beabigegg
35c90fe76b
feat: implement 5 QA-driven security and quality proposals
...
Implemented proposals from comprehensive QA review:
1. extend-csrf-protection
- Add POST to CSRF protected methods in frontend
- Global CSRF middleware for all state-changing operations
- Update tests with CSRF token fixtures
2. tighten-cors-websocket-security
- Replace wildcard CORS with explicit method/header lists
- Disable query parameter auth in production (code 4002)
- Add per-user WebSocket connection limit (max 5, code 4005)
3. shorten-jwt-expiry
- Reduce JWT expiry from 7 days to 60 minutes
- Add refresh token support with 7-day expiry
- Implement token rotation on refresh
- Frontend auto-refresh when token near expiry (<5 min)
4. fix-frontend-quality
- Add React.lazy() code splitting for all pages
- Fix useCallback dependency arrays (Dashboard, Comments)
- Add localStorage data validation in AuthContext
- Complete i18n for AttachmentUpload component
5. enhance-backend-validation
- Add SecurityAuditMiddleware for access denied logging
- Add ErrorSanitizerMiddleware for production error messages
- Protect /health/detailed with admin authentication
- Add input length validation (comment 5000, desc 10000)
All 521 backend tests passing. Frontend builds successfully.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com >
2026-01-12 23:19:05 +08:00
beabigegg
9b220523ff
feat: complete issue fixes and implement remaining features
...
## Critical Issues (CRIT-001~003) - All Fixed
- JWT secret key validation with pydantic field_validator
- Login audit logging for success/failure attempts
- Frontend API path prefix removal
## High Priority Issues (HIGH-001~008) - All Fixed
- Project soft delete using is_active flag
- Redis session token bytes handling
- Rate limiting with slowapi (5 req/min for login)
- Attachment API permission checks
- Kanban view with drag-and-drop
- Workload heatmap UI (WorkloadPage, WorkloadHeatmap)
- TaskDetailModal integrating Comments/Attachments
- UserSelect component for task assignment
## Medium Priority Issues (MED-001~012) - All Fixed
- MED-001~005: DB commits, N+1 queries, datetime, error format, blocker flag
- MED-006: Project health dashboard (HealthService, ProjectHealthPage)
- MED-007: Capacity update API (PUT /api/users/{id}/capacity)
- MED-008: Schedule triggers (cron parsing, deadline reminders)
- MED-009: Watermark feature (image/PDF watermarking)
- MED-010~012: useEffect deps, DOM operations, PDF export
## New Files
- backend/app/api/health/ - Project health API
- backend/app/services/health_service.py
- backend/app/services/trigger_scheduler.py
- backend/app/services/watermark_service.py
- backend/app/core/rate_limiter.py
- frontend/src/pages/ProjectHealthPage.tsx
- frontend/src/components/ProjectHealthCard.tsx
- frontend/src/components/KanbanBoard.tsx
- frontend/src/components/WorkloadHeatmap.tsx
## Tests
- 113 new tests passing (health: 32, users: 14, triggers: 35, watermark: 32)
## OpenSpec Archives
- add-project-health-dashboard
- add-capacity-update-api
- add-schedule-triggers
- add-watermark-feature
- add-rate-limiting
- enhance-frontend-ux
- add-resource-management-ui
🤖 Generated with [Claude Code](https://claude.com/claude-code )
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com >
2026-01-04 21:49:52 +08:00
beabigegg
1fda7da2c2
feat: implement user authentication module
...
- Backend (FastAPI):
- External API authentication (pj-auth-api.vercel.app)
- JWT token validation with Redis session storage
- RBAC with department isolation
- User, Role, Department models with pjctrl_ prefix
- Alembic migrations with project-specific version table
- Complete test coverage (13 tests)
- Frontend (React + Vite):
- AuthContext for state management
- Login page with error handling
- Protected route component
- Dashboard with user info display
- OpenSpec:
- 7 capability specs defined
- add-user-auth change archived
🤖 Generated with [Claude Code](https://claude.com/claude-code )
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com >
2025-12-28 23:41:37 +08:00
