feat: implement Phase 1 hardening

- Verify JWT signatures via JWKS in auth.py - Fix broken frontend auth button references - Add Pydantic Settings for env validation (RETENTION_DAYS, CORS_ORIGINS) - Create MongoDB indexes + TTL on startup - Add /health endpoint and CORS middleware - Escape regex input in event queries - Fix dedupe() return calculation in maintenance.py - Replace basic logging with structured structlog JSON logs - Update README and add ROADMAP.md
2026-04-14 11:48:29 +02:00
parent f9f1399f57
commit 4f6e16d64d
12 changed files with 392 additions and 46 deletions
--- a/backend/database.py
+++ b/backend/database.py
@@ -1,6 +1,43 @@
-from pymongo import MongoClient
-from config import MONGO_URI, DB_NAME
+from pymongo import MongoClient, ASCENDING, DESCENDING, TEXT
+from config import MONGO_URI, DB_NAME, RETENTION_DAYS
+import structlog

 client = MongoClient(MONGO_URI)
 db = client[DB_NAME]
 events_collection = db["events"]
+logger = structlog.get_logger("aoc.database")
+
+
+def setup_indexes(max_retries: int = 5, delay: float = 2.0):
+    """Ensure MongoDB indexes exist. Retries on connection errors."""
+    from time import sleep
+
+    for attempt in range(1, max_retries + 1):
+        try:
+            events_collection.create_index("dedupe_key", unique=True, sparse=True)
+            events_collection.create_index([("timestamp", DESCENDING)])
+            events_collection.create_index([("service", ASCENDING), ("timestamp", DESCENDING)])
+            events_collection.create_index("id")
+            events_collection.create_index(
+                [("actor_display", TEXT), ("raw_text", TEXT), ("operation", TEXT)],
+                name="text_search_index",
+            )
+            if RETENTION_DAYS > 0:
+                events_collection.create_index(
+                    [("timestamp", ASCENDING)],
+                    expireAfterSeconds=RETENTION_DAYS * 24 * 60 * 60,
+                    name="ttl_timestamp",
+                )
+            else:
+                try:
+                    events_collection.drop_index("ttl_timestamp")
+                except Exception:
+                    pass
+            logger.info("MongoDB indexes ensured")
+            return
+        except Exception as exc:
+            if attempt == max_retries:
+                logger.error("Failed to ensure MongoDB indexes", error=str(exc))
+                raise
+            logger.warning("MongoDB not ready, retrying...", attempt=attempt, error=str(exc))
+            sleep(delay)