Add Release Scope, Implementation Plan, and Smoke Test for 7 versions:
- v0.703: Go Live & Streaming Complet (Phase 7 Finale)
- v0.801: UX/UI Polish, Accessibilite & PWA (Phase 8)
- v0.802: Cloud Complet, Fichiers & Gear Avance (Phase 8)
- v0.803: Securite, Compliance & Outillage Dev (Phase 8)
- v0.901: Marketplace Complet & Analytics Avances (Phase 9)
- v0.902: Social Complet, Chat & Notifications (Phase 9)
- v0.903: Stabilisation v1.0 & Launch Readiness (Phase 9)
21 documents total (3 per version), covering all remaining features needed to reach v1.0 from v0.702.
Smoke Test v0.803 — Security, Compliance & Dev Tooling
Prerequisites
- veza-backend-api compiled and started
- PostgreSQL with migrations applied up to 125
- .env with DATABASE_URL, JWT_SECRET
- Admin user and standard user with JWT tokens
1. Security Headers (SEC1)
1.1 Headers present
curl -sI http://localhost:8080/api/v1/health | grep -iE "content-security|x-frame|x-content-type|referrer-policy|permissions-policy"
# Expected:
# Content-Security-Policy: default-src 'self'; ...
# X-Frame-Options: DENY
# X-Content-Type-Options: nosniff
# Referrer-Policy: strict-origin-when-cross-origin
# Permissions-Policy: camera=(), microphone=(self), ...
1.2 HSTS (production only)
# In PRODUCTION mode:
# Expected: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# In DEV mode: absent
1.3 Global rate limiting
# Send 150 rapid requests from the same IP
# Expected: 429 Too Many Requests after 100 requests
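One way to script checks 1.1 and 1.3 instead of eyeballing grep output. This is an added example, not part of the original smoke test; it assumes the API on http://localhost:8080 as above and that /api/v1/health is covered by the global rate limit (run it with the argument `run`).

```shell
#!/bin/sh
# Added example for SEC1 (not from the original smoke test).
# Assumption: base URL as in the steps above; override with BASE=...
BASE="${BASE:-http://localhost:8080}"

# check_headers: reads raw response headers on stdin, prints each
# missing or mismatched header, returns 0 only when all expectations hold.
check_headers() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    rc=0
    for want in "x-frame-options: deny" \
                "x-content-type-options: nosniff" \
                "referrer-policy: strict-origin-when-cross-origin" \
                "content-security-policy:" \
                "permissions-policy:"; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$want"; then
            echo "MISSING/WRONG: $want"
            rc=1
        fi
    done
    return $rc
}

# first_limited: reads one HTTP status code per line (in request order)
# on stdin; prints the 1-based position of the first 429, or 0 if none.
first_limited() {
    awk '$1 == 429 { print NR; f = 1; exit } END { if (!f) print 0 }'
}

if [ "${1:-}" = "run" ]; then
    # 1.1: header values, not just presence
    curl -sI "$BASE/api/v1/health" | check_headers && echo "headers OK"

    # 1.3: 150 quick requests, expect the 101st to be the first 429
    tmp=$(mktemp)
    i=0
    while [ "$i" -lt 150 ]; do
        curl -s -o /dev/null -w '%{http_code}\n' "$BASE/api/v1/health" >>"$tmp"
        i=$((i + 1))
    done
    n=$(first_limited <"$tmp")
    rm -f "$tmp"
    if [ "$n" -eq 101 ]; then
        echo "rate limit OK (first 429 at request $n)"
    else
        echo "rate limit FAIL (first 429 at request $n, expected 101)"
    fi
fi
```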
2. Audit Logs (SEC2)
2.1 Automatic logging
# Perform a POST (e.g. create a product)
curl -s -X POST http://localhost:8080/api/v1/marketplace/products \
-H "Authorization: Bearer {TOKEN}" \
-H "Content-Type: application/json" \
-d '{"title":"Test","price_cents":1000}' | jq .
# Check the audit log
curl -s "http://localhost:8080/api/v1/admin/audit-logs?limit=1" \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: action="create", resource_type="product", user_id, ip_address
2.2 Audit log filters
curl -s "http://localhost:8080/api/v1/admin/audit-logs?action=create&limit=10" \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: only logs with action "create"
2.3 Non-admin access denied
curl -s http://localhost:8080/api/v1/admin/audit-logs \
-H "Authorization: Bearer {USER_TOKEN}" | jq .
# Expected: 403 Forbidden
3. Account Deletion (SEC2)
3.1 Delete own account
curl -s -X DELETE http://localhost:8080/api/v1/users/me \
-H "Authorization: Bearer {TOKEN}" | jq .
# Expected: 200, "Account deleted"
3.2 Verify anonymization
# Try to log in with the old email
# Expected: 401 Unauthorized (email anonymized)
3.3 Frontend
# Settings → Account → Delete Account
# Check: confirmation modal with the text "type DELETE to confirm"
# Check: redirect to login after deletion
4. OpenAPI/Swagger (DEV1)
4.1 Swagger UI
curl -s http://localhost:8080/swagger/index.html | head -20
# Expected: Swagger UI HTML
4.2 OpenAPI spec
curl -s http://localhost:8080/swagger/doc.json | jq '.info.title'
# Expected: "Veza API"
5. API Keys (DEV1)
5.1 Create an API key
curl -s -X POST http://localhost:8080/api/v1/developer/api-keys \
-H "Authorization: Bearer {TOKEN}" \
-H "Content-Type: application/json" \
-d '{"name": "My Integration", "permissions": ["read"]}' | jq .
# Expected: 201, { "key": "veza_sk_...", "name": "My Integration" }
# Note: the raw key is returned only at creation
5.2 Auth via X-API-Key
curl -s http://localhost:8080/api/v1/dashboard \
-H "X-API-Key: veza_sk_..." | jq .
# Expected: 200, dashboard data (authenticated via API key)
5.3 List and revoke
curl -s http://localhost:8080/api/v1/developer/api-keys \
-H "Authorization: Bearer {TOKEN}" | jq .
# Expected: list of API keys (without the raw key)
curl -s -X DELETE http://localhost:8080/api/v1/developer/api-keys/{KEY_ID} \
-H "Authorization: Bearer {TOKEN}" | jq .
# Expected: 200, key revoked
6. Moderation (ADM1)
6.1 List reports
curl -s http://localhost:8080/api/v1/admin/reports \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: 200, paginated list of reports
6.2 Resolve a report
curl -s -X POST http://localhost:8080/api/v1/admin/reports/{REPORT_ID}/resolve \
-H "Authorization: Bearer {ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"action": "warn", "note": "First warning"}' | jq .
# Expected: 200, report status = resolved
7. Maintenance Mode (ADM1)
7.1 Enable maintenance
# Set MAINTENANCE_MODE=true in .env and restart
curl -s http://localhost:8080/api/v1/dashboard | jq .
# Expected: 503 Service Unavailable, "Platform is under maintenance"
curl -s http://localhost:8080/api/v1/health | jq .
# Expected: 200 (health is exempt)
8. Announcements (ADM1)
8.1 Create an announcement
curl -s -X POST http://localhost:8080/api/v1/admin/announcements \
-H "Authorization: Bearer {ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"title": "Scheduled Maintenance", "content": "...", "type": "warning"}' | jq .
# Expected: 201, announcement created
8.2 Active announcements (public)
curl -s http://localhost:8080/api/v1/announcements/active | jq .
# Expected: 200, list of active announcements
9. Feature Flags (ADM1)
9.1 List flags
curl -s http://localhost:8080/api/v1/admin/feature-flags \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: 200, list of feature flags with enabled/disabled
9.2 Toggle a flag
curl -s -X PUT http://localhost:8080/api/v1/admin/feature-flags/HLS_STREAMING \
-H "Authorization: Bearer {ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"enabled": true}' | jq .
# Expected: 200, flag updated
10. Automated tests
cd veza-backend-api && go test ./... -v
cd apps/web && npm run build
11. Documentation
- docs/API_REFERENCE.md: sections Security, Audit, API Keys, Admin
- CHANGELOG.md contains a v0.803 entry
- docs/PROJECT_STATE.md: latest tag = v0.803
- docs/FEATURE_STATUS.md: section "Livré en v0.803"
- Swagger UI accessible at /swagger/
- git tag v0.803 created