Big Sweep: Security + Race-Conditions + Tests + DSGVO + A11y, SW by-v1095
SECURITY (auth.py, routes/auth.py, database.py, main.py) - JWT bekommt jti; Logout trägt in neue jwt_blacklist-Tabelle ein, decode_token() prüft → server-side Invalidierung - JWT-Expiry default 30 → 7 Tage (ENV JWT_EXPIRY_DAYS überschreibt) - Sliding-Refresh-Middleware: erneuert Cookie wenn >50% verbraucht (Schwelle via JWT_REFRESH_FRACTION, Default 2) - Login-Lockout in DB-Tabelle login_attempts (5 Versuche / 15 Min, überlebt Container-Restart) — alte In-Memory-Lockouts ersetzt - SMTP-Versand: alle 'except: pass' durch logger.exception ersetzt; Fehlversuche landen in failed_emails-Tabelle für späteres Retry - Referral-Counter Race gefixt: UPDATE partner_codes SET uses=uses+1 ... WHERE uses<max_uses RETURNING — atomar statt SELECT+UPDATE RACE CONDITIONS (routes/invoices.py, database.py) - Neue invoice_counters-Tabelle für atomare Nummernvergabe - _next_invoice_number nutzt BEGIN IMMEDIATE + atomares UPDATE - Funktioniert für RG- und ST-Prefixe (Stornorechnungen) - Race-Test verifiziert (5 Threads × 20 Calls = 100 eindeutige Nummern) VERSION + TESTS + ERROR-DIGEST (VERSION, Makefile, tests/, scheduler.py) - Neue VERSION-Datei (Single Source of Truth) — main.py liest beim Startup - Makefile-Target 'make bump' propagiert in sw.js, app.js, index.html - Makefile-Target 'make test' setzt venv auf, läuft pytest - 19 Smoke-Tests in tests/ (health, auth, diary, invoice) — alle grün - Scheduler: täglicher _job_error_digest um 06:30 → schickt Error- Zusammenfassung an ADMIN_EMAIL (still wenn keine Errors) DSGVO + A11Y + ERSTE-HILFE - landing.html: 'HTML und ODS' → 'JSON' (tatsächlich implementiert) - datenschutz.js: Sektion Account-Löschung erweitert (sofort gelöscht / anonymisiert / 10 Jahre für Rechnungen) - erste-hilfe.js: prominentes Warning-Banner oben (ersetzt keine Tierarzt-Beratung); Notfallnummern gruppiert nach Land, TODO-Platz- halter für AT-Uni-Klinik, CH Tox Info Suisse, CH Tierspital Zürich - ui.js Modal: ESC schließt, Focus-Trap, Auto-Focus erstes Element, Restore Focus auf vorigen Caller - impressum.js Kontaktformular: Labels mit for=cf-name etc. NEUE DB-TABELLEN (idempotent via CREATE TABLE IF NOT EXISTS) - jwt_blacklist, login_attempts, failed_emails, invoice_counters NEUE ENV-VARS - JWT_REFRESH_FRACTION (Default 2) - JWT_EXPIRY_DAYS Default geändert (30 → 7)
This commit is contained in:
parent
6224044654
commit
9394bab1fb
23 changed files with 1208 additions and 78 deletions
71
tests/test_diary.py
Normal file
71
tests/test_diary.py
Normal file
|
|
@ -0,0 +1,71 @@
|
|||
"""Smoke-Tests fuer Tagebuch-CRUD."""
|
||||
|
||||
|
||||
def test_create_diary_entry(client, user, dog):
|
||||
"""POST /api/dogs/{id}/diary -> 201 mit Entry."""
|
||||
r = client.post(
|
||||
f"/api/dogs/{dog['id']}/diary",
|
||||
headers=user["headers"],
|
||||
json={"titel": "Mein erster Eintrag", "text": "Heute war ein toller Tag."},
|
||||
)
|
||||
assert r.status_code == 201, r.text
|
||||
entry = r.json()
|
||||
assert entry["titel"] == "Mein erster Eintrag"
|
||||
assert entry["dog_id"] == dog["id"]
|
||||
|
||||
|
||||
def test_list_diary_entries(client, user, dog):
|
||||
"""GET /api/dogs/{id}/diary listet erstellte Eintraege."""
|
||||
client.post(
|
||||
f"/api/dogs/{dog['id']}/diary",
|
||||
headers=user["headers"],
|
||||
json={"titel": "Eintrag A", "text": "Erstes Mal Gassi."},
|
||||
)
|
||||
client.post(
|
||||
f"/api/dogs/{dog['id']}/diary",
|
||||
headers=user["headers"],
|
||||
json={"titel": "Eintrag B", "text": "Tierarzt."},
|
||||
)
|
||||
r = client.get(f"/api/dogs/{dog['id']}/diary", headers=user["headers"])
|
||||
assert r.status_code == 200
|
||||
entries = r.json()
|
||||
assert isinstance(entries, list)
|
||||
titles = [e["titel"] for e in entries]
|
||||
assert "Eintrag A" in titles
|
||||
assert "Eintrag B" in titles
|
||||
|
||||
|
||||
def test_get_single_diary_entry(client, user, dog):
|
||||
"""GET /api/dogs/{id}/diary/{entry_id} liefert genauen Eintrag."""
|
||||
r = client.post(
|
||||
f"/api/dogs/{dog['id']}/diary",
|
||||
headers=user["headers"],
|
||||
json={"titel": "Einzeleintrag", "text": "Inhalt."},
|
||||
)
|
||||
eid = r.json()["id"]
|
||||
|
||||
r2 = client.get(f"/api/dogs/{dog['id']}/diary/{eid}", headers=user["headers"])
|
||||
assert r2.status_code == 200
|
||||
assert r2.json()["titel"] == "Einzeleintrag"
|
||||
|
||||
|
||||
def test_delete_diary_entry(client, user, dog):
|
||||
"""DELETE entfernt Eintrag (204) — danach 404."""
|
||||
r = client.post(
|
||||
f"/api/dogs/{dog['id']}/diary",
|
||||
headers=user["headers"],
|
||||
json={"titel": "Loeschen mich", "text": "."},
|
||||
)
|
||||
eid = r.json()["id"]
|
||||
|
||||
r2 = client.delete(f"/api/dogs/{dog['id']}/diary/{eid}", headers=user["headers"])
|
||||
assert r2.status_code == 204
|
||||
|
||||
r3 = client.get(f"/api/dogs/{dog['id']}/diary/{eid}", headers=user["headers"])
|
||||
assert r3.status_code == 404
|
||||
|
||||
|
||||
def test_diary_unauth(client, dog):
|
||||
"""Ohne Token -> 401."""
|
||||
r = client.get(f"/api/dogs/{dog['id']}/diary")
|
||||
assert r.status_code == 401
|
||||
Loading…
Add table
Add a link
Reference in a new issue