7 Commits

Author SHA1 Message Date
Jack Levy
d6ebbf75d0 security: brute-force protection on auth endpoints (v1.1.0)
- Nginx rate limit: 20 req/min per IP on /api/auth/login and /register
- slowapi rate limit: 10/min on login, 5/hour on register (Redis-backed)
- Real client IP extracted from X-Forwarded-For for accurate per-IP limiting

Authored by: Jack Levy
2026-03-15 18:07:53 -04:00
Jack Levy
47bc8babc2 fix: remove debug fwd field from nginx log format
Authored by: Jack Levy
2026-03-15 17:50:00 -04:00
Jack Levy
63b95b4dcd debug: log X-Forwarded-For header explicitly to diagnose NPM passthrough
Authored by: Jack Levy
2026-03-15 17:47:10 -04:00
Jack Levy
5952443cc6 feat: Nginx real IP extraction and access logging
Trust NPM proxy subnets, extract real client IP from X-Forwarded-For,
log with referrer and user agent.

Authored by: Jack Levy
2026-03-15 17:42:13 -04:00
Jack Levy
73881b2404 feat(notifications): follow modes, milestone alerts, notification enhancements
Follow Modes (neutral / pocket_veto / pocket_boost):
- Alembic migration 0013 adds follow_mode column to follows table
- FollowButton rewritten as mode-aware dropdown for bills; simple toggle for members/topics
- PATCH /api/follows/{id}/mode endpoint with validation
- Dispatcher filters pocket_veto follows (suppress new_document/new_amendment events)
- Dispatcher adds ntfy Actions header for pocket_boost follows

Change-driven (milestone) Alerts:
- New notification_utils.py with shared emit helpers and 30-min dedup
- congress_poller emits bill_updated events on milestone action text
- llm_processor replaced with shared emit util (also notifies member/topic followers)

Notification Enhancements:
- ntfy priority levels (high for bill_updated, default for others)
- Quiet hours (UTC): dispatcher holds events outside allowed window
- Digest mode (daily/weekly): send_notification_digest Celery beat task
- Notification history endpoint + Recent Alerts UI section
- Enriched following page (bill titles, member photos/details via sub-components)
- Follow mode test buttons in admin settings panel

Infrastructure:
- nginx: switch upstream blocks to set $variable proxy_pass so Docker DNS
  re-resolves upstream IPs after container rebuilds (valid=10s)
- TROUBLESHOOTING.md documenting common Docker/nginx/postgres gotchas

Authored-By: Jack Levy
2026-03-01 15:09:13 -05:00
Jack Levy
e91e202eb4 fix(nginx): add Docker DNS resolver to prevent stale upstream IPs
Without resolver 127.0.0.11, nginx caches upstream IPs at startup and
returns 502 after container restarts until manually reloaded.

Authored-By: Jack Levy
2026-02-28 22:51:46 -05:00
Jack Levy
e418dd9ae0 Initial commit
2026-02-28 21:08:19 -05:00