veza/veza-backend-api/internal/api/routes_moderation.go
senke b0a46040f1
feat(v0.12.6.2): enforce MFA for admin/moderator + align refresh token TTL to 7 days
TASK-SFIX-001: MFA enforcement for privileged roles
- Add RequireMFA() middleware, TwoFactorChecker interface, SetTwoFactorChecker()
- Apply to all 3 admin route groups (platform, moderation, core)
- Returns 403 "mfa_setup_required" if admin/moderator without 2FA
- Regular users bypass the check
- Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 5

TASK-SFIX-002: Refresh token TTL alignment
- jwt_service.go: RefreshTokenTTL 14d→7d, RememberMeRefreshTokenTTL 30d→7d
- handlers/auth.go: Cookie max-age and session expiresIn → 7d across
  Login, LoginWith2FA, Register, Refresh handlers
- middleware/auth.go: Session auto-refresh default 30d→7d
- Ref: ORIGIN_SECURITY_FRAMEWORK.md Rule 4

TASK-SFIX-003: 5 unit tests — all PASS
- TestRequireMFA_AdminWithoutMFA, TestRequireMFA_AdminWithMFA
- TestRequireMFA_RegularUserNotAffected
- TestRefreshTokenTTL_Is7Days, TestAccessTokenTTL_Is5Minutes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 06:53:27 +01:00


package api
import (
"veza-backend-api/internal/core/moderation"
"veza-backend-api/internal/services"
"github.com/gin-gonic/gin"
)
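// setupModerationRoutes registers advanced moderation routes (v0.11.2 F411-F420).
//
// Two groups are mounted under router:
//   - /admin/moderation: RequireAuth + RequireAdmin + RequireMFA (SFIX-001)
//   - "" (user-facing): RequireAuth only
//
// The auth stack is mandatory. When r.config.AuthMiddleware is nil the
// function registers nothing and returns, so a missing middleware
// configuration surfaces as 404s rather than as unauthenticated access to
// the moderation queue, report processing and appeal resolution handlers.
func (r *APIRouter) setupModerationRoutes(router *gin.RouterGroup) {
	if r.config.AuthMiddleware == nil {
		// Fail closed: registering these handlers without the auth
		// middleware would expose the whole admin moderation surface.
		return
	}

	moderationService := services.NewModerationService(r.db.GormDB, r.logger)
	moderationHandler := moderation.NewModerationHandler(moderationService, r.logger)

	// Admin moderation routes (require auth + admin + MFA).
	// Order matters: identity first, then role, then MFA enrolment check.
	admin := router.Group("/admin/moderation")
	admin.Use(
		r.config.AuthMiddleware.RequireAuth(),
		r.config.AuthMiddleware.RequireAdmin(),
		r.config.AuthMiddleware.RequireMFA(), // SFIX-001: MFA is mandatory for admins
	)

	// F411: Moderation queue
	admin.GET("/queue", moderationHandler.GetModerationQueue)
	admin.POST("/reports/:id/process", moderationHandler.ProcessReport)
	admin.POST("/reports/:id/assign", moderationHandler.AssignReport)
	// F413: Spam detections
	admin.GET("/spam", moderationHandler.GetSpamDetections)
	// F414: Audio fingerprints
	admin.GET("/fingerprints", moderationHandler.GetPendingFingerprints)
	admin.POST("/fingerprints/:trackId/review", moderationHandler.ReviewFingerprint)
	// F415: Strikes & appeals (admin view)
	admin.GET("/users/:userId/strikes", moderationHandler.GetUserStrikes)
	admin.GET("/appeals", moderationHandler.GetPendingAppeals)
	admin.POST("/appeals/:strikeId/resolve", moderationHandler.ResolveAppeal)
	// Stats
	admin.GET("/stats", moderationHandler.GetModerationStats)

	// User-facing routes (require auth only).
	protected := router.Group("")
	protected.Use(r.config.AuthMiddleware.RequireAuth())

	// F412: Enhanced reporting (any authenticated user)
	protected.POST("/reports", moderationHandler.CreateEnhancedReport)
	// F415: User's own strikes and appeals
	protected.GET("/me/strikes", moderationHandler.GetMyStrikes)
	protected.POST("/strikes/:strikeId/appeal", moderationHandler.AppealStrike)
}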