sschuhmann/rehearshalhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
68da26588a97c6fbad6c0e163f3e0925b8269007
rehearshalhub/api/src/rehearsalhub/routers/ws.py
Mistral Vibe 68da26588a security: fix auth, CORS, file upload, endpoint hardening + test fixes 
- Add INTERNAL_SECRET shared-secret auth to /internal/nc-upload endpoint
- Add JWT token validation to WebSocket /ws/versions/{version_id}
- Fix NameError: band_slug → band.slug in internal.py
- Move inline imports to top of internal.py; add missing Member/NextcloudClient imports
- Remove ~15 debug print() statements from auth.py
- Replace Content-Type-only avatar check with extension whitelist + Pillow Image.verify()
- Sanitize exception details in versions.py (no more str(e) in 4xx/5xx responses)
- Restrict CORS allow_methods/allow_headers from "*" to explicit lists
- Add security headers middleware: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Reduce JWT expiry from 7 days to 1 hour
- Add Pillow>=10.0 dependency; document INTERNAL_SECRET in .env.example
- Implement missing RedisJobQueue.dequeue() method (required by protocol)
- Fix 5 pre-existing unit test failures: settings env vars conftest, deferred Redis push,
  dequeue method, AsyncMock→MagicMock for sync scalar_one_or_none

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 21:02:56 +02:00

43 lines
1.4 KiB
Python
Raw Blame History

"""WebSocket endpoint for real-time version room events."""
import uuid
from fastapi import APIRouter, Query, WebSocket, WebSocketDisconnect
from rehearsalhub.repositories.member import MemberRepository
from rehearsalhub.db.engine import get_session
from rehearsalhub.services.auth import decode_token
from rehearsalhub.ws import manager
router = APIRouter(tags=["websocket"])
@router.websocket("/ws/versions/{version_id}")
async def version_ws(
version_id: uuid.UUID,
websocket: WebSocket,
token: str = Query(...),
):
"""WebSocket endpoint. Requires a valid JWT passed as ?token=<jwt>."""
# Validate token before accepting the connection
async for session in get_session():
try:
payload = decode_token(token)
member_id = uuid.UUID(payload["sub"])
member = await MemberRepository(session).get_by_id(member_id)
if member is None:
raise ValueError("member not found")
except Exception:
await websocket.close(code=4001)
return
await manager.connect(version_id, websocket)
try:
while True:
# Echo back any client pings; clients can send {"event": "ping"}
data = await websocket.receive_json()
if data.get("event") == "ping":
await websocket.send_json({"event": "pong"})
except WebSocketDisconnect:
manager.disconnect(version_id, websocket)
Reference in New Issue View Git Blame Copy Permalink