Untone
05c188df62
Some checks failed
Deploy on push / deploy (push) Failing after 39s
### 🚨 CRITICAL Security Fixes - **🔒 Open Redirect Protection**: Добавлена строгая валидация redirect_uri против whitelist доменов - **🔒 Rate Limiting**: Защита OAuth endpoints от брутфорса (10 попыток за 5 минут на IP) - **🔒 Logout Endpoint**: Критически важный endpoint для безопасного отзыва httpOnly cookies - **🔒 Provider Validation**: Усиленная валидация OAuth провайдеров с логированием атак - **🚨 GlitchTip Alerts**: Автоматические алерты безопасности в GlitchTip при критических событиях ### 🛡️ Security Modules - **auth/oauth_security.py**: Модуль безопасности OAuth с валидацией и rate limiting + GlitchTip алерты - **auth/logout.py**: Безопасный logout с поддержкой JSON API и browser redirect - **tests/test_oauth_security.py**: Комплексные тесты безопасности (11 тестов) - **tests/test_oauth_glitchtip_alerts.py**: Тесты интеграции с GlitchTip (8 тестов) ### 🔧 OAuth Improvements - **Minimal Flow**: Упрощен до минимума - только httpOnly cookie, нет JWT в URL - **Simple Logic**: Нет error параметра = успех, максимальная простота - **DRY Refactoring**: Устранено дублирование кода в logout и валидации ### 🎯 OAuth Endpoints - **Старт**: `v3.dscrs.site/oauth/{provider}` - с rate limiting и валидацией - **Callback**: `v3.dscrs.site/oauth/{provider}/callback` - безопасный redirect_uri - **Logout**: `v3.dscrs.site/auth/logout` - отзыв httpOnly cookies - **Финализация**: `testing.discours.io/oauth?redirect_url=...` - минимальная схема ### 📊 Security Test Coverage - ✅ Open redirect attack prevention - ✅ Rate limiting protection - ✅ Provider validation - ✅ Safe fallback mechanisms - ✅ Cookie security (httpOnly + Secure + SameSite) - ✅ GlitchTip integration (8 тестов алертов) ### 📝 Documentation - Создан `docs/oauth-minimal-flow.md` - полное описание минимального flow - Обновлена документация OAuth в `docs/auth/oauth.md` - Добавлены security best practices
Discours.io Core
🚀 Modern community platform with GraphQL API, RBAC system, and comprehensive testing infrastructure.
🎯 Features
- 🔐 Authentication: JWT + OAuth (Google, GitHub, Facebook)
- 🏘️ Communities: Full community management with roles and permissions
- 🔒 RBAC System: Role-based access control with inheritance
- 🌐 GraphQL API: Modern API with comprehensive schema
- 🧪 Testing: Complete test suite with E2E automation
- 🚀 CI/CD: Automated testing and deployment pipeline
🚀 Quick Start
Prerequisites
- Python 3.11+
- Node.js 18+
- Redis
- uv (Python package manager)
Installation
# Clone repository
git clone <repository-url>
cd core
# Install Python dependencies
uv sync --group dev
# Install Node.js dependencies
cd panel
npm ci
cd ..
# Setup environment
cp .env.example .env
# Edit .env with your configuration
Development
# Start backend server
uv run python dev.py
# Start frontend (in another terminal)
cd panel
npm run dev
🧪 Testing
Run All Tests
uv run pytest tests/ -v
Test Categories
Run only unit tests
uv run pytest tests/ -m "not e2e" -v
Run only integration tests
uv run pytest tests/ -m "integration" -v
Run only e2e tests
uv run pytest tests/ -m "e2e" -v
Run browser tests
uv run pytest tests/ -m "browser" -v
Run API tests
uv run pytest tests/ -m "api" -v
Skip slow tests
uv run pytest tests/ -m "not slow" -v
Run tests with specific markers
uv run pytest tests/ -m "db and not slow" -v
Test Markers
unit- Unit tests (fast)integration- Integration testse2e- End-to-end testsbrowser- Browser automation testsapi- API-based testsdb- Database testsredis- Redis testsauth- Authentication testsslow- Slow tests (can be skipped)
E2E Testing
E2E tests automatically start backend and frontend servers:
- Backend:
http://localhost:8000 - Frontend:
http://localhost:3000
🚀 CI/CD Pipeline
GitHub Actions Workflow
The project includes a comprehensive CI/CD pipeline that:
-
🧪 Testing Phase
- Matrix testing across Python 3.11, 3.12, 3.13
- Unit, integration, and E2E tests
- Code coverage reporting
- Linting and type checking
-
🚀 Deployment Phase
- Staging: Automatic deployment on
devbranch - Production: Automatic deployment on
mainbranch - Dokku integration for seamless deployments
- Staging: Automatic deployment on
Local CI Testing
Test the CI pipeline locally:
# Run local CI simulation
chmod +x scripts/test-ci-local.sh
./scripts/test-ci-local.sh
CI Server Management
The ./ci-server.py script manages servers for CI:
# Start servers in CI mode
CI_MODE=true python3 ./ci-server.py
📊 Project Structure
core/
├── auth/ # Authentication system
├── orm/ # Database models
├── resolvers/ # GraphQL resolvers
├── services/ # Business logic
├── panel/ # Frontend (SolidJS)
├── tests/ # Test suite
├── scripts/ # CI/CD scripts
└── docs/ # Documentation
🔧 Configuration
Environment Variables
DATABASE_URL- Database connection stringREDIS_URL- Redis connection stringJWT_SECRET- JWT signing secretOAUTH_*- OAuth provider credentials
Database
- Development: SQLite (default)
- Production: PostgreSQL
- Testing: In-memory SQLite
📚 Documentation
🤝 Contributing
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests for new functionality
- Ensure all tests pass
- Submit a pull request
Development Workflow
# Create feature branch
git checkout -b feature/your-feature
# Make changes and test
uv run pytest tests/ -v
# Commit changes
git commit -m "feat: add your feature"
# Push and create PR
git push origin feature/your-feature
📈 Status
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.