BanGUI/Docs/Tasks.md at 6bc440dce466eb68923262766926c14cb99b402f

Files

Lukas 6bc440dce4 Refactor backend configuration and authentication

- Add comprehensive documentation for backend development
- Improve client IP detection with utility functions and tests
- Update auth router with better error handling
- Refactor config module with environment-based settings

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

2026-04-29 19:39:55 +02:00

5.4 KiB

Raw Blame History

33) Trusted proxy configuration is hardcoded in auth router

Where found:
- backend/app/routers/auth.py
- backend/app/utils/client_ip.py
Why this is needed:
- Incorrect client IP extraction can break per-IP rate limiting behind proxies.
Goal:
- Move trusted proxies to validated runtime config.
What to do:
- Add settings for trusted proxy IPs/CIDRs.
- Validate and use these in client IP extraction.
Possible traps and issues:
- Over-trusting headers can enable spoofing.
Docs changes needed:
- Add reverse-proxy deployment configuration section.
Doc references:
- Docs/Instructions.md

34) Setup redirect allowlist uses broad prefix matching

Where found:
- backend/app/main.py
Why this is needed:
- Prefix-based allow rules are fragile for future route additions.
Goal:
- Use exact path or route-level allow policy.
What to do:
- Replace startswith matching with explicit allowlist checks.
Possible traps and issues:
- API docs and setup flow paths must remain reachable.
Docs changes needed:
- Add setup guard route policy documentation.
Doc references:
- backend/app/main.py

35) API client sends JSON and CSRF header for every request method

Where found:
- frontend/src/api/client.ts
Why this is needed:
- Extra headers on GET increase unnecessary CORS preflights and noise.
Goal:
- Apply headers by method/body requirements.
What to do:
- Only set Content-Type for requests with JSON body.
- Send CSRF header for mutating cookie-authenticated requests only.
Possible traps and issues:
- CSRF protection assumptions must still hold for all mutating paths.
Docs changes needed:
- Update frontend API client contract and CSRF notes.
Doc references:
- backend/app/middleware/csrf.py

36) Polling continues when tab is not visible

Where found:
- frontend/src/hooks/usePolledData.ts
- frontend/src/hooks/useBlocklistStatus.ts
Why this is needed:
- Unnecessary backend load and client resource usage in background tabs.
Goal:
- Pause/reduce polling when page is hidden.
What to do:
- Add visibility-aware polling strategy and optional backoff.
Possible traps and issues:
- Data may appear stale immediately after tab restore if refresh is delayed.
Docs changes needed:
- Add frontend polling lifecycle policy.
Doc references:
- Docs/Web-Development.md

37) Multi-worker safety check depends on one environment variable

Where found:
- backend/app/startup.py
Why this is needed:
- Other process managers can still launch multiple workers without this variable.
Goal:
- Enforce scheduler single-executor safety regardless of launcher.
What to do:
- Add robust single-run lock/leader mechanism for scheduler ownership.
Possible traps and issues:
- Locking strategy must be reliable in container orchestration.
Docs changes needed:
- Expand deployment constraints and supported run modes.
Doc references:
- Docs/Architekture.md

38) History archive query paths may need explicit indexing plan

Where found:
- backend/app/db.py
- backend/app/repositories/history_archive_repo.py
Why this is needed:
- Large archive datasets can degrade filter/sort performance.
Goal:
- Add indexes aligned with real query patterns.
What to do:
- Benchmark common history queries.
- Add migration with targeted indexes.
Possible traps and issues:
- Extra indexes increase write cost and DB size.
Docs changes needed:
- Add DB performance/indexing section for history.
Doc references:
- Docs/Backend-Development.md
- https://www.sqlite.org/queryplanner.html

39) No explicit DI container strategy for backend service graph

Where found:
- backend/app/dependencies.py
- backend/app/services
Why this is needed:
- Dependency construction and lifecycle are partly implicit.
Goal:
- Define a clear dependency wiring pattern for services and repositories.
What to do:
- Create service composition root pattern and document usage.
Possible traps and issues:
- Over-engineering if container abstraction is too heavy for current size.
Docs changes needed:
- Add dependency wiring chapter.
Doc references:
- Docs/Architekture.md

40) Frontend and backend observability are not aligned

Where found:
- backend/app/main.py
- frontend/src
Why this is needed:
- Backend uses structured logging while frontend error telemetry is mostly local and ad-hoc.
Goal:
- Define unified error telemetry and correlation approach.
What to do:
- Introduce frontend error reporting pipeline and request correlation IDs.
Possible traps and issues:
- PII/sensitive payload leakage risk in client-side telemetry.
Docs changes needed:
- Add observability and privacy-safe logging guidelines.
Doc references:
- Docs/Architekture.md
- Docs/Web-Development.md

5.4 KiB Raw Blame History

33) Trusted proxy configuration is hardcoded in auth router

34) Setup redirect allowlist uses broad prefix matching

35) API client sends JSON and CSRF header for every request method

36) Polling continues when tab is not visible

37) Multi-worker safety check depends on one environment variable

38) History archive query paths may need explicit indexing plan

39) No explicit DI container strategy for backend service graph

40) Frontend and backend observability are not aligned

5.4 KiB

Raw Blame History