Kyle Pope
d8bdae8ec3
Phase 1: Add role, mfa_enforce_pending, must_change_password to users table. Create system_config (singleton) and audit_log tables. Migration 026. Phase 2: Add user_id FK to all 8 data tables (todos, reminders, projects, calendars, people, locations, event_templates, ntfy_sent) with 4-step nullable→backfill→FK→NOT NULL pattern. Migrations 027-034. Phase 3: Harden auth schemas (extra="forbid" on RegisterRequest), add MFA enforcement token serializer with distinct salt, rewrite auth router with require_role() factory and registration endpoint. Phase 4: Scope all 12 routers by user_id, fix dependency type bugs, bound weather cache (SEC-15), multi-user ntfy dispatch. Phase 5: Create admin router (14 endpoints), admin schemas, audit service, rate limiting in nginx. SEC-08 CSRF via X-Requested-With. Phase 6: Update frontend types, useAuth hook (role/isAdmin/register), App.tsx (AdminRoute guard), Sidebar (admin link), api.ts (XHR header). Security findings addressed: SEC-01, SEC-02, SEC-03, SEC-04, SEC-05, SEC-06, SEC-07, SEC-08, SEC-12, SEC-13, SEC-15. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
87 lines
2.5 KiB
Python
87 lines
2.5 KiB
Python
from fastapi import APIRouter, Depends, HTTPException, status
|
|
from sqlalchemy.ext.asyncio import AsyncSession
|
|
from sqlalchemy import select
|
|
|
|
from app.database import get_db
|
|
from app.routers.auth import get_current_user
|
|
from app.models.user import User
|
|
from app.models.event_template import EventTemplate
|
|
from app.schemas.event_template import (
|
|
EventTemplateCreate,
|
|
EventTemplateUpdate,
|
|
EventTemplateResponse,
|
|
)
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
@router.get("/", response_model=list[EventTemplateResponse])
|
|
async def list_templates(
|
|
db: AsyncSession = Depends(get_db),
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
result = await db.execute(
|
|
select(EventTemplate)
|
|
.where(EventTemplate.user_id == current_user.id)
|
|
.order_by(EventTemplate.name)
|
|
)
|
|
return result.scalars().all()
|
|
|
|
|
|
@router.post("/", response_model=EventTemplateResponse, status_code=status.HTTP_201_CREATED)
|
|
async def create_template(
|
|
payload: EventTemplateCreate,
|
|
db: AsyncSession = Depends(get_db),
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
template = EventTemplate(**payload.model_dump(), user_id=current_user.id)
|
|
db.add(template)
|
|
await db.commit()
|
|
await db.refresh(template)
|
|
return template
|
|
|
|
|
|
@router.put("/{template_id}", response_model=EventTemplateResponse)
|
|
async def update_template(
|
|
template_id: int,
|
|
payload: EventTemplateUpdate,
|
|
db: AsyncSession = Depends(get_db),
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
result = await db.execute(
|
|
select(EventTemplate).where(
|
|
EventTemplate.id == template_id,
|
|
EventTemplate.user_id == current_user.id,
|
|
)
|
|
)
|
|
template = result.scalar_one_or_none()
|
|
if template is None:
|
|
raise HTTPException(status_code=404, detail="Template not found")
|
|
|
|
for field, value in payload.model_dump(exclude_unset=True).items():
|
|
setattr(template, field, value)
|
|
|
|
await db.commit()
|
|
await db.refresh(template)
|
|
return template
|
|
|
|
|
|
@router.delete("/{template_id}", status_code=status.HTTP_204_NO_CONTENT)
|
|
async def delete_template(
|
|
template_id: int,
|
|
db: AsyncSession = Depends(get_db),
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
result = await db.execute(
|
|
select(EventTemplate).where(
|
|
EventTemplate.id == template_id,
|
|
EventTemplate.user_id == current_user.id,
|
|
)
|
|
)
|
|
template = result.scalar_one_or_none()
|
|
if template is None:
|
|
raise HTTPException(status_code=404, detail="Template not found")
|
|
|
|
await db.delete(template)
|
|
await db.commit()
|