Eliminate all 103 errors and 96 warnings from the architecture validator

Phase 1 - Validator rules & YAML:
- Add NAM-001/NAM-002 exceptions for module-scoped router/service files
- Fix API-004 to detect # public comments on decorator lines
- Add module-specific exception bases to EXC-004 valid_bases
- Exclude storefront files from AUTH-004 store context check
- Add SVC-006 exceptions for loyalty service atomic commits
- Fix _get_rule() to search naming_rules and auth_rules categories
- Use plain # CODE comments instead of # noqa: CODE for custom rules

Phase 2 - Billing module (5 route files):
- Move _resolve_store_to_merchant to subscription_service
- Move tier/feature queries to feature_service, admin_subscription_service
- Extract 22 inline Pydantic schemas to billing/schemas/billing.py
- Replace all HTTPException with domain exceptions

Phase 3 - Loyalty module (4 routes + points_service):
- Add 7 domain exceptions (Apple auth, enrollment, device registration)
- Add service methods to card_service, program_service, apple_wallet_service
- Move all db.query() from routes to service layer
- Fix SVC-001: replace HTTPException in points_service with domain exception

Phase 4 - Remaining modules:
- tenancy: move store stats queries to admin_service
- cms: move platform resolution to content_page_service, add NoPlatformSubscriptionException
- messaging: move user/customer lookups to messaging_service
- Add ConfigDict(from_attributes=True) to ContentPageResponse

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
176 lines
6.4 KiB
YAML
# Architecture Rules - Authentication & Authorization Rules
# Rules for auth patterns and multi-tenancy

auth_rules:

  - id: "AUTH-001"
    name: "Use JWT tokens in Authorization header"
    severity: "error"
    description: |
      Authentication must use JWT tokens in Authorization: Bearer header
    pattern:
      file_pattern:
        - "app/api/**/*.py"
        - "app/modules/*/routes/api/**/*.py"
      enforcement: "middleware"

  - id: "AUTH-002"
    name: "Role-based access control with Depends"
    severity: "error"
    description: |
      Use Depends(get_current_admin/vendor/customer) for role checks
    pattern:
      file_pattern:
        - "app/api/v1/**/*.py"
        - "app/modules/*/routes/api/**/*.py"
      required: "Depends\\(get_current_"

  - id: "AUTH-003"
    name: "Never store plain passwords"
    severity: "error"
    description: |
      Always hash passwords with bcrypt before storing
    pattern:
      file_pattern: "app/services/auth_service.py"
      required: "bcrypt"

  - id: "AUTH-004"
    name: "Vendor context pattern - use appropriate dependency for endpoint type"
    severity: "error"
    description: |
      Two vendor context patterns exist - use the appropriate one:

      1. STOREFRONT ENDPOINTS (public, no authentication required):
         - Use: vendor: Vendor = Depends(require_vendor_context())
         - Vendor is detected from URL/subdomain/domain
         - File pattern: app/api/v1/storefront/**/*.py, app/modules/*/routes/api/storefront*.py
         - Mark as public with: # public

      2. VENDOR API ENDPOINTS (authenticated):
         - Use: current_user.token_vendor_id from JWT token
         - Or use permission dependencies: require_vendor_permission(), require_vendor_owner
         - These dependencies get vendor from token and set request.state.vendor
         - File pattern: app/api/v1/vendor/**/*.py

      DEPRECATED for vendor APIs:
        - require_vendor_context() - only for storefront endpoints
        - getattr(request.state, "vendor", None) without permission dependency

      See: docs/backend/vendor-in-token-architecture.md
    pattern:
      file_pattern:
        - "app/api/v1/vendor/**/*.py"
        - "app/modules/*/routes/api/store*.py"
      anti_patterns:
        - "require_vendor_context\\(\\)"
      file_pattern:
        - "app/api/v1/storefront/**/*.py"
        - "app/modules/*/routes/api/storefront*.py"
      required_patterns:
        - "require_vendor_context\\(\\)|# public"

  - id: "AUTH-005"
    name: "Routes must use UserContext, not User model attributes"
    severity: "error"
    description: |
      When using current_user from dependency injection, it is a UserContext
      (Pydantic schema), NOT a User (SQLAlchemy model). Do not access:

      FORBIDDEN (SQLAlchemy relationships/columns not in UserContext):
        - current_user.admin_platforms → Use accessible_platform_ids
        - current_user.vendors → Use token_vendor_id
        - current_user.owned_companies → Query via service
        - current_user.hashed_password → Never needed in routes
        - current_user.created_at → Query User if needed
        - current_user.updated_at → Query User if needed

      CORRECT ALTERNATIVES:
        - current_user.accessible_platform_ids # list[int] | None
        - current_user.token_platform_id # Selected platform from JWT
        - current_user.token_vendor_id # Vendor from JWT
        - current_user.is_super_admin # Boolean
        - current_user.can_access_platform(id) # Helper method

      See: docs/architecture/user-context-pattern.md
    pattern:
      file_pattern: "app/modules/*/routes/**/*.py"
      anti_patterns:
        - "current_user\\.admin_platforms"
        - "current_user\\.vendors"
        - "current_user\\.owned_companies"
        - "current_user\\.hashed_password"

  - id: "AUTH-006"
    name: "JWT token context fields must be defined in UserContext"
    severity: "error"
    description: |
      When adding new context to JWT tokens, ensure the field is:

      1. Added to UserContext schema (models/schema/auth.py)
      2. Extracted in verify_token() (middleware/auth.py)
      3. Attached to User in get_current_user() (middleware/auth.py)
      4. Copied in UserContext.from_user() method

      Pattern: token_* prefix for JWT-derived fields
        - token_platform_id, token_platform_code (admin platform context)
        - token_vendor_id, token_vendor_code, token_vendor_role (vendor context)

      If getattr(current_user, "token_X", None) is needed, the field is missing
      from UserContext and should be added.

      See: docs/architecture/user-context-pattern.md
    pattern:
      file_pattern: "app/modules/*/routes/**/*.py"
      anti_patterns:
        - "getattr\\(current_user,\\s*['\"]token_"

  - id: "AUTH-007"
    name: "Response models must match available UserContext data"
    severity: "error"
    description: |
      When returning user data from endpoints that use UserContext:

      1. Do NOT return LoginResponse(user=current_user) if LoginResponse.user
         expects UserResponse with created_at/updated_at

      2. Create dedicated response models for different contexts:
         - LoginResponse: Full user data (from login, has timestamps)
         - PlatformSelectResponse: Token + platform info (no user data)
         - TokenRefreshResponse: Just new token data

      3. If user timestamps are needed, query the User model explicitly

      See: docs/architecture/user-context-pattern.md
    pattern:
      file_pattern: "app/modules/*/routes/**/*.py"
      enforcement: "review"

# ============================================================================
# MULTI-TENANCY RULES
# ============================================================================

multi_tenancy_rules:

  - id: "MT-001"
    name: "All queries must be scoped to vendor_id"
    severity: "error"
    description: |
      In vendor/shop contexts, all database queries must filter by vendor_id
    pattern:
      file_pattern:
        - "app/services/**/*.py"
        - "app/modules/*/services/**/*.py"
      context: "vendor_shop"
      required_pattern: ".filter\\(.*vendor_id.*\\)"

  - id: "MT-002"
    name: "No cross-vendor data access"
    severity: "error"
    description: |
      Queries must never access data from other vendors
    pattern:
      file_pattern:
        - "app/services/**/*.py"
        - "app/modules/*/services/**/*.py"
      enforcement: "database_query_level"