679b89ae4c
Security Validation (enhance-security-validation): - JWT secret validation with entropy checking and pattern detection - CSRF protection middleware with token generation/validation - Frontend CSRF token auto-injection for DELETE/PUT/PATCH requests - MIME type validation with magic bytes detection for file uploads Error Resilience (add-error-resilience): - React ErrorBoundary component with fallback UI and retry functionality - ErrorBoundaryWithI18n wrapper for internationalization support - Page-level and section-level error boundaries in App.tsx Query Performance (optimize-query-performance): - Query monitoring utility with threshold warnings - N+1 query fixes using joinedload/selectinload - Optimized project members, tasks, and subtasks endpoints Bug Fixes: - WebSocket session management (P0): Return primitives instead of ORM objects - LIKE query injection (P1): Escape special characters in search queries Tests: 543 backend tests, 56 frontend tests passing Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
23 lines
840 B
Markdown
23 lines
840 B
Markdown
# Change: Enhance Security Validation
|
|
|
|
## Why
|
|
|
|
QA review identified several security gaps that could be exploited:
|
|
1. JWT secret keys lack entropy validation, allowing weak secrets
|
|
2. File uploads only check extensions, not actual MIME types (content spoofing risk)
|
|
3. Missing CSRF protection on sensitive state-changing operations
|
|
|
|
## What Changes
|
|
|
|
- **user-auth**: Add JWT secret key strength validation (minimum length, entropy check)
|
|
- **user-auth**: Add CSRF token validation for sensitive operations
|
|
- **document-management**: Add file MIME type validation using magic bytes detection
|
|
|
|
## Impact
|
|
|
|
- Affected specs: `user-auth`, `document-management`
|
|
- Affected code:
|
|
- `backend/app/core/security.py` - JWT validation
|
|
- `backend/app/api/v1/endpoints/` - CSRF middleware
|
|
- `backend/app/services/file_service.py` - MIME validation
|