kin: BATON-SEC-001 pre-commit hook + httpx logging hardening

sec: pre-commit hook + httpx exception logging hardening
1. .pre-commit-config.yaml — local pygrep hook блокирует коммиты с токенами формата \d{9,10}:AA[A-Za-z0-9_-]{35} (Telegram bot tokens). Проверено: срабатывает на токен, пропускает чистые файлы. 2. backend/telegram.py — три функции (send_registration_notification, answer_callback_query, edit_message_text) логировали exc напрямую, что раскрывало BOT_TOKEN в URL httpx-исключений в journalctl. Заменено на type(exc).__name__ — только тип ошибки, без URL. Refs: #1303, #1309, #1283 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 10:56:01 +02:00 · 2026-03-21 10:55:34 +02:00 · 2026-03-21 09:37:57 +02:00 · 2026-03-21 09:34:21 +02:00 · 2026-03-21 09:34:21 +02:00 · 2026-03-21 09:34:18 +02:00
8 changed files with 259 additions and 23 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,11 @@
+repos:
+  - repo: local
+    hooks:
+      - id: no-telegram-bot-token
+        name: Block Telegram bot tokens
+        # Matches tokens of format: 1234567890:AAFisjLS-yO_AmwqMjpBQgfV9qlHnexZlMs
+        # Pattern: 9-10 digits, colon, "AA", then 35 alphanumeric/dash/underscore chars
+        entry: '\d{9,10}:AA[A-Za-z0-9_-]{35}'
+        language: pygrep
+        types: [text]
+        exclude: '^\.pre-commit-config\.yaml$'
--- a/backend/config.py
+++ b/backend/config.py
@ -22,7 +22,7 @@ WEBHOOK_ENABLED: bool = os.getenv("WEBHOOK_ENABLED", "true").lower() == "true"
 FRONTEND_ORIGIN: str = os.getenv("FRONTEND_ORIGIN", "http://localhost:3000")
 APP_URL: str | None = os.getenv("APP_URL")  # Публичный URL приложения для keep-alive self-ping
 ADMIN_TOKEN: str = _require("ADMIN_TOKEN")
-ADMIN_CHAT_ID: str = os.getenv("ADMIN_CHAT_ID", "5694335584")
+ADMIN_CHAT_ID: str = _require("ADMIN_CHAT_ID")
 VAPID_PRIVATE_KEY: str = os.getenv("VAPID_PRIVATE_KEY", "")
 VAPID_PUBLIC_KEY: str = os.getenv("VAPID_PUBLIC_KEY", "")
 VAPID_CLAIMS_EMAIL: str = os.getenv("VAPID_CLAIMS_EMAIL", "")
--- a/backend/db.py
+++ b/backend/db.py
@ -341,9 +341,10 @@ async def get_registration(reg_id: int) -> Optional[dict]:


 async def update_registration_status(reg_id: int, status: str) -> bool:
+    """Update registration status only if currently 'pending'. Returns False if already processed."""
    async with _get_conn() as conn:
        async with conn.execute(
-            "UPDATE registrations SET status = ? WHERE id = ?",
+            "UPDATE registrations SET status = ? WHERE id = ? AND status = 'pending'",
            (status, reg_id),
        ) as cur:
            changed = cur.rowcount > 0
--- a/backend/main.py
+++ b/backend/main.py
@ -240,7 +240,11 @@ async def _handle_callback_query(cb: dict) -> None:
        return

    if action == "approve":
-        await db.update_registration_status(reg_id, "approved")
+        updated = await db.update_registration_status(reg_id, "approved")
+        if not updated:
+            # Already processed (not pending) — ack the callback and stop
+            await telegram.answer_callback_query(callback_query_id)
+            return
        if chat_id and message_id:
            await telegram.edit_message_text(
                chat_id, message_id, f"✅ Пользователь {reg['login']} одобрен"
@ -254,7 +258,10 @@ async def _handle_callback_query(cb: dict) -> None:
                )
            )
    elif action == "reject":
-        await db.update_registration_status(reg_id, "rejected")
+        updated = await db.update_registration_status(reg_id, "rejected")
+        if not updated:
+            await telegram.answer_callback_query(callback_query_id)
+            return
        if chat_id and message_id:
            await telegram.edit_message_text(
                chat_id, message_id, f"❌ Пользователь {reg['login']} отклонён"
--- a/backend/telegram.py
+++ b/backend/telegram.py
@ -106,7 +106,8 @@ async def send_registration_notification(
                    resp.text,
                )
    except Exception as exc:
-        logger.error("send_registration_notification error: %s", exc)
+        # Do not log exc directly — httpx exceptions embed the full API URL with BOT_TOKEN
+        logger.error("send_registration_notification error: %s", type(exc).__name__)


 async def answer_callback_query(callback_query_id: str) -> None:
@ -118,7 +119,8 @@ async def answer_callback_query(callback_query_id: str) -> None:
            if resp.status_code != 200:
                logger.error("answerCallbackQuery failed %s: %s", resp.status_code, resp.text)
    except Exception as exc:
-        logger.error("answerCallbackQuery error: %s", exc)
+        # Do not log exc directly — httpx exceptions embed the full API URL with BOT_TOKEN
+        logger.error("answerCallbackQuery error: %s", type(exc).__name__)


 async def edit_message_text(chat_id: str | int, message_id: int, text: str) -> None:
@ -132,7 +134,8 @@ async def edit_message_text(chat_id: str | int, message_id: int, text: str) -> N
            if resp.status_code != 200:
                logger.error("editMessageText failed %s: %s", resp.status_code, resp.text)
    except Exception as exc:
-        logger.error("editMessageText error: %s", exc)
+        # Do not log exc directly — httpx exceptions embed the full API URL with BOT_TOKEN
+        logger.error("editMessageText error: %s", type(exc).__name__)


 async def set_webhook(url: str, secret: str) -> None:
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -22,6 +22,7 @@ os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
 os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
 os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
 os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
+os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")

 # ── 2. aiosqlite monkey-patch ────────────────────────────────────────────────
 import aiosqlite
@ -69,14 +70,20 @@ def temp_db():

 # ── 5. App client factory ────────────────────────────────────────────────────

-def make_app_client():
+def make_app_client(capture_send_requests: list | None = None):
    """
    Async context manager that:
    1. Assigns a fresh temp-file DB path
    2. Mocks Telegram setWebhook, sendMessage, answerCallbackQuery, editMessageText
    3. Runs the FastAPI lifespan (startup → test → shutdown)
    4. Yields an httpx.AsyncClient wired to the app
+
+    Args:
+        capture_send_requests: if provided, each sendMessage request body (dict) is
+            appended to this list, enabling HTTP-level assertions on chat_id, text, etc.
    """
+    import json as _json
+
    tg_set_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/setWebhook"
    send_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/sendMessage"
    get_me_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/getMe"
@ -95,9 +102,18 @@ def make_app_client():
            mock_router.post(tg_set_url).mock(
                return_value=httpx.Response(200, json={"ok": True, "result": True})
            )
-            mock_router.post(send_url).mock(
-                return_value=httpx.Response(200, json={"ok": True})
-            )
+            if capture_send_requests is not None:
+                def _capture_send(request: httpx.Request) -> httpx.Response:
+                    try:
+                        capture_send_requests.append(_json.loads(request.content))
+                    except Exception:
+                        pass
+                    return httpx.Response(200, json={"ok": True})
+                mock_router.post(send_url).mock(side_effect=_capture_send)
+            else:
+                mock_router.post(send_url).mock(
+                    return_value=httpx.Response(200, json={"ok": True})
+                )
            mock_router.post(answer_cb_url).mock(
                return_value=httpx.Response(200, json={"ok": True})
            )
--- a/tests/test_baton_008.py
+++ b/tests/test_baton_008.py
@ -21,6 +21,7 @@ os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
 os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
 os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
 os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
+os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")

 from unittest.mock import AsyncMock, patch

@ -167,20 +168,23 @@ async def test_auth_register_422_short_password():

@pytest.mark.asyncio
 async def test_auth_register_sends_notification_to_admin():
-    """Registration triggers send_registration_notification with correct data."""
-    calls: list[dict] = []
+    """Registration triggers real HTTP sendMessage to ADMIN_CHAT_ID with correct login/email."""
+    from backend import config as _cfg

-    async def _capture(reg_id, login, email, created_at):
-        calls.append({"reg_id": reg_id, "login": login, "email": email})
+    captured: list[dict] = []
+    async with make_app_client(capture_send_requests=captured) as client:
+        resp = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
+        assert resp.status_code == 201
+        await asyncio.sleep(0)

-    async with make_app_client() as client:
-        with patch("backend.telegram.send_registration_notification", side_effect=_capture):
-            await client.post("/api/auth/register", json=_VALID_PAYLOAD)
-            await asyncio.sleep(0)
-
-    assert len(calls) == 1, f"Expected 1 notification call, got {len(calls)}"
-    assert calls[0]["login"] == _VALID_PAYLOAD["login"]
-    assert calls[0]["email"] == _VALID_PAYLOAD["email"]
+    admin_chat_id = str(_cfg.ADMIN_CHAT_ID)
+    admin_msgs = [r for r in captured if str(r.get("chat_id")) == admin_chat_id]
+    assert len(admin_msgs) >= 1, (
+        f"Expected sendMessage to ADMIN_CHAT_ID={admin_chat_id!r}, captured: {captured}"
+    )
+    text = admin_msgs[0].get("text", "")
+    assert _VALID_PAYLOAD["login"] in text, f"Expected login in text: {text!r}"
+    assert _VALID_PAYLOAD["email"] in text, f"Expected email in text: {text!r}"


 # ---------------------------------------------------------------------------
--- a/tests/test_fix_013.py
+++ b/tests/test_fix_013.py
@ -0,0 +1,194 @@
+"""
+Tests for BATON-FIX-013: CORS allow_methods — добавить GET для /health эндпоинтов.
+
+Acceptance criteria:
+1. CORSMiddleware в main.py содержит "GET" в allow_methods.
+2. OPTIONS preflight /health с Origin и Access-Control-Request-Method: GET
+   возвращает 200/204 и содержит GET в Access-Control-Allow-Methods.
+3. OPTIONS preflight /api/health — аналогично.
+4. GET /health возвращает 200 (regression guard vs. allow_methods=['POST'] only).
+"""
+from __future__ import annotations
+
+import os
+
+os.environ.setdefault("BOT_TOKEN", "test-bot-token")
+os.environ.setdefault("CHAT_ID", "-1001234567890")
+os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
+os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
+os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
+os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
+os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
+
+import pytest
+
+from tests.conftest import make_app_client
+
+_ORIGIN = "http://localhost:3000"
+# allow_headers = ["Content-Type", "Authorization"] — X-Custom-Header не разрешён,
+# поэтому preflight с X-Custom-Header вернёт 400. Используем Content-Type.
+_PREFLIGHT_HEADER = "Content-Type"
+
+
+# ---------------------------------------------------------------------------
+# Criterion 1 — Static: CORSMiddleware.allow_methods must contain "GET"
+# ---------------------------------------------------------------------------
+
+
+def test_cors_middleware_allow_methods_contains_get() -> None:
+    """app.user_middleware CORSMiddleware должен содержать 'GET' в allow_methods."""
+    from fastapi.middleware.cors import CORSMiddleware
+
+    from backend.main import app
+
+    cors_mw = next(
+        (m for m in app.user_middleware if m.cls is CORSMiddleware), None
+    )
+    assert cors_mw is not None, "CORSMiddleware не найден в app.user_middleware"
+    allow_methods = cors_mw.kwargs.get("allow_methods", [])
+    assert "GET" in allow_methods, (
+        f"CORSMiddleware.allow_methods={allow_methods!r} не содержит 'GET'"
+    )
+
+
+def test_cors_middleware_allow_methods_contains_head() -> None:
+    """allow_methods должен содержать 'HEAD' для корректной работы preflight."""
+    from fastapi.middleware.cors import CORSMiddleware
+
+    from backend.main import app
+
+    cors_mw = next(
+        (m for m in app.user_middleware if m.cls is CORSMiddleware), None
+    )
+    assert cors_mw is not None
+    allow_methods = cors_mw.kwargs.get("allow_methods", [])
+    assert "HEAD" in allow_methods, (
+        f"CORSMiddleware.allow_methods={allow_methods!r} не содержит 'HEAD'"
+    )
+
+
+def test_cors_middleware_allow_methods_contains_options() -> None:
+    """allow_methods должен содержать 'OPTIONS' для корректной обработки preflight."""
+    from fastapi.middleware.cors import CORSMiddleware
+
+    from backend.main import app
+
+    cors_mw = next(
+        (m for m in app.user_middleware if m.cls is CORSMiddleware), None
+    )
+    assert cors_mw is not None
+    allow_methods = cors_mw.kwargs.get("allow_methods", [])
+    assert "OPTIONS" in allow_methods, (
+        f"CORSMiddleware.allow_methods={allow_methods!r} не содержит 'OPTIONS'"
+    )
+
+
+# ---------------------------------------------------------------------------
+# Criterion 2 — Preflight OPTIONS /health includes GET in Allow-Methods
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_health_preflight_options_returns_success_status() -> None:
+    """OPTIONS preflight /health должен вернуть 200 или 204."""
+    async with make_app_client() as client:
+        response = await client.options(
+            "/health",
+            headers={
+                "Origin": _ORIGIN,
+                "Access-Control-Request-Method": "GET",
+                "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
+            },
+        )
+    assert response.status_code in (200, 204), (
+        f"OPTIONS /health вернул {response.status_code}, ожидался 200 или 204"
+    )
+
+
+@pytest.mark.asyncio
+async def test_health_preflight_options_allow_methods_contains_get() -> None:
+    """OPTIONS preflight /health: Access-Control-Allow-Methods должен содержать GET."""
+    async with make_app_client() as client:
+        response = await client.options(
+            "/health",
+            headers={
+                "Origin": _ORIGIN,
+                "Access-Control-Request-Method": "GET",
+                "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
+            },
+        )
+    allow_methods_header = response.headers.get("access-control-allow-methods", "")
+    assert "GET" in allow_methods_header, (
+        f"Access-Control-Allow-Methods={allow_methods_header!r} не содержит 'GET'"
+    )
+
+
+# ---------------------------------------------------------------------------
+# Criterion 3 — Preflight OPTIONS /api/health includes GET in Allow-Methods
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_api_health_preflight_options_returns_success_status() -> None:
+    """OPTIONS preflight /api/health должен вернуть 200 или 204."""
+    async with make_app_client() as client:
+        response = await client.options(
+            "/api/health",
+            headers={
+                "Origin": _ORIGIN,
+                "Access-Control-Request-Method": "GET",
+                "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
+            },
+        )
+    assert response.status_code in (200, 204), (
+        f"OPTIONS /api/health вернул {response.status_code}, ожидался 200 или 204"
+    )
+
+
+@pytest.mark.asyncio
+async def test_api_health_preflight_options_allow_methods_contains_get() -> None:
+    """OPTIONS preflight /api/health: Access-Control-Allow-Methods должен содержать GET."""
+    async with make_app_client() as client:
+        response = await client.options(
+            "/api/health",
+            headers={
+                "Origin": _ORIGIN,
+                "Access-Control-Request-Method": "GET",
+                "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
+            },
+        )
+    allow_methods_header = response.headers.get("access-control-allow-methods", "")
+    assert "GET" in allow_methods_header, (
+        f"Access-Control-Allow-Methods={allow_methods_header!r} не содержит 'GET'"
+    )
+
+
+# ---------------------------------------------------------------------------
+# Criterion 4 — GET /health returns 200 (regression guard)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.asyncio
+async def test_health_get_returns_200_regression_guard() -> None:
+    """GET /health должен вернуть 200 — regression guard против allow_methods=['POST'] only."""
+    async with make_app_client() as client:
+        response = await client.get(
+            "/health",
+            headers={"Origin": _ORIGIN},
+        )
+    assert response.status_code == 200, (
+        f"GET /health вернул {response.status_code}, ожидался 200"
+    )
+
+
+@pytest.mark.asyncio
+async def test_api_health_get_returns_200_regression_guard() -> None:
+    """GET /api/health должен вернуть 200 — regression guard против allow_methods=['POST'] only."""
+    async with make_app_client() as client:
+        response = await client.get(
+            "/api/health",
+            headers={"Origin": _ORIGIN},
+        )
+    assert response.status_code == 200, (
+        f"GET /api/health вернул {response.status_code}, ожидался 200"
+    )
Author	SHA1	Message	Date
Gros Frumos	a0dc6a7b22	kin: BATON-SEC-001 pre-commit hook + httpx logging hardening	2026-03-21 10:56:01 +02:00
Gros Frumos	dd556e2f05	sec: pre-commit hook + httpx exception logging hardening 1. .pre-commit-config.yaml — local pygrep hook блокирует коммиты с токенами формата \d{9,10}:AA[A-Za-z0-9_-]{35} (Telegram bot tokens). Проверено: срабатывает на токен, пропускает чистые файлы. 2. backend/telegram.py — три функции (send_registration_notification, answer_callback_query, edit_message_text) логировали exc напрямую, что раскрывало BOT_TOKEN в URL httpx-исключений в journalctl. Заменено на type(exc).__name__ — только тип ошибки, без URL. Refs: #1303, #1309, #1283 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 10:55:34 +02:00
Gros Frumos	5401363ea9	kin: BATON-FIX-013 CORS allow_methods: добавить GET для /health эндпоинтов	2026-03-21 09:37:57 +02:00
Gros Frumos	c7661d7c1e	Merge branch 'BATON-008-backend_dev'	2026-03-21 09:34:21 +02:00
Gros Frumos	fde7f57a7a	kin: BATON-008-backend_dev	2026-03-21 09:34:21 +02:00
Gros Frumos	35eef641fd	Merge branch 'BATON-FIX-013-backend_dev'	2026-03-21 09:34:18 +02:00
Gros Frumos	283ff61dc5	fix: sync allow_methods с main — добавить HEAD и OPTIONS	2026-03-21 09:33:53 +02:00
Gros Frumos	6d5d84a882	fix: CORS allow_methods добавить GET для /health эндпоинтов CORSMiddleware: allow_methods=['POST'] → ['GET', 'POST'] Позволяет браузерам делать GET-запросы к /health и /api/health без CORS-блокировки. BATON-FIX-013	2026-03-21 09:33:09 +02:00