reviewed

2025-12-20 22:38:39 +01:00 · 2025-12-20 22:38:39 +01:00 · a31bd8246c
commit a31bd8246c
parent a56a4c076a
10 changed files with 15 additions and 71 deletions
--- a/backend/routes/audit.py
+++ b/backend/routes/audit.py
@ -114,4 +114,3 @@ async def get_sum_records(
        per_page=per_page,
        total_pages=total_pages,
    )
-
--- a/backend/routes/auth.py
+++ b/backend/routes/auth.py
@ -8,6 +8,7 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from auth import (
    ACCESS_TOKEN_EXPIRE_MINUTES,
    COOKIE_NAME,
+    COOKIE_SECURE,
    get_password_hash,
    get_user_by_email,
    authenticate_user,
@ -30,7 +31,7 @@ def set_auth_cookie(response: Response, token: str) -> None:
        key=COOKIE_NAME,
        value=token,
        httponly=True,
-        secure=False,  # Set to True in production with HTTPS
+        secure=COOKIE_SECURE,
        samesite="lax",
        max_age=ACCESS_TOKEN_EXPIRE_MINUTES * 60,
    )
@ -132,4 +133,3 @@ async def get_me(
 ) -> UserResponse:
    """Get the current authenticated user's info."""
    return await build_user_response(current_user, db)
-
--- a/backend/routes/counter.py
+++ b/backend/routes/counter.py
@ -51,4 +51,3 @@ async def increment_counter(
    db.add(record)
    await db.commit()
    return {"value": counter.value}
-
--- a/backend/routes/invites.py
+++ b/backend/routes/invites.py
@ -20,7 +20,8 @@ from schemas import (
 )


-router = APIRouter(tags=["invites"])
+router = APIRouter(prefix="/api/invites", tags=["invites"])
+admin_router = APIRouter(prefix="/api/admin", tags=["admin"])

 MAX_INVITE_COLLISION_RETRIES = 3

@ -41,11 +42,7 @@ def build_invite_response(invite: Invite) -> InviteResponse:
    )


-# =============================================================================
-# Public Endpoints
-# =============================================================================
-
-@router.get("/api/invites/{identifier}/check", response_model=InviteCheckResponse)
+@router.get("/{identifier}/check", response_model=InviteCheckResponse)
 async def check_invite(
    identifier: str,
    db: AsyncSession = Depends(get_db),
@ -69,11 +66,7 @@ async def check_invite(
    return InviteCheckResponse(valid=True, status=invite.status.value)


-# =============================================================================
-# User Endpoints (requires VIEW_OWN_INVITES permission)
-# =============================================================================
-
-@router.get("/api/invites", response_model=list[UserInviteResponse])
+@router.get("", response_model=list[UserInviteResponse])
 async def get_my_invites(
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(require_permission(Permission.VIEW_OWN_INVITES)),
@ -100,11 +93,7 @@ async def get_my_invites(
    ]


-# =============================================================================
-# Admin Endpoints (requires MANAGE_INVITES permission)
-# =============================================================================
-
-@router.get("/api/admin/users", response_model=list[AdminUserResponse])
+@admin_router.get("/users", response_model=list[AdminUserResponse])
 async def list_users_for_admin(
    db: AsyncSession = Depends(get_db),
    _current_user: User = Depends(require_permission(Permission.MANAGE_INVITES)),
@ -115,7 +104,7 @@ async def list_users_for_admin(
    return [AdminUserResponse(id=u.id, email=u.email) for u in users]


-@router.post("/api/admin/invites", response_model=InviteResponse)
+@admin_router.post("/invites", response_model=InviteResponse)
 async def create_invite(
    data: InviteCreate,
    db: AsyncSession = Depends(get_db),
@ -163,7 +152,7 @@ async def create_invite(
    return build_invite_response(invite)


-@router.get("/api/admin/invites", response_model=PaginatedInviteRecords)
+@admin_router.get("/invites", response_model=PaginatedInviteRecords)
 async def list_all_invites(
    page: int = Query(1, ge=1),
    per_page: int = Query(10, ge=1, le=100),
@ -216,7 +205,7 @@ async def list_all_invites(
    )


-@router.post("/api/admin/invites/{invite_id}/revoke", response_model=InviteResponse)
+@admin_router.post("/invites/{invite_id}/revoke", response_model=InviteResponse)
 async def revoke_invite(
    invite_id: int,
    db: AsyncSession = Depends(get_db),
@ -244,4 +233,3 @@ async def revoke_invite(
    await db.refresh(invite)

    return build_invite_response(invite)
-
--- a/backend/routes/profile.py
+++ b/backend/routes/profile.py
@ -91,4 +91,3 @@ async def update_profile(
        nostr_npub=current_user.nostr_npub,
        godfather_email=godfather_email,
    )
-
--- a/backend/routes/sum.py
+++ b/backend/routes/sum.py
@ -28,4 +28,3 @@ async def calculate_sum(
    db.add(record)
    await db.commit()
    return SumResponse(a=data.a, b=data.b, result=result)
-