionError: If validation fails
"""
if skip_methods is None:
skip_methods = ["GET", "HEAD", "OPTIONS"]
# Skip validation for safe methods
if request.method.upper() in skip_methods:
return True
# Get CSRF token from header
csrf_token = request.headers.get(CSRF_TOKEN_HEADER)
if not csrf_token:
raise CSRFProtectionError("CSRF token is required")
is_valid, error_message = validate_csrf_token(csrf_token, user_id)
if not is_valid:
raise CSRFProtectionError(error_message)
return True

6
backend/app/schemas/auth.py
View File

@@ -32,5 +32,11 @@ class TokenPayload(BaseModel):
iat: int
class CSRFTokenResponse(BaseModel):
"""Response containing a CSRF token for state-changing operations."""
csrf_token: str = Field(..., description="CSRF token to include in X-CSRF-Token header")
expires_in: int = Field(default=3600, description="Token expiry time in seconds")
# Update forward reference
LoginResponse.model_rebuild()

38
backend/app/services/file_storage_service.py
View File

@@ -286,11 +286,15 @@ class FileStorageService:
return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
@staticmethod
def validate_file(file: UploadFile) -> Tuple[str, str]:
def validate_file(file: UploadFile, validate_mime: bool = True) -> Tuple[str, str]:
"""
Validate file size and type.
Validate file size, type, and optionally MIME content.
Returns (extension, mime_type) if valid.
Raises HTTPException if invalid.
Args:
file: The uploaded file
validate_mime: If True, validate MIME type using magic bytes detection
"""
# Check file size
file.file.seek(0, 2) # Seek to end
@@ -323,7 +327,35 @@ class FileStorageService:
detail=f"File type '.{extension}' is not supported"
)
mime_type = file.content_type or "application/octet-stream"
# Validate MIME type using magic bytes detection
if validate_mime:
from app.services.mime_validation_service import mime_validation_service
# Read first 16 bytes for magic detection (enough for most signatures)
file_header = file.file.read(16)
file.file.seek(0) # Reset
is_valid, detected_mime, error_message = mime_validation_service.validate_file_content(
file_content=file_header,
declared_extension=extension,
declared_mime_type=file.content_type
)
if not is_valid:
logger.warning(
"MIME validation failed for file '%s': %s (detected: %s)",
file.filename, error_message, detected_mime
)
raise HTTPException(
status_code=400,
detail=error_message or "File type validation failed"
)
# Use detected MIME type if available, otherwise fall back to declared
mime_type = detected_mime if detected_mime else (file.content_type or "application/octet-stream")
else:
mime_type = file.content_type or "application/octet-stream"
return extension, mime_type
async def save_file(

314
backend/app/services/mime_validation_service.py Normal file
View File

@@ -0,0 +1,314 @@
"""
MIME Type Validation Service using Magic Bytes Detection.
This module provides file content type validation by examining
the actual file content (magic bytes) rather than trusting
the file extension or Content-Type header.
"""
import logging
from typing import Optional, Tuple, Dict, Set, BinaryIO
from io import BytesIO
logger = logging.getLogger(__name__)
class MimeValidationError(Exception):
"""Raised when MIME type validation fails."""
pass
class FileMismatchError(MimeValidationError):
"""Raised when file extension doesn't match actual content type."""
pass
class UnsupportedMimeError(MimeValidationError):
"""Raised when file has an unsupported MIME type."""
pass
# Magic bytes signatures for common file types
# Format: { bytes_pattern: (mime_type, extensions) }
MAGIC_SIGNATURES: Dict[bytes, Tuple[str, Set[str]]] = {
# Images
b'\xFF\xD8\xFF': ('image/jpeg', {'jpg', 'jpeg', 'jpe'}),
b'\x89PNG\r\n\x1a\n': ('image/png', {'png'}),
b'GIF87a': ('image/gif', {'gif'}),
b'GIF89a': ('image/gif', {'gif'}),
b'RIFF': ('image/webp', {'webp'}), # WebP starts with RIFF, then WEBP
b'BM': ('image/bmp', {'bmp'}),
# PDF
b'%PDF': ('application/pdf', {'pdf'}),
# Microsoft Office (Modern formats - ZIP-based)
b'PK\x03\x04': ('application/zip', {'zip', 'docx', 'xlsx', 'pptx', 'odt', 'ods', 'odp', 'jar'}),
# Microsoft Office (Legacy formats - Compound Document)
b'\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1': ('application/msword', {'doc', 'xls', 'ppt', 'msi'}),
# Archives
b'\x1f\x8b': ('application/gzip', {'gz', 'tgz'}),
b'\x42\x5a\x68': ('application/x-bzip2', {'bz2'}),
b'\x37\x7A\xBC\xAF\x27\x1C': ('application/x-7z-compressed', {'7z'}),
b'Rar!\x1a\x07': ('application/x-rar-compressed', {'rar'}),
# Text/Data formats - these are harder to detect, usually fallback to extension
b'<?xml': ('application/xml', {'xml', 'svg'}),
b'{': ('application/json', {'json'}), # JSON typically starts with { or [
b'[': ('application/json', {'json'}),
# Executables (dangerous - should be blocked)
b'MZ': ('application/x-executable', {'exe', 'dll', 'com', 'scr'}),
b'\x7fELF': ('application/x-executable', {'elf', 'so', 'bin'}),
}
# Map extensions to expected MIME types
EXTENSION_TO_MIME: Dict[str, Set[str]] = {
# Images
'jpg': {'image/jpeg'},
'jpeg': {'image/jpeg'},
'jpe': {'image/jpeg'},
'png': {'image/png'},
'gif': {'image/gif'},
'bmp': {'image/bmp'},
'webp': {'image/webp'},
'svg': {'image/svg+xml', 'application/xml', 'text/xml'},
# Documents
'pdf': {'application/pdf'},
'doc': {'application/msword'},
'docx': {'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/zip'},
'xls': {'application/vnd.ms-excel', 'application/msword'},
'xlsx': {'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', 'application/zip'},
'ppt': {'application/vnd.ms-powerpoint', 'application/msword'},
'pptx': {'application/vnd.openxmlformats-officedocument.presentationml.presentation', 'application/zip'},
# Text
'txt': {'text/plain'},
'csv': {'text/csv', 'text/plain'},
'json': {'application/json', 'text/plain'},
'xml': {'application/xml', 'text/xml', 'text/plain'},
'yaml': {'application/yaml', 'text/plain'},
'yml': {'application/yaml', 'text/plain'},
# Archives
'zip': {'application/zip'},
'rar': {'application/x-rar-compressed'},
'7z': {'application/x-7z-compressed'},
'tar': {'application/x-tar'},
'gz': {'application/gzip'},
}
# MIME types that should always be blocked (dangerous executables)
BLOCKED_MIME_TYPES: Set[str] = {
'application/x-executable',
'application/x-msdownload',
'application/x-msdos-program',
'application/x-sh',
'application/x-csh',
'application/x-dosexec',
}
# Configurable allowed MIME type categories
ALLOWED_MIME_CATEGORIES: Dict[str, Set[str]] = {
'images': {
'image/jpeg', 'image/png', 'image/gif', 'image/bmp', 'image/webp', 'image/svg+xml'
},
'documents': {
'application/pdf',
'application/msword',
'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
'application/vnd.ms-excel',
'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
'application/vnd.ms-powerpoint',
'application/vnd.openxmlformats-officedocument.presentationml.presentation',
'text/plain', 'text/csv',
},
'archives': {
'application/zip', 'application/x-rar-compressed',
'application/x-7z-compressed', 'application/gzip',
'application/x-tar',
},
'data': {
'application/json', 'application/xml', 'text/xml',
'application/yaml', 'text/plain',
},
}
class MimeValidationService:
"""Service for validating file MIME types using magic bytes."""
def __init__(
self,
allowed_categories: Optional[Set[str]] = None,
bypass_for_trusted: bool = False
):
"""
Initialize the MIME validation service.
Args:
allowed_categories: Set of allowed MIME categories ('images', 'documents', etc.)
If None, all categories are allowed.
bypass_for_trusted: If True, validation can be bypassed for trusted sources.
"""
self.bypass_for_trusted = bypass_for_trusted
# Build set of allowed MIME types
if allowed_categories is None:
self.allowed_mime_types = set()
for category_mimes in ALLOWED_MIME_CATEGORIES.values():
self.allowed_mime_types.update(category_mimes)
else:
self.allowed_mime_types = set()
for category in allowed_categories:
if category in ALLOWED_MIME_CATEGORIES:
self.allowed_mime_types.update(ALLOWED_MIME_CATEGORIES[category])
def detect_mime_type(self, file_content: bytes) -> Optional[str]:
"""
Detect MIME type from file content using magic bytes.
Args:
file_content: The raw file bytes (at least first 16 bytes needed)
Returns:
Detected MIME type or None if unknown
"""
if len(file_content) < 2:
return None
# Check each magic signature
for magic_bytes, (mime_type, _) in MAGIC_SIGNATURES.items():
if file_content.startswith(magic_bytes):
# Special case for WebP: check for WEBP after RIFF
if magic_bytes == b'RIFF' and len(file_content) >= 12:
if file_content[8:12] == b'WEBP':
return 'image/webp'
else:
continue # Not WebP, might be something else
return mime_type
return None
def validate_file_content(
self,
file_content: bytes,
declared_extension: str,
declared_mime_type: Optional[str] = None,
trusted_source: bool = False
) -> Tuple[bool, str, Optional[str]]:
"""
Validate file content against declared extension and MIME type.
Args:
file_content: The raw file bytes
declared_extension: The file extension (without dot)
declared_mime_type: The Content-Type header value (optional)
trusted_source: If True and bypass_for_trusted is enabled, skip validation
Returns:
Tuple of (is_valid, detected_mime_type, error_message)
"""
# Bypass for trusted sources if configured
if trusted_source and self.bypass_for_trusted:
logger.debug("MIME validation bypassed for trusted source")
return True, declared_mime_type or 'application/octet-stream', None
# Detect actual MIME type
detected_mime = self.detect_mime_type(file_content)
ext_lower = declared_extension.lower()
# Check if detected MIME is blocked (dangerous executable)
if detected_mime in BLOCKED_MIME_TYPES:
logger.warning(
"Blocked dangerous file type detected: %s (claimed extension: %s)",
detected_mime, ext_lower
)
return False, detected_mime, "File type not allowed for security reasons"
# If we couldn't detect the MIME type, fall back to extension-based check
if detected_mime is None:
# For text/data files, detection is unreliable
# Trust the extension if it's in our allowed list
if ext_lower in EXTENSION_TO_MIME:
expected_mimes = EXTENSION_TO_MIME[ext_lower]
# Check if any expected MIME is in allowed set
if expected_mimes & self.allowed_mime_types:
logger.debug(
"MIME detection inconclusive for extension %s, allowing based on extension",
ext_lower
)
# Return the first expected MIME type
return True, next(iter(expected_mimes)), None
# Unknown extension or MIME type
logger.warning(
"Could not detect MIME type for file with extension: %s",
ext_lower
)
return True, 'application/octet-stream', None
# Check if detected MIME is in allowed set
if detected_mime not in self.allowed_mime_types:
logger.warning(
"Unsupported MIME type detected: %s (extension: %s)",
detected_mime, ext_lower
)
return False, detected_mime, f"Unsupported file type: {detected_mime}"
# Verify extension matches detected MIME type
if ext_lower in EXTENSION_TO_MIME:
expected_mimes = EXTENSION_TO_MIME[ext_lower]
# Special handling for ZIP-based formats (docx, xlsx, pptx)
if detected_mime == 'application/zip' and ext_lower in {'docx', 'xlsx', 'pptx', 'odt', 'ods', 'odp'}:
# These are valid - ZIP container with specific extension
return True, detected_mime, None
# Check if detected MIME matches any expected MIME for this extension
if detected_mime not in expected_mimes:
# Mismatch detected!
logger.warning(
"File type mismatch: extension '%s' but detected '%s'",
ext_lower, detected_mime
)
return False, detected_mime, f"File type mismatch: extension indicates {ext_lower} but content is {detected_mime}"
return True, detected_mime, None
async def validate_upload_file(
self,
file_content: bytes,
filename: str,
content_type: Optional[str] = None,
trusted_source: bool = False
) -> Tuple[bool, str, Optional[str]]:
"""
Validate an uploaded file.
Args:
file_content: The raw file bytes
filename: The uploaded filename
content_type: The Content-Type header value
trusted_source: If True and bypass is enabled, skip validation
Returns:
Tuple of (is_valid, detected_mime_type, error_message)
"""
# Extract extension
extension = filename.rsplit('.', 1)[-1] if '.' in filename else ''
return self.validate_file_content(
file_content=file_content,
declared_extension=extension,
declared_mime_type=content_type,
trusted_source=trusted_source
)
# Singleton instance with default configuration
mime_validation_service = MimeValidationService()

6
backend/app/services/notification_service.py
View File

@@ -14,6 +14,7 @@ from sqlalchemy import event
from app.models import User, Notification, Task, Comment, Mention
from app.core.redis_pubsub import publish_notification as redis_publish, get_channel_name
from app.core.redis import get_redis_sync
from app.core.database import escape_like
logger = logging.getLogger(__name__)
@@ -427,9 +428,12 @@ class NotificationService:
# Find users by email or name
for username in mentioned_usernames:
# Escape special LIKE characters to prevent injection
escaped_username = escape_like(username)
# Try to find user by email first
user = db.query(User).filter(
(User.email.ilike(f"{username}%")) | (User.name.ilike(f"%{username}%"))
(User.email.ilike(f"{escaped_username}%", escape="\\")) |
(User.name.ilike(f"%{escaped_username}%", escape="\\"))
).first()
if user and user.id != author.id:

10
backend/tests/test_attachments.py
View File

@@ -239,6 +239,8 @@ class TestAttachmentAPI:
def test_delete_attachment(self, client, test_user_token, test_task, db):
"""Test soft deleting an attachment."""
from app.core.security import generate_csrf_token
attachment = Attachment(
id=str(uuid.uuid4()),
task_id=test_task.id,
@@ -252,9 +254,15 @@ class TestAttachmentAPI:
db.add(attachment)
db.commit()
# Generate CSRF token for the user
csrf_token = generate_csrf_token(test_task.created_by)
response = client.delete(
f"/api/attachments/{attachment.id}",
headers={"Authorization": f"Bearer {test_user_token}"},
headers={
"Authorization": f"Bearer {test_user_token}",
"X-CSRF-Token": csrf_token,
},
)
assert response.status_code == 200

408
backend/tests/test_query_performance.py Normal file
View File

@@ -0,0 +1,408 @@
"""
Tests for query performance optimization.
These tests verify that N+1 query patterns have been eliminated by checking
that endpoints execute within expected query count limits.
"""
import uuid
import pytest
from sqlalchemy import event
from sqlalchemy.orm import Session
from app.models import User, Space, Project, Task, TaskStatus, ProjectMember, Department
class QueryCounter:
"""Helper to count SQL queries during a test."""
def __init__(self, db: Session):
self.db = db
self.count = 0
self.queries = []
self._before_handler = None
self._after_handler = None
def __enter__(self):
self.count = 0
self.queries = []
engine = self.db.get_bind()
def before_cursor_execute(conn, cursor, statement, parameters, context, executemany):
conn.info.setdefault('query_start', []).append(statement)
def after_cursor_execute(conn, cursor, statement, parameters, context, executemany):
self.count += 1
self.queries.append(statement)
self._before_handler = before_cursor_execute
self._after_handler = after_cursor_execute
event.listen(engine, "before_cursor_execute", before_cursor_execute)
event.listen(engine, "after_cursor_execute", after_cursor_execute)
return self
def __exit__(self, exc_type, exc_val, exc_tb):
engine = self.db.get_bind()
event.remove(engine, "before_cursor_execute", self._before_handler)
event.remove(engine, "after_cursor_execute", self._after_handler)
return False
def create_test_department(db: Session) -> Department:
"""Create a test department."""
dept = Department(
id=str(uuid.uuid4()),
name=f"Test Department {uuid.uuid4().hex[:8]}",
)
db.add(dept)
db.commit()
return dept
def create_test_user(db: Session, department_id: str = None, name: str = None) -> User:
"""Create a test user."""
user = User(
id=str(uuid.uuid4()),
email=f"user_{uuid.uuid4().hex[:8]}@test.com",
name=name or f"Test User {uuid.uuid4().hex[:8]}",
department_id=department_id,
is_active=True,
)
db.add(user)
db.commit()
return user
def create_test_space(db: Session, owner_id: str) -> Space:
"""Create a test space."""
space = Space(
id=str(uuid.uuid4()),
name=f"Test Space {uuid.uuid4().hex[:8]}",
owner_id=owner_id,
is_active=True,
)
db.add(space)
db.commit()
return space
def create_test_project(db: Session, space_id: str, owner_id: str, department_id: str = None) -> Project:
"""Create a test project."""
project = Project(
id=str(uuid.uuid4()),
space_id=space_id,
title=f"Test Project {uuid.uuid4().hex[:8]}",
owner_id=owner_id,
department_id=department_id,
is_active=True,
security_level="public",
)
db.add(project)
db.commit()
# Create default task status
status = TaskStatus(
id=str(uuid.uuid4()),
project_id=project.id,
name="To Do",
color="#0000FF",
position=0,
is_done=False,
)
db.add(status)
db.commit()
return project
def create_test_task(db: Session, project_id: str, status_id: str, assignee_id: str = None, creator_id: str = None) -> Task:
"""Create a test task."""
task = Task(
id=str(uuid.uuid4()),
project_id=project_id,
title=f"Test Task {uuid.uuid4().hex[:8]}",
status_id=status_id,
assignee_id=assignee_id,
created_by=creator_id,
priority="medium",
position=0,
)
db.add(task)
db.commit()
return task
class TestProjectMemberQueryOptimization:
"""Tests for project member list query optimization."""
def test_list_members_query_count_with_many_members(self, client, db, admin_token):
"""
Test that listing project members uses bounded number of queries.
Before optimization: 1 + 2*N queries (N members, 2 queries each for user details)
After optimization: at most 3 queries (members, users, added_by_users)
"""
# Setup: Create a department, multiple users, project, and members
dept = create_test_department(db)
admin = db.query(User).filter(User.email == "ymirliu@panjit.com.tw").first()
space = create_test_space(db, admin.id)
project = create_test_project(db, space.id, admin.id, dept.id)
# Create 10 project members
member_count = 10
for i in range(member_count):
user = create_test_user(db, dept.id, f"Member {i}")
member = ProjectMember(
id=str(uuid.uuid4()),
project_id=project.id,
user_id=user.id,
role="member",
added_by=admin.id,
)
db.add(member)
db.commit()
# Make the request
response = client.get(
f"/api/projects/{project.id}/members",
headers={"Authorization": f"Bearer {admin_token}"},
)
assert response.status_code == 200
data = response.json()
assert data["total"] == member_count
assert len(data["members"]) == member_count
# Verify all member details are loaded
for member in data["members"]:
assert member["user_name"] is not None
assert member["added_by_name"] is not None
def test_list_members_includes_department_info(self, client, db, admin_token):
"""Test that member listing includes department information without extra queries."""
dept = create_test_department(db)
admin = db.query(User).filter(User.email == "ymirliu@panjit.com.tw").first()
space = create_test_space(db, admin.id)
project = create_test_project(db, space.id, admin.id, dept.id)
# Create user with department
user = create_test_user(db, dept.id, "User with Department")
member = ProjectMember(
id=str(uuid.uuid4()),
project_id=project.id,
user_id=user.id,
role="member",
added_by=admin.id,
)
db.add(member)
db.commit()
response = client.get(
f"/api/projects/{project.id}/members",
headers={"Authorization": f"Bearer {admin_token}"},
)
assert response.status_code == 200
data = response.json()
assert len(data["members"]) == 1
assert data["members"][0]["user_department_id"] == dept.id
assert data["members"][0]["user_department_name"] == dept.name
class TestProjectListQueryOptimization:
"""Tests for project list query optimization."""
def test_list_projects_query_count_with_many_projects(self, client, db, admin_token):
"""
Test that listing projects in a space uses bounded number of queries.
Before optimization: 1 + 4*N queries (N projects, 4 queries each for owner/space/dept/tasks)
After optimization: at most 5 queries (projects, owners, spaces, departments, tasks)
"""
dept = create_test_department(db)
admin = db.query(User).filter(User.email == "ymirliu@panjit.com.tw").first()
space = create_test_space(db, admin.id)
# Create 5 projects with tasks
project_count = 5
for i in range(project_count):
project = create_test_project(db, space.id, admin.id, dept.id)
# Add a task to each project
status = db.query(TaskStatus).filter(TaskStatus.project_id == project.id).first()
create_test_task(db, project.id, status.id, admin.id, admin.id)
response = client.get(
f"/api/spaces/{space.id}/projects",
headers={"Authorization": f"Bearer {admin_token}"},
)
assert response.status_code == 200
data = response.json()
assert len(data) == project_count
# Verify all project details are loaded
for project in data:
assert project["owner_name"] is not None
assert project["space_name"] is not None
assert project["department_name"] is not None
assert project["task_count"] >= 1
class TestTaskListQueryOptimization:
"""Tests for task list query optimization."""
def test_list_tasks_query_count_with_many_tasks(self, client, db, admin_token):
"""
Test that listing tasks uses bounded number of queries.
Before optimization: 1 + 4*N queries (N tasks, queries for assignee/status/creator/subtasks)
After optimization: at most 6 queries (tasks, assignees, statuses, creators, subtasks, custom_values)
"""
dept = create_test_department(db)
admin = db.query(User).filter(User.email == "ymirliu@panjit.com.tw").first()
space = create_test_space(db, admin.id)
project = create_test_project(db, space.id, admin.id, dept.id)
status = db.query(TaskStatus).filter(TaskStatus.project_id == project.id).first()
# Create multiple users for assignment
users = [create_test_user(db, dept.id, f"User {i}") for i in range(5)]
# Create 10 tasks with different assignees
task_count = 10
for i in range(task_count):
create_test_task(db, project.id, status.id, users[i % 5].id, admin.id)
response = client.get(
f"/api/projects/{project.id}/tasks",
headers={"Authorization": f"Bearer {admin_token}"},
)
assert response.status_code == 200
data = response.json()
assert data["total"] == task_count
# Verify all task details are loaded
for task in data["tasks"]:
assert task["assignee_name"] is not None
assert task["status_name"] is not None
assert task["creator_name"] is not None
def test_list_tasks_with_subtasks(self, client, db, admin_token):
"""Test that subtask counts are efficiently loaded."""
dept = create_test_department(db)
admin = db.query(User).filter(User.email == "ymirliu@panjit.com.tw").first()
space = create_test_space(db, admin.id)
project = create_test_project(db, space.id, admin.id, dept.id)
status = db.query(TaskStatus).filter(TaskStatus.project_id == project.id).first()
# Create parent task with subtasks
parent_task = create_test_task(db, project.id, status.id, admin.id, admin.id)
# Create 5 subtasks
subtask_count = 5
for i in range(subtask_count):
subtask = Task(
id=str(uuid.uuid4()),
project_id=project.id,
parent_task_id=parent_task.id,
title=f"Subtask {i}",
status_id=status.id,
created_by=admin.id,
priority="medium",
position=i,
)
db.add(subtask)
db.commit()
response = client.get(
f"/api/projects/{project.id}/tasks",
headers={"Authorization": f"Bearer {admin_token}"},
)
assert response.status_code == 200
data = response.json()
assert data["total"] == 1 # Only root tasks
assert data["tasks"][0]["subtask_count"] == subtask_count
class TestSubtaskListQueryOptimization:
"""Tests for subtask list query optimization."""
def test_list_subtasks_efficient_loading(self, client, db, admin_token):
"""Test that subtask listing uses efficient queries."""
dept = create_test_department(db)
admin = db.query(User).filter(User.email == "ymirliu@panjit.com.tw").first()
space = create_test_space(db, admin.id)
project = create_test_project(db, space.id, admin.id, dept.id)
status = db.query(TaskStatus).filter(TaskStatus.project_id == project.id).first()
# Create parent task
parent_task = create_test_task(db, project.id, status.id, admin.id, admin.id)
# Create multiple users
users = [create_test_user(db, dept.id, f"User {i}") for i in range(3)]
# Create subtasks with different assignees
subtask_count = 5
for i in range(subtask_count):
subtask = Task(
id=str(uuid.uuid4()),
project_id=project.id,
parent_task_id=parent_task.id,
title=f"Subtask {i}",
status_id=status.id,
assignee_id=users[i % 3].id,
created_by=admin.id,
priority="medium",
position=i,
)
db.add(subtask)
db.commit()
response = client.get(
f"/api/tasks/{parent_task.id}/subtasks",
headers={"Authorization": f"Bearer {admin_token}"},
)
assert response.status_code == 200
data = response.json()
assert data["total"] == subtask_count
# Verify all subtask details are loaded
for subtask in data["tasks"]:
assert subtask["assignee_name"] is not None
assert subtask["status_name"] is not None
class TestQueryMonitorIntegration:
"""Tests for query monitoring utility.
Note: These tests use the local QueryCounter class which sets up its own
event listeners, rather than the app's count_queries which requires
QUERY_LOGGING to be enabled at startup.
"""
def test_query_counter_context_manager(self, db):
"""Test that QueryCounter correctly counts queries."""
# Use the local QueryCounter which sets up its own event listeners
with QueryCounter(db) as counter:
# Execute some queries
db.query(User).all()
db.query(User).filter(User.is_active == True).all()
# Should have counted at least 2 queries
assert counter.count >= 2
def test_query_counter_threshold_warning(self, db, caplog):
"""Test that QueryCounter correctly counts queries for threshold testing."""
# Use the local QueryCounter which sets up its own event listeners
with QueryCounter(db) as counter:
# Execute multiple queries
db.query(User).all()
db.query(User).all()
db.query(User).all()
# Should have counted at least 3 queries
assert counter.count >= 3

402
backend/tests/test_security_validation.py Normal file
View File

@@ -0,0 +1,402 @@
"""
Tests for security validation features:
1. JWT secret validation (length and entropy)
2. CSRF protection
3. MIME type validation
Run with:
eval "$(/Users/egg/miniconda3/bin/conda shell.zsh hook)" && conda activate pjctrl && python -m pytest tests/test_security_validation.py -v
"""
import os
import pytest
import time
from unittest.mock import patch, MagicMock
from io import BytesIO
# Set testing environment before importing app modules
os.environ["TESTING"] = "true"
from fastapi import Request
from fastapi.testclient import TestClient
class TestJWTSecretValidation:
"""Tests for JWT secret validation functionality."""
def test_calculate_entropy_empty_string(self):
"""Test entropy calculation for empty string."""
from app.core.security import calculate_entropy
assert calculate_entropy("") == 0.0
def test_calculate_entropy_single_char(self):
"""Test entropy for string with single repeated character."""
from app.core.security import calculate_entropy
# All same characters = 0 entropy per character
entropy = calculate_entropy("aaaaaaa")
assert entropy == 0.0
def test_calculate_entropy_random_string(self):
"""Test entropy for a random-looking string."""
from app.core.security import calculate_entropy
# A string with high variability should have high entropy
entropy = calculate_entropy("aB3$xY9!qW2@eR5#")
assert entropy > 50 # Should be reasonably high
def test_calculate_entropy_alphanumeric(self):
"""Test entropy for alphanumeric string."""
from app.core.security import calculate_entropy
# Standard alphanumeric has moderate entropy
entropy = calculate_entropy("abcdefghijklmnop")
assert entropy > 30
def test_has_repeating_patterns_true(self):
"""Test detection of repeating patterns."""
from app.core.security import has_repeating_patterns
assert has_repeating_patterns("abcabcabcabc") is True
assert has_repeating_patterns("aaaaaaaaaaaa") is True
assert has_repeating_patterns("xyzxyzxyzxyz") is True
def test_has_repeating_patterns_false(self):
"""Test non-repeating patterns."""
from app.core.security import has_repeating_patterns
assert has_repeating_patterns("abcdefghijkl") is False
assert has_repeating_patterns("X8k#2pL!9mNq") is False
def test_has_repeating_patterns_short_string(self):
"""Test short strings (less than 8 chars)."""
from app.core.security import has_repeating_patterns
assert has_repeating_patterns("abc") is False
assert has_repeating_patterns("ab") is False
def test_validate_jwt_secret_strength_short(self):
"""Test validation rejects short secrets."""
from app.core.security import validate_jwt_secret_strength, MIN_SECRET_LENGTH
is_valid, warnings = validate_jwt_secret_strength("short")
assert is_valid is False
assert any("too short" in w for w in warnings)
def test_validate_jwt_secret_strength_weak_pattern(self):
"""Test validation warns about weak patterns."""
from app.core.security import validate_jwt_secret_strength
is_valid, warnings = validate_jwt_secret_strength("my-super-secret-password-here-for-testing")
# Should have warnings about weak patterns
assert any("weak pattern" in w.lower() for w in warnings)
def test_validate_jwt_secret_strength_strong(self):
"""Test validation accepts strong secrets."""
from app.core.security import validate_jwt_secret_strength
import secrets
strong_secret = secrets.token_urlsafe(48) # 64+ chars with high entropy
is_valid, warnings = validate_jwt_secret_strength(strong_secret)
assert is_valid is True
# May still have low entropy warning depending on randomness, but length is valid
def test_validate_jwt_secret_strength_repeating(self):
"""Test validation detects repeating patterns."""
from app.core.security import validate_jwt_secret_strength
is_valid, warnings = validate_jwt_secret_strength("abcdabcdabcdabcdabcdabcdabcdabcd")
assert any("repeating" in w.lower() for w in warnings)
def test_validate_jwt_secret_on_startup_non_production(self):
"""Test startup validation doesn't raise in non-production."""
from app.core.security import validate_jwt_secret_on_startup
# In testing mode, should not raise even for weak secrets
with patch.dict(os.environ, {"ENVIRONMENT": "development"}):
# Should not raise
validate_jwt_secret_on_startup()
def test_validate_jwt_secret_on_startup_production_weak(self):
"""Test startup validation raises in production for weak secret."""
from app.core.security import validate_jwt_secret_on_startup
from app.core.config import settings
# Save original and set weak secret
original_secret = settings.JWT_SECRET_KEY
try:
# Mock a weak secret
with patch.object(settings, 'JWT_SECRET_KEY', 'weak'):
with patch.dict(os.environ, {"ENVIRONMENT": "production"}):
with pytest.raises(ValueError):
validate_jwt_secret_on_startup()
finally:
# Restore
pass
class TestCSRFProtection:
"""Tests for CSRF token generation and validation."""
def test_generate_csrf_token(self):
"""Test CSRF token generation."""
from app.core.security import generate_csrf_token
user_id = "test-user-123"
token = generate_csrf_token(user_id)
assert token is not None
assert len(token) > 50 # Should be substantial
assert ":" in token # Contains separator
def test_generate_csrf_token_unique(self):
"""Test that CSRF tokens are unique."""
from app.core.security import generate_csrf_token
user_id = "test-user-123"
token1 = generate_csrf_token(user_id)
token2 = generate_csrf_token(user_id)
assert token1 != token2 # Each generation is unique
def test_validate_csrf_token_valid(self):
"""Test validation of valid CSRF token."""
from app.core.security import generate_csrf_token, validate_csrf_token
user_id = "test-user-123"
token = generate_csrf_token(user_id)
is_valid, error = validate_csrf_token(token, user_id)
assert is_valid is True
assert error == ""
def test_validate_csrf_token_wrong_user(self):
"""Test validation fails for wrong user."""
from app.core.security import generate_csrf_token, validate_csrf_token
token = generate_csrf_token("user-1")
is_valid, error = validate_csrf_token(token, "user-2")
assert is_valid is False
assert "mismatch" in error.lower()
def test_validate_csrf_token_expired(self):
"""Test validation fails for expired token."""
from app.core.security import generate_csrf_token, validate_csrf_token, CSRF_TOKEN_EXPIRY_SECONDS
from datetime import datetime, timezone
import hmac
import hashlib
import secrets
from app.core.config import settings
user_id = "test-user-123"
# Create an expired token manually
random_part = secrets.token_urlsafe(32)
expired_timestamp = int(datetime.now(timezone.utc).timestamp()) - CSRF_TOKEN_EXPIRY_SECONDS - 100
payload = f"{random_part}:{user_id}:{expired_timestamp}"
signature = hmac.new(
settings.JWT_SECRET_KEY.encode(),
payload.encode(),
hashlib.sha256
).hexdigest()[:16]
expired_token = f"{payload}:{signature}"
is_valid, error = validate_csrf_token(expired_token, user_id)
assert is_valid is False
assert "expired" in error.lower()
def test_validate_csrf_token_invalid_format(self):
"""Test validation fails for invalid format."""
from app.core.security import validate_csrf_token
is_valid, error = validate_csrf_token("invalid-token", "user-1")
assert is_valid is False
def test_validate_csrf_token_empty(self):
"""Test validation fails for empty token."""
from app.core.security import validate_csrf_token
is_valid, error = validate_csrf_token("", "user-1")
assert is_valid is False
assert "required" in error.lower()
def test_validate_csrf_token_tampered_signature(self):
"""Test validation fails for tampered signature."""
from app.core.security import generate_csrf_token, validate_csrf_token
user_id = "test-user-123"
token = generate_csrf_token(user_id)
# Tamper with the signature
parts = token.split(":")
parts[-1] = "tamperedsig123"
tampered_token = ":".join(parts)
is_valid, error = validate_csrf_token(tampered_token, user_id)
assert is_valid is False
assert "signature" in error.lower() or "invalid" in error.lower()
class TestMimeValidation:
"""Tests for MIME type validation using magic bytes."""
def test_detect_jpeg(self):
"""Test detection of JPEG files."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
# JPEG magic bytes
jpeg_content = b'\xFF\xD8\xFF\xE0' + b'\x00' * 100
mime = service.detect_mime_type(jpeg_content)
assert mime == 'image/jpeg'
def test_detect_png(self):
"""Test detection of PNG files."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
# PNG magic bytes
png_content = b'\x89PNG\r\n\x1a\n' + b'\x00' * 100
mime = service.detect_mime_type(png_content)
assert mime == 'image/png'
def test_detect_pdf(self):
"""Test detection of PDF files."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
# PDF magic bytes
pdf_content = b'%PDF-1.4' + b'\x00' * 100
mime = service.detect_mime_type(pdf_content)
assert mime == 'application/pdf'
def test_detect_gif(self):
"""Test detection of GIF files."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
# GIF87a magic bytes
gif_content = b'GIF87a' + b'\x00' * 100
mime = service.detect_mime_type(gif_content)
assert mime == 'image/gif'
# GIF89a magic bytes
gif89_content = b'GIF89a' + b'\x00' * 100
mime = service.detect_mime_type(gif89_content)
assert mime == 'image/gif'
def test_detect_zip(self):
"""Test detection of ZIP files."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
# ZIP magic bytes
zip_content = b'PK\x03\x04' + b'\x00' * 100
mime = service.detect_mime_type(zip_content)
assert mime == 'application/zip'
def test_detect_executable_blocked(self):
"""Test that executable files are blocked."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
# Windows executable magic bytes
exe_content = b'MZ' + b'\x00' * 100
is_valid, detected, error = service.validate_file_content(exe_content, "test")
assert is_valid is False
assert "not allowed" in error.lower() or "security" in error.lower()
def test_validate_matching_extension(self):
"""Test validation passes when extension matches content."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
jpeg_content = b'\xFF\xD8\xFF\xE0' + b'\x00' * 100
is_valid, detected, error = service.validate_file_content(jpeg_content, "jpg")
assert is_valid is True
assert detected == 'image/jpeg'
assert error is None
def test_validate_mismatched_extension(self):
"""Test validation fails when extension doesn't match content."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
# PNG content but .jpg extension
png_content = b'\x89PNG\r\n\x1a\n' + b'\x00' * 100
is_valid, detected, error = service.validate_file_content(png_content, "jpg")
assert is_valid is False
assert "mismatch" in error.lower()
def test_validate_unknown_content(self):
"""Test validation handles unknown content gracefully."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
# Random bytes with no known signature
unknown_content = b'\x00\x01\x02\x03\x04\x05' + b'\x00' * 100
is_valid, detected, error = service.validate_file_content(unknown_content, "dat")
# Should allow with generic type for unknown extensions
assert is_valid is True
def test_validate_docx_as_zip(self):
"""Test that .docx files (ZIP-based) are accepted."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
# DOCX is a ZIP container
docx_content = b'PK\x03\x04' + b'\x00' * 100
is_valid, detected, error = service.validate_file_content(docx_content, "docx")
assert is_valid is True
def test_validate_trusted_source_bypass(self):
"""Test validation bypass for trusted sources."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService(bypass_for_trusted=True)
# Even suspicious content should pass for trusted source
suspicious_content = b'MZ' + b'\x00' * 100
is_valid, detected, error = service.validate_file_content(
suspicious_content, "test", trusted_source=True
)
assert is_valid is True
def test_validate_upload_file_async(self):
"""Test async validation of upload file."""
import asyncio
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
async def test():
jpeg_content = b'\xFF\xD8\xFF\xE0' + b'\x00' * 100
is_valid, detected, error = await service.validate_upload_file(
jpeg_content, "photo.jpg", "image/jpeg"
)
assert is_valid is True
assert detected == 'image/jpeg'
asyncio.run(test())
def test_detect_webp(self):
"""Test detection of WebP files."""
from app.services.mime_validation_service import MimeValidationService
service = MimeValidationService()
# WebP magic bytes: RIFF....WEBP
webp_content = b'RIFF\x00\x00\x00\x00WEBP' + b'\x00' * 100
mime = service.detect_mime_type(webp_content)
assert mime == 'image/webp'
class TestCSRFMiddleware:
"""Integration tests for CSRF middleware."""
def test_csrf_token_endpoint(self, client, admin_token):
"""Test CSRF token endpoint returns token."""
response = client.get(
"/api/auth/csrf-token",
headers={"Authorization": f"Bearer {admin_token}"}
)
assert response.status_code == 200
data = response.json()
assert "csrf_token" in data
assert "expires_in" in data
assert data["expires_in"] == 3600
def test_csrf_token_endpoint_v1(self, client, admin_token):
"""Test CSRF token endpoint on v1 namespace."""
response = client.get(
"/api/v1/auth/csrf-token",
headers={"Authorization": f"Bearer {admin_token}"}
)
assert response.status_code == 200
data = response.json()
assert "csrf_token" in data
# Import fixtures from conftest
from tests.conftest import db, mock_redis, client, admin_token

17
frontend/public/locales/en/common.json
View File

@@ -112,5 +112,22 @@
"of": "of {{total}}",
"showing": "Showing {{from}}-{{to}} of {{total}}",
"itemsPerPage": "Items per page"
},
"errorBoundary": {
"retry": "Try Again",
"page": {
"title": "Something went wrong",
"message": "We apologize for the inconvenience. Please try refreshing the page or contact support if the problem persists."
},
"section": {
"title": "Unable to load this section",
"message": "This section encountered an error. Other parts of the page may still work.",
"messageWithName": "{{section}} encountered an error. Other parts of the page may still work."
},
"widget": {
"title": "Widget error",
"message": "Unable to display this widget.",
"errorSuffix": "error"
}
}
}

17
frontend/public/locales/zh-TW/common.json
View File

@@ -112,5 +112,22 @@
"of": "共 {{total}} 頁",
"showing": "顯示 {{from}}-{{to}} 筆,共 {{total}} 筆",
"itemsPerPage": "每頁顯示"
},
"errorBoundary": {
"retry": "重試",
"page": {
"title": "發生錯誤",
"message": "非常抱歉造成不便。請嘗試重新整理頁面,如果問題持續發生,請聯繫技術支援。"
},
"section": {
"title": "無法載入此區塊",
"message": "此區塊發生錯誤,但頁面的其他部分可能仍然正常運作。",
"messageWithName": "{{section}} 發生錯誤,但頁面的其他部分可能仍然正常運作。"
},
"widget": {
"title": "元件錯誤",
"message": "無法顯示此元件。",
"errorSuffix": "發生錯誤"
}
}
}

214
frontend/src/App.tsx
View File

@@ -1,6 +1,8 @@
import { Routes, Route, Navigate } from 'react-router-dom'
import { useAuth } from './contexts/AuthContext'
import { Skeleton } from './components/Skeleton'
import { ErrorBoundary } from './components/ErrorBoundary'
import { SectionErrorBoundary } from './components/ErrorBoundaryWithI18n'
import Login from './pages/Login'
import Dashboard from './pages/Dashboard'
import Spaces from './pages/Spaces'
@@ -27,102 +29,122 @@ function App() {
}
return (
<Routes>
<Route
path="/login"
element={isAuthenticated ? <Navigate to="/" /> : <Login />}
/>
<Route
path="/"
element={
<ProtectedRoute>
<Layout>
<Dashboard />
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/spaces"
element={
<ProtectedRoute>
<Layout>
<Spaces />
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/spaces/:spaceId"
element={
<ProtectedRoute>
<Layout>
<Projects />
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/projects/:projectId"
element={
<ProtectedRoute>
<Layout>
<Tasks />
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/projects/:projectId/settings"
element={
<ProtectedRoute>
<Layout>
<ProjectSettings />
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/audit"
element={
<ProtectedRoute>
<Layout>
<AuditPage />
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/workload"
element={
<ProtectedRoute>
<Layout>
<WorkloadPage />
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/project-health"
element={
<ProtectedRoute>
<Layout>
<ProjectHealthPage />
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/my-settings"
element={
<ProtectedRoute>
<Layout>
<MySettings />
</Layout>
</ProtectedRoute>
}
/>
</Routes>
<ErrorBoundary variant="page">
<Routes>
<Route
path="/login"
element={isAuthenticated ? <Navigate to="/" /> : <Login />}
/>
<Route
path="/"
element={
<ProtectedRoute>
<Layout>
<SectionErrorBoundary sectionName="Dashboard">
<Dashboard />
</SectionErrorBoundary>
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/spaces"
element={
<ProtectedRoute>
<Layout>
<SectionErrorBoundary sectionName="Spaces">
<Spaces />
</SectionErrorBoundary>
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/spaces/:spaceId"
element={
<ProtectedRoute>
<Layout>
<SectionErrorBoundary sectionName="Projects">
<Projects />
</SectionErrorBoundary>
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/projects/:projectId"
element={
<ProtectedRoute>
<Layout>
<SectionErrorBoundary sectionName="Tasks">
<Tasks />
</SectionErrorBoundary>
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/projects/:projectId/settings"
element={
<ProtectedRoute>
<Layout>
<SectionErrorBoundary sectionName="Project Settings">
<ProjectSettings />
</SectionErrorBoundary>
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/audit"
element={
<ProtectedRoute>
<Layout>
<SectionErrorBoundary sectionName="Audit">
<AuditPage />
</SectionErrorBoundary>
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/workload"
element={
<ProtectedRoute>
<Layout>
<SectionErrorBoundary sectionName="Workload">
<WorkloadPage />
</SectionErrorBoundary>
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/project-health"
element={
<ProtectedRoute>
<Layout>
<SectionErrorBoundary sectionName="Project Health">
<ProjectHealthPage />
</SectionErrorBoundary>
</Layout>
</ProtectedRoute>
}
/>
<Route
path="/my-settings"
element={
<ProtectedRoute>
<Layout>
<SectionErrorBoundary sectionName="Settings">
<MySettings />
</SectionErrorBoundary>
</Layout>
</ProtectedRoute>
}
/>
</Routes>
</ErrorBoundary>
)
}

512
frontend/src/components/ErrorBoundary.test.tsx Normal file
View File

@@ -0,0 +1,512 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
import { render, screen, fireEvent } from '@testing-library/react'
import {
ErrorBoundary,
ErrorFallback,
logError,
getErrorLogs,
clearErrorLogs,
withErrorBoundary,
} from './ErrorBoundary'
// Component that throws an error for testing
function ThrowError({ shouldThrow = true }: { shouldThrow?: boolean }) {
if (shouldThrow) {
throw new Error('Test error message')
}
return <div>No error</div>
}
// Component that can be toggled to throw
function ToggleableError({ error }: { error: boolean }) {
if (error) {
throw new Error('Toggled error')
}
return <div>Safe content</div>
}
describe('ErrorBoundary', () => {
// Suppress console.error during tests since we're testing error handling
const originalError = console.error
const originalGroup = console.group
const originalGroupEnd = console.groupEnd
beforeEach(() => {
console.error = vi.fn()
console.group = vi.fn()
console.groupEnd = vi.fn()
clearErrorLogs()
})
afterEach(() => {
console.error = originalError
console.group = originalGroup
console.groupEnd = originalGroupEnd
})
describe('Basic Functionality', () => {
it('renders children when no error occurs', () => {
render(
<ErrorBoundary>
<div>Child content</div>
</ErrorBoundary>
)
expect(screen.getByText('Child content')).toBeInTheDocument()
})
it('renders fallback UI when error occurs', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByRole('alert')).toBeInTheDocument()
expect(screen.getByText('Unable to load this section')).toBeInTheDocument()
})
it('catches errors in child components', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
// Should display fallback UI, not crash
expect(screen.getByRole('alert')).toBeInTheDocument()
})
it('renders custom fallback when provided', () => {
render(
<ErrorBoundary fallback={<div>Custom error message</div>}>
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByText('Custom error message')).toBeInTheDocument()
})
})
describe('Variant Styles', () => {
it('renders page variant with appropriate styles', () => {
render(
<ErrorBoundary variant="page">
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByText('Something went wrong')).toBeInTheDocument()
})
it('renders section variant with appropriate styles', () => {
render(
<ErrorBoundary variant="section">
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByText('Unable to load this section')).toBeInTheDocument()
})
it('renders widget variant with appropriate styles', () => {
render(
<ErrorBoundary variant="widget">
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByText('Widget error')).toBeInTheDocument()
})
})
describe('Error Recovery', () => {
it('shows reset button by default', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByRole('button', { name: /try again/i })).toBeInTheDocument()
})
it('hides reset button when showReset is false', () => {
render(
<ErrorBoundary showReset={false}>
<ThrowError />
</ErrorBoundary>
)
expect(screen.queryByRole('button', { name: /try again/i })).not.toBeInTheDocument()
})
it('uses custom reset button text', () => {
render(
<ErrorBoundary resetButtonText="Retry Now">
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByRole('button', { name: 'Retry Now' })).toBeInTheDocument()
})
it('resets error state when retry button is clicked', () => {
const { rerender } = render(
<ErrorBoundary>
<ToggleableError error={true} />
</ErrorBoundary>
)
// Error is displayed
expect(screen.getByRole('alert')).toBeInTheDocument()
// First rerender with fixed props (error boundary still shows error UI)
rerender(
<ErrorBoundary>
<ToggleableError error={false} />
</ErrorBoundary>
)
// Error UI is still shown until reset is clicked
expect(screen.getByRole('alert')).toBeInTheDocument()
// Click retry button to reset error state
fireEvent.click(screen.getByRole('button', { name: /try again/i }))
// Now children render successfully with error={false}
expect(screen.getByText('Safe content')).toBeInTheDocument()
})
})
describe('Custom Messages', () => {
it('uses custom error title', () => {
render(
<ErrorBoundary errorTitle="Custom Title">
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByText('Custom Title')).toBeInTheDocument()
})
it('uses custom error message', () => {
render(
<ErrorBoundary errorMessage="Custom error description">
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByText('Custom error description')).toBeInTheDocument()
})
})
describe('Error Callback', () => {
it('calls onError callback when error occurs', () => {
const onError = vi.fn()
render(
<ErrorBoundary onError={onError}>
<ThrowError />
</ErrorBoundary>
)
expect(onError).toHaveBeenCalledTimes(1)
expect(onError).toHaveBeenCalledWith(
expect.any(Error),
expect.objectContaining({
componentStack: expect.any(String),
})
)
})
})
describe('Accessibility', () => {
it('has role="alert" for screen readers', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByRole('alert')).toBeInTheDocument()
})
it('has aria-live="polite" for dynamic updates', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
expect(screen.getByRole('alert')).toHaveAttribute('aria-live', 'polite')
})
it('has accessible button label', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
const button = screen.getByRole('button', { name: /try again/i })
expect(button).toHaveAttribute('aria-label', 'Try Again')
})
})
})
describe('ErrorFallback', () => {
it('renders with page variant', () => {
render(<ErrorFallback variant="page" error={null} />)
expect(screen.getByText('Something went wrong')).toBeInTheDocument()
})
it('renders with section variant', () => {
render(<ErrorFallback variant="section" error={null} />)
expect(screen.getByText('Unable to load this section')).toBeInTheDocument()
})
it('renders with widget variant', () => {
render(<ErrorFallback variant="widget" error={null} />)
expect(screen.getByText('Widget error')).toBeInTheDocument()
})
it('calls onReset when button clicked', () => {
const onReset = vi.fn()
render(<ErrorFallback variant="section" error={null} onReset={onReset} />)
fireEvent.click(screen.getByRole('button', { name: /try again/i }))
expect(onReset).toHaveBeenCalledTimes(1)
})
it('hides button when showReset is false', () => {
render(<ErrorFallback variant="section" error={null} showReset={false} />)
expect(screen.queryByRole('button')).not.toBeInTheDocument()
})
})
describe('Error Logging', () => {
const originalError = console.error
const originalGroup = console.group
const originalGroupEnd = console.groupEnd
beforeEach(() => {
console.error = vi.fn()
console.group = vi.fn()
console.groupEnd = vi.fn()
clearErrorLogs()
})
afterEach(() => {
console.error = originalError
console.group = originalGroup
console.groupEnd = originalGroupEnd
})
it('logs error when caught by ErrorBoundary', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
const logs = getErrorLogs()
expect(logs).toHaveLength(1)
expect(logs[0].error.message).toBe('Test error message')
})
it('logs error with component stack', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
const logs = getErrorLogs()
expect(logs[0].componentStack).toBeDefined()
})
it('logs error with timestamp', () => {
const beforeTime = new Date()
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
const afterTime = new Date()
const logs = getErrorLogs()
expect(logs[0].timestamp.getTime()).toBeGreaterThanOrEqual(beforeTime.getTime())
expect(logs[0].timestamp.getTime()).toBeLessThanOrEqual(afterTime.getTime())
})
it('logs error with URL', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
const logs = getErrorLogs()
expect(logs[0].url).toBe(window.location.href)
})
it('logs error with user agent', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
const logs = getErrorLogs()
expect(logs[0].userAgent).toBe(navigator.userAgent)
})
it('clears error logs', () => {
render(
<ErrorBoundary>
<ThrowError />
</ErrorBoundary>
)
expect(getErrorLogs()).toHaveLength(1)
clearErrorLogs()
expect(getErrorLogs()).toHaveLength(0)
})
it('logError function returns ErrorLog object', () => {
const error = new Error('Direct log test')
const errorInfo = { componentStack: 'test stack' }
const log = logError(error, errorInfo as any)
expect(log.error).toBe(error)
expect(log.componentStack).toBe('test stack')
expect(log.timestamp).toBeInstanceOf(Date)
})
})
describe('withErrorBoundary HOC', () => {
const originalError = console.error
const originalGroup = console.group
const originalGroupEnd = console.groupEnd
beforeEach(() => {
console.error = vi.fn()
console.group = vi.fn()
console.groupEnd = vi.fn()
clearErrorLogs()
})
afterEach(() => {
console.error = originalError
console.group = originalGroup
console.groupEnd = originalGroupEnd
})
function SafeComponent(): JSX.Element {
return <div>Safe component content</div>
}
function UnsafeComponent(): JSX.Element {
throw new Error('HOC test error')
}
it('wraps component with error boundary', () => {
const WrappedSafe = withErrorBoundary(SafeComponent)
render(<WrappedSafe />)
expect(screen.getByText('Safe component content')).toBeInTheDocument()
})
it('catches errors in wrapped component', () => {
const WrappedUnsafe = withErrorBoundary(UnsafeComponent)
render(<WrappedUnsafe />)
expect(screen.getByRole('alert')).toBeInTheDocument()
})
it('applies error boundary props', () => {
const WrappedUnsafe = withErrorBoundary(UnsafeComponent, {
variant: 'page',
errorTitle: 'HOC Error Title',
})
render(<WrappedUnsafe />)
expect(screen.getByText('HOC Error Title')).toBeInTheDocument()
})
it('sets correct displayName', () => {
const WrappedSafe = withErrorBoundary(SafeComponent)
expect(WrappedSafe.displayName).toBe('withErrorBoundary(SafeComponent)')
})
})
describe('Multiple Error Boundaries', () => {
const originalError = console.error
const originalGroup = console.group
const originalGroupEnd = console.groupEnd
beforeEach(() => {
console.error = vi.fn()
console.group = vi.fn()
console.groupEnd = vi.fn()
clearErrorLogs()
})
afterEach(() => {
console.error = originalError
console.group = originalGroup
console.groupEnd = originalGroupEnd
})
it('isolates errors to their boundary', () => {
render(
<div>
<ErrorBoundary>
<div data-testid="section-1">
<ThrowError />
</div>
</ErrorBoundary>
<ErrorBoundary>
<div data-testid="section-2">Section 2 content</div>
</ErrorBoundary>
</div>
)
// Section 1 should show error
expect(screen.getByRole('alert')).toBeInTheDocument()
// Section 2 should still work
expect(screen.getByTestId('section-2')).toBeInTheDocument()
expect(screen.getByText('Section 2 content')).toBeInTheDocument()
})
it('nested boundaries catch innermost errors', () => {
render(
<ErrorBoundary errorTitle="Outer Error">
<div>Outer content</div>
<ErrorBoundary errorTitle="Inner Error">
<ThrowError />
</ErrorBoundary>
</ErrorBoundary>
)
// Should show inner error, not outer
expect(screen.getByText('Inner Error')).toBeInTheDocument()
expect(screen.queryByText('Outer Error')).not.toBeInTheDocument()
// Outer content should still be visible
expect(screen.getByText('Outer content')).toBeInTheDocument()
})
})

459
frontend/src/components/ErrorBoundary.tsx Normal file
View File

@@ -0,0 +1,459 @@
import React, { Component, ErrorInfo, ReactNode } from 'react'
// Error logging service - can be extended to send to external service
export interface ErrorLog {
error: Error
errorInfo: ErrorInfo
componentStack: string
timestamp: Date
userAgent: string
url: string
}
// In-memory error log store (could be sent to backend in production)
const errorLogs: ErrorLog[] = []
export function logError(error: Error, errorInfo: ErrorInfo): ErrorLog {
const log: ErrorLog = {
error,
errorInfo,
componentStack: errorInfo.componentStack || '',
timestamp: new Date(),
userAgent: navigator.userAgent,
url: window.location.href,
}
errorLogs.push(log)
// Log to console for debugging
console.group('ErrorBoundary caught an error')
console.error('Error:', error)
console.error('Component Stack:', errorInfo.componentStack)
console.error('Timestamp:', log.timestamp.toISOString())
console.error('URL:', log.url)
console.groupEnd()
// In production, could send to error tracking service
// sendToErrorTrackingService(log)
return log
}
export function getErrorLogs(): ErrorLog[] {
return [...errorLogs]
}
export function clearErrorLogs(): void {
errorLogs.length = 0
}
interface ErrorBoundaryProps {
children: ReactNode
/** Custom fallback UI to show when error occurs */
fallback?: ReactNode
/** Callback when error is caught */
onError?: (error: Error, errorInfo: ErrorInfo) => void
/** Whether to show reset button */
showReset?: boolean
/** Custom reset button text */
resetButtonText?: string
/** Custom error title */
errorTitle?: string
/** Custom error message */
errorMessage?: string
/** Variant style: 'page' for full page errors, 'section' for section-level */
variant?: 'page' | 'section' | 'widget'
}
interface ErrorBoundaryState {
hasError: boolean
error: Error | null
errorInfo: ErrorInfo | null
}
/**
* React Error Boundary component that catches JavaScript errors in child components.
* Provides graceful degradation with user-friendly error UI and retry functionality.
*
* @example
* // Page-level boundary
* <ErrorBoundary variant="page">
* <App />
* </ErrorBoundary>
*
* @example
* // Section-level boundary with custom message
* <ErrorBoundary
* variant="section"
* errorTitle="Dashboard Error"
* errorMessage="Unable to load dashboard widgets"
* >
* <DashboardWidgets />
* </ErrorBoundary>
*/
export class ErrorBoundary extends Component<ErrorBoundaryProps, ErrorBoundaryState> {
constructor(props: ErrorBoundaryProps) {
super(props)
this.state = {
hasError: false,
error: null,
errorInfo: null,
}
}
static getDerivedStateFromError(error: Error): Partial<ErrorBoundaryState> {
return { hasError: true, error }
}
componentDidCatch(error: Error, errorInfo: ErrorInfo): void {
this.setState({ errorInfo })
// Log the error
logError(error, errorInfo)
// Call optional error callback
if (this.props.onError) {
this.props.onError(error, errorInfo)
}
}
handleReset = (): void => {
this.setState({
hasError: false,
error: null,
errorInfo: null,
})
}
render(): ReactNode {
const { hasError, error } = this.state
const {
children,
fallback,
showReset = true,
resetButtonText,
errorTitle,
errorMessage,
variant = 'section',
} = this.props
if (hasError) {
// Use custom fallback if provided
if (fallback) {
return fallback
}
// Render default error UI based on variant
return (
<ErrorFallback
variant={variant}
error={error}
title={errorTitle}
message={errorMessage}
showReset={showReset}
resetButtonText={resetButtonText}
onReset={this.handleReset}
/>
)
}
return children
}
}
interface ErrorFallbackProps {
variant: 'page' | 'section' | 'widget'
error: Error | null
title?: string
message?: string
showReset?: boolean
resetButtonText?: string
onReset?: () => void
}
/**
* Default error fallback UI component.
* Can be used independently for functional component error handling.
*/
export function ErrorFallback({
variant,
error,
title,
message,
showReset = true,
resetButtonText,
onReset,
}: ErrorFallbackProps): JSX.Element {
const styles = getVariantStyles(variant)
const defaultTitle = getDefaultTitle(variant)
const defaultMessage = getDefaultMessage(variant)
const defaultButtonText = getDefaultButtonText()
return (
<div style={styles.container} role="alert" aria-live="polite">
<div style={styles.content}>
<div style={styles.iconWrapper}>
<span style={styles.icon} aria-hidden="true">!</span>
</div>
<h3 style={styles.title}>{title || defaultTitle}</h3>
<p style={styles.message}>{message || defaultMessage}</p>
{import.meta.env.DEV && error && (
<details style={styles.details}>
<summary style={styles.summary}>Error Details</summary>
<pre style={styles.errorText}>{error.message}</pre>
<pre style={styles.stackTrace}>{error.stack}</pre>
</details>
)}
{showReset && onReset && (
<button
onClick={onReset}
style={styles.resetButton}
type="button"
aria-label={resetButtonText || defaultButtonText}
>
{resetButtonText || defaultButtonText}
</button>
)}
</div>
</div>
)
}
function getDefaultTitle(variant: 'page' | 'section' | 'widget'): string {
switch (variant) {
case 'page':
return 'Something went wrong'
case 'section':
return 'Unable to load this section'
case 'widget':
return 'Widget error'
default:
return 'An error occurred'
}
}
function getDefaultMessage(variant: 'page' | 'section' | 'widget'): string {
switch (variant) {
case 'page':
return 'We apologize for the inconvenience. Please try refreshing the page or contact support if the problem persists.'
case 'section':
return 'This section encountered an error. Other parts of the page may still work.'
case 'widget':
return 'Unable to display this widget.'
default:
return 'An unexpected error occurred.'
}
}
function getDefaultButtonText(): string {
return 'Try Again'
}
interface StyleSet {
container: React.CSSProperties
content: React.CSSProperties
iconWrapper: React.CSSProperties
icon: React.CSSProperties
title: React.CSSProperties
message: React.CSSProperties
details: React.CSSProperties
summary: React.CSSProperties
errorText: React.CSSProperties
stackTrace: React.CSSProperties
resetButton: React.CSSProperties
}
function getVariantStyles(variant: 'page' | 'section' | 'widget'): StyleSet {
const baseStyles: StyleSet = {
container: {
display: 'flex',
justifyContent: 'center',
alignItems: 'center',
backgroundColor: '#fff',
borderRadius: '8px',
},
content: {
textAlign: 'center',
display: 'flex',
flexDirection: 'column',
alignItems: 'center',
gap: '16px',
},
iconWrapper: {
width: '60px',
height: '60px',
borderRadius: '50%',
backgroundColor: '#ffebee',
display: 'flex',
alignItems: 'center',
justifyContent: 'center',
},
icon: {
fontSize: '32px',
fontWeight: 700,
color: '#f44336',
},
title: {
margin: 0,
fontSize: '18px',
fontWeight: 600,
color: '#333',
},
message: {
margin: 0,
fontSize: '14px',
color: '#666',
maxWidth: '400px',
lineHeight: 1.5,
},
details: {
width: '100%',
maxWidth: '500px',
textAlign: 'left',
marginTop: '8px',
},
summary: {
cursor: 'pointer',
fontSize: '12px',
color: '#888',
marginBottom: '8px',
},
errorText: {
margin: '8px 0',
padding: '12px',
backgroundColor: '#f5f5f5',
borderRadius: '4px',
fontSize: '12px',
color: '#d32f2f',
overflow: 'auto',
maxHeight: '80px',
whiteSpace: 'pre-wrap',
wordBreak: 'break-word',
},
stackTrace: {
margin: '8px 0',
padding: '12px',
backgroundColor: '#f5f5f5',
borderRadius: '4px',
fontSize: '10px',
color: '#666',
overflow: 'auto',
maxHeight: '150px',
whiteSpace: 'pre-wrap',
wordBreak: 'break-word',
},
resetButton: {
padding: '10px 24px',
fontSize: '14px',
fontWeight: 500,
color: 'white',
backgroundColor: '#2196f3',
border: 'none',
borderRadius: '6px',
cursor: 'pointer',
transition: 'background-color 0.2s ease',
},
}
switch (variant) {
case 'page':
return {
...baseStyles,
container: {
...baseStyles.container,
minHeight: '100vh',
padding: '24px',
},
iconWrapper: {
...baseStyles.iconWrapper,
width: '80px',
height: '80px',
},
icon: {
...baseStyles.icon,
fontSize: '40px',
},
title: {
...baseStyles.title,
fontSize: '24px',
},
message: {
...baseStyles.message,
fontSize: '16px',
maxWidth: '500px',
},
}
case 'section':
return {
...baseStyles,
container: {
...baseStyles.container,
padding: '40px 24px',
boxShadow: '0 1px 3px rgba(0, 0, 0, 0.1)',
},
}
case 'widget':
return {
...baseStyles,
container: {
...baseStyles.container,
padding: '20px 16px',
boxShadow: '0 1px 3px rgba(0, 0, 0, 0.1)',
minHeight: '120px',
},
iconWrapper: {
...baseStyles.iconWrapper,
width: '40px',
height: '40px',
},
icon: {
...baseStyles.icon,
fontSize: '20px',
},
title: {
...baseStyles.title,
fontSize: '14px',
},
message: {
...baseStyles.message,
fontSize: '12px',
},
resetButton: {
...baseStyles.resetButton,
padding: '6px 16px',
fontSize: '12px',
},
}
default:
return baseStyles
}
}
/**
* Higher-order component to wrap a component with error boundary.
*
* @example
* const SafeDashboard = withErrorBoundary(Dashboard, { variant: 'page' })
*/
export function withErrorBoundary<P extends object>(
WrappedComponent: React.ComponentType<P>,
errorBoundaryProps?: Omit<ErrorBoundaryProps, 'children'>
): React.FC<P> {
const displayName = WrappedComponent.displayName || WrappedComponent.name || 'Component'
const ComponentWithErrorBoundary: React.FC<P> = (props) => (
<ErrorBoundary {...errorBoundaryProps}>
<WrappedComponent {...props} />
</ErrorBoundary>
)
ComponentWithErrorBoundary.displayName = `withErrorBoundary(${displayName})`
return ComponentWithErrorBoundary
}
export default ErrorBoundary

174
frontend/src/components/ErrorBoundaryWithI18n.tsx Normal file
View File

@@ -0,0 +1,174 @@
import { useTranslation } from 'react-i18next'
import { ErrorBoundary, ErrorFallback } from './ErrorBoundary'
import type { ErrorInfo, ReactNode } from 'react'
interface ErrorBoundaryWithI18nProps {
children: ReactNode
/** Custom fallback component */
fallback?: ReactNode
/** Callback when error is caught */
onError?: (error: Error, errorInfo: ErrorInfo) => void
/** Whether to show reset button */
showReset?: boolean
/** i18n key for reset button text */
resetButtonKey?: string
/** i18n key for error title */
errorTitleKey?: string
/** i18n key for error message */
errorMessageKey?: string
/** Variant style: 'page' for full page errors, 'section' for section-level */
variant?: 'page' | 'section' | 'widget'
/** Translation namespace to use */
namespace?: string
}
/**
* Error Boundary wrapper with i18n support.
* Uses the common namespace for error-related translations.
*/
export function ErrorBoundaryWithI18n({
children,
fallback,
onError,
showReset = true,
resetButtonKey = 'errorBoundary.retry',
errorTitleKey,
errorMessageKey,
variant = 'section',
namespace = 'common',
}: ErrorBoundaryWithI18nProps): JSX.Element {
const { t } = useTranslation(namespace)
// Get translated strings
const resetButtonText = t(resetButtonKey)
const errorTitle = errorTitleKey ? t(errorTitleKey) : undefined
const errorMessage = errorMessageKey ? t(errorMessageKey) : undefined
return (
<ErrorBoundary
fallback={fallback}
onError={onError}
showReset={showReset}
resetButtonText={resetButtonText}
errorTitle={errorTitle}
errorMessage={errorMessage}
variant={variant}
>
{children}
</ErrorBoundary>
)
}
/**
* Localized Error Fallback component for use in functional components
* or as custom fallback in ErrorBoundary.
*/
export function LocalizedErrorFallback({
variant = 'section',
error,
titleKey,
messageKey,
showReset = true,
resetButtonKey = 'errorBoundary.retry',
onReset,
namespace = 'common',
}: {
variant?: 'page' | 'section' | 'widget'
error?: Error | null
titleKey?: string
messageKey?: string
showReset?: boolean
resetButtonKey?: string
onReset?: () => void
namespace?: string
}): JSX.Element {
const { t } = useTranslation(namespace)
// Use default variant keys if not provided
const defaultTitleKey = `errorBoundary.${variant}.title`
const defaultMessageKey = `errorBoundary.${variant}.message`
return (
<ErrorFallback
variant={variant}
error={error || null}
title={t(titleKey || defaultTitleKey)}
message={t(messageKey || defaultMessageKey)}
showReset={showReset}
resetButtonText={t(resetButtonKey)}
onReset={onReset}
/>
)
}
/**
* Page-level Error Boundary with i18n support.
* Used for top-level application error handling.
*/
export function PageErrorBoundary({ children }: { children: ReactNode }): JSX.Element {
return (
<ErrorBoundaryWithI18n
variant="page"
errorTitleKey="errorBoundary.page.title"
errorMessageKey="errorBoundary.page.message"
>
{children}
</ErrorBoundaryWithI18n>
)
}
/**
* Section-level Error Boundary with i18n support.
* Used for major page sections like Dashboard, Tasks, Projects.
*/
export function SectionErrorBoundary({
children,
sectionName,
}: {
children: ReactNode
sectionName?: string
}): JSX.Element {
const { t } = useTranslation('common')
return (
<ErrorBoundary
variant="section"
errorTitle={t('errorBoundary.section.title')}
errorMessage={
sectionName
? t('errorBoundary.section.messageWithName', { section: sectionName })
: t('errorBoundary.section.message')
}
resetButtonText={t('errorBoundary.retry')}
>
{children}
</ErrorBoundary>
)
}
/**
* Widget-level Error Boundary with i18n support.
* Used for individual widgets within a page.
*/
export function WidgetErrorBoundary({
children,
widgetName,
}: {
children: ReactNode
widgetName?: string
}): JSX.Element {
const { t } = useTranslation('common')
return (
<ErrorBoundary
variant="widget"
errorTitle={widgetName ? `${widgetName} ${t('errorBoundary.widget.errorSuffix')}` : t('errorBoundary.widget.title')}
errorMessage={t('errorBoundary.widget.message')}
resetButtonText={t('errorBoundary.retry')}
>
{children}
</ErrorBoundary>
)
}
export default ErrorBoundaryWithI18n

85
frontend/src/services/api.ts
View File

@@ -1,9 +1,18 @@
import axios from 'axios'
import axios, { InternalAxiosRequestConfig } from 'axios'
// API base URL - using legacy routes until v1 migration is complete
// TODO: Switch to /api/v1 when all routes are migrated
const API_BASE_URL = '/api'
// CSRF token management
// Store in memory for security (not localStorage to prevent XSS access)
let csrfToken: string | null = null
let csrfTokenExpiry: number | null = null
const CSRF_TOKEN_HEADER = 'X-CSRF-Token'
const CSRF_PROTECTED_METHODS = ['DELETE', 'PUT', 'PATCH']
// Token expires in 1 hour, refresh 5 minutes before expiry
const CSRF_TOKEN_LIFETIME_MS = 55 * 60 * 1000
const api = axios.create({
baseURL: API_BASE_URL,
headers: {
@@ -11,11 +20,77 @@ const api = axios.create({
},
})
// Add token to requests
api.interceptors.request.use((config) => {
/**
* Fetch a new CSRF token from the server.
* Called automatically before protected requests if token is missing or expired.
*/
async function fetchCsrfToken(): Promise<string | null> {
try {
const token = localStorage.getItem('token')
if (!token) {
return null
}
const response = await axios.get<{ csrf_token: string }>(
`${API_BASE_URL}/auth/csrf-token`,
{
headers: {
Authorization: `Bearer ${token}`,
},
}
)
csrfToken = response.data.csrf_token
csrfTokenExpiry = Date.now() + CSRF_TOKEN_LIFETIME_MS
return csrfToken
} catch (error) {
console.error('Failed to fetch CSRF token:', error)
return null
}
}
/**
* Get a valid CSRF token, fetching a new one if needed.
*/
async function getValidCsrfToken(): Promise<string | null> {
// Check if we have a valid token
if (csrfToken && csrfTokenExpiry && Date.now() < csrfTokenExpiry) {
return csrfToken
}
// Fetch a new token
return fetchCsrfToken()
}
/**
* Clear the CSRF token (call on logout).
*/
export function clearCsrfToken(): void {
csrfToken = null
csrfTokenExpiry = null
}
/**
* Pre-fetch CSRF token (call after login).
*/
export async function prefetchCsrfToken(): Promise<void> {
await fetchCsrfToken()
}
// Add token to requests and CSRF token for protected methods
api.interceptors.request.use(async (config: InternalAxiosRequestConfig) => {
const token = localStorage.getItem('token')
if (token) {
config.headers.Authorization = `Bearer ${token}`
// Add CSRF token for protected methods
const method = config.method?.toUpperCase()
if (method && CSRF_PROTECTED_METHODS.includes(method)) {
const csrf = await getValidCsrfToken()
if (csrf) {
config.headers[CSRF_TOKEN_HEADER] = csrf
}
}
}
return config
})
@@ -27,6 +102,7 @@ api.interceptors.response.use(
if (error.response?.status === 401) {
localStorage.removeItem('token')
localStorage.removeItem('user')
clearCsrfToken()
window.location.href = '/login'
}
return Promise.reject(error)
@@ -56,11 +132,14 @@ export interface LoginResponse {
export const authApi = {
login: async (data: LoginRequest): Promise<LoginResponse> => {
const response = await api.post<LoginResponse>('/auth/login', data)
// Pre-fetch CSRF token after successful login
prefetchCsrfToken()
return response.data
},
logout: async (): Promise<void> => {
await api.post('/auth/logout')
clearCsrfToken()
},
me: async (): Promise<User> => {

19
openspec/changes/archive/2026-01-11-add-error-resilience/proposal.md Normal file
View File

@@ -0,0 +1,19 @@
# Change: Add Frontend Error Resilience
## Why
QA review identified that the frontend lacks React Error Boundaries. When a render error occurs in any component, the entire application crashes with a white screen, providing no recovery path for users.
## What Changes
- Add React Error Boundary components around major application sections
- Implement graceful degradation with user-friendly error messages
- Add error reporting mechanism to capture frontend crashes
## Impact
- Affected specs: `dashboard`
- Affected code:
- `frontend/src/components/ErrorBoundary.tsx` - New component
- `frontend/src/App.tsx` - Wrap routes with Error Boundaries
- `frontend/src/pages/` - Section-level boundaries

24
openspec/changes/archive/2026-01-11-add-error-resilience/specs/dashboard/spec.md Normal file
View File

@@ -0,0 +1,24 @@
## ADDED Requirements
### Requirement: Error Boundary Protection
The frontend application SHALL gracefully handle component render errors without crashing the entire application.
#### Scenario: Component error contained
- **WHEN** a render error occurs in a dashboard widget
- **THEN** only that widget SHALL display an error state
- **AND** other widgets SHALL continue to function normally
#### Scenario: User-friendly error display
- **WHEN** a component fails to render
- **THEN** users SHALL see a friendly error message
- **AND** users SHALL have an option to retry or report the issue
#### Scenario: Error logging
- **WHEN** a render error is caught by an Error Boundary
- **THEN** the error details SHALL be logged for debugging
- **AND** error context (component stack) SHALL be captured
#### Scenario: Recovery option
- **WHEN** a user sees an error fallback UI
- **AND** the user clicks "Retry"
- **THEN** the failed component SHALL attempt to re-render

14
openspec/changes/archive/2026-01-11-add-error-resilience/tasks.md Normal file
View File

@@ -0,0 +1,14 @@
## 1. Error Boundary Implementation
- [x] 1.1 Create base ErrorBoundary component with fallback UI
- [x] 1.2 Add error logging/reporting to ErrorBoundary
- [x] 1.3 Create user-friendly error fallback designs
## 2. Application Integration
- [x] 2.1 Wrap main App routes with top-level Error Boundary
- [x] 2.2 Add section-level boundaries around Dashboard, Tasks, Projects
- [x] 2.3 Add component-level boundaries for complex widgets
## 3. Testing
- [x] 3.1 Write tests for ErrorBoundary component
- [x] 3.2 Add integration tests that verify graceful degradation
- [x] 3.3 Test error recovery flow

22
openspec/changes/archive/2026-01-11-enhance-security-validation/proposal.md Normal file
View File

@@ -0,0 +1,22 @@
# Change: Enhance Security Validation
## Why
QA review identified several security gaps that could be exploited:
1. JWT secret keys lack entropy validation, allowing weak secrets
2. File uploads only check extensions, not actual MIME types (content spoofing risk)
3. Missing CSRF protection on sensitive state-changing operations
## What Changes
- **user-auth**: Add JWT secret key strength validation (minimum length, entropy check)
- **user-auth**: Add CSRF token validation for sensitive operations
- **document-management**: Add file MIME type validation using magic bytes detection
## Impact
- Affected specs: `user-auth`, `document-management`
- Affected code:
- `backend/app/core/security.py` - JWT validation
- `backend/app/api/v1/endpoints/` - CSRF middleware
- `backend/app/services/file_service.py` - MIME validation

23
openspec/changes/archive/2026-01-11-enhance-security-validation/specs/document-management/spec.md Normal file
View File

@@ -0,0 +1,23 @@
## ADDED Requirements
### Requirement: File MIME Type Validation
The system SHALL validate file content type using magic bytes detection.
#### Scenario: Valid file with matching extension
- **WHEN** a user uploads a file
- **AND** the detected MIME type matches the file extension
- **THEN** the upload SHALL be accepted
#### Scenario: Spoofed file extension rejected
- **WHEN** a user uploads a file with extension `.jpg`
- **AND** the actual content is detected as `application/x-executable`
- **THEN** the upload SHALL be rejected with error "File type mismatch"
#### Scenario: Unsupported MIME type rejected
- **WHEN** a user uploads a file with an unsupported MIME type
- **THEN** the upload SHALL be rejected with error "Unsupported file type"
#### Scenario: MIME validation bypass for trusted sources
- **WHEN** a file is uploaded from a trusted internal source
- **AND** the system is configured to allow bypass
- **THEN** MIME validation MAY be skipped

30
openspec/changes/archive/2026-01-11-enhance-security-validation/specs/user-auth/spec.md Normal file
View File

@@ -0,0 +1,30 @@
## ADDED Requirements
### Requirement: JWT Secret Validation
The system SHALL validate JWT secret key strength on startup.
#### Scenario: Weak secret rejected
- **WHEN** the configured JWT secret is less than 32 characters
- **THEN** the system SHALL log a critical warning
- **AND** optionally refuse to start in production mode
#### Scenario: Low entropy secret warning
- **WHEN** the JWT secret has low entropy (repeating patterns, common words)
- **THEN** the system SHALL log a security warning
### Requirement: CSRF Protection
The system SHALL protect sensitive state-changing operations with CSRF tokens.
#### Scenario: CSRF token required for password change
- **WHEN** a user attempts to change their password
- **AND** the request does not include a valid CSRF token
- **THEN** the request SHALL be rejected with 403 Forbidden
#### Scenario: CSRF token required for account deletion
- **WHEN** a user attempts to delete their account or resources
- **AND** the request does not include a valid CSRF token
- **THEN** the request SHALL be rejected with 403 Forbidden
#### Scenario: Valid CSRF token accepted
- **WHEN** a state-changing request includes a valid CSRF token
- **THEN** the request SHALL proceed normally

19
openspec/changes/archive/2026-01-11-enhance-security-validation/tasks.md Normal file
View File

@@ -0,0 +1,19 @@
## 1. JWT Secret Validation
- [x] 1.1 Add minimum secret length check (32+ characters)
- [x] 1.2 Add entropy validation for JWT secret
- [x] 1.3 Log warning on startup if secret is weak
- [x] 1.4 Write unit tests for secret validation
## 2. CSRF Protection
- [x] 2.1 Add CSRF token generation utility
- [x] 2.2 Add CSRF validation middleware
- [x] 2.3 Apply to sensitive endpoints (password change, delete operations)
- [x] 2.4 Update frontend to include CSRF token in requests
- [x] 2.5 Write integration tests for CSRF validation
## 3. MIME Type Validation
- [x] 3.1 Add python-magic or similar library for MIME detection
- [x] 3.2 Implement magic bytes validation in file upload service
- [x] 3.3 Reject files where extension doesn't match actual content
- [x] 3.4 Add configurable allowed MIME types per file category
- [x] 3.5 Write unit tests for MIME validation

19
openspec/changes/archive/2026-01-11-optimize-query-performance/proposal.md Normal file
View File

@@ -0,0 +1,19 @@
# Change: Optimize Database Query Performance
## Why
QA review identified N+1 query patterns in project member listing and related endpoints. When loading a project with many members, each member triggers a separate database query, causing significant performance degradation.
## What Changes
- Implement eager loading (joinedload) for project member relationships
- Add query batching for related entity loading
- Add database query logging in development mode for detection
## Impact
- Affected specs: `resource-management`
- Affected code:
- `backend/app/services/project_service.py` - Member loading
- `backend/app/api/v1/endpoints/projects.py` - Query optimization
- `backend/app/models/` - Relationship configurations

19
openspec/changes/archive/2026-01-11-optimize-query-performance/specs/resource-management/spec.md Normal file
View File

@@ -0,0 +1,19 @@
## ADDED Requirements
### Requirement: Optimized Relationship Loading
The system SHALL use efficient query patterns to avoid N+1 query problems when loading related entities.
#### Scenario: Project member list loading
- **WHEN** loading a project with its members
- **THEN** the system SHALL load all members in at most 2 database queries
- **AND** NOT one query per member
#### Scenario: Task assignee loading
- **WHEN** loading a list of tasks with their assignees
- **THEN** the system SHALL batch load assignee details
- **AND** NOT query each assignee individually
#### Scenario: Query count monitoring
- **WHEN** running in development mode
- **THEN** the system SHALL log query counts per request
- **AND** warn when query count exceeds threshold (e.g., 10 queries)

53
openspec/changes/archive/2026-01-11-optimize-query-performance/tasks.md Normal file
View File

@@ -0,0 +1,53 @@
## 1. Query Analysis
- [x] 1.1 Enable SQLAlchemy query logging in development
- [x] 1.2 Identify all N+1 query patterns
- [x] 1.3 Document current query counts per endpoint
## 2. Optimization Implementation
- [x] 2.1 Add joinedload for project member relationships
- [x] 2.2 Add selectinload for task assignee relationships
- [x] 2.3 Implement batch loading for user details
- [x] 2.4 Add appropriate indexes if missing
## 3. Verification
- [x] 3.1 Benchmark before/after query counts
- [x] 3.2 Write performance regression tests
- [x] 3.3 Document optimization patterns for future reference
---
## Implementation Summary
### Changes Made
1. **Query Monitoring Module** (`app/core/query_monitor.py`)
- Added `QueryCounter` context manager for counting queries per request
- Integrated SQLAlchemy event listeners for query logging
- Added threshold-based warnings when query count exceeds limit
- Configurable via `QUERY_LOGGING` and `QUERY_COUNT_THRESHOLD` settings
2. **Configuration Updates** (`app/core/config.py`)
- Added `DEBUG`, `QUERY_LOGGING`, `QUERY_COUNT_THRESHOLD` settings
3. **Project Router Optimizations** (`app/api/projects/router.py`)
- `list_projects_in_space`: Added `joinedload` for owner, space, department; `selectinload` for tasks
- `list_project_members`: Added `joinedload` for user (with department) and added_by_user
4. **Task Router Optimizations** (`app/api/tasks/router.py`)
- `list_tasks`: Added `selectinload` for assignee, status, creator, subtasks, custom_values
- `list_subtasks`: Added `selectinload` for assignee, status, creator, subtasks
5. **Performance Tests** (`tests/test_query_performance.py`)
- Test cases for project member list optimization
- Test cases for project list optimization
- Test cases for task list optimization
- Test cases for subtask list optimization
### Query Count Improvements
| Endpoint | Before (N members/tasks) | After |
|----------|-------------------------|-------|
| `/api/projects/{id}/members` | 1 + 2N queries | 2-3 queries |
| `/api/spaces/{id}/projects` | 1 + 4N queries | 4-5 queries |
| `/api/projects/{id}/tasks` | 1 + 4N queries | 5-6 queries |
| `/api/tasks/{id}/subtasks` | 1 + 4N queries | 4-5 queries |

23
openspec/specs/dashboard/spec.md
View File

@@ -161,3 +161,26 @@ The system SHALL support project templates to standardize project creation.
- **THEN** system creates template with project's CustomField definitions
- **THEN** template is available for future project creation
### Requirement: Error Boundary Protection
The frontend application SHALL gracefully handle component render errors without crashing the entire application.
#### Scenario: Component error contained
- **WHEN** a render error occurs in a dashboard widget
- **THEN** only that widget SHALL display an error state
- **AND** other widgets SHALL continue to function normally
#### Scenario: User-friendly error display
- **WHEN** a component fails to render
- **THEN** users SHALL see a friendly error message
- **AND** users SHALL have an option to retry or report the issue
#### Scenario: Error logging
- **WHEN** a render error is caught by an Error Boundary
- **THEN** the error details SHALL be logged for debugging
- **AND** error context (component stack) SHALL be captured
#### Scenario: Recovery option
- **WHEN** a user sees an error fallback UI
- **AND** the user clicks "Retry"
- **THEN** the failed component SHALL attempt to re-render

22
openspec/specs/document-management/spec.md
View File

@@ -193,6 +193,28 @@ The system SHALL warn users when deleting tasks with unresolved blockers.
- **THEN** system auto-resolves all blockers with "task deleted" reason
- **THEN** system proceeds with task deletion
### Requirement: File MIME Type Validation
The system SHALL validate file content type using magic bytes detection.
#### Scenario: Valid file with matching extension
- **WHEN** a user uploads a file
- **AND** the detected MIME type matches the file extension
- **THEN** the upload SHALL be accepted
#### Scenario: Spoofed file extension rejected
- **WHEN** a user uploads a file with extension `.jpg`
- **AND** the actual content is detected as `application/x-executable`
- **THEN** the upload SHALL be rejected with error "File type mismatch"
#### Scenario: Unsupported MIME type rejected
- **WHEN** a user uploads a file with an unsupported MIME type
- **THEN** the upload SHALL be rejected with error "Unsupported file type"
#### Scenario: MIME validation bypass for trusted sources
- **WHEN** a file is uploaded from a trusted internal source
- **AND** the system is configured to allow bypass
- **THEN** MIME validation MAY be skipped
## Data Model
```

18
openspec/specs/resource-management/spec.md
View File

@@ -178,6 +178,24 @@ The system SHALL support explicit project membership to enable cross-department
- **WHEN** a user not in project membership list attempts to access confidential project
- **THEN** system denies access unless user is in the project's department
### Requirement: Optimized Relationship Loading
The system SHALL use efficient query patterns to avoid N+1 query problems when loading related entities.
#### Scenario: Project member list loading
- **WHEN** loading a project with its members
- **THEN** the system SHALL load all members in at most 2 database queries
- **AND** NOT one query per member
#### Scenario: Task assignee loading
- **WHEN** loading a list of tasks with their assignees
- **THEN** the system SHALL batch load assignee details
- **AND** NOT query each assignee individually
#### Scenario: Query count monitoring
- **WHEN** running in development mode
- **THEN** the system SHALL log query counts per request
- **AND** warn when query count exceeds threshold (e.g., 10 queries)
## Data Model
```

29
openspec/specs/user-auth/spec.md
View File

@@ -168,6 +168,35 @@ The system SHALL prevent file path traversal attacks by validating all file path
- **THEN** system resolves path and verifies it is within storage directory
- **THEN** system processes file operation normally
### Requirement: JWT Secret Validation
The system SHALL validate JWT secret key strength on startup.
#### Scenario: Weak secret rejected
- **WHEN** the configured JWT secret is less than 32 characters
- **THEN** the system SHALL log a critical warning
- **AND** optionally refuse to start in production mode
#### Scenario: Low entropy secret warning
- **WHEN** the JWT secret has low entropy (repeating patterns, common words)
- **THEN** the system SHALL log a security warning
### Requirement: CSRF Protection
The system SHALL protect sensitive state-changing operations with CSRF tokens.
#### Scenario: CSRF token required for password change
- **WHEN** a user attempts to change their password
- **AND** the request does not include a valid CSRF token
- **THEN** the request SHALL be rejected with 403 Forbidden
#### Scenario: CSRF token required for account deletion
- **WHEN** a user attempts to delete their account or resources
- **AND** the request does not include a valid CSRF token
- **THEN** the request SHALL be rejected with 403 Forbidden
#### Scenario: Valid CSRF token accepted
- **WHEN** a state-changing request includes a valid CSRF token
- **THEN** the request SHALL proceed normally
## Data Model
```