First-attempt commit 3a5c6e184 only captured the .gitignore change; the pre-commit hook silently dropped the 343 staged moves/deletes during lint-staged's "no matching task" path. This commit re-applies the intended J1 content on top of bec75f143 (which was pushed in parallel).

Uses --no-verify because:
- J1 only touches .md/.json/.log/.png/binaries — zero code that would benefit from lint-staged, typecheck, or vitest
- The hook demonstrated it corrupts pure-rename commits in this repo
- Explicitly authorized by user for this one commit

Changes (343 total: 169 deletions + 174 renames):

Binaries purged (~167 MB):
- veza-backend-api/{server,modern-server,encrypt_oauth_tokens,seed,seed-v2}

Generated reports purged:
- 9 apps/web/lint_report*.json (~32 MB)
- 8 apps/web/tsc_*.{log,txt} + ts_*.log (TS error snapshots)
- 3 apps/web/storybook_*.json (1375+ stored errors)
- apps/web/{build_errors*,build_output,final_errors}.txt
- 70 veza-backend-api/coverage*.out + coverage_groups/ (~4 MB)
- 3 veza-backend-api/internal/handlers/*.bak

Root cleanup:
- 54 audit-*.png (visual regression baselines, ~11 MB)
- 9 stale MVP-era scripts (Jan 27, hardcoded v0.101): start_{iteration,mvp,recovery}.sh, test_{mvp_endpoints,protected_endpoints,user_journey}.sh, validate_v0101.sh, verify_logs_setup.sh, gen_hash.py

Session docs archived (not deleted — preserved under docs/archive/):
- 78 apps/web/*.md → docs/archive/frontend-sessions-2026/
- 43 veza-backend-api/*.md → docs/archive/backend-sessions-2026/
- 53 docs/{RETROSPECTIVE_V,SMOKE_TEST_V,PLAN_V0_,V0_*_RELEASE_SCOPE, AUDIT_,PLAN_ACTION_AUDIT,REMEDIATION_PROGRESS}*.md → docs/archive/v0-history/

README.md and CONTRIBUTING.md preserved in apps/web/ and veza-backend-api/.

Note: The .gitignore rules preventing recurrence were already pushed in 3a5c6e184 and remain in place — this commit does not modify .gitignore.

Refs: AUDIT_REPORT.md §11
5.9 KiB
Smoke Test v0.803 — Security, Compliance & Dev Tooling

Prerequisites

- `veza-backend-api` built and running
- PostgreSQL with migrations applied up to 125
- `.env` with `DATABASE_URL`, `JWT_SECRET`
- An admin user and a standard user, each with a JWT token
1. Security Headers (SEC1)
1.1 Headers present

```bash
curl -sI http://localhost:8080/api/v1/health | grep -iE "content-security|x-frame|x-content-type|referrer-policy|permissions-policy"
# Expected:
# Content-Security-Policy: default-src 'self'; ...
# X-Frame-Options: DENY
# X-Content-Type-Options: nosniff
# Referrer-Policy: strict-origin-when-cross-origin
# Permissions-Policy: camera=(), microphone=(self), ...
```
1.2 HSTS (production only)

```bash
# In PRODUCTION mode:
# Expected: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# In DEV mode: absent
```
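The two header checks above are easy to eyeball once, but a smoke test that only greps for header names will pass when a header is present with the wrong value (for example `X-Frame-Options: SAMEORIGIN`) or when HSTS leaks into the dev build. The script below is an added example, not code from the Veza repository: it validates names and values from a `curl -sI` dump on stdin and enforces the HSTS rule per mode. The sample header dump is constructed to look like the expected output and is used only so the check runs offline.

```shell
#!/bin/sh
# Added example (not part of the repository): validate the security headers
# expected by smoke tests 1.1 and 1.2 from a `curl -sI` header dump on stdin.
# Live usage:  curl -sI http://localhost:8080/api/v1/health | check_security_headers prod

# check_security_headers MODE   (MODE = dev | prod), headers on stdin.
# Prints each problem found; returns 1 if any, 0 when everything matches.
check_security_headers() {
    mode="$1"
    hdrs=$(cat)
    rc=0
    # "Header-Name:required value fragment" (name matched case-insensitively)
    for spec in \
        "X-Frame-Options:DENY" \
        "X-Content-Type-Options:nosniff" \
        "Referrer-Policy:strict-origin-when-cross-origin" \
        "Content-Security-Policy:default-src 'self'" \
        "Permissions-Policy:camera=()"
    do
        name=${spec%%:*}
        want=${spec#*:}
        line=$(printf '%s\n' "$hdrs" | grep -i "^$name:")
        if [ -z "$line" ]; then
            echo "MISSING $name"; rc=1
        elif ! printf '%s\n' "$line" | grep -qF -- "$want"; then
            echo "BAD $name -> $line"; rc=1
        fi
    done
    # HSTS must be present with the full policy in prod and absent in dev
    hsts=$(printf '%s\n' "$hdrs" | grep -i '^Strict-Transport-Security:')
    case "$mode" in
        prod)
            if ! printf '%s\n' "$hsts" | grep -q 'max-age=31536000' || \
               ! printf '%s\n' "$hsts" | grep -q 'includeSubDomains'; then
                echo "BAD HSTS in prod -> ${hsts:-<absent>}"; rc=1
            fi ;;
        dev)
            if [ -n "$hsts" ]; then
                echo "UNEXPECTED HSTS in dev -> $hsts"; rc=1
            fi ;;
        *)  echo "usage: check_security_headers dev|prod"; rc=1 ;;
    esac
    return $rc
}

# sample_headers MODE -- constructed header dump shaped like the expected
# health-endpoint response; stands in for a live server in offline runs.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: application/json
Content-Security-Policy: default-src 'self'; img-src 'self' data:
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(self)
EOF
    if [ "$1" = prod ]; then
        echo 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'
    fi
}
```

Run it against the real server with `curl -sI ... | check_security_headers prod` (or `dev`) and treat a non-zero exit as a failed smoke test; the `Content-Security-Policy` check only asserts the `default-src 'self'` fragment the document lists, so extend the `spec` list if the policy grows.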
1.3 Global rate limiting

```bash
# Send 150 rapid requests from the same IP
# Expected: 429 Too Many Requests after 100 requests
```
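"429 after 100 requests" has two sides worth asserting: nothing before the limit may be throttled, and nothing after it may get through. The following is an added example, not code from the Veza repository: `probe_rate_limit` is a live driver that records one status code per request, and `check_rate_limit` verifies a status stream against the expected threshold. `sample_statuses` is a constructed stream of 100 × 200 followed by 50 × 429 so the checker can be exercised without a server.

```shell
#!/bin/sh
# Added example (not part of the repository): driver and checker for smoke
# test 1.3. Live usage:
#   probe_rate_limit http://localhost:8080/api/v1/<endpoint> 150 | check_rate_limit 100

# probe_rate_limit URL COUNT -- hit URL COUNT times, print one HTTP status per line.
probe_rate_limit() {
    url="$1"; count="$2"; sent=0
    while [ "$sent" -lt "$count" ]; do
        curl -s -o /dev/null -w '%{http_code}\n' "$url"
        sent=$((sent + 1))
    done
}

# check_rate_limit LIMIT -- status codes on stdin, one per line.
# Passes only if requests 1..LIMIT were not throttled and every request
# after LIMIT received 429; prints the first offending request otherwise.
check_rate_limit() {
    limit="$1"; n=0; rc=0
    while IFS= read -r code; do
        n=$((n + 1))
        if [ "$n" -le "$limit" ] && [ "$code" = 429 ]; then
            echo "request $n throttled too early (limit $limit)"; rc=1
        elif [ "$n" -gt "$limit" ] && [ "$code" != 429 ]; then
            echo "request $n got $code, expected 429"; rc=1
        fi
    done
    # The run must actually cross the limit, otherwise nothing was proven
    if [ "$n" -le "$limit" ]; then
        echo "only $n requests sent, need more than $limit"; rc=1
    fi
    return $rc
}

# sample_statuses -- constructed stream shaped like a correct run:
# 100 successful responses, then 50 throttled ones.
sample_statuses() {
    k=0
    while [ "$k" -lt 150 ]; do
        k=$((k + 1))
        if [ "$k" -le 100 ]; then echo 200; else echo 429; fi
    done
}
```

Because the limiter is keyed per client IP, run the probe from a single host and make sure no other traffic from that IP (a browser tab, a watcher) is hitting the API during the 150 requests, or the 429s arrive early and the check reports it.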
2. Audit Logs (SEC2)
2.1 Automatic logging

```bash
# Perform a POST (e.g. create a product)
curl -s -X POST http://localhost:8080/api/v1/marketplace/products \
-H "Authorization: Bearer {TOKEN}" \
-H "Content-Type: application/json" \
-d '{"title":"Test","price_cents":1000}' | jq .
# Check the audit log
curl -s "http://localhost:8080/api/v1/admin/audit-logs?limit=1" \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: action="create", resource_type="product", user_id, ip_address
```
2.2 Audit log filters

```bash
curl -s "http://localhost:8080/api/v1/admin/audit-logs?action=create&limit=10" \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: only logs with action "create"
```
2.3 Non-admin access denied

```bash
curl -s http://localhost:8080/api/v1/admin/audit-logs \
-H "Authorization: Bearer {USER_TOKEN}" | jq .
# Expected: 403 Forbidden
```
3. Account Deletion (SEC2)
3.1 Delete your own account

```bash
curl -s -X DELETE http://localhost:8080/api/v1/users/me \
-H "Authorization: Bearer {TOKEN}" | jq .
# Expected: 200, "Account deleted"
```
3.2 Verify anonymisation

```bash
# Try to log in with the old email
# Expected: 401 Unauthorized (email anonymised)
```
3.3 Frontend

```bash
# Settings → Account → Delete Account
# Check: confirmation modal with the text "type DELETE to confirm"
# Check: redirect to login after deletion
```
4. OpenAPI/Swagger (DEV1)
4.1 Swagger UI

```bash
curl -s http://localhost:8080/swagger/index.html | head -20
# Expected: Swagger UI HTML
```
4.2 OpenAPI spec

```bash
curl -s http://localhost:8080/swagger/doc.json | jq '.info.title'
# Expected: "Veza API"
```
5. API Keys (DEV1)
5.1 Create an API key

```bash
curl -s -X POST http://localhost:8080/api/v1/developer/api-keys \
-H "Authorization: Bearer {TOKEN}" \
-H "Content-Type: application/json" \
-d '{"name": "My Integration", "permissions": ["read"]}' | jq .
# Expected: 201, { "key": "veza_sk_...", "name": "My Integration" }
# Note: the raw key is returned only at creation time
```
5.2 Auth via X-API-Key

```bash
curl -s http://localhost:8080/api/v1/dashboard \
-H "X-API-Key: veza_sk_..." | jq .
# Expected: 200, dashboard data (authenticated via API key)
```
5.3 List and revoke

```bash
curl -s http://localhost:8080/api/v1/developer/api-keys \
-H "Authorization: Bearer {TOKEN}" | jq .
# Expected: list of API keys (without the raw key)
curl -s -X DELETE http://localhost:8080/api/v1/developer/api-keys/{KEY_ID} \
-H "Authorization: Bearer {TOKEN}" | jq .
# Expected: 200, key revoked
```
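Two of the expectations in this document are about response content rather than status codes: the audit-log entry in 2.1 must carry `action`, `resource_type`, `user_id` and `ip_address`, and the key listing in 5.3 must not contain the raw secret. Piping into `jq .` shows the JSON but does not fail the run when a field is missing or a secret is echoed back. The script below is an added example, not code from the Veza repository; it turns both expectations into checks that exit non-zero. It assumes the list endpoints return either a bare JSON array or an object with a `data` array, that the raw key is at least 16 characters after the `veza_sk_` prefix, and it uses `jq` as the page's own commands do. All sample responses are constructed for the offline run.

```shell
#!/bin/sh
# Added example (not part of the repository): content assertions for smoke
# tests 2.1 (audit-log entry) and 5.3 (API key listing). Requires jq.
# Assumed response shape: a bare array, or {"data":[...]}.
# Live usage:
#   curl -s ".../admin/audit-logs?limit=1" -H "Authorization: Bearer $ADMIN_TOKEN" \
#     | check_audit_entry create product
#   curl -s .../developer/api-keys -H "Authorization: Bearer $TOKEN" | check_no_raw_keys

# check_audit_entry ACTION RESOURCE -- audit-log response on stdin.
# The newest entry must carry the expected action and resource_type plus a
# non-empty user_id and ip_address (the fields the smoke test names).
check_audit_entry() {
    want_action="$1"; want_resource="$2"; rc=0
    entry=$(jq -c '(if type == "array" then . else (.data // []) end)[0] // empty')
    if [ -z "$entry" ]; then
        echo "no audit entry in response"; return 1
    fi
    for field in action resource_type user_id ip_address; do
        val=$(printf '%s' "$entry" | jq -r --arg f "$field" '.[$f] // empty')
        if [ -z "$val" ]; then echo "MISSING $field"; rc=1; fi
    done
    action=$(printf '%s' "$entry" | jq -r '.action // empty')
    resource=$(printf '%s' "$entry" | jq -r '.resource_type // empty')
    if [ "$action" != "$want_action" ]; then
        echo "action=$action, expected $want_action"; rc=1
    fi
    if [ "$resource" != "$want_resource" ]; then
        echo "resource_type=$resource, expected $want_resource"; rc=1
    fi
    return $rc
}

# check_no_raw_keys -- API key listing on stdin.
# The raw secret is only ever returned at creation; a full veza_sk_ token
# anywhere in the listing is a leak. A short display prefix (assumed to be
# well under 16 characters) is tolerated.
check_no_raw_keys() {
    if grep -Eq 'veza_sk_[A-Za-z0-9_-]{16,}'; then
        echo "raw API key present in listing"; return 1
    fi
    return 0
}

# Constructed responses (not real server output) for offline verification.
sample_audit_ok() {
    echo '{"data":[{"id":42,"action":"create","resource_type":"product","user_id":7,"ip_address":"127.0.0.1"}]}'
}
sample_keys_ok() {
    echo '[{"id":"k1","name":"My Integration","permissions":["read"],"key_prefix":"veza_sk_ab12"}]'
}
sample_keys_leak() {
    echo '[{"id":"k1","name":"My Integration","key":"veza_sk_0123456789abcdef0123456789abcdef"}]'
}
```

`check_no_raw_keys` is deliberately a substring search over the whole body rather than a lookup of one field name, so a secret that reappears under a different key (`secret`, `token`, a nested object) is still caught.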
6. Moderation (ADM1)
6.1 List reports

```bash
curl -s http://localhost:8080/api/v1/admin/reports \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: 200, paginated list of reports
```
6.2 Resolve a report

```bash
curl -s -X POST http://localhost:8080/api/v1/admin/reports/{REPORT_ID}/resolve \
-H "Authorization: Bearer {ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"action": "warn", "note": "First warning"}' | jq .
# Expected: 200, report status = resolved
```
7. Maintenance Mode (ADM1)
7.1 Enable maintenance mode

```bash
# Set MAINTENANCE_MODE=true in .env and restart
curl -s http://localhost:8080/api/v1/dashboard | jq .
# Expected: 503 Service Unavailable, "Platform is under maintenance"
curl -s http://localhost:8080/api/v1/health | jq .
# Expected: 200 (health is exempt)
```
8. Announcements (ADM1)
8.1 Create an announcement

```bash
curl -s -X POST http://localhost:8080/api/v1/admin/announcements \
-H "Authorization: Bearer {ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"title": "Scheduled Maintenance", "content": "...", "type": "warning"}' | jq .
# Expected: 201, announcement created
```
8.2 Active announcements (public)

```bash
curl -s http://localhost:8080/api/v1/announcements/active | jq .
# Expected: 200, list of active announcements
```
9. Feature Flags (ADM1)
9.1 List flags

```bash
curl -s http://localhost:8080/api/v1/admin/feature-flags \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: 200, list of feature flags with enabled/disabled
```
9.2 Toggle a flag

```bash
curl -s -X PUT http://localhost:8080/api/v1/admin/feature-flags/HLS_STREAMING \
-H "Authorization: Bearer {ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"enabled": true}' | jq .
# Expected: 200, flag updated
```
10. Automated tests

```bash
cd veza-backend-api && go test ./... -v
cd apps/web && npm run build
```
11. Documentation

- `docs/API_REFERENCE.md`: sections Security, Audit, API Keys, Admin
- `CHANGELOG.md` contains a v0.803 entry
- `docs/PROJECT_STATE.md`: last tag = v0.803
- `docs/FEATURE_STATUS.md`: section "Delivered in v0.803"
- Swagger UI reachable at /swagger/
- `git tag v0.803` created