# Smoke Test v0.803 — Security, Compliance & Dev Tooling

## Prerequisites

- `veza-backend-api` built and running
- PostgreSQL with migrations applied up to 125
- `.env` containing `DATABASE_URL` and `JWT_SECRET`
- One admin user and one standard user, each with a JWT token (`{ADMIN_TOKEN}` / `{USER_TOKEN}` below; `{TOKEN}` is either)

---

## 1. Security Headers (SEC1)

### 1.1 Headers present

```bash
curl -sI http://localhost:8080/api/v1/health | grep -iE "content-security|x-frame|x-content-type|referrer-policy|permissions-policy"

# Expected:
# Content-Security-Policy: default-src 'self'; ...
# X-Frame-Options: DENY
# X-Content-Type-Options: nosniff
# Referrer-Policy: strict-origin-when-cross-origin
# Permissions-Policy: camera=(), microphone=(self), ...
```

### 1.2 HSTS (production only)

```bash
# Same curl -sI as 1.1, grepping for "strict-transport"
# In PRODUCTION mode:
# Expected: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# In DEV mode: header absent (the dev server is plain HTTP)
```

### 1.3 Global rate limiting

```bash
# Send 150 requests in quick succession from the same IP
# Expected: 429 Too Many Requests after 100 requests
# Note: the limiter keeps state between runs; repeat only after the window has reset
```

---

## 2. Audit Logs (SEC2)

### 2.1 Automatic logging

```bash
# Perform a POST (e.g. create a product)
curl -s -X POST http://localhost:8080/api/v1/marketplace/products \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"title":"Test","price_cents":1000}' | jq .

# Check the audit log
curl -s "http://localhost:8080/api/v1/admin/audit-logs?limit=1" \
  -H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: newest entry has action="create", resource_type="product",
#           plus the caller's user_id and ip_address
```

### 2.2 Audit log filters

```bash
curl -s "http://localhost:8080/api/v1/admin/audit-logs?action=create&limit=10" \
  -H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: only entries with action "create"
```

### 2.3 Non-admin access denied

```bash
curl -s http://localhost:8080/api/v1/admin/audit-logs \
  -H "Authorization: Bearer {USER_TOKEN}" | jq .
# Expected: 403 Forbidden
```

---

## 3. Account Deletion (SEC2)

### 3.1 Delete your own account

```bash
curl -s -X DELETE http://localhost:8080/api/v1/users/me \
  -H "Authorization: Bearer {TOKEN}" | jq .
# Expected: 200, "Account deleted"
```

### 3.2 Verify anonymisation

```bash
# Try to log in with the old email
# Expected: 401 Unauthorized (email anonymised)
# Also re-send an authenticated request with the {TOKEN} used in 3.1:
# a deleted account's existing token must not keep working
```

### 3.3 Frontend

```bash
# Settings → Account → Delete Account
# Check: confirmation modal with the text "type DELETE to confirm"
# Check: redirect to login after deletion
```

---

## 4. OpenAPI/Swagger (DEV1)

### 4.1 Swagger UI

```bash
curl -s http://localhost:8080/swagger/index.html | head -20
# Expected: Swagger UI HTML
```

### 4.2 OpenAPI spec

```bash
curl -s http://localhost:8080/swagger/doc.json | jq '.info.title'
# Expected: "Veza API"
```

---

## 5. API Keys (DEV1)

### 5.1 Create an API key

```bash
curl -s -X POST http://localhost:8080/api/v1/developer/api-keys \
  -H "Authorization: Bearer {TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"name": "My Integration", "permissions": ["read"]}' | jq .
# Expected: 201, { "key": "veza_sk_...", "name": "My Integration" }
# Note: the raw key is returned only at creation; it cannot be retrieved later
```

### 5.2 Auth via X-API-Key

```bash
curl -s http://localhost:8080/api/v1/dashboard \
  -H "X-API-Key: veza_sk_..." | jq .
# Expected: 200, dashboard data (authenticated via API key)
```

### 5.3 List and revoke

```bash
curl -s http://localhost:8080/api/v1/developer/api-keys \
  -H "Authorization: Bearer {TOKEN}" | jq .
# Expected: list of API keys (without the raw key)

curl -s -X DELETE http://localhost:8080/api/v1/developer/api-keys/{KEY_ID} \
  -H "Authorization: Bearer {TOKEN}" | jq .
# Expected: 200, key revoked
# Then repeat 5.2 with the revoked key: it must no longer authenticate
```

---

## 6. Moderation (ADM1)

### 6.1 List reports

```bash
curl -s http://localhost:8080/api/v1/admin/reports \
  -H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: 200, paginated list of reports
```

### 6.2 Resolve a report

```bash
curl -s -X POST http://localhost:8080/api/v1/admin/reports/{REPORT_ID}/resolve \
  -H "Authorization: Bearer {ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"action": "warn", "note": "First warning"}' | jq .
# Expected: 200, report status = resolved
```

---

## 7. Maintenance Mode (ADM1)

### 7.1 Enable maintenance

```bash
# Set MAINTENANCE_MODE=true in .env and restart
curl -s http://localhost:8080/api/v1/dashboard | jq .
# Expected: 503 Service Unavailable, "Platform is under maintenance"

curl -s http://localhost:8080/api/v1/health | jq .
# Expected: 200 (health is exempt)

# Set MAINTENANCE_MODE back to false and restart before continuing with 8–10
```

---

## 8. Announcements (ADM1)

### 8.1 Create an announcement

```bash
curl -s -X POST http://localhost:8080/api/v1/admin/announcements \
  -H "Authorization: Bearer {ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"title": "Scheduled Maintenance", "content": "...", "type": "warning"}' | jq .
# Expected: 201, announcement created
```

### 8.2 Active announcements (public)

```bash
curl -s http://localhost:8080/api/v1/announcements/active | jq .
# Expected: 200, list of active announcements
```

---

## 9. Feature Flags (ADM1)

### 9.1 List flags

```bash
curl -s http://localhost:8080/api/v1/admin/feature-flags \
  -H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: 200, list of feature flags with enabled/disabled state
```

### 9.2 Toggle a flag

```bash
curl -s -X PUT http://localhost:8080/api/v1/admin/feature-flags/HLS_STREAMING \
  -H "Authorization: Bearer {ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"enabled": true}' | jq .
# Expected: 200, flag updated
```

---

## 10. Automated tests

```bash
# Run from the repository root; subshells keep the two cd's independent
(cd veza-backend-api && go test ./... -v)
(cd apps/web && npm run build)
```

---

## 11. Documentation

- [ ] `docs/API_REFERENCE.md` has the Security, Audit, API Keys and Admin sections
- [ ] `CHANGELOG.md` contains a v0.803 entry
- [ ] `docs/PROJECT_STATE.md`: last tag = v0.803
- [ ] `docs/FEATURE_STATUS.md`: section "Delivered in v0.803"
- [ ] Swagger UI reachable at /swagger/
- [ ] `git tag v0.803` created
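Sections 1.1 to 1.3 are the checks most worth scripting so they run in CI against a freshly started backend. The program below is an added example written for this checklist, not code from veza-backend-api. It assumes the base URL is passed as the first argument (default `http://localhost:8080`), that a hypothetical `VEZA_ENV=production` environment variable selects the HSTS expectation, and that the rate limit is probed on `/api/v1/health`, an endpoint the checklist does not pin down.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"sort"
	"strings"
)

// requiredHeaders maps each header section 1.1 expects to the value prefix the
// check accepts. The CSP and Permissions-Policy values on the checklist are
// elided with "...", so only their leading directive is compared.
var requiredHeaders = map[string]string{
	"Content-Security-Policy": "default-src 'self'",
	"X-Frame-Options":         "DENY",
	"X-Content-Type-Options":  "nosniff",
	"Referrer-Policy":         "strict-origin-when-cross-origin",
	"Permissions-Policy":      "camera=()",
}

// MissingSecurityHeaders returns one line per header that is absent or has an
// unexpected value, sorted for stable output; an empty slice is a pass.
// Per section 1.2, HSTS is required in production and must be absent in dev.
func MissingSecurityHeaders(h http.Header, production bool) []string {
	var problems []string
	for name, want := range requiredHeaders {
		switch got := h.Get(name); {
		case got == "":
			problems = append(problems, name+": missing")
		case !strings.HasPrefix(got, want):
			problems = append(problems, fmt.Sprintf("%s: got %q, want prefix %q", name, got, want))
		}
	}
	hsts := h.Get("Strict-Transport-Security")
	switch {
	case production && !strings.Contains(hsts, "max-age=31536000"):
		problems = append(problems, "Strict-Transport-Security: missing or max-age is not 31536000")
	case !production && hsts != "":
		problems = append(problems, "Strict-Transport-Security: must be absent in dev")
	}
	sort.Strings(problems)
	return problems
}

// Probe sends up to n sequential GET requests to url from this one client IP.
// It returns the headers of the first response (used for the header checks)
// and the 0-based index of the first response whose status equals code, or -1
// if none of the n responses did. With a limit of 100 requests the first 429
// is expected at index 100, i.e. the 101st request.
func Probe(client *http.Client, url string, n, code int) (http.Header, int, error) {
	var first http.Header
	for i := 0; i < n; i++ {
		resp, err := client.Get(url)
		if err != nil {
			return first, -1, err
		}
		resp.Body.Close()
		if first == nil {
			first = resp.Header
		}
		if resp.StatusCode == code {
			return first, i, nil
		}
	}
	return first, -1, nil
}

func main() {
	base := "http://localhost:8080"
	if len(os.Args) > 1 {
		base = os.Args[1]
	}
	// VEZA_ENV is an assumed variable name; use whatever selects production
	// in your deployment. /api/v1/health is an assumed rate-limited route.
	production := os.Getenv("VEZA_ENV") == "production"
	hdr, idx, err := Probe(http.DefaultClient, base+"/api/v1/health", 150, http.StatusTooManyRequests)
	if err != nil {
		fmt.Println("request failed:", err)
		os.Exit(1)
	}
	failed := false
	for _, p := range MissingSecurityHeaders(hdr, production) {
		fmt.Println("FAIL header:", p)
		failed = true
	}
	if idx != 100 {
		fmt.Printf("FAIL rate limit: first 429 at request index %d, want 100\n", idx)
		failed = true
	}
	if failed {
		os.Exit(1)
	}
	fmt.Println("OK: security headers present, first 429 at request 101")
}
```

Two caveats when using it: the limiter keeps state between runs, so run it once against a fresh backend or wait for the window to reset, and if `/api/v1/health` turns out to be exempt from rate limiting (as it is from maintenance mode in section 7), point the probe at any other route.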
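Section 5.1 states that the raw key is returned only at creation and 5.3 that the list endpoint never includes it. That holds only if the server persists a digest of the key rather than the key itself, which is the property to confirm when reviewing the API-key code, not just its HTTP surface. The following Go snippet is an added illustration of that design and is not the project's implementation: it assumes the `veza_sk_` prefix shown on the page, a 32-byte random secret encoded as unpadded base64url, an in-memory `Store` standing in for whatever table holds the keys, and a short display prefix so revoked or active keys can be told apart in a list without exposing the secret.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// keyPrefix is the prefix shown in the checklist; the secret layout is assumed.
const keyPrefix = "veza_sk_"

// KeyRecord is what the server persists and what GET /developer/api-keys may
// return. It deliberately has no field that could hold the raw key.
type KeyRecord struct {
	ID          int
	Name        string
	Permissions []string
	Display     string // "veza_sk_AbCd..." so users can tell keys apart in a list
	Digest      string // hex SHA-256 of the full raw key
	Revoked     bool
}

// Store is an in-memory stand-in for the persisted api-key table (assumed).
type Store struct {
	nextID int
	keys   []*KeyRecord
}

var ErrInvalidKey = errors.New("invalid or revoked API key")

func digest(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// Create mints a key from 32 random bytes behind the veza_sk_ prefix. The raw
// string is returned exactly once, for the 201 response; only its digest and
// a 4-character display prefix are stored.
func (s *Store) Create(name string, perms []string) (raw string, rec KeyRecord, err error) {
	secret := make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return "", KeyRecord{}, err
	}
	raw = keyPrefix + base64.RawURLEncoding.EncodeToString(secret)
	s.nextID++
	r := &KeyRecord{
		ID:          s.nextID,
		Name:        name,
		Permissions: append([]string(nil), perms...),
		Display:     raw[:len(keyPrefix)+4] + "...",
		Digest:      digest(raw),
	}
	s.keys = append(s.keys, r)
	return raw, *r, nil
}

// Authenticate resolves an X-API-Key value to its record by hashing the
// presented key and comparing digests. A real store would index the digest
// column; the digest of a 256-bit random key is not itself a secret, so the
// constant-time compare is belt and braces. A revoked key fails exactly like
// an unknown one, so the response does not reveal which case applied.
func (s *Store) Authenticate(presented string) (*KeyRecord, error) {
	if !strings.HasPrefix(presented, keyPrefix) {
		return nil, ErrInvalidKey
	}
	want := []byte(digest(presented))
	var found *KeyRecord
	for _, r := range s.keys {
		if subtle.ConstantTimeCompare(want, []byte(r.Digest)) == 1 && !r.Revoked {
			found = r
		}
	}
	if found == nil {
		return nil, ErrInvalidKey
	}
	return found, nil
}

// Revoke is what DELETE /developer/api-keys/{id} would call; it returns false
// for an unknown id.
func (s *Store) Revoke(id int) bool {
	for _, r := range s.keys {
		if r.ID == id {
			r.Revoked = true
			return true
		}
	}
	return false
}

// List returns copies of the records: safe to serialise, nothing to redact.
func (s *Store) List() []KeyRecord {
	out := make([]KeyRecord, 0, len(s.keys))
	for _, r := range s.keys {
		out = append(out, *r)
	}
	return out
}

func main() {
	var s Store
	raw, rec, _ := s.Create("My Integration", []string{"read"})
	fmt.Println("raw key (shown once):", raw)
	fmt.Println("stored record:", rec.Display, "digest", rec.Digest[:12]+"...")
	if _, err := s.Authenticate(raw); err == nil {
		fmt.Println("X-API-Key accepted")
	}
	s.Revoke(rec.ID)
	_, err := s.Authenticate(raw)
	fmt.Println("after revoke:", err)
}
```

When running 5.1 and 5.3 against the real backend, the equivalent check is that the key column in the database holds a fixed-length digest and not a `veza_sk_...` string, and that the list response carries at most a short prefix.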