Aniworld/todolist.md
Lukas 27108aacda Fix architecture issues from todolist
- Add documentation warnings for in-memory rate limiting and failed login attempts
- Consolidate duplicate health endpoints into api/health.py
- Fix CLI to use correct async rescan method names
- Update download.py and anime.py to use custom exception classes
- Add WebSocket room validation and rate limiting
2025-12-15 14:23:41 +01:00


Todolist - Architecture and Design Issues

This document tracks design and architecture issues discovered during documentation review.


Completed Issues (2025-12-15)

1. In-Memory Rate Limiting Not Persistent

Title: In-memory rate limiting resets on process restart

Severity: medium

Location: src/server/middleware/auth.py

Description: Rate limiting state is stored in in-memory dictionaries (_rate, _origin_rate), which reset when the process restarts, allowing attackers to bypass lockouts.

Resolution: Added comprehensive documentation warning in the module docstring about single-process limitations and recommendations for production deployments (Redis, reverse proxy, etc.).


2. Failed Login Attempts Not Persisted

Title: Failed login attempts stored in-memory only

Severity: medium

Location: src/server/services/auth_service.py

Description: The _failed dictionary tracking failed login attempts resets on process restart, allowing brute-force bypass via service restart.

Resolution: Added comprehensive documentation warning in the class docstring about single-process limitations and recommendations for production deployments.


3. Duplicate Health Endpoints

Title: Health endpoints defined in two locations

Severity: low

Location: src/server/api/health.py

Description: Health check functionality was split between api/health.py (detailed checks) and controllers/health_controller.py (basic check). Both were registered, causing confusion.

Resolution: Consolidated health endpoints into api/health.py only. Removed controllers/health_controller.py. Updated fastapi_app.py to import from api/health.py.


4. Deprecation Warnings in Production Code

Title: Deprecated file-based scan method still in use

Severity: low

Location: src/core/SerieScanner.py

Description: The scan() method emits deprecation warnings but is still callable. CLI may still use this method.

Resolution: Fixed CLI (src/cli/Main.py) to use correct method names (serie_scanner not SerieScanner, rescan() is async). CLI now properly calls asyncio.run(self.series_app.rescan(use_database=False)) for backward compatibility with file-based mode.


9. Inconsistent Error Response Format

Title: Some endpoints return different error formats

Severity: low

Location: src/server/api/download.py, src/server/api/anime.py

Description: Most endpoints use the standard error response format from error_handler.py, but some handlers return raw {"detail": "..."} responses.

Resolution: Updated download.py and anime.py to use custom exception classes (BadRequestError, NotFoundError, ServerError, ValidationError) which are handled by the centralized error handler for consistent response format with success, error, message, and details fields.


10. Missing Input Validation on WebSocket

Title: WebSocket messages lack comprehensive validation

Severity: low

Location: src/server/api/websocket.py

Description: Client messages are parsed with basic Pydantic validation, but room names and action types are not strictly validated against an allow-list.

Resolution: Added explicit room name validation against VALID_ROOMS allow-list. Added per-connection rate limiting (60 messages/minute) to prevent abuse. Added cleanup of rate limit records on disconnect.
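
An added example, not the project's own code from src/server/api/websocket.py: one way to combine the VALID_ROOMS allow-list check, the 60 messages/minute per-connection limit and the disconnect cleanup described in the resolution above. The room names, the ConnectionGuard class and its method names are assumptions for illustration; the message is assumed to be a dict that has already been parsed.

```python
import time
from collections import defaultdict, deque

# Assumed room names: the real contents of VALID_ROOMS are not shown on this page.
VALID_ROOMS = frozenset({"downloads", "queue", "system"})
MAX_MESSAGES = 60         # per connection, as stated in the resolution
WINDOW_SECONDS = 60.0     # "per minute"


class ConnectionGuard:
    """Allow-list room check plus sliding-window rate limit, keyed by connection id."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable so tests need not sleep
        self._stamps = defaultdict(deque)    # connection id -> accepted message times

    def check(self, conn_id, message):
        """Return (accepted, reason) for one already-parsed client message."""
        now = self._clock()
        stamps = self._stamps[conn_id]
        # Drop timestamps that have aged out of the window.
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()
        if len(stamps) >= MAX_MESSAGES:
            return False, "rate_limited"
        # Count the message before validating it, so a client that only sends
        # invalid room names is throttled like any other client.
        stamps.append(now)
        room = message.get("room")
        # Exact match only: no case folding, trimming or prefix matching.
        # The type check also keeps unhashable values away from the set lookup.
        if not isinstance(room, str) or room not in VALID_ROOMS:
            return False, "invalid_room"
        return True, "ok"

    def disconnect(self, conn_id):
        """Forget the connection's records so the table cannot grow without bound."""
        self._stamps.pop(conn_id, None)

    def tracked(self):
        """Number of connections that currently hold rate-limit state."""
        return len(self._stamps)
```

Like the limits in items 1 and 2, this state lives in one process and is lost on restart.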


Summary

Severity Completed
Medium 2
Low 4
Total 6

Changelog

2025-12-15: Completed all 6 identified issues:

  • Enhanced documentation for in-memory limitations in rate limiting and failed login tracking
  • Consolidated duplicate health endpoints into single module
  • Fixed CLI to use correct async method names
  • Updated endpoints to use consistent custom exception classes
  • Added WebSocket room validation and rate limiting

2025-12-13: Initial documentation review completed. Created comprehensive API.md with all REST and WebSocket endpoints documented with source references. Updated ARCHITECTURE.md with system overview, layer descriptions, design patterns, and data flow diagrams. Created README.md with quick start guide. Identified 12 design/architecture issues requiring attention.