Harden auth, redaction, upload size checks, and compose token requirements

2026-02-21 13:48:55 -03:00
parent 5792586a90
commit 3cbad053cc
21 changed files with 1168 additions and 85 deletions
--- a/backend/app/api/routes_settings.py
+++ b/backend/app/api/routes_settings.py
@@ -1,6 +1,6 @@
-"""API routes for managing persistent single-user application settings."""
+"""Admin-only API routes for managing persistent single-user application settings."""

-from fastapi import APIRouter
+from fastapi import APIRouter, HTTPException

 from app.schemas.settings import (
    AppSettingsUpdateRequest,
@@ -18,6 +18,7 @@ from app.schemas.settings import (
    UploadDefaultsResponse,
 )
 from app.services.app_settings import (
+    AppSettingsValidationError,
    TASK_OCR_HANDWRITING,
    TASK_ROUTING_CLASSIFICATION,
    TASK_SUMMARY_GENERATION,
@@ -179,16 +180,19 @@ def set_app_settings(payload: AppSettingsUpdateRequest) -> AppSettingsResponse:
    if payload.predefined_tags is not None:
        predefined_tags_payload = [item.model_dump(exclude_none=True) for item in payload.predefined_tags]

-    updated = update_app_settings(
-        providers=providers_payload,
-        tasks=tasks_payload,
-        upload_defaults=upload_defaults_payload,
-        display=display_payload,
-        processing_log_retention=processing_log_retention_payload,
-        handwriting_style=handwriting_style_payload,
-        predefined_paths=predefined_paths_payload,
-        predefined_tags=predefined_tags_payload,
-    )
+    try:
+        updated = update_app_settings(
+            providers=providers_payload,
+            tasks=tasks_payload,
+            upload_defaults=upload_defaults_payload,
+            display=display_payload,
+            processing_log_retention=processing_log_retention_payload,
+            handwriting_style=handwriting_style_payload,
+            predefined_paths=predefined_paths_payload,
+            predefined_tags=predefined_tags_payload,
+        )
+    except AppSettingsValidationError as error:
+        raise HTTPException(status_code=400, detail=str(error)) from error
    return _build_response(updated)


@@ -203,14 +207,17 @@ def reset_settings_to_defaults() -> AppSettingsResponse:
 def set_handwriting_settings(payload: HandwritingSettingsUpdateRequest) -> AppSettingsResponse:
    """Updates handwriting transcription settings and returns the resulting configuration."""

-    updated = update_handwriting_settings(
-        enabled=payload.enabled,
-        openai_base_url=payload.openai_base_url,
-        openai_model=payload.openai_model,
-        openai_timeout_seconds=payload.openai_timeout_seconds,
-        openai_api_key=payload.openai_api_key,
-        clear_openai_api_key=payload.clear_openai_api_key,
-    )
+    try:
+        updated = update_handwriting_settings(
+            enabled=payload.enabled,
+            openai_base_url=payload.openai_base_url,
+            openai_model=payload.openai_model,
+            openai_timeout_seconds=payload.openai_timeout_seconds,
+            openai_api_key=payload.openai_api_key,
+            clear_openai_api_key=payload.clear_openai_api_key,
+        )
+    except AppSettingsValidationError as error:
+        raise HTTPException(status_code=400, detail=str(error)) from error
    return _build_response(updated)