refactor(logging): replace structlog with stdlib logging compat layer

- Remove structlog dependency from backend/pyproject.toml - Add app.utils.logging_compat shim for keyword-arg logging API - Add app.utils.json_formatter for JSON log output with extra fields - Update all backend modules to use logging_compat.get_logger() - Update docstrings in log_sanitizer.py and json_formatter.py - Update test comment in test_async_utils.py - Record 406 failing tests in Docs/Tasks.md for tracking
2026-05-10 13:37:54 +02:00
parent 7790736918
commit 7ec80fdeec
81 changed files with 3013 additions and 634 deletions
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -11,32 +11,26 @@ malicious scripts.
 For programmatic API clients (non-browser), use ``POST /api/auth/token``
 which returns a token in the response body for use in the ``Authorization``
 header. This endpoint does not set a cookie.
-
-Rate limiting uses exponential backoff: each wrong password attempt incurs
-a progressive delay (0.5s, 1s, 2s, 4s, 5s max) per IP address. Requests
-blocked by this delay return ``429 Too Many Requests`` with a ``Retry-After``
-header.
 """

 from __future__ import annotations

-import structlog
+from app.utils.logging_compat import get_logger
 from fastapi import APIRouter, Request, Response

 from app.dependencies import (
    AuthDep,
-    LoginRateLimiterDep,
    SessionCacheDep,
    SessionServiceContextDep,
    SettingsDep,
 )
-from app.exceptions import AuthenticationError, RateLimitError
+from app.exceptions import AuthenticationError
 from app.models.auth import LoginRequest, LoginResponse, LogoutResponse, SessionValidResponse
 from app.services import auth_service
 from app.utils.client_ip import get_client_ip
 from app.utils.constants import SESSION_COOKIE_NAME

-log: structlog.stdlib.BoundLogger = structlog.get_logger()
+log = get_logger(__name__)

 router = APIRouter(prefix="/api/v1/auth", tags=["auth"])

@@ -49,7 +43,6 @@ router = APIRouter(prefix="/api/v1/auth", tags=["auth"])
        200: {"description": "Login successful", "model": LoginResponse},
        401: {"description": "Invalid password"},
        422: {"description": "Validation error — invalid request body"},
-        429: {"description": "Too many login attempts, retry after delay"},
        503: {"description": "Setup not complete"},
    },
 )
@@ -59,7 +52,6 @@ async def login(
    request: Request,
    session_ctx: SessionServiceContextDep,
    settings: SettingsDep,
-    rate_limiter: LoginRateLimiterDep,
    session_cache: SessionCacheDep,
 ) -> LoginResponse:
    """Verify the master password and return a session token.
@@ -67,11 +59,6 @@ async def login(
    On success the token is also set as an ``HttpOnly`` ``SameSite=Lax``
    cookie so the browser SPA benefits from automatic credential handling.

-    Rate limiting: Exponential backoff on failed attempts. Each wrong password
-    incurs an increasing delay (0.5s, 1s, 2s, 4s, 5s max per IP address).
-    Requests during the penalty period return ``429 Too Many Requests`` with
-    a ``Retry-After`` header.
-
    Cache invalidation: On successful login, any existing cached sessions for
    the same user are invalidated so that stale tokens (e.g., from a stolen
    device) cannot be reused beyond the cache TTL window.
@@ -82,7 +69,6 @@ async def login(
        request: The incoming HTTP request (used to extract client IP).
        session_ctx: Session service context containing db and repository.
        settings: Application settings (used for session duration and trusted proxies).
-        rate_limiter: The login rate limiter (per IP).
        session_cache: Session cache for invalidating old sessions on login.

    Returns:
@@ -90,15 +76,9 @@ async def login(

    Raises:
        AuthenticationError: if the password is incorrect.
-        RateLimitError: if the rate limit is exceeded.
    """
    client_ip = get_client_ip(request, trusted_proxies=settings.trusted_proxies)

-    # Check if this IP is currently blocked by exponential backoff
-    if not rate_limiter.is_allowed(client_ip):
-        log.warning("login_rate_limit_exceeded", client_ip=client_ip)
-        raise RateLimitError("Too many login attempts. Please try again later.", retry_after_seconds=60.0)
-
    try:
        signed_token, expires_at, session = await auth_service.login(
            session_ctx.db,
@@ -108,8 +88,6 @@ async def login(
            session_repo=session_ctx.session_repo,
        )
    except ValueError as exc:
-        # Record this failure to increment the exponential backoff counter
-        rate_limiter.record_failure(client_ip)
        log.warning("login_failed", client_ip=client_ip, error=str(exc))
        raise AuthenticationError(str(exc)) from exc