feat: implement Phase 1 hardening

- Verify JWT signatures via JWKS in auth.py
- Fix broken frontend auth button references
- Add Pydantic Settings for env validation (RETENTION_DAYS, CORS_ORIGINS)
- Create MongoDB indexes + TTL on startup
- Add /health endpoint and CORS middleware
- Escape regex input in event queries
- Fix dedupe() return calculation in maintenance.py
- Replace basic logging with structured structlog JSON logs
- Update README and add ROADMAP.md
2026-04-14 11:48:29 +02:00
parent f9f1399f57
commit 4f6e16d64d
12 changed files with 392 additions and 46 deletions


@@ -32,6 +32,12 @@ cp .env.example .env
# AUTH_ALLOWED_ROLES=Admins,SecurityOps
# ENABLE_PERIODIC_FETCH=true
# FETCH_INTERVAL_MINUTES=60
# Optional: data retention (auto-expire old events via MongoDB TTL)
# RETENTION_DAYS=90
# Optional: CORS origins if the frontend is served separately
# CORS_ORIGINS=http://localhost:3000,https://app.example.com
```
## Run with Docker Compose (recommended)
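Review bot: the two new example keys give no default behaviour. Say what happens when each is unset (is retention unlimited and CORS disabled, or does the Pydantic Settings validation added in this commit reject the missing value?), and note that `CORS_ORIGINS` expects a comma-separated list of explicit origins, since the `https://app.example.com` example implies a browser-facing deployment where a wildcard origin would let any site call the API from a browser.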
@@ -40,6 +46,7 @@ docker compose up --build
```
- API: http://localhost:8000
- Frontend: http://localhost:8000
- Health: http://localhost:8000/health
- Mongo: localhost:27017 (root/example)
## Run locally without Docker
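Review bot: the new Health line does not say whether `/health` sits behind the JWT verification introduced in this commit. Because the endpoint reports MongoDB connectivity, state here or in the API section that it is unauthenticated, if it is, and keep its body to an up/down indicator so an unauthenticated caller learns nothing further about the database.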
@@ -57,6 +64,7 @@ uvicorn main:app --reload --host 0.0.0.0 --port 8000
```
## API
- `GET /health` — health check with MongoDB connectivity status.
- `GET /api/fetch-audit-logs` — pulls the last 7 days by default (override with `?hours=N`, capped to 30 days) of:
- Entra directory audit logs (`/auditLogs/directoryAudits`)
- Exchange/SharePoint/Teams admin audits (via Office 365 Management Activity API)
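Review bot: the `GET /health` entry should document the response contract: which fields are returned and which HTTP status is used when MongoDB is unreachable (a 5xx rather than 200 with a failure flag), otherwise Docker or Kubernetes probes built on it will treat a down database as healthy.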
@@ -89,6 +97,7 @@ Stored document shape (collection `micro_soc.events`):
## Quick smoke tests
With the server running:
```bash
curl http://localhost:8000/health
curl http://localhost:8000/api/events
curl http://localhost:8000/api/fetch-audit-logs
```
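Review bot: the smoke tests call `/api/events` and `/api/fetch-audit-logs` without an `Authorization` header, but this commit makes auth.py verify JWT signatures via JWKS, so as written only the `/health` call can succeed. Either add a line showing how to pass a bearer token (for example `-H "Authorization: Bearer $TOKEN"`) or note that a 401 on the two API calls is the expected outcome of the smoke test.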