backend/app/config.py

@@ -9,9 +9,8 @@ class Settings(BaseSettings):
     COOKIE_SECURE: bool = False
     OPENWEATHERMAP_API_KEY: str = ""
 
-    # Session config — sliding window
+    # Session config
-    SESSION_MAX_AGE_DAYS: int = 7              # Sliding window: inactive sessions expire after 7 days
+    SESSION_MAX_AGE_DAYS: int = 30
-    SESSION_TOKEN_HARD_CEILING_DAYS: int = 30  # Absolute token lifetime for itsdangerous max_age
 
     # MFA token config (short-lived token bridging password OK → TOTP verification)
     MFA_TOKEN_MAX_AGE_SECONDS: int = 300  # 5 minutes

backend/app/main.py

@@ -19,59 +19,6 @@ from app.models import system_config as _system_config_model  # noqa: F401
 from app.models import audit_log as _audit_log_model  # noqa: F401
 
 
-# ---------------------------------------------------------------------------
-# Pure ASGI CSRF middleware — SEC-08 (global)
-# ---------------------------------------------------------------------------
-
-class CSRFHeaderMiddleware:
-    """
-    Require X-Requested-With: XMLHttpRequest on all state-mutating requests.
-
-    Browsers never send this header cross-origin without a CORS preflight,
-    which our CORS policy blocks. This prevents CSRF attacks from simple
-    form submissions and cross-origin fetches.
-
-    Uses pure ASGI (not BaseHTTPMiddleware) to avoid streaming/memory overhead.
-    """
-
-    _EXEMPT_PATHS = frozenset({
-        "/health",
-        "/",
-        "/api/auth/login",
-        "/api/auth/setup",
-        "/api/auth/register",
-        "/api/auth/totp-verify",
-        "/api/auth/totp/enforce-setup",
-        "/api/auth/totp/enforce-confirm",
-    })
-    _MUTATING_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})
-
-    def __init__(self, app):
-        self.app = app
-
-    async def __call__(self, scope, receive, send):
-        if scope["type"] == "http":
-            method = scope.get("method", "")
-            path = scope.get("path", "")
-
-            if method in self._MUTATING_METHODS and path not in self._EXEMPT_PATHS:
-                headers = dict(scope.get("headers", []))
-                if headers.get(b"x-requested-with") != b"XMLHttpRequest":
-                    body = b'{"detail":"Invalid request origin"}'
-                    await send({
-                        "type": "http.response.start",
-                        "status": 403,
-                        "headers": [
-                            [b"content-type", b"application/json"],
-                            [b"content-length", str(len(body)).encode()],
-                        ],
-                    })
-                    await send({"type": "http.response.body", "body": body})
-                    return
-
-        await self.app(scope, receive, send)
-
-
 @asynccontextmanager
 async def lifespan(app: FastAPI):
     scheduler = AsyncIOScheduler()
@@ -100,12 +47,7 @@ app = FastAPI(
     openapi_url="/openapi.json" if _is_dev else None,
 )
 
-# Middleware stack — added in reverse order (last added = outermost).
+# CORS configuration
-# CSRF is added first (innermost), then CORS wraps it (outermost).
-# This ensures CORS headers appear on CSRF 403 responses.
-app.add_middleware(CSRFHeaderMiddleware)
-
-# CORS configuration — outermost layer
 app.add_middleware(
     CORSMiddleware,
     allow_origins=[o.strip() for o in settings.CORS_ORIGINS.split(",") if o.strip()],

backend/app/routers/admin.py

@@ -4,7 +4,7 @@ Admin router — full user management, system config, and audit log.
 Security measures implemented:
   SEC-02: Session revocation on role change
   SEC-05: Block admin self-actions (own role/password/MFA/active status)
-  SEC-08: X-Requested-With validation (now handled globally by CSRFHeaderMiddleware)
+  SEC-08: X-Requested-With header check (verify_xhr) on all state-mutating requests
   SEC-13: Session revocation + ntfy alert on MFA disable
 
 All routes require the `require_admin` dependency (which chains through
@@ -15,7 +15,7 @@ from datetime import datetime
 from typing import Optional
 
 import sqlalchemy as sa
-from fastapi import APIRouter, Depends, HTTPException, Path, Query, Request
+from fastapi import APIRouter, Depends, HTTPException, Query, Request
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from app.database import get_db
@@ -48,12 +48,26 @@ from app.services.audit import log_audit_event
 from app.services.auth import hash_password
 
 # ---------------------------------------------------------------------------
-# Router — all endpoints inherit require_admin
+# CSRF guard — SEC-08
-# (SEC-08 CSRF validation is now handled globally by CSRFHeaderMiddleware)
+# ---------------------------------------------------------------------------
+
+async def verify_xhr(request: Request) -> None:
+    """
+    Lightweight CSRF mitigation: require X-Requested-With on state-mutating
+    requests. Browsers never send this header cross-origin without CORS
+    pre-flight, which our CORS policy blocks.
+    """
+    if request.method not in ("GET", "HEAD", "OPTIONS"):
+        if request.headers.get("X-Requested-With") != "XMLHttpRequest":
+            raise HTTPException(status_code=403, detail="Invalid request origin")
+
+
+# ---------------------------------------------------------------------------
+# Router — all endpoints inherit require_admin + verify_xhr
 # ---------------------------------------------------------------------------
 
 router = APIRouter(
-    dependencies=[Depends(require_admin)],
+    dependencies=[Depends(require_admin), Depends(verify_xhr)],
 )
 
 
@@ -131,7 +145,7 @@ async def list_users(
 
 @router.get("/users/{user_id}", response_model=UserDetailResponse)
 async def get_user(
-    user_id: int = Path(ge=1, le=2147483647),
+    user_id: int,
     db: AsyncSession = Depends(get_db),
     _actor: User = Depends(get_current_user),
 ):
@@ -207,8 +221,8 @@ async def create_user(
 
 @router.put("/users/{user_id}/role")
 async def update_user_role(
-    user_id: int = Path(ge=1, le=2147483647),
+    user_id: int,
-    data: UpdateUserRoleRequest = ...,
+    data: UpdateUserRoleRequest,
     request: Request,
     db: AsyncSession = Depends(get_db),
     actor: User = Depends(get_current_user),
@@ -261,8 +275,8 @@ async def update_user_role(
 
 @router.post("/users/{user_id}/reset-password", response_model=ResetPasswordResponse)
 async def reset_user_password(
-    user_id: int = Path(ge=1, le=2147483647),
+    user_id: int,
-    request: Request = ...,
+    request: Request,
     db: AsyncSession = Depends(get_db),
     actor: User = Depends(get_current_user),
 ):
@@ -306,8 +320,8 @@ async def reset_user_password(
 
 @router.post("/users/{user_id}/disable-mfa")
 async def disable_user_mfa(
-    user_id: int = Path(ge=1, le=2147483647),
+    user_id: int,
-    request: Request = ...,
+    request: Request,
     db: AsyncSession = Depends(get_db),
     actor: User = Depends(get_current_user),
 ):
@@ -356,8 +370,8 @@ async def disable_user_mfa(
 
 @router.put("/users/{user_id}/enforce-mfa")
 async def toggle_mfa_enforce(
-    user_id: int = Path(ge=1, le=2147483647),
+    user_id: int,
-    data: ToggleMfaEnforceRequest = ...,
+    data: ToggleMfaEnforceRequest,
     request: Request,
     db: AsyncSession = Depends(get_db),
     actor: User = Depends(get_current_user),
@@ -391,8 +405,8 @@ async def toggle_mfa_enforce(
 
 @router.put("/users/{user_id}/active")
 async def toggle_user_active(
-    user_id: int = Path(ge=1, le=2147483647),
+    user_id: int,
-    data: ToggleActiveRequest = ...,
+    data: ToggleActiveRequest,
     request: Request,
     db: AsyncSession = Depends(get_db),
     actor: User = Depends(get_current_user),
@@ -434,8 +448,8 @@ async def toggle_user_active(
 
 @router.delete("/users/{user_id}/sessions")
 async def revoke_user_sessions(
-    user_id: int = Path(ge=1, le=2147483647),
+    user_id: int,
-    request: Request = ...,
+    request: Request,
     db: AsyncSession = Depends(get_db),
     actor: User = Depends(get_current_user),
 ):
@@ -465,7 +479,7 @@ async def revoke_user_sessions(
 
 @router.get("/users/{user_id}/sessions")
 async def list_user_sessions(
-    user_id: int = Path(ge=1, le=2147483647),
+    user_id: int,
     db: AsyncSession = Depends(get_db),
     _actor: User = Depends(get_current_user),
 ):

backend/app/routers/auth.py

@@ -36,7 +36,6 @@ from app.schemas.auth import (
 )
 from app.services.auth import (
     hash_password,
-    verify_password,
     verify_password_with_upgrade,
     create_session_token,
     verify_session_token,
@@ -48,12 +47,6 @@ from app.config import settings as app_settings
 
 router = APIRouter()
 
-# Pre-computed dummy hash for timing equalization (M-02).
-# When a login attempt targets a non-existent username, we still run
-# Argon2id verification against this dummy hash so the response time
-# is indistinguishable from a wrong-password attempt.
-_DUMMY_HASH = hash_password("timing-equalization-dummy")
-
 # ---------------------------------------------------------------------------
 # Cookie helper
 # ---------------------------------------------------------------------------
@@ -75,16 +68,11 @@ def _set_session_cookie(response: Response, token: str) -> None:
 
 async def get_current_user(
     request: Request,
-    response: Response,
     session_cookie: Optional[str] = Cookie(None, alias="session"),
     db: AsyncSession = Depends(get_db),
 ) -> User:
     """
     Dependency that verifies the session cookie and returns the authenticated User.
-
-    L-03 sliding window: if the session has less than
-    (SESSION_MAX_AGE_DAYS - 1) days remaining, silently extend expires_at
-    and re-issue the cookie so active users never hit expiration.
     """
     if not session_cookie:
         raise HTTPException(status_code=401, detail="Not authenticated")
@@ -118,17 +106,6 @@ async def get_current_user(
     if not user:
         raise HTTPException(status_code=401, detail="User not found or inactive")
 
-    # L-03: Sliding window renewal — extend session if >1 day has elapsed since
-    # last renewal (i.e. remaining time < SESSION_MAX_AGE_DAYS - 1 day).
-    now = datetime.now()
-    renewal_threshold = timedelta(days=app_settings.SESSION_MAX_AGE_DAYS - 1)
-    if db_session.expires_at - now < renewal_threshold:
-        db_session.expires_at = now + timedelta(days=app_settings.SESSION_MAX_AGE_DAYS)
-        await db.flush()
-        # Re-issue cookie with fresh signed token to reset browser max_age timer
-        fresh_token = create_session_token(user_id, session_id)
-        _set_session_cookie(response, fresh_token)
-
     return user
 
 
@@ -310,17 +287,12 @@ async def login(
     user = result.scalar_one_or_none()
 
     if not user:
-        # M-02: Run Argon2id against a dummy hash so the response time is
-        # indistinguishable from a wrong-password attempt (prevents username enumeration).
-        verify_password("x", _DUMMY_HASH)
         raise HTTPException(status_code=401, detail="Invalid username or password")
 
-    # M-02: Run password verification BEFORE lockout check so Argon2id always
-    # executes — prevents distinguishing "locked" from "wrong password" via timing.
-    valid, new_hash = verify_password_with_upgrade(data.password, user.password_hash)
-
     await _check_account_lockout(user)
 
+    valid, new_hash = verify_password_with_upgrade(data.password, user.password_hash)
+
     if not valid:
         await _record_failed_login(db, user)
         await log_audit_event(

backend/app/routers/calendars.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, Path
+from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, update
 from typing import List
@@ -48,8 +48,8 @@ async def create_calendar(
 
 @router.put("/{calendar_id}", response_model=CalendarResponse)
 async def update_calendar(
-    calendar_id: int = Path(ge=1, le=2147483647),
+    calendar_id: int,
-    calendar_update: CalendarUpdate = ...,
+    calendar_update: CalendarUpdate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -77,7 +77,7 @@ async def update_calendar(
 
 @router.delete("/{calendar_id}", status_code=204)
 async def delete_calendar(
-    calendar_id: int = Path(ge=1, le=2147483647),
+    calendar_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):

backend/app/routers/event_templates.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, Path, status
+from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select
 
@@ -43,8 +43,8 @@ async def create_template(
 
 @router.put("/{template_id}", response_model=EventTemplateResponse)
 async def update_template(
-    template_id: int = Path(ge=1, le=2147483647),
+    template_id: int,
-    payload: EventTemplateUpdate = ...,
+    payload: EventTemplateUpdate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
@@ -68,7 +68,7 @@ async def update_template(
 
 @router.delete("/{template_id}", status_code=status.HTTP_204_NO_CONTENT)
 async def delete_template(
-    template_id: int = Path(ge=1, le=2147483647),
+    template_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):

backend/app/routers/events.py

@@ -1,5 +1,5 @@
 import json
-from fastapi import APIRouter, Depends, HTTPException, Path, Query
+from fastapi import APIRouter, Depends, HTTPException, Query
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, delete
 from sqlalchemy.orm import selectinload
@@ -272,7 +272,7 @@ async def create_event(
 
 @router.get("/{event_id}", response_model=CalendarEventResponse)
 async def get_event(
-    event_id: int = Path(ge=1, le=2147483647),
+    event_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
@@ -296,8 +296,8 @@ async def get_event(
 
 @router.put("/{event_id}", response_model=CalendarEventResponse)
 async def update_event(
-    event_id: int = Path(ge=1, le=2147483647),
+    event_id: int,
-    event_update: CalendarEventUpdate = ...,
+    event_update: CalendarEventUpdate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
@@ -421,7 +421,7 @@ async def update_event(
 
 @router.delete("/{event_id}", status_code=204)
 async def delete_event(
-    event_id: int = Path(ge=1, le=2147483647),
+    event_id: int,
     scope: Optional[Literal["this", "this_and_future"]] = Query(None),
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),

backend/app/routers/locations.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, Path, Query
+from fastapi import APIRouter, Depends, HTTPException, Query
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, or_
 from datetime import datetime, timezone
@@ -120,7 +120,7 @@ async def create_location(
 
 @router.get("/{location_id}", response_model=LocationResponse)
 async def get_location(
-    location_id: int = Path(ge=1, le=2147483647),
+    location_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -138,8 +138,8 @@ async def get_location(
 
 @router.put("/{location_id}", response_model=LocationResponse)
 async def update_location(
-    location_id: int = Path(ge=1, le=2147483647),
+    location_id: int,
-    location_update: LocationUpdate = ...,
+    location_update: LocationUpdate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -168,7 +168,7 @@ async def update_location(
 
 @router.delete("/{location_id}", status_code=204)
 async def delete_location(
-    location_id: int = Path(ge=1, le=2147483647),
+    location_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):

backend/app/routers/people.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, Path, Query
+from fastapi import APIRouter, Depends, HTTPException, Query
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, or_
 from datetime import datetime, timezone
@@ -91,7 +91,7 @@ async def create_person(
 
 @router.get("/{person_id}", response_model=PersonResponse)
 async def get_person(
-    person_id: int = Path(ge=1, le=2147483647),
+    person_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -109,8 +109,8 @@ async def get_person(
 
 @router.put("/{person_id}", response_model=PersonResponse)
 async def update_person(
-    person_id: int = Path(ge=1, le=2147483647),
+    person_id: int,
-    person_update: PersonUpdate = ...,
+    person_update: PersonUpdate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -146,7 +146,7 @@ async def update_person(
 
 @router.delete("/{person_id}", status_code=204)
 async def delete_person(
-    person_id: int = Path(ge=1, le=2147483647),
+    person_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):

backend/app/routers/projects.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, Path, Query
+from fastapi import APIRouter, Depends, HTTPException, Query
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select
 from sqlalchemy.orm import selectinload
@@ -128,7 +128,7 @@ async def create_project(
 
 @router.get("/{project_id}", response_model=ProjectResponse)
 async def get_project(
-    project_id: int = Path(ge=1, le=2147483647),
+    project_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -149,8 +149,8 @@ async def get_project(
 
 @router.put("/{project_id}", response_model=ProjectResponse)
 async def update_project(
-    project_id: int = Path(ge=1, le=2147483647),
+    project_id: int,
-    project_update: ProjectUpdate = ...,
+    project_update: ProjectUpdate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -178,7 +178,7 @@ async def update_project(
 
 @router.delete("/{project_id}", status_code=204)
 async def delete_project(
-    project_id: int = Path(ge=1, le=2147483647),
+    project_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -199,7 +199,7 @@ async def delete_project(
 
 @router.get("/{project_id}/tasks", response_model=List[ProjectTaskResponse])
 async def get_project_tasks(
-    project_id: int = Path(ge=1, le=2147483647),
+    project_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -230,8 +230,8 @@ async def get_project_tasks(
 
 @router.post("/{project_id}/tasks", response_model=ProjectTaskResponse, status_code=201)
 async def create_project_task(
-    project_id: int = Path(ge=1, le=2147483647),
+    project_id: int,
-    task: ProjectTaskCreate = ...,
+    task: ProjectTaskCreate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -279,8 +279,8 @@ async def create_project_task(
 
 @router.put("/{project_id}/tasks/reorder", status_code=200)
 async def reorder_tasks(
-    project_id: int = Path(ge=1, le=2147483647),
+    project_id: int,
-    items: List[ReorderItem] = ...,
+    items: List[ReorderItem],
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -312,9 +312,9 @@ async def reorder_tasks(
 
 @router.put("/{project_id}/tasks/{task_id}", response_model=ProjectTaskResponse)
 async def update_project_task(
-    project_id: int = Path(ge=1, le=2147483647),
+    project_id: int,
-    task_id: int = Path(ge=1, le=2147483647),
+    task_id: int,
-    task_update: ProjectTaskUpdate = ...,
+    task_update: ProjectTaskUpdate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -356,8 +356,8 @@ async def update_project_task(
 
 @router.delete("/{project_id}/tasks/{task_id}", status_code=204)
 async def delete_project_task(
-    project_id: int = Path(ge=1, le=2147483647),
+    project_id: int,
-    task_id: int = Path(ge=1, le=2147483647),
+    task_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -388,9 +388,9 @@ async def delete_project_task(
 
 @router.post("/{project_id}/tasks/{task_id}/comments", response_model=TaskCommentResponse, status_code=201)
 async def create_task_comment(
-    project_id: int = Path(ge=1, le=2147483647),
+    project_id: int,
-    task_id: int = Path(ge=1, le=2147483647),
+    task_id: int,
-    comment: TaskCommentCreate = ...,
+    comment: TaskCommentCreate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -423,9 +423,9 @@ async def create_task_comment(
 
 @router.delete("/{project_id}/tasks/{task_id}/comments/{comment_id}", status_code=204)
 async def delete_task_comment(
-    project_id: int = Path(ge=1, le=2147483647),
+    project_id: int,
-    task_id: int = Path(ge=1, le=2147483647),
+    task_id: int,
-    comment_id: int = Path(ge=1, le=2147483647),
+    comment_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):

backend/app/routers/reminders.py

@@ -1,6 +1,6 @@
 from datetime import datetime, timedelta
 
-from fastapi import APIRouter, Depends, HTTPException, Path, Query
+from fastapi import APIRouter, Depends, HTTPException, Query
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, and_, or_
 from typing import Optional, List
@@ -69,8 +69,8 @@ async def get_due_reminders(
 
 @router.patch("/{reminder_id}/snooze", response_model=ReminderResponse)
 async def snooze_reminder(
-    reminder_id: int = Path(ge=1, le=2147483647),
+    reminder_id: int,
-    body: ReminderSnooze = ...,
+    body: ReminderSnooze,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -115,7 +115,7 @@ async def create_reminder(
 
 @router.get("/{reminder_id}", response_model=ReminderResponse)
 async def get_reminder(
-    reminder_id: int = Path(ge=1, le=2147483647),
+    reminder_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -136,8 +136,8 @@ async def get_reminder(
 
 @router.put("/{reminder_id}", response_model=ReminderResponse)
 async def update_reminder(
-    reminder_id: int = Path(ge=1, le=2147483647),
+    reminder_id: int,
-    reminder_update: ReminderUpdate = ...,
+    reminder_update: ReminderUpdate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -175,7 +175,7 @@ async def update_reminder(
 
 @router.delete("/{reminder_id}", status_code=204)
 async def delete_reminder(
-    reminder_id: int = Path(ge=1, le=2147483647),
+    reminder_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):
@@ -199,7 +199,7 @@ async def delete_reminder(
 
 @router.patch("/{reminder_id}/dismiss", response_model=ReminderResponse)
 async def dismiss_reminder(
-    reminder_id: int = Path(ge=1, le=2147483647),
+    reminder_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user)
 ):

backend/app/routers/todos.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, Path, Query
+from fastapi import APIRouter, Depends, HTTPException, Query
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, and_, func
 from typing import Optional, List
@@ -174,7 +174,7 @@ async def create_todo(
 
 @router.get("/{todo_id}", response_model=TodoResponse)
 async def get_todo(
-    todo_id: int = Path(ge=1, le=2147483647),
+    todo_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
@@ -192,8 +192,8 @@ async def get_todo(
 
 @router.put("/{todo_id}", response_model=TodoResponse)
 async def update_todo(
-    todo_id: int = Path(ge=1, le=2147483647),
+    todo_id: int,
-    todo_update: TodoUpdate = ...,
+    todo_update: TodoUpdate,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),
     current_settings: Settings = Depends(get_current_settings),
@@ -249,7 +249,7 @@ async def update_todo(
 
 @router.delete("/{todo_id}", status_code=204)
 async def delete_todo(
-    todo_id: int = Path(ge=1, le=2147483647),
+    todo_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
@@ -270,7 +270,7 @@ async def delete_todo(
 
 @router.patch("/{todo_id}/toggle", response_model=TodoResponse)
 async def toggle_todo(
-    todo_id: int = Path(ge=1, le=2147483647),
+    todo_id: int,
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),
     current_settings: Settings = Depends(get_current_settings),

backend/app/routers/totp.py

@@ -24,7 +24,7 @@ from datetime import datetime, timedelta
 from typing import Optional
 
 from fastapi import APIRouter, Depends, HTTPException, Request, Response
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, delete
 from sqlalchemy.exc import IntegrityError
@@ -76,38 +76,32 @@ _ph = PasswordHasher(
 # ---------------------------------------------------------------------------
 
 class TOTPConfirmRequest(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    code: str
-    code: str = Field(min_length=6, max_length=6)
 
 
 class TOTPVerifyRequest(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    mfa_token: str
-    mfa_token: str = Field(max_length=256)
+    code: Optional[str] = None        # 6-digit TOTP code
-    code: Optional[str] = Field(None, min_length=6, max_length=6)        # 6-digit TOTP code
+    backup_code: Optional[str] = None  # Alternative: XXXX-XXXX backup code
-    backup_code: Optional[str] = Field(None, max_length=9)  # XXXX-XXXX backup code
 
 
 class TOTPDisableRequest(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    password: str
-    password: str = Field(max_length=128)
+    code: str  # Current TOTP code required to disable
-    code: str = Field(min_length=6, max_length=6)  # Current TOTP code required to disable
 
 
 class BackupCodesRegenerateRequest(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    password: str
-    password: str = Field(max_length=128)
+    code: str  # Current TOTP code required to regenerate
-    code: str = Field(min_length=6, max_length=6)  # Current TOTP code required to regenerate
 
 
 class EnforceSetupRequest(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    mfa_token: str
-    mfa_token: str = Field(max_length=256)
 
 
 class EnforceConfirmRequest(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    mfa_token: str
-    mfa_token: str = Field(max_length=256)
+    code: str  # 6-digit TOTP code from authenticator app
-    code: str = Field(min_length=6, max_length=6)  # 6-digit TOTP code from authenticator app
 
 
 # ---------------------------------------------------------------------------

backend/app/schemas/auth.py

@@ -84,8 +84,6 @@ class LoginRequest(BaseModel):
 
 
 class ChangePasswordRequest(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
     old_password: str
     new_password: str
 
@@ -96,8 +94,6 @@ class ChangePasswordRequest(BaseModel):
 
 
 class VerifyPasswordRequest(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
     password: str
 
     @field_validator("password")

backend/app/schemas/calendar.py

@@ -1,20 +1,16 @@
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel, ConfigDict
 from datetime import datetime
 from typing import Optional
 
 
 class CalendarCreate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    name: str
-
+    color: str = "#3b82f6"
-    name: str = Field(min_length=1, max_length=100)
-    color: str = Field("#3b82f6", max_length=20)
 
 
 class CalendarUpdate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    name: Optional[str] = None
-
+    color: Optional[str] = None
-    name: Optional[str] = Field(None, min_length=1, max_length=100)
-    color: Optional[str] = Field(None, max_length=20)
     is_visible: Optional[bool] = None
 
 

backend/app/schemas/calendar_event.py

@@ -39,14 +39,12 @@ def _coerce_recurrence_rule(v):
 
 
 class CalendarEventCreate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    title: str
-
+    description: Optional[str] = None
-    title: str = Field(min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     start_datetime: datetime
     end_datetime: datetime
     all_day: bool = False
-    color: Optional[str] = Field(None, max_length=20)
+    color: Optional[str] = None
     location_id: Optional[int] = None
     recurrence_rule: Optional[RecurrenceRule] = None
     is_starred: bool = False
@@ -59,14 +57,12 @@ class CalendarEventCreate(BaseModel):
 
 
 class CalendarEventUpdate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    title: Optional[str] = None
-
+    description: Optional[str] = None
-    title: Optional[str] = Field(None, min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     start_datetime: Optional[datetime] = None
     end_datetime: Optional[datetime] = None
     all_day: Optional[bool] = None
-    color: Optional[str] = Field(None, max_length=20)
+    color: Optional[str] = None
     location_id: Optional[int] = None
     recurrence_rule: Optional[RecurrenceRule] = None
     is_starred: Optional[bool] = None

backend/app/schemas/event_template.py

@@ -1,29 +1,25 @@
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel, ConfigDict
 from datetime import datetime
 from typing import Optional
 
 
 class EventTemplateCreate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    name: str
-
+    title: str
-    name: str = Field(min_length=1, max_length=255)
+    description: Optional[str] = None
-    title: str = Field(min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     calendar_id: Optional[int] = None
-    recurrence_rule: Optional[str] = Field(None, max_length=5000)
+    recurrence_rule: Optional[str] = None
     all_day: bool = False
     location_id: Optional[int] = None
     is_starred: bool = False
 
 
 class EventTemplateUpdate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    name: Optional[str] = None
-
+    title: Optional[str] = None
-    name: Optional[str] = Field(None, min_length=1, max_length=255)
+    description: Optional[str] = None
-    title: Optional[str] = Field(None, min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     calendar_id: Optional[int] = None
-    recurrence_rule: Optional[str] = Field(None, max_length=5000)
+    recurrence_rule: Optional[str] = None
     all_day: Optional[bool] = None
     location_id: Optional[int] = None
     is_starred: Optional[bool] = None

backend/app/schemas/location.py

@@ -1,5 +1,5 @@
 import re
-from pydantic import BaseModel, ConfigDict, Field, field_validator
+from pydantic import BaseModel, ConfigDict, field_validator
 from datetime import datetime
 from typing import Optional, Literal
 
@@ -14,15 +14,13 @@ class LocationSearchResult(BaseModel):
 
 
 class LocationCreate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    name: str
-
+    address: str
-    name: str = Field(min_length=1, max_length=255)
+    category: str = "other"
-    address: str = Field(min_length=1, max_length=2000)
+    notes: Optional[str] = None
-    category: str = Field("other", max_length=100)
-    notes: Optional[str] = Field(None, max_length=5000)
     is_frequent: bool = False
-    contact_number: Optional[str] = Field(None, max_length=50)
+    contact_number: Optional[str] = None
-    email: Optional[str] = Field(None, max_length=255)
+    email: Optional[str] = None
 
     @field_validator('email')
     @classmethod
@@ -33,15 +31,13 @@ class LocationCreate(BaseModel):
 
 
 class LocationUpdate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    name: Optional[str] = None
-
+    address: Optional[str] = None
-    name: Optional[str] = Field(None, min_length=1, max_length=255)
+    category: Optional[str] = None
-    address: Optional[str] = Field(None, min_length=1, max_length=2000)
+    notes: Optional[str] = None
-    category: Optional[str] = Field(None, max_length=100)
-    notes: Optional[str] = Field(None, max_length=5000)
     is_frequent: Optional[bool] = None
-    contact_number: Optional[str] = Field(None, max_length=50)
+    contact_number: Optional[str] = None
-    email: Optional[str] = Field(None, max_length=255)
+    email: Optional[str] = None
 
     @field_validator('email')
     @classmethod

backend/app/schemas/person.py

@@ -1,5 +1,5 @@
 import re
-from pydantic import BaseModel, ConfigDict, Field, model_validator, field_validator
+from pydantic import BaseModel, ConfigDict, model_validator, field_validator
 from datetime import datetime, date
 from typing import Optional
 
@@ -7,22 +7,20 @@ _EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')
 
 
 class PersonCreate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    name: Optional[str] = None          # legacy fallback — auto-split into first/last if provided alone
-
+    first_name: Optional[str] = None
-    name: Optional[str] = Field(None, max_length=255)          # legacy fallback — auto-split into first/last if provided alone
+    last_name: Optional[str] = None
-    first_name: Optional[str] = Field(None, max_length=100)
+    nickname: Optional[str] = None
-    last_name: Optional[str] = Field(None, max_length=100)
+    email: Optional[str] = None
-    nickname: Optional[str] = Field(None, max_length=100)
+    phone: Optional[str] = None
-    email: Optional[str] = Field(None, max_length=255)
+    mobile: Optional[str] = None
-    phone: Optional[str] = Field(None, max_length=50)
+    address: Optional[str] = None
-    mobile: Optional[str] = Field(None, max_length=50)
-    address: Optional[str] = Field(None, max_length=2000)
     birthday: Optional[date] = None
-    category: Optional[str] = Field(None, max_length=100)
+    category: Optional[str] = None
     is_favourite: bool = False
-    company: Optional[str] = Field(None, max_length=255)
+    company: Optional[str] = None
-    job_title: Optional[str] = Field(None, max_length=255)
+    job_title: Optional[str] = None
-    notes: Optional[str] = Field(None, max_length=5000)
+    notes: Optional[str] = None
 
     @model_validator(mode='after')
     def require_some_name(self) -> 'PersonCreate':
@@ -44,22 +42,20 @@ class PersonCreate(BaseModel):
 
 
 class PersonUpdate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
     # name is intentionally omitted — always computed from first/last/nickname
-    first_name: Optional[str] = Field(None, max_length=100)
+    first_name: Optional[str] = None
-    last_name: Optional[str] = Field(None, max_length=100)
+    last_name: Optional[str] = None
-    nickname: Optional[str] = Field(None, max_length=100)
+    nickname: Optional[str] = None
-    email: Optional[str] = Field(None, max_length=255)
+    email: Optional[str] = None
-    phone: Optional[str] = Field(None, max_length=50)
+    phone: Optional[str] = None
-    mobile: Optional[str] = Field(None, max_length=50)
+    mobile: Optional[str] = None
-    address: Optional[str] = Field(None, max_length=2000)
+    address: Optional[str] = None
     birthday: Optional[date] = None
-    category: Optional[str] = Field(None, max_length=100)
+    category: Optional[str] = None
     is_favourite: Optional[bool] = None
-    company: Optional[str] = Field(None, max_length=255)
+    company: Optional[str] = None
-    job_title: Optional[str] = Field(None, max_length=255)
+    job_title: Optional[str] = None
-    notes: Optional[str] = Field(None, max_length=5000)
+    notes: Optional[str] = None
 
     @field_validator('email')
     @classmethod

backend/app/schemas/project.py

@@ -1,4 +1,4 @@
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel, ConfigDict
 from datetime import datetime, date
 from typing import Optional, List, Literal
 from app.schemas.project_task import ProjectTaskResponse
@@ -7,23 +7,19 @@ ProjectStatus = Literal["not_started", "in_progress", "completed", "blocked", "r
 
 
 class ProjectCreate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    name: str
-
+    description: Optional[str] = None
-    name: str = Field(min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     status: ProjectStatus = "not_started"
-    color: Optional[str] = Field(None, max_length=20)
+    color: Optional[str] = None
     due_date: Optional[date] = None
     is_tracked: bool = False
 
 
 class ProjectUpdate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    name: Optional[str] = None
-
+    description: Optional[str] = None
-    name: Optional[str] = Field(None, min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     status: Optional[ProjectStatus] = None
-    color: Optional[str] = Field(None, max_length=20)
+    color: Optional[str] = None
     due_date: Optional[date] = None
     is_tracked: Optional[bool] = None
 

backend/app/schemas/project_task.py

@@ -1,4 +1,4 @@
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel, ConfigDict
 from datetime import datetime, date
 from typing import Optional, List, Literal
 from app.schemas.task_comment import TaskCommentResponse
@@ -8,10 +8,8 @@ TaskPriority = Literal["none", "low", "medium", "high"]
 
 
 class ProjectTaskCreate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    title: str
-
+    description: Optional[str] = None
-    title: str = Field(min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     status: TaskStatus = "pending"
     priority: TaskPriority = "medium"
     due_date: Optional[date] = None
@@ -21,10 +19,8 @@ class ProjectTaskCreate(BaseModel):
 
 
 class ProjectTaskUpdate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    title: Optional[str] = None
-
+    description: Optional[str] = None
-    title: Optional[str] = Field(None, min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     status: Optional[TaskStatus] = None
     priority: Optional[TaskPriority] = None
     due_date: Optional[date] = None

backend/app/schemas/reminder.py

@@ -1,23 +1,19 @@
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel, ConfigDict
 from datetime import datetime
 from typing import Literal, Optional
 
 
 class ReminderCreate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    title: str
-
+    description: Optional[str] = None
-    title: str = Field(min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     remind_at: Optional[datetime] = None
     is_active: bool = True
     recurrence_rule: Optional[Literal['daily', 'weekly', 'monthly']] = None
 
 
 class ReminderUpdate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    title: Optional[str] = None
-
+    description: Optional[str] = None
-    title: Optional[str] = Field(None, min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     remind_at: Optional[datetime] = None
     is_active: Optional[bool] = None
     is_dismissed: Optional[bool] = None
@@ -25,8 +21,6 @@ class ReminderUpdate(BaseModel):
 
 
 class ReminderSnooze(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
     minutes: Literal[5, 10, 15]
     client_now: Optional[datetime] = None
 

backend/app/schemas/settings.py

@@ -1,5 +1,5 @@
 import re
-from pydantic import BaseModel, ConfigDict, Field, field_validator
+from pydantic import BaseModel, ConfigDict, field_validator
 from datetime import datetime
 from typing import Literal, Optional
 
@@ -9,19 +9,17 @@ _NTFY_TOPIC_RE = re.compile(r'^[a-zA-Z0-9_-]{1,64}$')
 
 
 class SettingsUpdate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
-
     accent_color: Optional[AccentColor] = None
     upcoming_days: int | None = None
-    preferred_name: str | None = Field(None, max_length=100)
+    preferred_name: str | None = None
-    weather_city: str | None = Field(None, max_length=100)
+    weather_city: str | None = None
     weather_lat: float | None = None
     weather_lon: float | None = None
     first_day_of_week: int | None = None
 
     # ntfy configuration fields
-    ntfy_server_url: Optional[str] = Field(None, max_length=500)
+    ntfy_server_url: Optional[str] = None
-    ntfy_topic: Optional[str] = Field(None, max_length=100)
+    ntfy_topic: Optional[str] = None
     # Empty string means "clear the token"; None means "leave unchanged"
     ntfy_auth_token: Optional[str] = None
     ntfy_enabled: Optional[bool] = None

backend/app/schemas/task_comment.py

@@ -1,11 +1,9 @@
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel, ConfigDict
 from datetime import datetime
 
 
 class TaskCommentCreate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    content: str
-
-    content: str = Field(min_length=1, max_length=10000)
 
 
 class TaskCommentResponse(BaseModel):

backend/app/schemas/todo.py

@@ -1,4 +1,4 @@
-from pydantic import BaseModel, ConfigDict, Field
+from pydantic import BaseModel, ConfigDict
 from datetime import datetime, date, time
 from typing import Optional, Literal
 
@@ -7,28 +7,24 @@ RecurrenceRule = Literal["daily", "weekly", "monthly"]
 
 
 class TodoCreate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    title: str
-
+    description: Optional[str] = None
-    title: str = Field(min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     priority: TodoPriority = "medium"
     due_date: Optional[date] = None
     due_time: Optional[time] = None
-    category: Optional[str] = Field(None, max_length=100)
+    category: Optional[str] = None
     recurrence_rule: Optional[RecurrenceRule] = None
     project_id: Optional[int] = None
 
 
 class TodoUpdate(BaseModel):
-    model_config = ConfigDict(extra="forbid")
+    title: Optional[str] = None
-
+    description: Optional[str] = None
-    title: Optional[str] = Field(None, min_length=1, max_length=255)
-    description: Optional[str] = Field(None, max_length=5000)
     priority: Optional[TodoPriority] = None
     due_date: Optional[date] = None
     due_time: Optional[time] = None
     completed: Optional[bool] = None
-    category: Optional[str] = Field(None, max_length=100)
+    category: Optional[str] = None
     recurrence_rule: Optional[RecurrenceRule] = None
     project_id: Optional[int] = None
 

backend/app/services/auth.py

@@ -88,14 +88,10 @@ def create_session_token(user_id: int, session_id: str) -> str:
 def verify_session_token(token: str, max_age: int | None = None) -> dict | None:
     """
     Verify a session cookie and return its payload dict, or None if invalid/expired.
-
+    max_age defaults to SESSION_MAX_AGE_DAYS from config.
-    max_age defaults to SESSION_TOKEN_HARD_CEILING_DAYS (absolute token lifetime).
-    The sliding window (SESSION_MAX_AGE_DAYS) is enforced via DB expires_at checks,
-    not by itsdangerous — this decoupling prevents the serializer from rejecting
-    renewed tokens that were created more than SESSION_MAX_AGE_DAYS ago.
     """
     if max_age is None:
-        max_age = app_settings.SESSION_TOKEN_HARD_CEILING_DAYS * 86400
+        max_age = app_settings.SESSION_MAX_AGE_DAYS * 86400
     try:
         return _serializer.loads(token, max_age=max_age)
     except (BadSignature, SignatureExpired):