feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
"""Request logging middleware for FastAPI.
|
|
|
|
|
|
|
|
|
|
Logs HTTP requests with timing, status codes, and client information
|
|
|
|
|
for monitoring and debugging purposes.
|
|
|
|
|
"""
|
|
|
|
|
|
2026-03-08 12:50:44 -04:00
|
|
|
import logging
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
import time
|
|
|
|
|
import uuid
|
|
|
|
|
|
|
|
|
|
from starlette.middleware.base import BaseHTTPMiddleware
|
|
|
|
|
from starlette.requests import Request
|
|
|
|
|
from starlette.responses import Response
|
|
|
|
|
|
|
|
|
|
logger = logging.getLogger("timmy.requests")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class RequestLoggingMiddleware(BaseHTTPMiddleware):
|
|
|
|
|
"""Middleware to log all HTTP requests.
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
Logs the following information for each request:
|
|
|
|
|
- HTTP method and path
|
|
|
|
|
- Response status code
|
|
|
|
|
- Request processing time
|
|
|
|
|
- Client IP address
|
|
|
|
|
- User-Agent header
|
|
|
|
|
- Correlation ID for tracing
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
Usage:
|
|
|
|
|
app.add_middleware(RequestLoggingMiddleware)
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
# Skip certain paths:
|
|
|
|
|
app.add_middleware(RequestLoggingMiddleware, skip_paths=["/health", "/metrics"])
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
Attributes:
|
|
|
|
|
skip_paths: List of URL paths to skip logging.
|
|
|
|
|
log_level: Logging level for successful requests.
|
|
|
|
|
"""
|
2026-03-08 12:50:44 -04:00
|
|
|
|
ruff (#169)
* polish: streamline nav, extract inline styles, improve tablet UX
- Restructure desktop nav from 8+ flat links + overflow dropdown into
5 grouped dropdowns (Core, Agents, Intel, System, More) matching
the mobile menu structure to reduce decision fatigue
- Extract all inline styles from mission_control.html and base.html
notification elements into mission-control.css with semantic classes
- Replace JS-built innerHTML with secure DOM construction in
notification loader and chat history
- Add CONNECTING state to connection indicator (amber) instead of
showing OFFLINE before WebSocket connects
- Add tablet breakpoint (1024px) with larger touch targets for
Apple Pencil / stylus use and safe-area padding for iPad toolbar
- Add active-link highlighting in desktop dropdown menus
- Rename "Mission Control" page title to "System Overview" to
disambiguate from the chat home page
- Add "Home — Timmy Time" page title to index.html
https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h
* fix(security): move auth-gate credentials to environment variables
Hardcoded username, password, and HMAC secret in auth-gate.py replaced
with os.environ lookups. Startup now refuses to run if any variable is
unset. Added AUTH_GATE_SECRET/USER/PASS to .env.example.
https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h
* refactor(tooling): migrate from black+isort+bandit to ruff
Replace three separate linting/formatting tools with a single ruff
invocation. Updates tox.ini (lint, format, pre-push, pre-commit envs),
.pre-commit-config.yaml, and CI workflow. Fixes all ruff errors
including unused imports, missing raise-from, and undefined names.
Ruff config maps existing bandit skips to equivalent S-rules.
https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h
---------
Co-authored-by: Claude <noreply@anthropic.com>
2026-03-11 12:23:35 -04:00
|
|
|
def __init__(self, app, skip_paths: list[str] | None = None, log_level: int = logging.INFO):
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
super().__init__(app)
|
|
|
|
|
self.skip_paths = set(skip_paths or [])
|
|
|
|
|
self.log_level = log_level
|
2026-03-08 12:50:44 -04:00
|
|
|
|
2026-03-21 18:06:34 +00:00
|
|
|
def _should_skip_path(self, path: str) -> bool:
|
|
|
|
|
"""Check if the request path should be skipped from logging.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
path: The request URL path.
|
|
|
|
|
|
|
|
|
|
Returns:
|
|
|
|
|
True if the path should be skipped, False otherwise.
|
|
|
|
|
"""
|
|
|
|
|
return path in self.skip_paths
|
|
|
|
|
|
|
|
|
|
def _prepare_request_context(self, request: Request) -> tuple[str, float]:
|
|
|
|
|
"""Prepare context for request processing.
|
|
|
|
|
|
|
|
|
|
Generates a correlation ID and records the start time.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
request: The incoming request.
|
|
|
|
|
|
|
|
|
|
Returns:
|
|
|
|
|
Tuple of (correlation_id, start_time).
|
|
|
|
|
"""
|
|
|
|
|
correlation_id = str(uuid.uuid4())[:8]
|
|
|
|
|
request.state.correlation_id = correlation_id
|
|
|
|
|
start_time = time.time()
|
|
|
|
|
return correlation_id, start_time
|
|
|
|
|
|
|
|
|
|
def _get_duration_ms(self, start_time: float) -> float:
|
|
|
|
|
"""Calculate the request duration in milliseconds.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
start_time: The start time from time.time().
|
|
|
|
|
|
|
|
|
|
Returns:
|
|
|
|
|
Duration in milliseconds.
|
|
|
|
|
"""
|
|
|
|
|
return (time.time() - start_time) * 1000
|
|
|
|
|
|
|
|
|
|
def _log_success(
|
|
|
|
|
self,
|
|
|
|
|
request: Request,
|
|
|
|
|
response: Response,
|
|
|
|
|
correlation_id: str,
|
|
|
|
|
duration_ms: float,
|
|
|
|
|
client_ip: str,
|
|
|
|
|
user_agent: str,
|
|
|
|
|
) -> None:
|
|
|
|
|
"""Log a successful request.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
request: The incoming request.
|
|
|
|
|
response: The response from downstream.
|
|
|
|
|
correlation_id: The request correlation ID.
|
|
|
|
|
duration_ms: Request duration in milliseconds.
|
|
|
|
|
client_ip: Client IP address.
|
|
|
|
|
user_agent: User-Agent header value.
|
|
|
|
|
"""
|
|
|
|
|
self._log_request(
|
|
|
|
|
method=request.method,
|
|
|
|
|
path=request.url.path,
|
|
|
|
|
status_code=response.status_code,
|
|
|
|
|
duration_ms=duration_ms,
|
|
|
|
|
client_ip=client_ip,
|
|
|
|
|
user_agent=user_agent,
|
|
|
|
|
correlation_id=correlation_id,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
def _log_error(
|
|
|
|
|
self,
|
|
|
|
|
request: Request,
|
|
|
|
|
exc: Exception,
|
|
|
|
|
correlation_id: str,
|
|
|
|
|
duration_ms: float,
|
|
|
|
|
client_ip: str,
|
|
|
|
|
) -> None:
|
|
|
|
|
"""Log a failed request and capture the error.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
request: The incoming request.
|
|
|
|
|
exc: The exception that was raised.
|
|
|
|
|
correlation_id: The request correlation ID.
|
|
|
|
|
duration_ms: Request duration in milliseconds.
|
|
|
|
|
client_ip: Client IP address.
|
|
|
|
|
"""
|
|
|
|
|
logger.error(
|
|
|
|
|
f"[{correlation_id}] {request.method} {request.url.path} "
|
|
|
|
|
f"- ERROR - {duration_ms:.2f}ms - {client_ip} - {str(exc)}"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# Auto-escalate: create bug report task from unhandled exception
|
|
|
|
|
try:
|
|
|
|
|
from infrastructure.error_capture import capture_error
|
|
|
|
|
|
|
|
|
|
capture_error(
|
|
|
|
|
exc,
|
|
|
|
|
source="http",
|
|
|
|
|
context={
|
|
|
|
|
"method": request.method,
|
|
|
|
|
"path": request.url.path,
|
|
|
|
|
"correlation_id": correlation_id,
|
|
|
|
|
"client_ip": client_ip,
|
|
|
|
|
"duration_ms": f"{duration_ms:.0f}",
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
except Exception:
|
|
|
|
|
logger.warning("Escalation logging error: capture failed")
|
|
|
|
|
# never let escalation break the request
|
|
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
async def dispatch(self, request: Request, call_next) -> Response:
|
|
|
|
|
"""Log the request and response details.
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
Args:
|
|
|
|
|
request: The incoming request.
|
|
|
|
|
call_next: Callable to get the response from downstream.
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
Returns:
|
|
|
|
|
The response from downstream.
|
|
|
|
|
"""
|
2026-03-21 18:06:34 +00:00
|
|
|
if self._should_skip_path(request.url.path):
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
return await call_next(request)
|
2026-03-08 12:50:44 -04:00
|
|
|
|
2026-03-21 18:06:34 +00:00
|
|
|
correlation_id, start_time = self._prepare_request_context(request)
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
client_ip = self._get_client_ip(request)
|
|
|
|
|
user_agent = request.headers.get("user-agent", "-")
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
try:
|
|
|
|
|
response = await call_next(request)
|
2026-03-21 18:06:34 +00:00
|
|
|
duration_ms = self._get_duration_ms(start_time)
|
|
|
|
|
self._log_success(request, response, correlation_id, duration_ms, client_ip, user_agent)
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
response.headers["X-Correlation-ID"] = correlation_id
|
|
|
|
|
return response
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
except Exception as exc:
|
2026-03-21 18:06:34 +00:00
|
|
|
duration_ms = self._get_duration_ms(start_time)
|
|
|
|
|
self._log_error(request, exc, correlation_id, duration_ms, client_ip)
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
raise
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
def _get_client_ip(self, request: Request) -> str:
|
|
|
|
|
"""Extract the client IP address from the request.
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
Checks X-Forwarded-For and X-Real-IP headers first for proxied requests,
|
|
|
|
|
falls back to the direct client IP.
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
Args:
|
|
|
|
|
request: The incoming request.
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
Returns:
|
|
|
|
|
Client IP address string.
|
|
|
|
|
"""
|
|
|
|
|
# Check for forwarded IP (behind proxy/load balancer)
|
|
|
|
|
forwarded_for = request.headers.get("x-forwarded-for")
|
|
|
|
|
if forwarded_for:
|
|
|
|
|
# X-Forwarded-For can contain multiple IPs, take the first one
|
|
|
|
|
return forwarded_for.split(",")[0].strip()
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
real_ip = request.headers.get("x-real-ip")
|
|
|
|
|
if real_ip:
|
|
|
|
|
return real_ip
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
# Fall back to direct connection
|
|
|
|
|
if request.client:
|
|
|
|
|
return request.client.host
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
return "-"
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
def _log_request(
|
|
|
|
|
self,
|
|
|
|
|
method: str,
|
|
|
|
|
path: str,
|
|
|
|
|
status_code: int,
|
|
|
|
|
duration_ms: float,
|
|
|
|
|
client_ip: str,
|
|
|
|
|
user_agent: str,
|
2026-03-08 12:50:44 -04:00
|
|
|
correlation_id: str,
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
) -> None:
|
|
|
|
|
"""Format and log the request details.
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
Args:
|
|
|
|
|
method: HTTP method.
|
|
|
|
|
path: Request path.
|
|
|
|
|
status_code: HTTP status code.
|
|
|
|
|
duration_ms: Request duration in milliseconds.
|
|
|
|
|
client_ip: Client IP address.
|
|
|
|
|
user_agent: User-Agent header value.
|
|
|
|
|
correlation_id: Request correlation ID.
|
|
|
|
|
"""
|
|
|
|
|
# Determine log level based on status code
|
|
|
|
|
level = self.log_level
|
|
|
|
|
if status_code >= 500:
|
|
|
|
|
level = logging.ERROR
|
|
|
|
|
elif status_code >= 400:
|
|
|
|
|
level = logging.WARNING
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
message = (
|
|
|
|
|
f"[{correlation_id}] {method} {path} - {status_code} "
|
|
|
|
|
f"- {duration_ms:.2f}ms - {client_ip}"
|
|
|
|
|
)
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
# Add user agent for non-health requests
|
|
|
|
|
if path not in self.skip_paths:
|
|
|
|
|
message += f" - {user_agent[:50]}"
|
2026-03-08 12:50:44 -04:00
|
|
|
|
feat: add security middleware suite - CSRF, security headers, and request logging (#102)
Implements three security middleware components with full test coverage:
- CSRF Protection: Token generation/validation, safe method allowlist,
auto-exempt webhooks, constant-time comparison for timing attack prevention
- Security Headers: X-Content-Type-Options, X-Frame-Options, CSP,
Permissions-Policy, Referrer-Policy, HSTS (production)
- Request Logging: Method/path/status/duration logging with correlation IDs,
configurable path exclusions, X-Forwarded-For support
Also fixes Discord test isolation issue where settings.discord_token
was not being properly reset between tests.
New files:
- src/dashboard/middleware/{csrf,security_headers,request_logging}.py
- tests/dashboard/middleware/test_{csrf,security_headers,request_logging}.py
Addresses design review recommendations R3, R8, R9, R4.
All tests pass: 1950 passed, 40 skipped
Co-authored-by: Alexander Payne <apayne@MM.local>
2026-02-28 23:21:09 -05:00
|
|
|
logger.log(level, message)
|
