security: fix auth, CORS, file upload, endpoint hardening + test fixes

- Add INTERNAL_SECRET shared-secret auth to /internal/nc-upload endpoint - Add JWT token validation to WebSocket /ws/versions/{version_id} - Fix NameError: band_slug → band.slug in internal.py - Move inline imports to top of internal.py; add missing Member/NextcloudClient imports - Remove ~15 debug print() statements from auth.py - Replace Content-Type-only avatar check with extension whitelist + Pillow Image.verify() - Sanitize exception details in versions.py (no more str(e) in 4xx/5xx responses) - Restrict CORS allow_methods/allow_headers from "*" to explicit lists - Add security headers middleware: X-Frame-Options, X-Content-Type-Options, Referrer-Policy - Reduce JWT expiry from 7 days to 1 hour - Add Pillow>=10.0 dependency; document INTERNAL_SECRET in .env.example - Implement missing RedisJobQueue.dequeue() method (required by protocol) - Fix 5 pre-existing unit test failures: settings env vars conftest, deferred Redis push, dequeue method, AsyncMock→MagicMock for sync scalar_one_or_none Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 21:02:56 +02:00
parent efef818612
commit 68da26588a
12 changed files with 161 additions and 98 deletions
--- a/api/src/rehearsalhub/routers/ws.py
+++ b/api/src/rehearsalhub/routers/ws.py
@@ -2,15 +2,35 @@

 import uuid

-from fastapi import APIRouter, Depends, WebSocket, WebSocketDisconnect
+from fastapi import APIRouter, Query, WebSocket, WebSocketDisconnect

+from rehearsalhub.repositories.member import MemberRepository
+from rehearsalhub.db.engine import get_session
+from rehearsalhub.services.auth import decode_token
 from rehearsalhub.ws import manager

 router = APIRouter(tags=["websocket"])


@router.websocket("/ws/versions/{version_id}")
-async def version_ws(version_id: uuid.UUID, websocket: WebSocket):
+async def version_ws(
+    version_id: uuid.UUID,
+    websocket: WebSocket,
+    token: str = Query(...),
+):
+    """WebSocket endpoint. Requires a valid JWT passed as ?token=<jwt>."""
+    # Validate token before accepting the connection
+    async for session in get_session():
+        try:
+            payload = decode_token(token)
+            member_id = uuid.UUID(payload["sub"])
+            member = await MemberRepository(session).get_by_id(member_id)
+            if member is None:
+                raise ValueError("member not found")
+        except Exception:
+            await websocket.close(code=4001)
+            return
+
    await manager.connect(version_id, websocket)
    try:
        while True: