chicken_babies_site

ptarrant/chicken_babies_site

Fork 0

Commit Graph

Author	SHA1	Message	Date
Phillip Tarrant	d9090f5055	feat: phase 5 contact form — hCaptcha, honeypot, rate limit, notify Working /contact POST flow: honeypot → hCaptcha server-verify → field validation → SlowAPI 3/hr IP rate limit → contact_submissions row → best-effort Resend notification (Reply-To = submitter) → generic success page. Spam paths don't persist and render the same success page (anti-enumeration). Send failures don't break the request path — the row is already durable. New services: HCaptchaService (async httpx + dev fallback), ContactService. EmailService gains send_contact_notification. Production config validator now requires ADMIN_CONTACT_EMAIL, HCAPTCHA_SECRET, HCAPTCHA_SITE_KEY. 23 new tests, all green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 06:47:06 -05:00
Phillip Tarrant	59dea99079	feat: phase 3 admin magic-link auth — tokens, sessions, rate limits, audit End-to-end passwordless admin auth. /admin/login accepts an email, POSTs mint a 256-bit magic-link token stored only as SHA-256 in magic_link_tokens (15-min TTL, single-use via atomic rowcount UPDATE). Resend delivers the link; in dev with no API key, EmailService logs a structured magic_link_dev_fallback event with the URL so the flow works offline. /admin/auth/consume/{token} verifies, upserts a users row (display_name from email local-part), creates a sessions row, and drops an itsdangerous-signed cb_session cookie (HttpOnly, SameSite=Lax, Secure in prod). /admin renders a placeholder "Welcome, <name>" page pending Phase 4 CMS. /admin/logout flips revoked_at rather than deleting the row to preserve the audit trail. Rate limits use SlowAPI's in-memory limiter (5/15min/IP on login, 20/15min/IP on consume) plus a DB per-email count to catch IP-rotating abuse. ADMIN_EMAILS enforces allowlist; non-allowlisted submissions return the same "check your inbox" page with no token inserted and no email sent (anti-enumeration). Every event lands in auth_events via AuditService: link_requested, link_consumed, consume_failed, session_created, session_revoked, rate_limited. Add a production config validator refusing empty RESEND_API_KEY, RESEND_FROM, or ADMIN_EMAILS; add PUBLIC_BASE_URL for email link construction. CSRF deferred to Phase 6 per roadmap scoping; logout handler marked # TODO(phase-6-csrf). Mark Phase 3 complete in docs/ROADMAP.md.	2026-04-21 16:20:51 -05:00

Author

SHA1

Message

Date

Phillip Tarrant

d9090f5055

feat: phase 5 contact form — hCaptcha, honeypot, rate limit, notify

Working /contact POST flow: honeypot → hCaptcha server-verify →
field validation → SlowAPI 3/hr IP rate limit → contact_submissions
row → best-effort Resend notification (Reply-To = submitter) →
generic success page. Spam paths don't persist and render the same
success page (anti-enumeration). Send failures don't break the
request path — the row is already durable.

New services: HCaptchaService (async httpx + dev fallback),
ContactService. EmailService gains send_contact_notification.
Production config validator now requires ADMIN_CONTACT_EMAIL,
HCAPTCHA_SECRET, HCAPTCHA_SITE_KEY. 23 new tests, all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-22 06:47:06 -05:00

Phillip Tarrant

59dea99079

feat: phase 3 admin magic-link auth — tokens, sessions, rate limits, audit

End-to-end passwordless admin auth. /admin/login accepts an email, POSTs
mint a 256-bit magic-link token stored only as SHA-256 in
magic_link_tokens (15-min TTL, single-use via atomic rowcount UPDATE).
Resend delivers the link; in dev with no API key, EmailService logs a
structured magic_link_dev_fallback event with the URL so the flow works
offline. /admin/auth/consume/{token} verifies, upserts a users row
(display_name from email local-part), creates a sessions row, and drops
an itsdangerous-signed cb_session cookie (HttpOnly, SameSite=Lax, Secure
in prod). /admin renders a placeholder "Welcome, <name>" page pending
Phase 4 CMS. /admin/logout flips revoked_at rather than deleting the row
to preserve the audit trail.

Rate limits use SlowAPI's in-memory limiter (5/15min/IP on login,
20/15min/IP on consume) plus a DB per-email count to catch
IP-rotating abuse. ADMIN_EMAILS enforces allowlist; non-allowlisted
submissions return the same "check your inbox" page with no token
inserted and no email sent (anti-enumeration). Every event lands in
auth_events via AuditService: link_requested, link_consumed,
consume_failed, session_created, session_revoked, rate_limited.

Add a production config validator refusing empty RESEND_API_KEY,
RESEND_FROM, or ADMIN_EMAILS; add PUBLIC_BASE_URL for email link
construction. CSRF deferred to Phase 6 per roadmap scoping; logout
handler marked # TODO(phase-6-csrf).

Mark Phase 3 complete in docs/ROADMAP.md.

2026-04-21 16:20:51 -05:00

2 Commits