UMBRA

Author	SHA1	Message	Date
Kyle Pope	2f58282c31	M-01+M-03: Add input validation and extra=forbid to all request schemas - Add max_length constraints to all string fields in request schemas, matching DB column limits (title:255, description:5000, etc.) - Add min_length=1 to required name/title fields - Add ConfigDict(extra="forbid") to all request schemas to reject unknown fields (prevents silent field injection) - Add Path(ge=1, le=2147483647) to all integer path parameters across all routers to prevent integer overflow → 500 errors - Add max_length to TOTP inline schemas (code:6, mfa_token:256, etc.) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-27 15:43:55 +08:00
Kyle Pope	581efa183a	H-01: Add global CSRF middleware for all mutating endpoints Replace the admin-only verify_xhr dependency with a pure ASGI CSRFHeaderMiddleware that validates X-Requested-With: XMLHttpRequest on all POST/PUT/PATCH/DELETE requests globally. Pre-auth endpoints (login, setup, register, totp-verify, enforce-setup/confirm) are exempt. This closes the CSRF gap where non-admin routes accepted requests without origin validation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-27 15:39:42 +08:00
Kyle Pope	9f7bbbfcbb	Add per-user active session counts to IAM user list Move active_sessions field from UserDetailResponse into UserListItem so GET /admin/users returns session counts. Uses a correlated subquery to count non-revoked, non-expired sessions per user. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-27 13:26:32 +08:00
Kyle Pope	e57a5b00c9	Fix QA review findings: C-01 through C-04, W-01 through W-07, S-01/S-04/S-05/S-06 Critical fixes: - C-01: Pass user_id to _mark_sent/_already_sent (ntfy crash) - C-02: Align frontend HTTP methods with backend routes (PATCH->PUT, DELETE->POST, fix reset-password/enforce-mfa/disable-mfa paths) - C-03: Add X-Requested-With to CORS allow_headers - C-04: Replace scalar_one_or_none with func.count for auth/status Warning fixes: - W-01: Batch audit log into same transaction in create_user, setup, register - W-02: Extract users array from UserListResponse wrapper in useAdminUsers - W-03: Update password hint from "8 chars" to "12 chars" in CreateUserDialog - W-04: Remove password input from reset flow, show returned temp password - W-06: Remove unused actor_alias variable in admin_dashboard - W-07: Resolve usernames in dashboard audit entries via JOIN, remove ip_address column from recent_logins (not tracked on User model) Suggestions applied: - S-01/S-06: Add extra="forbid" to all admin mutation schemas - S-04: Add ondelete="SET NULL" to audit_log.actor_user_id FK - S-05: Improve registration error message for better UX Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-26 19:19:04 +08:00
Kyle Pope	d8bdae8ec3	Implement multi-user RBAC: database, auth, routing, admin API (Phases 1-6) Phase 1: Add role, mfa_enforce_pending, must_change_password to users table. Create system_config (singleton) and audit_log tables. Migration 026. Phase 2: Add user_id FK to all 8 data tables (todos, reminders, projects, calendars, people, locations, event_templates, ntfy_sent) with 4-step nullable→backfill→FK→NOT NULL pattern. Migrations 027-034. Phase 3: Harden auth schemas (extra="forbid" on RegisterRequest), add MFA enforcement token serializer with distinct salt, rewrite auth router with require_role() factory and registration endpoint. Phase 4: Scope all 12 routers by user_id, fix dependency type bugs, bound weather cache (SEC-15), multi-user ntfy dispatch. Phase 5: Create admin router (14 endpoints), admin schemas, audit service, rate limiting in nginx. SEC-08 CSRF via X-Requested-With. Phase 6: Update frontend types, useAuth hook (role/isAdmin/register), App.tsx (AdminRoute guard), Sidebar (admin link), api.ts (XHR header). Security findings addressed: SEC-01, SEC-02, SEC-03, SEC-04, SEC-05, SEC-06, SEC-07, SEC-08, SEC-12, SEC-13, SEC-15. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-26 19:06:25 +08:00

5 Commits