Fix/issue 139 and issue 142 security hardening #186
Closed
olathedev wants to merge 2 commits into NOVUS-X:main from
Conversation
… security

Resolves NOVUS-X#139 — Fix Runtime Crashes From Latest Merge:
- schemas/user.py: add missing `Enum` import alongside `StrEnum`
- core/config.py: add `SOROBAN_NETWORK_PASSPHRASE` and `BACKEND_SECRET_KEY` settings; fix 8-space indentation in Soroban config block
- services/soroban.py: replace module-level `SorobanServer()` and `Keypair.from_secret()` calls with lazy-initialised helpers (`_get_soroban_server`, `_get_backend_signer`) so importing the module without Stellar secrets configured no longer crashes the app

Resolves NOVUS-X#142 — Backend Security Hardening:
- Rate limiting (slowapi): `/auth/login` 5/min, `/auth/register` 3/hr, `/auth/refresh` 10/min; HTTP 429 + Retry-After on breach; adds SlowAPI middleware to main.py; adds slowapi to requirements.txt
- Payment auth guards: `POST /payments/release` and `/payments/refund` now require `require_admin`; logs admin user_id on each action
- Stub endpoints replaced with real DB operations:
  - `DELETE /artisans/{id}`: deletes from DB, returns 404 if not found
  - `PUT /artisans/availability`: updates `is_available` via `AvailabilityUpdate` schema (replaces raw `dict`)
  - `GET /artisans/my-portfolio`: queries Portfolio records for current artisan
  - `POST /artisans/portfolio/add`: creates Portfolio record via `PortfolioItemAdd` schema; returns 201

Adds new test files per acceptance criteria:
- test_rate_limiting.py
- test_payment_auth_guards.py
- test_stub_endpoints.py

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Collaborator
please look into CI @olathedev, also resolve conflicts
Title: fix runtime crashes and harden backend security
closes #142
Body:
Summary
Changes
Issue 139 — Runtime Crashes
- schemas/user.py: add missing `Enum` import alongside `StrEnum`
- core/config.py: add `SOROBAN_NETWORK_PASSPHRASE` and `BACKEND_SECRET_KEY` settings; fix 8-space indentation in Soroban block
- services/soroban.py: replace module-level `SorobanServer()` and `Keypair.from_secret()` calls with lazy helpers (`_get_soroban_server`, `_get_backend_signer`) — importing the module without Stellar secrets configured no longer crashes the app

Issue #142 — Security Hardening
- `/auth/login` 5/min, `/auth/register` 3/hr, `/auth/refresh` 10/min; returns HTTP 429 + `Retry-After` on breach; adds `SlowAPIMiddleware` to `main.py`; adds `slowapi` to `requirements.txt`
- `POST /payments/release` and `/payments/refund` now require `Depends(require_admin)`; admin `user_id` is logged on each action
- `DELETE /artisans/{id}` — deletes from DB, returns 404 if not found
- `PUT /artisans/availability` — updates `is_available` using new `AvailabilityUpdate` schema (replaces raw `dict`)
- `GET /artisans/my-portfolio` — queries actual `Portfolio` records for the current artisan
- `POST /artisans/portfolio/add` — creates a `Portfolio` record using new `PortfolioItemAdd` schema; returns 201

Test plan
- `python -c "from app.schemas.user import RegisterRequest"` succeeds
- `python -c "from app.services.soroban import invoke_contract_function"` succeeds without Stellar secrets
- `POST /payments/release` and `/payments/refund` return 401
- `DELETE /artisans/{id}` removes record (subsequent GET returns 404)
- `PUT /artisans/availability` persists `is_available` change to DB
- (pytest) `test_rate_limiting.py`, `test_payment_auth_guards.py`, `test_stub_endpoints.py`
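The per-route auth limits and the 429 + `Retry-After` behaviour described in this PR, as an added illustration that is not the project's code and does not use slowapi: a framework-free fixed-window limiter (the strategy slowapi applies by default) with an injectable clock. `RATE_POLICY`, `FixedWindowLimiter` and `handle` are names chosen here; the policy values are the ones listed above.

```python
import math
import time

# Per-route policy from the PR: route -> (max requests, window in seconds).
# Hypothetical table; the project keeps these as slowapi decorator strings.
RATE_POLICY = {
    "/auth/login": (5, 60),
    "/auth/register": (3, 3600),
    "/auth/refresh": (10, 60),
}


class FixedWindowLimiter:
    """Counts hits per (client, route) inside a fixed window.

    Caveat: a fixed window allows up to 2x the limit across a window boundary;
    a sliding window is stricter if that matters. The client key should be the
    real peer address, or a proxy-supplied one only from a trusted proxy.
    """

    def __init__(self, policy=RATE_POLICY, clock=time.time):
        self.policy = policy
        self.clock = clock  # injectable so tests are deterministic
        self._windows = {}  # (client, route) -> (window_start, count)

    def check(self, client, route):
        """Return (allowed, retry_after_seconds); unpoliced routes always pass."""
        if route not in self.policy:
            return True, 0
        limit, window = self.policy[route]
        now = self.clock()
        start, count = self._windows.get((client, route), (now, 0))
        if now - start >= window:  # window expired: start a fresh one
            start, count = now, 0
        if count >= limit:
            # Tell the client when the current window ends, never less than 1s.
            retry_after = max(1, math.ceil(start + window - now))
            self._windows[(client, route)] = (start, count)
            return False, retry_after
        self._windows[(client, route)] = (start, count + 1)
        return True, 0


def handle(limiter, client, route):
    """Status and headers a middleware would emit for one request (constructed)."""
    allowed, retry_after = limiter.check(client, route)
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(retry_after)}
```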