rene/banyaro
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
banyaro/backend/routes/sharing.py
rene 1ff66a7083 Sicherheit + Tests + A11y, SW by-v1118 
PYDANTIC max_length (38 Routen, ~400 Field-Constraints):
Schützt vor DoS durch Riesen-Payloads (10MB Thread-Titel etc.).
Pragmatische Limits:
- Titel/Name: 200 · Beschreibung/Body: 10000 · Notiz: 5000
- Email: 254 (RFC 5321) · URL: 500 · Slug/Kategorie: 100
- Hund-Name/Rasse: 80 · Hund-Bio: 2000

Top-betroffen: forum.py, diary.py, health.py, dogs.py, expenses.py,
notes.py, auth.py, profile.py. Manuelle len()-Checks in profile,
chat, ki entfernt (jetzt durch Field abgedeckt).

PYTEST COVERAGE (+19 Tests, 37 grün + 1 xfail):
- test_security.py: require_owner (Places GET/PATCH/DELETE mit
  Fremduser → 403), JWT-Blacklist (Logout invalidiert Token),
  Login-Lockout (5 Fehlversuche → 429 + Retry-After Header)
- test_race.py: Invoice-Counter (20 parallele Threads, alle unique),
  Founder-Number (atomare Vergabe, voll bei 100)
- test_validation.py: Forum-Titel 30k Zeichen → 422, Diary-Text
  50k → 422 (verifiziert Pydantic max_length-Sweep)

A11Y (Tap-Targets ≥44×44 + Dark-Mode-Kontrast):
- #header-user-btn 36→44px, .header-back 40→44, .header-menu-btn 40→44
- dog-profile Wrapped-Slider Prev/Next 40→44
- forum-Lightbox Close 40→44
- --c-text-muted Light: #B0A090 (2.37:1 FAIL) → #7F6B58 (4.74:1 PASS)
- --c-text-muted Dark:  #806A58 (3.58:1 FAIL) → #A08878 (5.46:1 PASS)
- Branding-Farben unangetastet
2026-05-27 13:40:30 +02:00

141 lines
5.3 KiB
Python
Raw Blame History

"""BAN YARO — Hund teilen (Familie/Partner)"""
import secrets
from fastapi import APIRouter, Depends, HTTPException
from pydantic import BaseModel, Field
from database import db
from auth import get_current_user
# Hunde-spezifische Routen → eingebunden unter /api/dogs
dog_router = APIRouter()
# Token-basierte Routen → eingebunden unter /api/share
share_router = APIRouter()
class ShareInvite(BaseModel):
role: str = Field("editor", max_length=20) # viewer | editor
# ------------------------------------------------------------------
# POST /api/dogs/{dog_id}/share → Einladungs-Link erzeugen
# ------------------------------------------------------------------
@dog_router.post("/{dog_id}/share", status_code=201)
async def create_share(dog_id: int, data: ShareInvite,
user=Depends(get_current_user)):
if data.role not in ("viewer", "editor"):
raise HTTPException(400, "Rolle muss 'viewer' oder 'editor' sein.")
with db() as conn:
dog = conn.execute(
"SELECT id, name FROM dogs WHERE id=? AND user_id=?",
(dog_id, user["id"])
).fetchone()
if not dog:
raise HTTPException(404, "Hund nicht gefunden.")
token = secrets.token_urlsafe(24)
conn.execute(
"""INSERT INTO dog_shares (dog_id, owner_id, invite_token, role)
VALUES (?, ?, ?, ?)""",
(dog_id, user["id"], token, data.role),
)
return {"token": token, "invite_path": f"/teilen/{token}"}
# ------------------------------------------------------------------
# GET /api/dogs/{dog_id}/shares → aktive Einladungen auflisten
# ------------------------------------------------------------------
@dog_router.get("/{dog_id}/shares")
async def list_shares(dog_id: int, user=Depends(get_current_user)):
with db() as conn:
dog = conn.execute(
"SELECT id FROM dogs WHERE id=? AND user_id=?",
(dog_id, user["id"])
).fetchone()
if not dog:
raise HTTPException(404, "Nicht gefunden.")
rows = conn.execute(
"""SELECT ds.id, ds.invite_token, ds.role, ds.accepted_at,
u.name AS shared_with_name, u.email AS shared_with_email
FROM dog_shares ds
LEFT JOIN users u ON u.id = ds.shared_with_id
WHERE ds.dog_id = ?
ORDER BY ds.created_at DESC""",
(dog_id,)
).fetchall()
return [dict(r) for r in rows]
# ------------------------------------------------------------------
# DELETE /api/dogs/{dog_id}/share/{share_id} → Freigabe widerrufen
# ------------------------------------------------------------------
@dog_router.delete("/{dog_id}/share/{share_id}", status_code=204)
async def revoke_share(dog_id: int, share_id: int,
user=Depends(get_current_user)):
with db() as conn:
dog = conn.execute(
"SELECT id FROM dogs WHERE id=? AND user_id=?",
(dog_id, user["id"])
).fetchone()
if not dog:
raise HTTPException(404, "Nicht gefunden.")
conn.execute(
"DELETE FROM dog_shares WHERE id=? AND dog_id=?",
(share_id, dog_id)
)
# ------------------------------------------------------------------
# POST /api/share/accept/{token} → Einladung annehmen
# ------------------------------------------------------------------
@share_router.post("/accept/{token}")
async def accept_share(token: str, user=Depends(get_current_user)):
with db() as conn:
share = conn.execute(
"""SELECT ds.*, d.name AS dog_name, u.name AS owner_name
FROM dog_shares ds
JOIN dogs d ON d.id = ds.dog_id
JOIN users u ON u.id = ds.owner_id
WHERE ds.invite_token = ?""",
(token,)
).fetchone()
if not share:
raise HTTPException(404, "Einladungslink ungültig oder abgelaufen.")
if share["owner_id"] == user["id"]:
raise HTTPException(400, "Das ist dein eigener Hund.")
if share["accepted_at"]:
return {"message": "Bereits angenommen.", "dog_name": share["dog_name"]}
conn.execute(
"""UPDATE dog_shares
SET shared_with_id = ?, accepted_at = datetime('now')
WHERE invite_token = ?""",
(user["id"], token),
)
return {
"message": "Einladung angenommen!",
"dog_name": share["dog_name"],
"owner_name": share["owner_name"],
}
# ------------------------------------------------------------------
# GET /api/share/info/{token} → Info vor dem Annehmen (kein Auth nötig)
# ------------------------------------------------------------------
@share_router.get("/info/{token}")
async def share_info(token: str):
with db() as conn:
share = conn.execute(
"""SELECT d.name AS dog_name, d.foto_url, d.rasse,
u.name AS owner_name, ds.role, ds.accepted_at
FROM dog_shares ds
JOIN dogs d ON d.id = ds.dog_id
JOIN users u ON u.id = ds.owner_id
WHERE ds.invite_token = ?""",
(token,)
).fetchone()
if not share:
raise HTTPException(404, "Einladungslink ungültig.")
return dict(share)
Reference in a new issue View git blame Copy permalink