curo/kite - kite - Gitea: Git with a cup of tea

curo/kite

Fork 0

Commit Graph

Author	SHA1	Message	Date
curo1305	a5f202b069	Fix Phase 3 UAT blockers: MinIO presigned URL hostname, CORS, admin flush→commit, auth refresh race Bugs fixed: - minio_backend.py: generate_presigned_put_url and presigned_get_url used internal _client (minio:9000) instead of _public_client (localhost:9000). Browser received ERR_NAME_NOT_RESOLVED. Fixed by using _public_client with region='us-east-1' to skip region-discovery HTTP request from inside the container. - docker-compose.yml: MINIO_API_CORS_ALLOW_ORIGIN was set from CORS_ORIGINS which uses pydantic JSON list format '["http://localhost:5173"]'. MinIO expected a plain string and never matched the origin. Fixed to use FRONTEND_URL instead. - admin.py: All write handlers (create_user, update_user_status, update_user_quota, update_ai_config) used session.flush() without session.commit(). Changes appeared to succeed (response reflected in-memory state) but rolled back on session close. Fixed by replacing flush() with commit() in all four write handlers. - auth.js: Concurrent refresh() calls from QuotaBar and App.vue on page reload caused a token rotation race — first call rotated the cookie, second arrived with stale cookie and cleared accessToken. Fixed by deduplicating with a shared in-flight promise (_refreshInFlight). Phase 3 UAT: 9/10 pass. UAT-3 (QuotaBar visual) pending browser confirmation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-25 11:30:41 +02:00
curo1305	5950a3f5c2	feat(03-03): wire get_current_user into /api/topics/*; add load_topics_for_user; POST /api/admin/topics - api/topics.py: add get_current_user dep to all 5 handlers (list, create, update, delete, suggest) - list_topics: uses load_topics_for_user (system topics + user's own) with user-scoped doc counts - create_topic: passes user_id=current_user.id (never creates system topics via regular endpoint) - update_topic/delete_topic: ownership assertion — system topics and other users' topics return 404 - api/admin.py: add SystemTopicCreate model + POST /api/admin/topics (user_id=NULL, admin-only) - services/storage.py: add or_ import; load_topics_for_user (D-17); create_topic gains user_id param with namespace-scoped dedup; topic_doc_counts gains optional user_id for user-scoped counts; add load_topics_for_user to __all__ - services/classifier.py: replace load_topics with load_topics_for_user(doc.user_id); pass user_id=doc.user_id to create_topic for AI-suggested topics (D-11) - Tests: update all topic tests to pass auth headers; implement test_topic_namespace, test_admin_create_system_topic, test_regular_user_cannot_create_system_topic, test_topics_require_auth	2026-05-23 20:15:44 +02:00
curo1305	f94e8d8b4a	feat(02-04): implement admin API endpoints — user CRUD, quota management, AI config - GET /api/admin/users: list users (safe fields only, ordered by created_at) - POST /api/admin/users: create user (password_must_change=True, quota init) - PATCH /api/admin/users/{id}/status: deactivate/reactivate with sole-admin guard - POST /api/admin/users/{id}/password-reset: Celery email dispatch (no token returned) - GET /api/admin/users/{id}/quota: quota view with MB helpers - PATCH /api/admin/users/{id}/quota: quota adjust with below-usage warning - PATCH /api/admin/users/{id}/ai-config: assign AI provider/model per user - _user_to_dict() whitelist helper prevents password_hash/credentials_enc leakage - No impersonation endpoint (ADMIN-07 enforced by omission) - get_current_admin Depends() on every handler (SEC-07) - Updated backend/main.py to include admin_router - Fixed test: mock send_reset_email.delay to avoid Redis in unit tests	2026-05-22 20:01:37 +02:00

Author

SHA1

Message

Date

curo1305

a5f202b069

Fix Phase 3 UAT blockers: MinIO presigned URL hostname, CORS, admin flush→commit, auth refresh race

Bugs fixed:
- minio_backend.py: generate_presigned_put_url and presigned_get_url used internal
  _client (minio:9000) instead of _public_client (localhost:9000). Browser received
  ERR_NAME_NOT_RESOLVED. Fixed by using _public_client with region='us-east-1' to
  skip region-discovery HTTP request from inside the container.

- docker-compose.yml: MINIO_API_CORS_ALLOW_ORIGIN was set from CORS_ORIGINS which
  uses pydantic JSON list format '["http://localhost:5173"]'. MinIO expected a plain
  string and never matched the origin. Fixed to use FRONTEND_URL instead.

- admin.py: All write handlers (create_user, update_user_status, update_user_quota,
  update_ai_config) used session.flush() without session.commit(). Changes appeared
  to succeed (response reflected in-memory state) but rolled back on session close.
  Fixed by replacing flush() with commit() in all four write handlers.

- auth.js: Concurrent refresh() calls from QuotaBar and App.vue on page reload caused
  a token rotation race — first call rotated the cookie, second arrived with stale
  cookie and cleared accessToken. Fixed by deduplicating with a shared in-flight
  promise (_refreshInFlight).

Phase 3 UAT: 9/10 pass. UAT-3 (QuotaBar visual) pending browser confirmation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-25 11:30:41 +02:00

curo1305

5950a3f5c2

feat(03-03): wire get_current_user into /api/topics/*; add load_topics_for_user; POST /api/admin/topics

- api/topics.py: add get_current_user dep to all 5 handlers (list, create, update, delete, suggest)
- list_topics: uses load_topics_for_user (system topics + user's own) with user-scoped doc counts
- create_topic: passes user_id=current_user.id (never creates system topics via regular endpoint)
- update_topic/delete_topic: ownership assertion — system topics and other users' topics return 404
- api/admin.py: add SystemTopicCreate model + POST /api/admin/topics (user_id=NULL, admin-only)
- services/storage.py: add or_ import; load_topics_for_user (D-17); create_topic gains user_id param with namespace-scoped dedup; topic_doc_counts gains optional user_id for user-scoped counts; add load_topics_for_user to __all__
- services/classifier.py: replace load_topics with load_topics_for_user(doc.user_id); pass user_id=doc.user_id to create_topic for AI-suggested topics (D-11)
- Tests: update all topic tests to pass auth headers; implement test_topic_namespace, test_admin_create_system_topic, test_regular_user_cannot_create_system_topic, test_topics_require_auth

2026-05-23 20:15:44 +02:00

curo1305

f94e8d8b4a

feat(02-04): implement admin API endpoints — user CRUD, quota management, AI config

- GET /api/admin/users: list users (safe fields only, ordered by created_at)
- POST /api/admin/users: create user (password_must_change=True, quota init)
- PATCH /api/admin/users/{id}/status: deactivate/reactivate with sole-admin guard
- POST /api/admin/users/{id}/password-reset: Celery email dispatch (no token returned)
- GET /api/admin/users/{id}/quota: quota view with MB helpers
- PATCH /api/admin/users/{id}/quota: quota adjust with below-usage warning
- PATCH /api/admin/users/{id}/ai-config: assign AI provider/model per user
- _user_to_dict() whitelist helper prevents password_hash/credentials_enc leakage
- No impersonation endpoint (ADMIN-07 enforced by omission)
- get_current_admin Depends() on every handler (SEC-07)
- Updated backend/main.py to include admin_router
- Fixed test: mock send_reset_email.delay to avoid Redis in unit tests

2026-05-22 20:01:37 +02:00

3 Commits