cs_betty/api
1
0
Fork 0
forked from cartsnitch/api
Code Pull Requests 2 Activity
148 Commits 16 Branches 0 Tags
b4ad1407967091c5ff91ba881b104d7766d39a2e
Commit Graph

5 Commits

Author SHA1 Message Date
Barcode Betty b4ad140796 Fix mypy typecheck errors and FK format mismatch in test fixtures 
Three categories of pre-existing CI failure on PR #42:

1. typecheck (mypy src/cartsnitch_api, 9 errors):
   - src/cartsnitch_api/config.py:89 — Settings() needs required secret
     args that only exist in env at runtime; suppress with
     type: ignore[call-arg]
   - src/cartsnitch_api/cache.py:38 — redis-py returns Any/bytes,
     normalize to str before returning from get()
   - src/cartsnitch_api/middleware/rate_limit.py:128,131,134 — three
     limiter globals were inferred as RedisSlidingWindow on the if
     branch then re-assigned InMemorySlidingWindow on else; declare
     them as RateLimitBackend up front
   - src/cartsnitch_api/middleware/rate_limit.py:181,187 —
     RateLimitBackend Protocol didn't declare max_requests even
     though both InMemorySlidingWindow and RedisSlidingWindow expose
     it; add max_requests: int to the Protocol

2. test (FK constraint on purchases.user_id):
   - tests/conftest.py:_create_test_user_and_session stored user_id
     as 32-char hex; test_e2e conftest reads it via raw SQL and wraps
     in uuid.UUID (36 chars) before passing to Purchase.user_id, so
     the FK never matched. Switch back to str(uuid.uuid4()) (36 chars)
     so the stored value and the FK bind value use the same format.

3. Verify lint + format clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-02 12:57:54 +00:00
Barcode Betty 8a4c194e39 feat: Redis-backed rate limiting with stricter auth limits 
- Add rate_limit_auth_requests (5/min) and rate_limit_auth_window_seconds (60) settings
- Add rate_limit_redis_enabled flag for opt-in Redis usage
- Refactor _SlidingWindowCounter into InMemorySlidingWindow class
- Add RedisSlidingWindow using sorted sets with fallback to in-memory
- Add third _auth_strict_limiter for POST /auth/* paths (5 req/min)
- Add protocol-based backend selection at module load time
- Update tests for auth strict limiter and Redis fallback behavior

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-15 02:10:02 +00:00
Paperclip 26f3415eab feat: Redis-backed rate limiting with stricter auth limits 
- Add rate_limit_auth_requests (5/min) and rate_limit_auth_window_seconds (60)
  settings to config.py
- Refactor rate_limit.py to use protocol/ABC pattern with InMemorySlidingWindow
  and RedisSlidingWindow implementations
- Add RedisSlidingWindow using sorted sets for distributed rate limiting
- Add auth_strict_limiter for /auth/* POST endpoints (5 req/min per IP)
- Fall back to in-memory when Redis is unavailable
- Update tests to cover new functionality

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 15:46:52 +00:00
CartSnitch Engineer Bot b5df9aba1e fix(security): use SHA-256 hash for rate limit key instead of token suffix 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-14 11:36:17 +00:00
Coupon Carl b7e6f637a7 feat: merge cartsnitch/api into api/ subdirectory 
Consolidate API gateway service into monorepo.
Squashed from https://github.com/cartsnitch/api main (89bacb1).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-03-28 02:24:02 +00:00