- oauth_initiate: pre-flight check returns 400 with env-var hint when
GOOGLE_CLIENT_ID/SECRET or ONEDRIVE_CLIENT_ID/SECRET are not configured,
preventing opaque MSAL/OAuth library 500 errors on misconfigured servers
- stream_document_content: broad except-clause catches non-CloudConnectionError
exceptions and returns 502 with user-friendly message (was raw 500)
- docker-compose.yml: add volumes: - ./backend:/app to celery-worker so code
changes are picked up by docker compose restart without a rebuild
- CloudStorageView: upload hint paragraph directs users to navigate into a
cloud folder; no DropZone added (no folder context at overview level)
- 3 new backend tests pass; 2 existing tests patched with credential monkeypatch;
full suite: 293 passed, 0 new failures, 1 pre-existing (test_extract_docx)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- "OneDrive OAuth initiate returns HTTP 400 with a descriptive message when ONEDRIVE_CLIENT_ID or ONEDRIVE_CLIENT_SECRET is not configured — not a 500 from MSAL"
- "Google Drive OAuth initiate returns HTTP 400 with a descriptive message when GOOGLE_CLIENT_ID or GOOGLE_CLIENT_SECRET is not configured"
- "stream_document_content returns 502 (not 500) when a cloud backend raises an unexpected exception"
- "celery-worker in docker-compose.yml has a volume mount so code changes are picked up by docker compose restart (no rebuild required)"
- "CloudStorageView shows an upload hint directing users to navigate into a cloud folder to upload files"
artifacts:
- path: "backend/api/cloud.py"
provides: "Pre-flight config check in oauth_initiate for both onedrive and google_drive providers"
- path: "backend/api/documents.py"
provides: "Broad except-clause in stream_document_content catches non-CloudConnectionError exceptions and returns 502"
- path: "docker-compose.yml"
provides: "celery-worker service has volumes: - ./backend:/app matching the backend service"
- path: "frontend/src/views/CloudStorageView.vue"
provides: "Upload hint paragraph shown when connections exist, directing users to navigate into a folder"
via: "Returns 400 with readable error when env vars missing"
- from: "frontend document preview"
to: "GET /api/documents/{id}/content"
via: "Returns 502 instead of 500 on cloud backend failure"
---
<objective>
Close 3 UAT gaps from Phase 5 testing:
1.**OneDrive OAuth 500** (major): When ONEDRIVE_CLIENT_ID/SECRET env vars are not set, MSAL raises an exception that surfaces as a 500 error. Users cannot distinguish misconfiguration from a code bug. Add a pre-flight check that returns 400 with a human-readable message before touching MSAL. Same check for Google Drive.
2.**Cloud document stream opaque 500** (blocker): `stream_document_content` catches `CloudConnectionError` → 503, but any other exception from the cloud backend becomes a raw 500. Add a broad `except Exception` → 502 with a user-friendly message. Also add `volumes: ./backend:/app` to celery-worker in docker-compose.yml so code changes are reflected by `docker compose restart` without a full rebuild.
3.**Upload hint in CloudStorageView** (blocker): The sidebar "Cloud Storage" link now navigates to `/cloud` (CloudStorageView) which shows provider connections but has no DropZone. Users expect to be able to upload there. Adding a DropZone would require knowing which cloud folder to target (not available at this level). Instead, add a clear inline hint: "To upload files, navigate into a cloud folder first."
- backend/tests/test_cloud_api.py (full file: existing fixtures and test patterns)
</read_first>
<behavior>
- GET /api/cloud/oauth/initiate/google_drive with google_client_id="" → 400 {"detail": "Google Drive OAuth is not configured on this server. Set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET in your environment."}
- GET /api/cloud/oauth/initiate/onedrive with onedrive_client_id="" → 400 {"detail": "OneDrive OAuth is not configured on this server. Set ONEDRIVE_CLIENT_ID, ONEDRIVE_CLIENT_SECRET, and ONEDRIVE_TENANT_ID in your environment."}
- GET /api/cloud/oauth/initiate/onedrive with all onedrive env vars set → still attempts MSAL (existing behavior, not broken)
- GET /api/cloud/oauth/initiate/unknown_provider → still 400 "Unsupported OAuth provider" (existing behavior unchanged)
</behavior>
<action>
In backend/api/cloud.py, inside the `oauth_initiate` function, AFTER the existing `VALID_OAUTH_PROVIDERS` check and BEFORE the `if provider == "google_drive":` block, insert two pre-flight checks:
1. For google_drive: immediately before `if provider == "google_drive":`, add:
```
if provider == "google_drive" and (not settings.google_client_id or not settings.google_client_secret):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Google Drive OAuth is not configured on this server. Set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET in your environment.",
)
```
2. For onedrive: immediately before `elif provider == "onedrive":`, add:
```
if provider == "onedrive" and (not settings.onedrive_client_id or not settings.onedrive_client_secret):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="OneDrive OAuth is not configured on this server. Set ONEDRIVE_CLIENT_ID, ONEDRIVE_CLIENT_SECRET, and ONEDRIVE_TENANT_ID in your environment.",
)
```
These checks must fire before the `if provider == "google_drive":` / `elif provider == "onedrive":` blocks — do NOT restructure the if/elif chain.
In backend/tests/test_cloud_api.py, add two tests using `monkeypatch` (pytest) to override settings fields:
1. `test_oauth_initiate_google_drive_not_configured` — monkeypatch `settings.google_client_id = ""` and `settings.google_client_secret = ""`, call GET /api/cloud/oauth/initiate/google_drive as an authenticated regular user, assert 400, assert "GOOGLE_CLIENT_ID" in detail.
2. `test_oauth_initiate_onedrive_not_configured` — monkeypatch `settings.onedrive_client_id = ""`, call GET /api/cloud/oauth/initiate/onedrive, assert 400, assert "ONEDRIVE_CLIENT_ID" in detail.
Use the existing authenticated client fixture from the test file — read the file to find its name before writing tests.
</action>
<acceptance_criteria>
- backend/api/cloud.py oauth_initiate contains `if provider == "google_drive" and (not settings.google_client_id or not settings.google_client_secret)` before the `if provider == "google_drive":` block
- backend/api/cloud.py oauth_initiate contains `if provider == "onedrive" and (not settings.onedrive_client_id or not settings.onedrive_client_secret)` before the `elif provider == "onedrive":` block
- docker-compose.yml (lines 53–100: backend and celery-worker service definitions)
- backend/tests/test_documents_api.py (read to find fixtures for mocking get_storage_backend_for_document)
</read_first>
<behavior>
- GET /api/documents/{id}/content when cloud backend raises CloudConnectionError → 503 "Cloud connection requires re-authentication" (EXISTING, unchanged)
- GET /api/documents/{id}/content when cloud backend raises any other Exception (e.g., aiohttp.ClientError, timeout, generic RuntimeError) → 502 "Cloud backend unreachable. Please try again or reconnect in Settings."
- GET /api/documents/{id}/content for a MinIO document → 200 with file bytes (unchanged, MinIO errors are not affected by the new clause)
In the `stream_document_content` function, find the `except CloudConnectionError as exc:` block (lines ~754–758). IMMEDIATELY AFTER its closing line (`from exc`), add a second except clause:
```python
except Exception as exc:
raise HTTPException(
status_code=502,
detail="Cloud backend unreachable. Please try again or reconnect in Settings.",
Do NOT catch Exception before CloudConnectionError — order matters (specific before broad).
### 2. docker-compose.yml — add volume mount to celery-worker
In the `celery-worker` service block, add a `volumes:` key with the same bind mount as the `backend` service:
```yaml
volumes:
- ./backend:/app
```
Place it after `environment:` and before `extra_hosts:` (or after `extra_hosts:` if that reads more cleanly). Match the indentation of surrounding keys (2 spaces).
Also add `PYTHONDONTWRITEBYTECODE=1` to the celery-worker environment if it is not already there (prevents .pyc files from cluttering the bind-mounted source).
### 3. backend/tests/test_documents_api.py — add test for 502 path
- Create a document with `storage_backend = "google_drive"` (or any non-minio value)
- Mock `get_storage_backend_for_document` to raise `RuntimeError("connection timeout")`
- Call GET /api/documents/{doc.id}/content as the document owner
- Assert 502 and "Cloud backend unreachable" in the response detail
Read existing document stream tests to find the right fixture pattern before writing.
</action>
<acceptance_criteria>
- backend/api/documents.py stream_document_content has `except Exception as exc:` AFTER `except CloudConnectionError as exc:` block, raising HTTPException(502)
- docker-compose.yml celery-worker service has `volumes: - ./backend:/app`
- frontend/src/views/CloudFolderView.vue (for reference — how upload works inside a folder)
</read_first>
<behavior>
- When at /cloud with at least one active connection, a hint paragraph is visible below the connections list: "To upload files, navigate into a cloud folder first."
- The hint does not appear on the empty state (no connections) — that state already directs to Settings.
- Clicking a connection row still navigates to /cloud/{provider}/root (existing behavior unchanged).
- No DropZone component is added to this view (no cloud folder context is available at this level).
</behavior>
<action>
In frontend/src/views/CloudStorageView.vue, inside the `v-else` block (the div that renders the connections list, starting at `<div v-else class="flex flex-col divide-y ...`), add a hint paragraph immediately AFTER the closing `</div>` of the connections list (after the `</div>` that closes `v-for`), still inside the `v-else` wrapper:
To upload files, navigate into a cloud folder first.
</p>
```
The hint must be a sibling of the connections list `<div>`, not nested inside it. Keep both inside the single `v-else` block so the hint is only visible when connections exist.
</action>
<acceptance_criteria>
- CloudStorageView.vue contains `To upload files, navigate into a cloud folder first.` in a `<p>` element inside the `v-else` block
- The `<p>` is NOT inside the `v-else-if="connections.length === 0"` empty state block
- `cd frontend && npm run build` exits 0 with no errors
- No DropZone or UploadProgress imported or rendered in CloudStorageView.vue
</acceptance_criteria>
<verify>
<automated>cd /Users/nik/Documents/Progamming/document_scanner/frontend && npm run build 2>&1 | tail -5</automated>
</verify>
<done>Upload hint added below connections list. Build passes. No DropZone added. Existing connection click behavior unchanged.</done>
</task>
</tasks>
<threat_model>
## Trust Boundaries
| Boundary | Description |
|----------|-------------|
| oauth_initiate preflight | User-supplied provider string already validated; new checks only inspect server-side settings values — no user input involved |
| 502 error message | Static string, no user data reflected in the error detail |
| volume mount | Read-only to container — same bind mount pattern as backend service |
## STRIDE Threat Register
| Threat ID | Category | Component | Disposition | Mitigation Plan |
| T-05-12-01 | Information Disclosure | 400 error message for missing creds | mitigate | Message names env vars (server config), not any user data or secret values — safe to expose |
| T-05-12-02 | Information Disclosure | 502 error message | mitigate | Static string "Cloud backend unreachable" — no stack trace, no exception detail leaked to client |
| T-05-12-03 | Tampering | celery-worker volume mount | accept | Bind mount is same as backend service; only developer-controlled source files are mounted; production deployments use image builds, not bind mounts |
| T-05-12-SC | Tampering | npm/pip installs | mitigate | No new packages installed in this plan |
- Added broad `except Exception → 502` clause after the existing `except CloudConnectionError → 503` in `stream_document_content`
- Cloud backend runtime errors now return a user-friendly "Cloud backend unreachable" message instead of an opaque 500
- Added `volumes: - ./backend:/app` to celery-worker in `docker-compose.yml` — code changes now reflected via `docker compose restart celery-worker` without a full rebuild
- Added 1 new test `test_stream_document_content_cloud_backend_error` in `backend/tests/test_documents.py`
**Task 3 — Upload hint in CloudStorageView (frontend/src/views/CloudStorageView.vue)**
- Added `<p>` hint below the connections list: "To upload files, navigate into a cloud folder first."
- Hint only visible when `connections.length > 0` (not on empty state)
- No DropZone added (no cloud folder context available at this level)
## Key Files Modified
-`backend/api/cloud.py` — pre-flight config checks in oauth_initiate
-`backend/api/documents.py` — broad 502 except-clause in stream_document_content
-`docker-compose.yml` — volume mount for celery-worker
-`frontend/src/views/CloudStorageView.vue` — upload hint paragraph
-`backend/tests/test_cloud.py` — 2 new pre-flight tests; 2 existing tests patched
-`backend/tests/test_documents.py` — 1 new 502 path test
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
curo1305