feat: v1.0.0 — UX polish, security hardening, code quality

UI/UX: - Bill detail page tab UI (Analysis / Timeline / Votes / Notes) - Topic tag pills on bill detail and listing pages — filtered to known topics, clickable, properly labelled via shared lib/topics.ts - Notes panel always-open in Notes tab; sign-in prompt for guests - Collapsible sidebar with icon-only mode and localStorage persistence - Bills page defaults to has-text filter enabled - Follow mode dropdown transparency fix - Favicon (Landmark icon, blue background) Security: - Fernet encryption for ntfy passwords at rest (app/core/crypto.py) - Separate ENCRYPTION_SECRET_KEY env var; falls back to JWT derivation - ntfy_password no longer returned in GET response — replaced with ntfy_password_set: bool; NotificationSettingsUpdate type for writes - JWT_SECRET_KEY fail-fast on startup if using default placeholder - get_optional_user catches (JWTError, ValueError) only, not Exception Bug fixes & code quality: - Dashboard N+1 topic query replaced with single OR query - notification_utils.py topic follower N+1 replaced with batch query - Note query in bill detail page gated on token (enabled: !!token) - search.py max_length=500 guard against oversized queries - CollectionCreate.validate_name wired up with @field_validator - LLM_RATE_LIMIT_RPM default raised from 10 to 50 Authored by: Jack Levy
2026-03-15 01:10:31 -04:00
parent 4308404cca
commit 9633b4dcb8
24 changed files with 591 additions and 296 deletions
--- a/backend/app/core/crypto.py
+++ b/backend/app/core/crypto.py
@@ -0,0 +1,44 @@
+"""Symmetric encryption for sensitive user prefs (e.g. ntfy password).
+
+Key priority:
+  1. ENCRYPTION_SECRET_KEY env var (recommended — dedicated key, easily rotatable)
+  2. Derived from JWT_SECRET_KEY (fallback for existing installs)
+
+Generate a dedicated key:
+  python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+"""
+import base64
+import hashlib
+
+from cryptography.fernet import Fernet
+
+_PREFIX = "enc:"
+_fernet_instance: Fernet | None = None
+
+
+def _fernet() -> Fernet:
+    global _fernet_instance
+    if _fernet_instance is None:
+        from app.config import settings
+        if settings.ENCRYPTION_SECRET_KEY:
+            # Use dedicated key directly (must be a valid 32-byte base64url key)
+            _fernet_instance = Fernet(settings.ENCRYPTION_SECRET_KEY.encode())
+        else:
+            # Fallback: derive from JWT secret
+            key_bytes = hashlib.sha256(settings.JWT_SECRET_KEY.encode()).digest()
+            _fernet_instance = Fernet(base64.urlsafe_b64encode(key_bytes))
+    return _fernet_instance
+
+
+def encrypt_secret(plaintext: str) -> str:
+    """Encrypt a string and return a prefixed ciphertext."""
+    if not plaintext:
+        return plaintext
+    return _PREFIX + _fernet().encrypt(plaintext.encode()).decode()
+
+
+def decrypt_secret(value: str) -> str:
+    """Decrypt a value produced by encrypt_secret. Returns plaintext as-is (legacy support)."""
+    if not value or not value.startswith(_PREFIX):
+        return value  # legacy plaintext — return unchanged
+    return _fernet().decrypt(value[len(_PREFIX):].encode()).decode()