rene
1ff66a7083
PYDANTIC max_length (38 Routen, ~400 Field-Constraints): Schützt vor DoS durch Riesen-Payloads (10MB Thread-Titel etc.). Pragmatische Limits: - Titel/Name: 200 · Beschreibung/Body: 10000 · Notiz: 5000 - Email: 254 (RFC 5321) · URL: 500 · Slug/Kategorie: 100 - Hund-Name/Rasse: 80 · Hund-Bio: 2000 Top-betroffen: forum.py, diary.py, health.py, dogs.py, expenses.py, notes.py, auth.py, profile.py. Manuelle len()-Checks in profile, chat, ki entfernt (jetzt durch Field abgedeckt). PYTEST COVERAGE (+19 Tests, 37 grün + 1 xfail): - test_security.py: require_owner (Places GET/PATCH/DELETE mit Fremduser → 403), JWT-Blacklist (Logout invalidiert Token), Login-Lockout (5 Fehlversuche → 429 + Retry-After Header) - test_race.py: Invoice-Counter (20 parallele Threads, alle unique), Founder-Number (atomare Vergabe, voll bei 100) - test_validation.py: Forum-Titel 30k Zeichen → 422, Diary-Text 50k → 422 (verifiziert Pydantic max_length-Sweep) A11Y (Tap-Targets ≥44×44 + Dark-Mode-Kontrast): - #header-user-btn 36→44px, .header-back 40→44, .header-menu-btn 40→44 - dog-profile Wrapped-Slider Prev/Next 40→44 - forum-Lightbox Close 40→44 - --c-text-muted Light: #B0A090 (2.37:1 FAIL) → #7F6B58 (4.74:1 PASS) - --c-text-muted Dark: #806A58 (3.58:1 FAIL) → #A08878 (5.46:1 PASS) - Branding-Farben unangetastet
136 lines
4.9 KiB
Python
136 lines
4.9 KiB
Python
"""BAN YARO — Service-Angebote (Sitting & Walks Matching)"""
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException
|
|
from pydantic import BaseModel, Field
|
|
from typing import Optional
|
|
from database import db
|
|
from auth import get_current_user
|
|
from math_utils import haversine_km
|
|
|
|
router = APIRouter()
|
|
|
|
ALLOWED_TYPES = {'sitting', 'walks'}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# Schemas
|
|
# ------------------------------------------------------------------
|
|
class ServiceCreate(BaseModel):
|
|
type: str = Field(..., max_length=30)
|
|
beschreibung: Optional[str] = Field(None, max_length=5000)
|
|
preis_pro_tag: Optional[float] = None
|
|
lat: Optional[float] = None
|
|
lon: Optional[float] = None
|
|
radius_km: int = 10
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# GET /api/services — Angebote in der Nähe
|
|
# ------------------------------------------------------------------
|
|
@router.get("")
|
|
async def list_services(
|
|
type: str,
|
|
lat: Optional[float] = None,
|
|
lon: Optional[float] = None,
|
|
radius: float = 20, # km
|
|
):
|
|
if type not in ALLOWED_TYPES:
|
|
raise HTTPException(400, f"type muss 'sitting' oder 'walks' sein.")
|
|
|
|
with db() as conn:
|
|
rows = conn.execute("""
|
|
SELECT so.*, u.name AS anbieter_name
|
|
FROM service_offers so
|
|
JOIN users u ON u.id = so.user_id
|
|
WHERE so.type = ? AND so.aktiv = 1
|
|
LIMIT 200
|
|
""", (type,)).fetchall()
|
|
|
|
result = []
|
|
for r in rows:
|
|
d = dict(r)
|
|
if lat is not None and lon is not None and d['lat'] and d['lon']:
|
|
dist = haversine_km(lat, lon, d['lat'], d['lon'])
|
|
if dist > radius:
|
|
continue
|
|
d['distanz_km'] = round(dist, 1)
|
|
else:
|
|
d['distanz_km'] = None
|
|
result.append(d)
|
|
|
|
if lat is not None:
|
|
result.sort(key=lambda x: x.get('distanz_km') or 9999)
|
|
|
|
return result[:50]
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# GET /api/services/me — eigene Angebote
|
|
# ------------------------------------------------------------------
|
|
@router.get("/me")
|
|
async def my_services(user=Depends(get_current_user)):
|
|
with db() as conn:
|
|
rows = conn.execute(
|
|
"SELECT * FROM service_offers WHERE user_id = ? ORDER BY type",
|
|
(user['id'],)
|
|
).fetchall()
|
|
return [dict(r) for r in rows]
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# POST /api/services — Angebot erstellen oder aktualisieren (Upsert)
|
|
# ------------------------------------------------------------------
|
|
@router.post("", status_code=201)
|
|
async def upsert_service(data: ServiceCreate, user=Depends(get_current_user)):
|
|
if data.type not in ALLOWED_TYPES:
|
|
raise HTTPException(400, "type muss 'sitting' oder 'walks' sein.")
|
|
|
|
with db() as conn:
|
|
existing = conn.execute(
|
|
"SELECT id FROM service_offers WHERE user_id = ? AND type = ?",
|
|
(user['id'], data.type)
|
|
).fetchone()
|
|
|
|
if existing:
|
|
conn.execute("""
|
|
UPDATE service_offers
|
|
SET beschreibung = ?, preis_pro_tag = ?, lat = ?, lon = ?,
|
|
radius_km = ?, aktiv = 1
|
|
WHERE user_id = ? AND type = ?
|
|
""", (data.beschreibung, data.preis_pro_tag, data.lat, data.lon,
|
|
data.radius_km, user['id'], data.type))
|
|
row = conn.execute(
|
|
"SELECT * FROM service_offers WHERE user_id = ? AND type = ?",
|
|
(user['id'], data.type)
|
|
).fetchone()
|
|
else:
|
|
cur = conn.execute("""
|
|
INSERT INTO service_offers
|
|
(user_id, type, beschreibung, preis_pro_tag, lat, lon, radius_km)
|
|
VALUES (?, ?, ?, ?, ?, ?, ?)
|
|
""", (user['id'], data.type, data.beschreibung, data.preis_pro_tag,
|
|
data.lat, data.lon, data.radius_km))
|
|
row = conn.execute(
|
|
"SELECT * FROM service_offers WHERE id = ?", (cur.lastrowid,)
|
|
).fetchone()
|
|
|
|
return dict(row)
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# DELETE /api/services/{id} — Angebot deaktivieren
|
|
# ------------------------------------------------------------------
|
|
@router.delete("/{offer_id}")
|
|
async def deactivate_service(offer_id: int, user=Depends(get_current_user)):
|
|
with db() as conn:
|
|
offer = conn.execute(
|
|
"SELECT * FROM service_offers WHERE id = ?", (offer_id,)
|
|
).fetchone()
|
|
if not offer:
|
|
raise HTTPException(404, "Angebot nicht gefunden.")
|
|
if offer['user_id'] != user['id']:
|
|
raise HTTPException(403, "Kein Zugriff.")
|
|
conn.execute(
|
|
"UPDATE service_offers SET aktiv = 0 WHERE id = ?", (offer_id,)
|
|
)
|
|
return {"ok": True}
|