anti
df84981954
Every mutation route that returned an untyped dict now declares
response_model at the decorator. MessageResponse covers the eight
{"message": ...} envelopes (change-password, mutate-decky, mutate-
interval, update-deployment-limit, update-global-mutation-interval,
delete-user, update-user-role, reset-user-password). Purpose-built
models cover the richer shapes (DeployResponse for /deckies/deploy,
PurgeResponse for /config/reinit, ReapReportResponse for /reap-orphans,
UserResponse for /config/users). 204-No-Content and Response/
ORJSONResponse routes stay as-is.
The wire shape for clients is unchanged — the envelopes already only
shipped a message field. What changes is that a handler which
accidentally returns a richer dict (e.g. a full user row including
password_hash) would be silently stripped to the declared fields at
serialization time.
Also flips F4/D "expensive LIKE" to accepted (new DA-09) — the /logs
and /attackers search routes LIKE-scan unbounded columns, but both are
admin-gated, limit-capped, and operator rate-limit scope per DA-04.
FTS5 stays a performance TODO, not a security blocker.
16 lines
512 B
Python
16 lines
512 B
Python
"""Generic response shapes used across multiple router domains."""
|
|
from __future__ import annotations
|
|
|
|
from pydantic import BaseModel
|
|
|
|
|
|
class MessageResponse(BaseModel):
|
|
"""Standard envelope for mutations whose only payload is a status message.
|
|
|
|
Pinning the wire shape at the decorator (``response_model=MessageResponse``)
|
|
prevents a handler that accidentally returns a richer dict — e.g. a user
|
|
row with ``password_hash`` — from leaking extra fields to the client.
|
|
"""
|
|
|
|
message: str
|