feat(api): pin response_model on dict-returning mutation routes
Every mutation route that returned an untyped dict now declares
response_model at the decorator. MessageResponse covers the eight
{"message": ...} envelopes (change-password, mutate-decky, mutate-
interval, update-deployment-limit, update-global-mutation-interval,
delete-user, update-user-role, reset-user-password). Purpose-built
models cover the richer shapes (DeployResponse for /deckies/deploy,
PurgeResponse for /config/reinit, ReapReportResponse for /reap-orphans,
UserResponse for /config/users). 204-No-Content and Response/
ORJSONResponse routes stay as-is.
The wire shape for clients is unchanged — the envelopes already only
shipped a message field. What changes is that a handler which
accidentally returns a richer dict (e.g. a full user row including
password_hash) would be silently stripped to the declared fields at
serialization time.
Also flips F4/D "expensive LIKE" to accepted (new DA-09) — the /logs
and /attackers search routes LIKE-scan unbounded columns, but both are
admin-gated, limit-capped, and operator rate-limit scope per DA-04.
FTS5 stays a performance TODO, not a security blocker.
This commit is contained in:
@@ -8,8 +8,9 @@ from decnet.web.dependencies import require_admin, invalidate_user_cache, repo
|
||||
from decnet.web.router.config.api_get_config import invalidate_list_users_cache
|
||||
from decnet.web.db.models import (
|
||||
CreateUserRequest,
|
||||
UpdateUserRoleRequest,
|
||||
MessageResponse,
|
||||
ResetUserPasswordRequest,
|
||||
UpdateUserRoleRequest,
|
||||
UserResponse,
|
||||
)
|
||||
|
||||
@@ -19,6 +20,7 @@ router = APIRouter()
|
||||
@router.post(
|
||||
"/config/users",
|
||||
tags=["Configuration"],
|
||||
response_model=UserResponse,
|
||||
responses={
|
||||
400: {"description": "Bad Request (e.g. malformed JSON)"},
|
||||
401: {"description": "Could not validate credentials"},
|
||||
@@ -56,6 +58,7 @@ async def api_create_user(
|
||||
@router.delete(
|
||||
"/config/users/{user_uuid}",
|
||||
tags=["Configuration"],
|
||||
response_model=MessageResponse,
|
||||
responses={
|
||||
401: {"description": "Could not validate credentials"},
|
||||
403: {"description": "Admin access required / cannot delete self"},
|
||||
@@ -81,6 +84,7 @@ async def api_delete_user(
|
||||
@router.put(
|
||||
"/config/users/{user_uuid}/role",
|
||||
tags=["Configuration"],
|
||||
response_model=MessageResponse,
|
||||
responses={
|
||||
400: {"description": "Bad Request (e.g. malformed JSON)"},
|
||||
401: {"description": "Could not validate credentials"},
|
||||
@@ -111,6 +115,7 @@ async def api_update_user_role(
|
||||
@router.put(
|
||||
"/config/users/{user_uuid}/reset-password",
|
||||
tags=["Configuration"],
|
||||
response_model=MessageResponse,
|
||||
responses={
|
||||
400: {"description": "Bad Request (e.g. malformed JSON)"},
|
||||
401: {"description": "Could not validate credentials"},
|
||||
|
||||
Reference in New Issue
Block a user