chore: promote UAT to production (CAR-662, audit logging middleware)

2026-04-15 04:29:39 +00:00
parent 17bf6872bb 30237784f8
commit 8457c2fbbc
10 changed files with 504 additions and 96 deletions
@@ -69,7 +69,9 @@ async def get_current_user(
    token: str | None = None

    # 1. Check session cookie — prefer __Secure- variant (HTTPS) over plain (HTTP dev)
-    cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(SESSION_COOKIE_NAME)
+    cookie_token = request.cookies.get(SECURE_SESSION_COOKIE_NAME) or request.cookies.get(
+        SESSION_COOKIE_NAME
+    )
    if cookie_token:
        # Better-Auth cookie format is "token.sessionId" — extract just the token part
        token = cookie_token.split(".")[0] if "." in cookie_token else cookie_token
@@ -86,7 +88,9 @@ async def get_current_user(
            detail="Authentication required",
        )

-    return await _validate_session_token(token, db)
+    user_id = await _validate_session_token(token, db)
+    request.state.user_id = user_id
+    return user_id


 async def verify_service_key(x_service_key: str = Header()) -> None:
@@ -47,5 +47,30 @@ class CacheClient:
            return
        await self._client.delete(key)

+    async def invalidate_price_cache(self, product_id: str) -> None:
+        """Invalidate all price-related cache entries for a product."""
+        if not self._client:
+            return
+        pattern = f"price:*:{product_id}"
+        await self._delete_pattern(pattern)
+
+    async def invalidate_product_cache(self, product_id: str) -> None:
+        """Invalidate the product detail cache entry."""
+        if not self._client:
+            return
+        await self._client.delete(f"product:{product_id}")
+
+    async def _delete_pattern(self, pattern: str) -> None:
+        """Delete all keys matching a pattern using SCAN."""
+        if not self._client:
+            return
+        cursor = 0
+        while True:
+            cursor, keys = await self._client.scan(cursor=cursor, match=pattern, count=100)
+            if keys:
+                await self._client.delete(*keys)
+            if cursor == 0:
+                break
+

 cache_client = CacheClient()
@@ -32,6 +32,9 @@ class Settings(BaseSettings):

    rate_limit_requests: int = 60
    rate_limit_window_seconds: int = 60
+    rate_limit_auth_requests: int = 5
+    rate_limit_auth_window_seconds: int = 60
+    rate_limit_redis_enabled: bool = True
    rate_limit_enabled: bool = True

    _PLACEHOLDER_VALUES = {"change-me-in-production"}
@@ -72,7 +75,9 @@ class Settings(BaseSettings):
    def normalize_database_url(self):
        """Normalize postgresql:// → postgresql+asyncpg:// for the asyncpg driver."""
        if self.database_url.startswith("postgresql://"):
-            self.database_url = self.database_url.replace("postgresql://", "postgresql+asyncpg://", 1)
+            self.database_url = self.database_url.replace(
+                "postgresql://", "postgresql+asyncpg://", 1
+            )
        return self


@@ -10,6 +10,7 @@ from cartsnitch_api.database import dispose_engine
 from cartsnitch_api.middleware.cors import add_cors_middleware
 from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware
 from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware
+from cartsnitch_api.middleware.audit import add_audit_middleware
 from cartsnitch_api.routes.alerts import router as alerts_router
 from cartsnitch_api.routes.coupons import router as coupons_router
 from cartsnitch_api.routes.health import router as health_router
@@ -43,6 +44,7 @@ def create_app() -> FastAPI:
    add_cors_middleware(app)
    add_error_monitor_middleware(app)
    add_rate_limit_middleware(app)
+    add_audit_middleware(app)

    # Exception handlers
    add_error_handlers(app)
@@ -0,0 +1,64 @@
+"""Audit logging middleware for sensitive API operations.
+
+Logs structured JSON for POST/PUT/PATCH/DELETE requests and GET /auth/me.
+Never logs request bodies, response bodies, Authorization headers, or cookie values.
+"""
+
+import json
+import logging
+import time
+from collections.abc import Awaitable, Callable
+
+from fastapi import FastAPI, Request
+from starlette.middleware.base import BaseHTTPMiddleware
+
+logger = logging.getLogger("cartsnitch_api.audit")
+
+HEALTH_PATHS = {"/health", "/healthz", "/ready"}
+
+
+class AuditMiddleware(BaseHTTPMiddleware):
+    """Middleware to log structured audit events for sensitive operations."""
+
+    async def dispatch(
+        self,
+        request: Request,
+        call_next: Callable[[Request], Awaitable],
+    ):
+        if request.method == "OPTIONS" or request.url.path in HEALTH_PATHS:
+            return await call_next(request)
+
+        method = request.method
+        path = request.url.path
+
+        is_sensitive_write = method in {"POST", "PUT", "PATCH", "DELETE"}
+        is_auth_me_read = method == "GET" and path == "/auth/me"
+
+        if not (is_sensitive_write or is_auth_me_read):
+            return await call_next(request)
+
+        start = time.perf_counter()
+        response = await call_next(request)
+        duration_ms = (time.perf_counter() - start) * 1000
+
+        user_id = getattr(request.state, "user_id", None)
+        client_ip = request.client.host if request.client else "unknown"
+
+        log_entry = {
+            "event": "audit",
+            "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
+            "user_id": user_id,
+            "method": method,
+            "path": path,
+            "client_ip": client_ip,
+            "status_code": response.status_code,
+            "duration_ms": round(duration_ms, 2),
+        }
+
+        logger.info(json.dumps(log_entry))
+
+        return response
+
+
+def add_audit_middleware(app: FastAPI) -> None:
+    app.add_middleware(AuditMiddleware)
@@ -5,18 +5,31 @@ Per-IP limiting on public endpoints, per-token limiting on authenticated endpoin
 """

 import hashlib
+import logging
 import time
+import uuid
 from collections import defaultdict
 from threading import Lock
+from typing import Protocol

 from fastapi import FastAPI, Request, status
 from fastapi.responses import JSONResponse
+from redis.asyncio import Redis, RedisError
 from starlette.middleware.base import BaseHTTPMiddleware

 from cartsnitch_api.config import settings

+logger = logging.getLogger(__name__)

-class _SlidingWindowCounter:
+
+class RateLimitBackend(Protocol):
+    """Protocol for rate limit backends."""
+
+    async def is_allowed(self, key: str) -> tuple[bool, int, int]:
+        """Check if request is allowed. Returns (allowed, remaining, retry_after)."""
+
+
+class InMemorySlidingWindow:
    """Thread-safe in-memory sliding window rate limiter."""

    def __init__(self, max_requests: int, window_seconds: int) -> None:
@@ -25,13 +38,12 @@ class _SlidingWindowCounter:
        self._hits: dict[str, list[float]] = defaultdict(list)
        self._lock = Lock()

-    def is_allowed(self, key: str) -> tuple[bool, int, int]:
+    async def is_allowed(self, key: str) -> tuple[bool, int, int]:
        """Check if request is allowed. Returns (allowed, remaining, retry_after)."""
        now = time.monotonic()
        cutoff = now - self.window_seconds

        with self._lock:
-            # Prune expired entries
            self._hits[key] = [t for t in self._hits[key] if t > cutoff]

            current_count = len(self._hits[key])
@@ -44,15 +56,84 @@ class _SlidingWindowCounter:
            return True, remaining, 0


-# Module-level counters — one for public (per-IP), one for auth (per-token)
-_public_limiter = _SlidingWindowCounter(
-    max_requests=settings.rate_limit_requests,
-    window_seconds=settings.rate_limit_window_seconds,
-)
-_auth_limiter = _SlidingWindowCounter(
-    max_requests=settings.rate_limit_requests * 5,  # 300/min for authenticated users
-    window_seconds=settings.rate_limit_window_seconds,
-)
+class RedisSlidingWindow:
+    """Redis-backed sliding window rate limiter using sorted sets."""
+
+    def __init__(self, redis: Redis, max_requests: int, window_seconds: int) -> None:
+        self.redis = redis
+        self.max_requests = max_requests
+        self.window_seconds = window_seconds
+
+    async def is_allowed(self, key: str) -> tuple[bool, int, int]:
+        """Check if request is allowed. Returns (allowed, remaining, retry_after)."""
+        try:
+            now = time.monotonic()
+            cutoff = now - self.window_seconds
+            now_ms = int(now * 1000)
+            cutoff_ms = int(cutoff * 1000)
+
+            pipe = self.redis.pipeline()
+            pipe.zremrangebyscore(key, 0, cutoff_ms)
+            pipe.zcard(key)
+            results = await pipe.execute()
+
+            current_count = results[1]
+
+            if current_count >= self.max_requests:
+                oldest = await self.redis.zrange(key, 0, 0, withscores=True)
+                if oldest:
+                    retry_after = int((oldest[0][1] - cutoff) / 1000) + 1
+                else:
+                    retry_after = self.window_seconds
+                return False, 0, retry_after
+
+            member = f"{now_ms}:{uuid.uuid4().hex[:8]}"
+            pipe = self.redis.pipeline()
+            pipe.zadd(key, {member: now_ms})
+            pipe.expire(key, self.window_seconds)
+            await pipe.execute()
+
+            remaining = self.max_requests - current_count - 1
+            return True, remaining, 0
+
+        except RedisError as e:
+            logger.warning("Redis rate limit error, falling back to in-memory: %s", e)
+            in_memory = InMemorySlidingWindow(self.max_requests, self.window_seconds)
+            return await in_memory.is_allowed(key)
+
+
+_redis_client: Redis | None = None
+_use_redis = False
+
+if settings.rate_limit_redis_enabled:
+    try:
+        _redis_client = Redis.from_url(settings.redis_url)
+        _use_redis = True
+        logger.info("Rate limiting will use Redis at %s", settings.redis_url)
+    except Exception as e:
+        logger.warning("Failed to connect to Redis for rate limiting, using in-memory: %s", e)
+        _use_redis = False
+
+if _use_redis and _redis_client:
+    _public_limiter = RedisSlidingWindow(
+        _redis_client, settings.rate_limit_requests, settings.rate_limit_window_seconds
+    )
+    _auth_limiter = RedisSlidingWindow(
+        _redis_client, settings.rate_limit_requests * 5, settings.rate_limit_window_seconds
+    )
+    _auth_strict_limiter = RedisSlidingWindow(
+        _redis_client, settings.rate_limit_auth_requests, settings.rate_limit_auth_window_seconds
+    )
+else:
+    _public_limiter = InMemorySlidingWindow(
+        settings.rate_limit_requests, settings.rate_limit_window_seconds
+    )
+    _auth_limiter = InMemorySlidingWindow(
+        settings.rate_limit_requests * 5, settings.rate_limit_window_seconds
+    )
+    _auth_strict_limiter = InMemorySlidingWindow(
+        settings.rate_limit_auth_requests, settings.rate_limit_auth_window_seconds
+    )


 def _get_client_ip(request: Request) -> str:
@@ -63,30 +144,30 @@ def _get_client_ip(request: Request) -> str:
    return request.client.host if request.client else "unknown"


-def _get_rate_limit_key(request: Request) -> tuple[str, _SlidingWindowCounter]:
+def _get_rate_limit_key(request: Request) -> tuple[str, RateLimitBackend]:
    """Determine rate limit key and which limiter to use."""
    if request.url.path.startswith("/public"):
        return f"ip:{_get_client_ip(request)}", _public_limiter

-    # For authenticated endpoints, use Bearer token as key if present
+    if request.url.path.startswith("/auth/") and request.method == "POST":
+        return f"ip:{_get_client_ip(request)}", _auth_strict_limiter
+
    auth_header = request.headers.get("authorization", "")
    if auth_header.startswith("Bearer "):
        token = auth_header[7:]
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        return f"token:{token_hash}", _auth_limiter

-    # Fallback to IP for unauthenticated non-public endpoints
    return f"ip:{_get_client_ip(request)}", _public_limiter


 class RateLimitMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request: Request, call_next):
-        # Skip rate limiting when disabled (e.g. in tests) or for health checks
        if not settings.rate_limit_enabled or request.url.path == "/health":
            return await call_next(request)

        key, limiter = _get_rate_limit_key(request)
-        allowed, remaining, retry_after = limiter.is_allowed(key)
+        allowed, remaining, retry_after = await limiter.is_allowed(key)

        if not allowed:
            return JSONResponse(
@@ -18,10 +18,14 @@ router = APIRouter(prefix="/public", tags=["public"])


@router.get("/trends/{product_id}", response_model=PublicTrendResponse)
-async def public_price_trend(product_id: UUID, db: AsyncSession = Depends(get_db)):
+async def public_price_trend(
+    product_id: UUID,
+    days: int = Query(90, ge=1, le=365),
+    db: AsyncSession = Depends(get_db),
+):
    svc = PublicService(db)
    try:
-        return await svc.get_trend(product_id)
+        return await svc.get_trend(product_id, days=days)
    except LookupError:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND, detail="Product not found"
@@ -31,6 +35,7 @@ async def public_price_trend(product_id: UUID, db: AsyncSession = Depends(get_db
@router.get("/store-comparison", response_model=PublicStoreComparisonResponse)
 async def public_store_comparison(
    product_ids: Annotated[list[UUID], Query(max_length=20)],
+    category: str | None = Query(None, max_length=100, pattern=r"^[a-zA-Z0-9 _-]+$"),
    db: AsyncSession = Depends(get_db),
 ):
    if not product_ids:
@@ -39,10 +44,14 @@ async def public_store_comparison(
            detail="At least one product_id is required",
        )
    svc = PublicService(db)
-    return await svc.get_store_comparison(product_ids)
+    return await svc.get_store_comparison(product_ids, category=category)


@router.get("/inflation", response_model=PublicInflationResponse)
-async def public_inflation(db: AsyncSession = Depends(get_db)):
+async def public_inflation(
+    category: str | None = Query(None, max_length=100, pattern=r"^[a-zA-Z0-9 _-]+$"),
+    period: str = Query("all-time", pattern=r"^(all-time|1y|6m|3m|1m)$"),
+    db: AsyncSession = Depends(get_db),
+):
    svc = PublicService(db)
-    return await svc.get_inflation()
+    return await svc.get_inflation(category=category, period=period)
@@ -1,5 +1,6 @@
 """Public service — unauthenticated price transparency endpoints."""

+from datetime import date, timedelta
 from uuid import UUID

 from sqlalchemy import and_, func, select
@@ -13,7 +14,7 @@ class PublicService:
    def __init__(self, db: AsyncSession) -> None:
        self.db = db

-    async def get_trend(self, product_id: UUID) -> dict:
+    async def get_trend(self, product_id: UUID, days: int = 90) -> dict:
        from cartsnitch_api.models import NormalizedProduct, PriceHistory

        result = await self.db.execute(
@@ -23,9 +24,13 @@ class PublicService:
        if not product:
            raise LookupError("Product not found")

+        date_threshold = date.today() - timedelta(days=days)
        prices_result = await self.db.execute(
            select(PriceHistory)
-            .where(PriceHistory.normalized_product_id == product_id)
+            .where(
+                PriceHistory.normalized_product_id == product_id,
+                PriceHistory.observed_date >= date_threshold,
+            )
            .options(selectinload(PriceHistory.store))
            .order_by(PriceHistory.observed_date)
        )
@@ -45,20 +50,25 @@ class PublicService:
            ],
        }

-    async def get_store_comparison(self, product_ids: list[UUID]) -> dict:
+    async def get_store_comparison(
+        self, product_ids: list[UUID], category: str | None = None
+    ) -> dict:
        from cartsnitch_api.models import NormalizedProduct, PriceHistory

        if not product_ids:
            return {"products": []}

-        # Fetch all products in one query
-        prod_result = await self.db.execute(
-            select(NormalizedProduct).where(NormalizedProduct.id.in_(product_ids))
-        )
+        product_query = select(NormalizedProduct).where(NormalizedProduct.id.in_(product_ids))
+        if category:
+            product_query = product_query.where(NormalizedProduct.category == category)
+        prod_result = await self.db.execute(product_query)
        products_by_id = {p.id: p for p in prod_result.scalars().all()}

-        # Latest prices for all requested products in one query
-        subq = latest_price_per_store(product_ids)
+        if not products_by_id:
+            return {"products": []}
+
+        filtered_product_ids = list(products_by_id.keys())
+        subq = latest_price_per_store(filtered_product_ids)
        prices_result = await self.db.execute(
            select(PriceHistory)
            .join(
@@ -69,18 +79,17 @@ class PublicService:
                    PriceHistory.normalized_product_id == subq.c.normalized_product_id,
                ),
            )
-            .where(PriceHistory.normalized_product_id.in_(product_ids))
+            .where(PriceHistory.normalized_product_id.in_(filtered_product_ids))
            .options(selectinload(PriceHistory.store))
        )
        all_prices = prices_result.scalars().all()

-        # Group by product
        prices_by_product: dict[UUID, list] = {}
        for ph in all_prices:
            prices_by_product.setdefault(ph.normalized_product_id, []).append(ph)

        products = []
-        for pid in product_ids:
+        for pid in filtered_product_ids:
            product = products_by_id.get(pid)
            if not product:
                continue
@@ -102,19 +111,29 @@ class PublicService:

        return {"products": products}

-    async def get_inflation(self) -> dict:
+    async def get_inflation(self, category: str | None = None, period: str = "all-time") -> dict:
        """Aggregate price change stats. Compares average prices across periods."""
        from cartsnitch_api.models import NormalizedProduct, PriceHistory

-        # Get average prices grouped by category for recent vs older data
-        result = await self.db.execute(
-            select(
-                NormalizedProduct.category,
-                func.avg(PriceHistory.regular_price),
-            )
-            .join(NormalizedProduct)
-            .group_by(NormalizedProduct.category)
-        )
+        date_threshold = None
+        if period != "all-time":
+            days_map = {"1y": 365, "6m": 180, "3m": 90, "1m": 30}
+            days = days_map.get(period, 365)
+            date_threshold = date.today() - timedelta(days=days)
+
+        query = select(
+            NormalizedProduct.category,
+            func.avg(PriceHistory.regular_price),
+        ).join(NormalizedProduct)
+
+        if category:
+            query = query.where(NormalizedProduct.category == category)
+        if date_threshold:
+            query = query.where(PriceHistory.observed_date >= date_threshold)
+
+        query = query.group_by(NormalizedProduct.category)
+
+        result = await self.db.execute(query)
        categories = {}
        for row in result.all():
            cat, avg_price = row
@@ -122,7 +141,7 @@ class PublicService:
                categories[cat] = float(avg_price) if avg_price else 0.0

        return {
-            "period": "all-time",
+            "period": period,
            "cartsnitch_index": sum(categories.values()) / max(len(categories), 1),
            "cpi_baseline": 100.0,
            "categories": categories,
@@ -1,49 +1,184 @@
 """Tests for rate limiting middleware."""

-from unittest.mock import MagicMock
+import time
+from unittest.mock import AsyncMock, MagicMock, patch

 import pytest

-from cartsnitch_api.middleware.rate_limit import _SlidingWindowCounter, _get_rate_limit_key
+from cartsnitch_api.config import settings
+from cartsnitch_api.middleware.rate_limit import (
+    InMemorySlidingWindow,
+    RedisSlidingWindow,
+    _get_client_ip,
+    _get_rate_limit_key,
+)


-class TestSlidingWindowCounter:
+class TestInMemorySlidingWindow:
    def test_allows_within_limit(self):
-        counter = _SlidingWindowCounter(max_requests=5, window_seconds=60)
+        limiter = InMemorySlidingWindow(max_requests=5, window_seconds=60)
        for i in range(5):
-            allowed, remaining, retry = counter.is_allowed("test-key")
+            allowed, remaining, retry = limiter.is_allowed("test-key")
            assert allowed is True
            assert remaining == 4 - i

    def test_blocks_over_limit(self):
-        counter = _SlidingWindowCounter(max_requests=3, window_seconds=60)
+        limiter = InMemorySlidingWindow(max_requests=3, window_seconds=60)
        for _ in range(3):
-            counter.is_allowed("test-key")
+            limiter.is_allowed("test-key")

-        allowed, remaining, retry = counter.is_allowed("test-key")
+        allowed, remaining, retry = limiter.is_allowed("test-key")
        assert allowed is False
        assert remaining == 0
        assert retry > 0

    def test_separate_keys(self):
-        counter = _SlidingWindowCounter(max_requests=2, window_seconds=60)
-        # Fill key-a
-        counter.is_allowed("key-a")
-        counter.is_allowed("key-a")
-        allowed_a, _, _ = counter.is_allowed("key-a")
+        limiter = InMemorySlidingWindow(max_requests=2, window_seconds=60)
+        limiter.is_allowed("key-a")
+        limiter.is_allowed("key-a")
+        allowed_a, _, _ = limiter.is_allowed("key-a")
        assert allowed_a is False

-        # key-b should still be allowed
-        allowed_b, remaining, _ = counter.is_allowed("key-b")
+        allowed_b, remaining, _ = limiter.is_allowed("key-b")
        assert allowed_b is True
        assert remaining == 1

+    def test_resets_after_window_expires(self):
+        limiter = InMemorySlidingWindow(max_requests=2, window_seconds=1)
+        for _ in range(2):
+            limiter.is_allowed("test-key")
+        allowed, remaining, _ = limiter.is_allowed("test-key")
+        assert allowed is False
+
+        time.sleep(1.1)
+        allowed, remaining, _ = limiter.is_allowed("test-key")
+        assert allowed is True
+        assert remaining == 1
+
+
+class TestGetClientIp:
+    def test_x_forwarded_for_single(self):
+        req = MagicMock()
+        req.headers = {"x-forwarded-for": "192.168.1.1"}
+        req.client = None
+        assert _get_client_ip(req) == "192.168.1.1"
+
+    def test_x_forwarded_for_multiple(self):
+        req = MagicMock()
+        req.headers = {"x-forwarded-for": "192.168.1.1, 10.0.0.1, 172.16.0.1"}
+        req.client = None
+        assert _get_client_ip(req) == "192.168.1.1"
+
+    def test_x_forwarded_for_with_port(self):
+        req = MagicMock()
+        req.headers = {"x-forwarded-for": "192.168.1.1:8080"}
+        req.client = None
+        assert _get_client_ip(req) == "192.168.1.1"
+
+    def test_no_forwarded_header(self):
+        req = MagicMock()
+        req.headers = {}
+        req.client.host = "127.0.0.1"
+        assert _get_client_ip(req) == "127.0.0.1"
+
+    def test_no_client(self):
+        req = MagicMock()
+        req.headers = {}
+        req.client = None
+        assert _get_client_ip(req) == "unknown"
+
+
+class TestGetRateLimitKey:
+    def _make_request(
+        self,
+        path: str = "/purchases",
+        method: str = "GET",
+        auth_header: str = "",
+        headers: dict | None = None,
+    ) -> MagicMock:
+        req = MagicMock()
+        req.url.path = path
+        req.method = method
+        req.headers = dict(headers) if headers else {}
+        if auth_header:
+            req.headers["authorization"] = auth_header
+        return req
+
+    def test_public_path_uses_public_limiter(self):
+        req = self._make_request("/public/inflation")
+        key, limiter = _get_rate_limit_key(req)
+        assert key.startswith("ip:")
+        assert limiter.max_requests == settings.rate_limit_requests
+
+    def test_auth_post_path_uses_strict_limiter(self):
+        req = self._make_request("/auth/login", method="POST")
+        key, limiter = _get_rate_limit_key(req)
+        assert key.startswith("ip:")
+        assert limiter.max_requests == settings.rate_limit_auth_requests
+        assert limiter.window_seconds == settings.rate_limit_auth_window_seconds
+
+    def test_auth_get_path_uses_auth_limiter(self):
+        req = self._make_request("/auth/me", method="GET")
+        key, limiter = _get_rate_limit_key(req)
+        assert key.startswith("ip:")
+        assert limiter.max_requests == settings.rate_limit_requests * 5
+
+    def test_authenticated_token_uses_auth_limiter(self):
+        req = self._make_request("/purchases", auth_header="Bearer token123")
+        key, limiter = _get_rate_limit_key(req)
+        assert key.startswith("token:")
+        assert limiter.max_requests == settings.rate_limit_requests * 5
+
+    def test_distinct_tokens_produce_distinct_keys(self):
+        req1 = self._make_request("/purchases", auth_header="Bearer token_alpha_12345")
+        req2 = self._make_request("/purchases", auth_header="Bearer token_beta_67890")
+        key1, _ = _get_rate_limit_key(req1)
+        key2, _ = _get_rate_limit_key(req2)
+        assert key1 != key2
+
+    def test_same_token_produces_same_key(self):
+        req1 = self._make_request("/purchases", auth_header="Bearer same_token_value_abc")
+        req2 = self._make_request("/purchases", auth_header="Bearer same_token_value_abc")
+        key1, _ = _get_rate_limit_key(req1)
+        key2, _ = _get_rate_limit_key(req2)
+        assert key1 == key2
+
+    def test_key_does_not_contain_raw_token_suffix(self):
+        raw_token = "my_secret_jwt_token_xyz"
+        req = self._make_request("/purchases", auth_header=f"Bearer {raw_token}")
+        key, _ = _get_rate_limit_key(req)
+        assert raw_token[-16:] not in key
+        assert raw_token not in key
+
+
+class TestRedisSlidingWindowFallback:
+    @pytest.mark.asyncio
+    async def test_fallback_on_redis_connection_error(self):
+        mock_redis = AsyncMock()
+        mock_redis.pipeline.return_value = AsyncMock()
+        pipe_mock = AsyncMock()
+        pipe_mock.execute.side_effect = Exception("Connection refused")
+        mock_redis.pipeline.return_value = pipe_mock
+
+        limiter = RedisSlidingWindow(mock_redis, max_requests=5, window_seconds=60)
+        allowed, remaining, retry = await limiter.is_allowed("test-key")
+        assert allowed is True
+        assert remaining == 4
+
+    @pytest.mark.asyncio
+    async def test_fallback_on_redis_error_during_pipeline(self):
+        mock_redis = AsyncMock()
+        pipe_mock = AsyncMock()
+        pipe_mock.execute.side_effect = Exception("Redis error")
+        mock_redis.pipeline.return_value = pipe_mock
+
+        limiter = RedisSlidingWindow(mock_redis, max_requests=3, window_seconds=60)
+        allowed, remaining, retry = await limiter.is_allowed("test-key")
+        assert allowed is True
+

@pytest.mark.asyncio
 async def test_rate_limit_returns_429(client):
-    """Public endpoint should return 429 after limit exceeded."""
-    # The default limit is 60/min — we won't hit it in normal tests,
-    # but we verify the middleware adds rate limit headers.
    resp = await client.get("/public/inflation")
    assert "x-ratelimit-limit" in resp.headers
    assert "x-ratelimit-remaining" in resp.headers
@@ -51,36 +186,6 @@ async def test_rate_limit_returns_429(client):

@pytest.mark.asyncio
 async def test_health_skips_rate_limit(client):
-    """Health endpoint should not have rate limit headers."""
    resp = await client.get("/health")
    assert resp.status_code == 200
    assert "x-ratelimit-limit" not in resp.headers
-
-
-class TestGetRateLimitKey:
-    def _make_request(self, auth_header: str = "") -> MagicMock:
-        req = MagicMock()
-        req.url.path = "/purchases"
-        req.headers = {"authorization": auth_header} if auth_header else {}
-        return req
-
-    def test_distinct_tokens_produce_distinct_keys(self):
-        req1 = self._make_request("Bearer token_alpha_12345")
-        req2 = self._make_request("Bearer token_beta_67890")
-        key1, _ = _get_rate_limit_key(req1)
-        key2, _ = _get_rate_limit_key(req2)
-        assert key1 != key2
-
-    def test_same_token_produces_same_key(self):
-        req1 = self._make_request("Bearer same_token_value_abc")
-        req2 = self._make_request("Bearer same_token_value_abc")
-        key1, _ = _get_rate_limit_key(req1)
-        key2, _ = _get_rate_limit_key(req2)
-        assert key1 == key2
-
-    def test_key_does_not_contain_raw_token_suffix(self):
-        raw_token = "my_secret_jwt_token_xyz"
-        req = self._make_request(f"Bearer {raw_token}")
-        key, _ = _get_rate_limit_key(req)
-        assert raw_token[-16:] not in key
-        assert raw_token not in key
@@ -71,3 +71,97 @@ async def test_public_inflation(client, public_data):
    data = resp.json()
    assert "categories" in data
    assert "cartsnitch_index" in data
+
+
+@pytest.mark.asyncio
+async def test_trend_invalid_uuid(client):
+    resp = await client.get("/public/trends/not-a-uuid")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_trend_days_zero(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(f"/public/trends/{pid}?days=0")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_trend_days_negative(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(f"/public/trends/{pid}?days=-1")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_trend_days_over_max(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(f"/public/trends/{pid}?days=999")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_trend_days_valid(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(f"/public/trends/{pid}?days=30")
+    assert resp.status_code == 200
+    assert "product_name" in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_store_comparison_empty_list(client):
+    resp = await client.get("/public/store-comparison")
+    assert resp.status_code == 400
+    assert "detail" in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_store_comparison_category_xss(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(
+        f"/public/store-comparison?product_ids={pid}&category=<script>alert(1)</script>"
+    )
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_store_comparison_category_sql_injection(client, public_data):
+    pid = str(public_data["product"].id)
+    resp = await client.get(f"/public/store-comparison?product_ids={pid}&category='; DROP TABLE--")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_inflation_invalid_period(client, public_data):
+    resp = await client.get("/public/inflation?period=10years")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()
+
+
+@pytest.mark.asyncio
+async def test_inflation_valid_periods(client, public_data):
+    for period in ["all-time", "1y", "6m", "3m", "1m"]:
+        resp = await client.get(f"/public/inflation?period={period}")
+        assert resp.status_code == 200, f"period={period} failed"
+
+
+@pytest.mark.asyncio
+async def test_inflation_category_too_long(client, public_data):
+    long_category = "x" * 200
+    resp = await client.get(f"/public/inflation?category={long_category}")
+    assert resp.status_code == 422
+    assert "detail" in resp.json()
+    assert "stack" not in resp.json()