sschuhmann/rehearshalhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: fix auth, CORS, file upload, endpoint hardening + test fixes

Browse Source 
- Add INTERNAL_SECRET shared-secret auth to /internal/nc-upload endpoint
- Add JWT token validation to WebSocket /ws/versions/{version_id}
- Fix NameError: band_slug → band.slug in internal.py
- Move inline imports to top of internal.py; add missing Member/NextcloudClient imports
- Remove ~15 debug print() statements from auth.py
- Replace Content-Type-only avatar check with extension whitelist + Pillow Image.verify()
- Sanitize exception details in versions.py (no more str(e) in 4xx/5xx responses)
- Restrict CORS allow_methods/allow_headers from "*" to explicit lists
- Add security headers middleware: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Reduce JWT expiry from 7 days to 1 hour
- Add Pillow>=10.0 dependency; document INTERNAL_SECRET in .env.example
- Implement missing RedisJobQueue.dequeue() method (required by protocol)
- Fix 5 pre-existing unit test failures: settings env vars conftest, deferred Redis push,
  dequeue method, AsyncMock→MagicMock for sync scalar_one_or_none

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mistral Vibe
2026-03-30 21:02:56 +02:00
parent efef818612
commit 68da26588a
12 changed files with 161 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
api/src/rehearsalhub/queue/redis_queue.py
View File

@@ -79,6 +79,20 @@ class RedisJobQueue:
job.finished_at = datetime.now(timezone.utc)
await self._session.flush()
async def dequeue(self, timeout: int = 5) -> tuple[uuid.UUID, str, dict[str, Any]] | None:
"""Block up to `timeout` seconds for a job. Returns (id, type, payload) or None."""
redis_client = await self._get_redis()
queue_key = get_settings().job_queue_key
result = await redis_client.blpop(queue_key, timeout=timeout)
if result is None:
return None
_, raw_id = result
job_id = uuid.UUID(raw_id)
job = await self._session.get(Job, job_id)
if job is None:
return None
return job_id, job.type, job.payload # type: ignore[return-value]
async def close(self) -> None:
if self._redis:
await self._redis.aclose()