Document dynamic security review checklists
This commit is contained in:
Codex Agent
@@ -1 +1 @@
|
||||
fotospiel-app-vel
|
||||
fotospiel-app-vc3
|
||||
|
||||
@@ -57,6 +57,48 @@ The backend exposes `/api/_testing/...` endpoints (local/testing env only):
|
||||
|
||||
Playwright fixtures (`tests/ui/helpers/test-fixtures.ts`) provide helpers that wrap these endpoints.
|
||||
|
||||
## Security Review (Dynamic Tests)
|
||||
|
||||
This section provides a staged, repeatable checklist for dynamic security reviews across product surfaces. It complements the UI suites above and is intended for staging/test environments.
|
||||
|
||||
### Environment Assumptions (Required)
|
||||
- **Run in staging/test only** — never against production data.
|
||||
- **Dedicated test tenants/users** — use seeded accounts (see above) and avoid real customer data.
|
||||
- **Sandbox billing** — Paddle sandbox and mock webhook endpoints only.
|
||||
- **Testing token enabled** — set `E2E_TESTING_TOKEN` and ensure the backend accepts it for `/api/_testing/*`.
|
||||
- **Stable base URL** — set `E2E_BASE_URL` to the target environment (`http://localhost:8000` or staging).
|
||||
- **Email sink** — use `/api/_testing/mailbox` instead of real email delivery.
|
||||
- **Rate limits** — keep request volume low; avoid concurrent fuzzing unless explicitly safe.
|
||||
|
||||
### Checklist: Marketing + Public API (Dynamic)
|
||||
1) **Public routes**: `/de`, `/en`, `/de/packages`, `/de/blog`, `/de/kontakt` render with expected locale and canonical/hreflang tags.
|
||||
2) **Redirect hygiene**: non‑prefixed routes redirect to locale (`/contact` → `/de/kontakt` or `/en/contact`).
|
||||
3) **Contact form**: validation errors for missing fields; honeypot rejects bot payload; throttle returns 429 on excessive posts.
|
||||
4) **Public API**: `GET /api/v1/events/{token}` and `/photos` reject invalid/expired tokens with 404/410 (no sensitive info).
|
||||
5) **Abuse controls**: upload endpoints return 429 when rate‑limited; no 500s on malformed payloads.
|
||||
6) **CORS**: public API does not allow wildcard origins for authenticated endpoints.
|
||||
|
||||
### Checklist: Guest PWA (Dynamic)
|
||||
1) **Join token**: valid token joins, invalid/expired token shows safe error (no leakage).
|
||||
2) **Permissions**: guest cannot access tenant/admin endpoints; 401/403 as expected.
|
||||
3) **Uploads**: file type + size limits enforced; invalid uploads fail gracefully.
|
||||
4) **Offline mode**: queued uploads don’t leak data; resync uses same join token.
|
||||
5) **Likes/tasks**: actions scoped to event; cross‑event access denied.
|
||||
|
||||
### Checklist: Event Admin (Dynamic)
|
||||
1) **Login flow**: correct error on invalid creds; throttling kicks in after repeated attempts.
|
||||
2) **Tenant isolation**: admin cannot access other tenants’ events/photos (403/404).
|
||||
3) **Join token lifecycle**: regenerate/disable token invalidates old links immediately.
|
||||
4) **Moderation controls**: only admin can approve/hide; guest cannot mutate.
|
||||
5) **Exports**: admin‑only endpoints require auth; signed URLs expire as expected.
|
||||
|
||||
### Checklist: Webhooks/Billing (Dynamic)
|
||||
1) **Signature validation**: invalid signature is rejected (401/403) and logged.
|
||||
2) **Freshness**: stale timestamps are rejected; replayed webhook payloads are idempotent.
|
||||
3) **Paddle sandbox flow**: use `/api/_testing/checkout/sessions/{session}/simulate-paddle` to simulate success/failure; verify ledger updates.
|
||||
4) **Webhook retries**: transient failures produce retry‑safe behavior (no duplicate ledger entries).
|
||||
5) **Error handling**: malformed payload returns 4xx (not 500), with minimal error detail.
|
||||
|
||||
## Suite Layout & Goals
|
||||
|
||||
| Suite | Location | Primary Coverage |
|
||||
|
||||
Reference in New Issue
Block a user