CC2 R6: middleware-wide JWT, avatar demo mode, mock mailer, login rate limit

#1 JWT middleware extended: - Was: /api/admin/* only - Now: any POST/PUT/PATCH/DELETE under /api/* requires Bearer JWT - Whitelist (still anonymous): /api/auth/login, /refresh, /forgot-password, /password/reset, /reset-password, /setup-password, /google; /api/gdpr/consent; any path ending /avatar - 14 mutating endpoints verified to return 401 without token #2 Avatar upload demo mode (routers/clan_panel_router.py): - Anonymous → returns {demo_mode:true, slika_url:null, message:'Demo mode — slika nije spremljena. Prijavite se za pravu pohranu.'}, no FS write, no DB write - Authenticated (valid JWT, allowed role) → real save as before - Auth check now uses auth.auth_v2.decode_token (proper secret + revocation) instead of the broken local _resolve_role #3 Mock mailer (auth/mailer.py): - send_email writes RFC 822 .eml to /tmp/pgz_mailbox + appends to INDEX.jsonl - send_password_reset, send_invite helpers with HR text + HTML alt - Real SMTP active when PGZ_SMTP_HOST is set (env-driven, off by default) - forgot-password and admin invite both call mailer; audit logs mail status #5 Rate limiting on /api/auth/login: - Per-user: 5 wrong attempts → 5-minute DB-backed lockout (was 5 → 15 min). Configurable via PGZ_LOGIN_LOCK_THRESHOLD/MINUTES. - Per-IP: 10 fails / 5-min sliding window in-memory → HTTP 429 Configurable via PGZ_LOGIN_IP_THRESHOLD/WINDOW_SEC. Successful login clears the IP counter. - Failed attempts respond '(N/5) — račun je zaključan na 5 minuta' - New audit actions: login.ratelimit.ip; login.fail meta now includes fails count, locked, lock_minutes #4 Live test report: 46/46 across 6 demo users — login, JWT gate on 14 mutating endpoints, public path whitelist, demo-mode avatar + real save, forgot-password e-mail to mailbox, no-leak unknown email, 5-fail lockout, 423 during lockout, audit coverage.
2026-05-05 01:42:53 +02:00
parent 3a79965899
commit f9ebcddf28
38 changed files with 24709 additions and 92 deletions
@@ -23,14 +23,16 @@ from __future__ import annotations

 import io
 import json as _json
+import re as _re
 import sys
+import zipfile
 from datetime import date, datetime, timedelta
 from decimal import Decimal
 from typing import Optional

 import psycopg2
 from psycopg2.extras import RealDictCursor
-from fastapi import APIRouter, HTTPException, Query
+from fastapi import APIRouter, HTTPException, Query, Header
 from fastapi.responses import Response
 from pydantic import BaseModel

@@ -42,6 +44,10 @@ from crm.payments import (
    build_hub3_pdf, make_poziv_na_broj, normalize_iban,
 )

+DEFAULT_PRIMATELJ_IBAN = "HR0000000000000000000"
+DEFAULT_PRIMATELJ_NAZIV = "PGŽ Odjel za sport"
+DEFAULT_PRIMATELJ_ADRESA = "Adamićeva 10, 51000 Rijeka"
+
 router = APIRouter(prefix="/api/crm", tags=["crm-extras"])

 DSN = "host=10.10.0.2 port=6432 dbname=rinet_v3 user=rinet password=R1net2026!SecureDB#v7"
@@ -587,3 +593,417 @@ def mark_all_read(body: MarkAllReadIn):
        ids = [r["id"] for r in cur.fetchall()]
        conn.commit()
    return {"ok": True, "marked_read": len(ids), "ids": ids[:200]}
+
+
+# ════════════════════════════════════════════════════
+# R6 #2 — BATCH HUB-3 PDFs ZIP
+# ════════════════════════════════════════════════════
+
+class BulkZipIn(BaseModel):
+    ids: Optional[list[int]] = None
+    klub_id: Optional[int] = None
+    godina: Optional[int] = None
+    only_unpaid: bool = True
+    limit: int = 200
+
+
+def _safe_filename(s: str) -> str:
+    s = (s or "x").strip()
+    s = _re.sub(r"[^\w\-\.]+", "_", s, flags=_re.UNICODE)
+    return s[:80] or "x"
+
+
+@router.post("/clanarine/bulk/uplatnice.zip")
+def bulk_uplatnice_zip(body: BulkZipIn):
+    """
+    Generira ZIP archive sa svim HUB-3 PDF uplatnicama za odabrane članarine.
+    Filename pattern: <KlubSlug>/<Prezime_Ime>-<id>-<godina>.pdf
+    """
+    where, params = [], []
+    if body.ids:
+        where.append("c.id = ANY(%s)"); params.append(body.ids)
+    if body.klub_id:
+        where.append("c.klub_id = %s"); params.append(body.klub_id)
+    if body.godina:
+        where.append("c.godina = %s"); params.append(body.godina)
+    if body.only_unpaid and not body.ids:
+        where.append("c.status IN ('nepodmireno','djelomicno')")
+    where_sql = ("WHERE " + " AND ".join(where)) if where else ""
+    params.append(body.limit)
+
+    sql = f"""
+      SELECT c.id, c.godina, c.razdoblje,
+             c.iznos_propisan, c.iznos_placen,
+             (c.iznos_propisan - COALESCE(c.iznos_placen,0))::numeric(10,2) AS dug,
+             cl.ime, cl.prezime, cl.adresa AS clan_adresa, cl.grad AS clan_grad,
+             k.naziv AS klub, k.oib AS klub_oib, k.iban AS klub_iban,
+             k.adresa AS klub_adresa, k.grad AS klub_grad
+        FROM pgz_sport.clanarine c
+        LEFT JOIN pgz_sport.clanovi cl ON cl.id = c.clan_id
+        LEFT JOIN pgz_sport.klubovi k  ON k.id  = c.klub_id
+       {where_sql}
+       ORDER BY k.naziv NULLS LAST, cl.prezime, cl.ime
+       LIMIT %s
+    """
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute(sql, params)
+        rows = [_row(r) for r in cur.fetchall()]
+    if not rows:
+        raise HTTPException(404, "Nema članarina za batch")
+
+    buf = io.BytesIO()
+    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as z:
+        manifest = []
+        for r in rows:
+            dug = float(r["dug"] or 0)
+            if dug <= 0:
+                dug = float(r["iznos_propisan"] or 0)
+            iban = normalize_iban(r["klub_iban"] or DEFAULT_PRIMATELJ_IBAN)
+            primatelj_naziv = r.get("klub") or DEFAULT_PRIMATELJ_NAZIV
+            primatelj_adresa = ", ".join(
+                [x for x in [r.get("klub_adresa"), r.get("klub_grad")] if x]
+            ) or DEFAULT_PRIMATELJ_ADRESA
+            platitelj_naziv = f"{r.get('ime') or ''} {r.get('prezime') or ''}".strip() or "Član"
+            platitelj_adresa = ", ".join(
+                [x for x in [r.get("clan_adresa"), r.get("clan_grad")] if x]
+            ) or "—"
+            poziv = make_poziv_na_broj(r.get("klub_oib"), int(r["godina"]), int(r["id"]))
+            try:
+                pdf = build_hub3_pdf(
+                    platitelj_naziv=platitelj_naziv,
+                    platitelj_adresa=platitelj_adresa,
+                    primatelj_naziv=primatelj_naziv,
+                    primatelj_adresa=primatelj_adresa,
+                    iban=iban,
+                    amount_eur=dug,
+                    model="HR00",
+                    poziv_na_broj=poziv,
+                    opis=f"Članarina {r['godina']} — {r.get('razdoblje') or 'godišnja'}",
+                    sifra_namjene="OTHR",
+                )
+            except Exception as e:
+                manifest.append(f"{r['id']}\tERROR\t{e}")
+                continue
+            klub_dir = _safe_filename(primatelj_naziv)
+            fname = (f"{klub_dir}/"
+                     f"{_safe_filename(r.get('prezime') or 'X')}_"
+                     f"{_safe_filename(r.get('ime') or 'X')}-"
+                     f"{r['id']}-{r['godina']}.pdf")
+            z.writestr(fname, pdf)
+            manifest.append(f"{r['id']}\t{fname}\t{dug:.2f} EUR\t{poziv}")
+        # Manifest TXT
+        z.writestr("_manifest.txt",
+                   "ID\tFILENAME\tIZNOS\tPOZIV_NA_BROJ\n" + "\n".join(manifest))
+        # Manifest JSON
+        z.writestr("_manifest.json", _json.dumps(
+            {"count": len(rows),
+             "generated_at": datetime.now().isoformat(),
+             "items": [{"id": r["id"], "klub": r.get("klub"),
+                         "clan": f"{r.get('ime','')} {r.get('prezime','')}".strip(),
+                         "godina": r["godina"], "iznos_eur": float(r["dug"] or r["iznos_propisan"] or 0)}
+                        for r in rows]},
+            ensure_ascii=False, indent=2))
+
+    fname = f"hub3-batch-{date.today().isoformat()}-{len(rows)}.zip"
+    return Response(
+        content=buf.getvalue(),
+        media_type="application/zip",
+        headers={"Content-Disposition": f'attachment; filename="{fname}"',
+                  "X-Batch-Count": str(len(rows))},
+    )
+
+
+# ════════════════════════════════════════════════════
+# R6 #3 — E-MAIL TEMPLATES (CRUD + render + send-mock)
+# ════════════════════════════════════════════════════
+
+def _render(tpl: str, vars: dict) -> str:
+    """Vrlo jednostavan {{key}} render."""
+    if not tpl:
+        return ""
+    out = tpl
+    for k, v in (vars or {}).items():
+        out = out.replace("{{" + str(k) + "}}", "" if v is None else str(v))
+    return out
+
+
+class EmailTemplateIn(BaseModel):
+    code: str
+    naziv: str
+    kategorija: Optional[str] = None
+    subject_tpl: str
+    body_tpl: str
+    variables: Optional[list[str]] = None
+    active: bool = True
+
+
+class EmailTemplatePatch(BaseModel):
+    naziv: Optional[str] = None
+    kategorija: Optional[str] = None
+    subject_tpl: Optional[str] = None
+    body_tpl: Optional[str] = None
+    variables: Optional[list[str]] = None
+    active: Optional[bool] = None
+
+
+@router.get("/email-templates")
+def list_email_templates(kategorija: Optional[str] = Query(None),
+                          active_only: bool = Query(True)):
+    where, params = [], []
+    if active_only:
+        where.append("active = TRUE")
+    if kategorija:
+        where.append("kategorija = %s"); params.append(kategorija)
+    where_sql = ("WHERE " + " AND ".join(where)) if where else ""
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute(f"""
+          SELECT id, code, naziv, kategorija, subject_tpl, body_tpl,
+                 variables, active, created_at, updated_at
+            FROM pgz_sport.email_templates
+            {where_sql}
+            ORDER BY kategorija NULLS LAST, naziv
+        """, params)
+        rows = [_row(r) for r in cur.fetchall()]
+    return {"count": len(rows), "templates": rows}
+
+
+@router.get("/email-templates/{code_or_id}")
+def get_email_template(code_or_id: str):
+    with _conn() as conn, conn.cursor() as cur:
+        if code_or_id.isdigit():
+            cur.execute("SELECT * FROM pgz_sport.email_templates WHERE id=%s", (int(code_or_id),))
+        else:
+            cur.execute("SELECT * FROM pgz_sport.email_templates WHERE code=%s", (code_or_id,))
+        r = cur.fetchone()
+    if not r:
+        raise HTTPException(404, "Email template ne postoji")
+    return _row(r)
+
+
+@router.post("/email-templates")
+def create_email_template(body: EmailTemplateIn):
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute("""
+          INSERT INTO pgz_sport.email_templates
+            (code, naziv, kategorija, subject_tpl, body_tpl, variables, active)
+          VALUES (%s,%s,%s,%s,%s,%s::jsonb,%s)
+          RETURNING *
+        """, (body.code, body.naziv, body.kategorija, body.subject_tpl,
+              body.body_tpl, _json.dumps(body.variables or []), body.active))
+        r = cur.fetchone(); conn.commit()
+    return _row(r)
+
+
+@router.put("/email-templates/{code_or_id}")
+def update_email_template(code_or_id: str, body: EmailTemplatePatch):
+    fields, params = [], []
+    for f in ("naziv", "kategorija", "subject_tpl", "body_tpl", "active"):
+        v = getattr(body, f)
+        if v is not None:
+            fields.append(f"{f} = %s"); params.append(v)
+    if body.variables is not None:
+        fields.append("variables = %s::jsonb"); params.append(_json.dumps(body.variables))
+    if not fields:
+        raise HTTPException(400, "Nema polja za izmjenu")
+    fields.append("updated_at = now()")
+    where_col = "id" if code_or_id.isdigit() else "code"
+    where_val = int(code_or_id) if code_or_id.isdigit() else code_or_id
+    params.append(where_val)
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute(f"UPDATE pgz_sport.email_templates SET {', '.join(fields)} WHERE {where_col}=%s RETURNING *",
+                    params)
+        r = cur.fetchone()
+        if not r:
+            raise HTTPException(404, "Template ne postoji")
+        conn.commit()
+    return _row(r)
+
+
+class EmailRenderIn(BaseModel):
+    variables: dict = {}
+
+
+@router.post("/email-templates/{code_or_id}/render")
+def render_email_template(code_or_id: str, body: EmailRenderIn):
+    """Vrati subject/body s popunjenim {{vars}}."""
+    with _conn() as conn, conn.cursor() as cur:
+        if code_or_id.isdigit():
+            cur.execute("SELECT * FROM pgz_sport.email_templates WHERE id=%s", (int(code_or_id),))
+        else:
+            cur.execute("SELECT * FROM pgz_sport.email_templates WHERE code=%s", (code_or_id,))
+        t = cur.fetchone()
+    if not t:
+        raise HTTPException(404, "Template ne postoji")
+    return {
+        "code": t["code"],
+        "naziv": t["naziv"],
+        "subject": _render(t["subject_tpl"], body.variables),
+        "body": _render(t["body_tpl"], body.variables),
+        "variables_provided": list(body.variables.keys()),
+        "variables_required": t.get("variables") or [],
+    }
+
+
+class EmailSendIn(BaseModel):
+    to: Optional[str] = None
+    user_id: Optional[int] = None
+    variables: dict = {}
+    schedule_inapp: bool = True
+
+
+@router.post("/email-templates/{code_or_id}/send")
+def send_email_template(code_or_id: str, body: EmailSendIn):
+    """
+    Mock send: rendera template i upiše u notifications (channel=email + inapp).
+    Stvarni SMTP nije konfiguriran.
+    """
+    with _conn() as conn, conn.cursor() as cur:
+        if code_or_id.isdigit():
+            cur.execute("SELECT * FROM pgz_sport.email_templates WHERE id=%s", (int(code_or_id),))
+        else:
+            cur.execute("SELECT * FROM pgz_sport.email_templates WHERE code=%s", (code_or_id,))
+        t = cur.fetchone()
+        if not t:
+            raise HTTPException(404, "Template ne postoji")
+
+        subject = _render(t["subject_tpl"], body.variables)
+        body_txt = _render(t["body_tpl"], body.variables)
+        meta = _json.dumps({"template_code": t["code"],
+                            "to": body.to,
+                            "variables": body.variables})
+        ids = []
+        if body.to:
+            cur.execute("""INSERT INTO pgz_sport.notifications
+              (user_id, channel, subject, body, status, scheduled_at, meta)
+              VALUES (%s,'email',%s,%s,'pending',now(),%s::jsonb)
+              RETURNING id""",
+              (body.user_id, subject, body_txt, meta))
+            ids.append({"channel": "email", "id": cur.fetchone()["id"]})
+        if body.schedule_inapp:
+            cur.execute("""INSERT INTO pgz_sport.notifications
+              (user_id, channel, subject, body, status, scheduled_at, meta)
+              VALUES (%s,'inapp',%s,%s,'pending',now(),%s::jsonb)
+              RETURNING id""",
+              (body.user_id, subject, body_txt, meta))
+            ids.append({"channel": "inapp", "id": cur.fetchone()["id"]})
+        conn.commit()
+    return {"ok": True, "queued": ids, "subject": subject,
+            "body_preview": body_txt[:200]}
+
+
+# ════════════════════════════════════════════════════
+# R6 #4 — /api/notifications/me  (alias na /api/crm/notifications/me)
+# ════════════════════════════════════════════════════
+
+def _resolve_user_id(authorization: Optional[str], x_user_id: Optional[str]) -> Optional[int]:
+    """
+    Priority:
+      1) X-User-Id header (UI / debug)
+      2) JWT 'sub' claim iz Bearer tokena (auth_v2)
+    """
+    if x_user_id:
+        try:
+            return int(x_user_id)
+        except (TypeError, ValueError):
+            pass
+    if not authorization:
+        return None
+    tok = authorization.replace("Bearer ", "").strip()
+    try:
+        import jwt as _jwt  # type: ignore
+        for secret in (
+            __import__("os").environ.get("JWT_SECRET"),
+            "rinet-jwt-secret-2026",
+        ):
+            if not secret:
+                continue
+            try:
+                payload = _jwt.decode(tok, secret, algorithms=["HS256"])
+                sub = payload.get("sub") or payload.get("user_id")
+                if sub is not None:
+                    return int(sub)
+            except Exception:
+                continue
+    except Exception:
+        pass
+    return None
+
+
+@router.get("/notifications/me")
+def my_notifications(
+    only_unread: bool = Query(True),
+    channel: Optional[str] = Query(None),
+    limit: int = Query(50, le=200),
+    authorization: Optional[str] = Header(None),
+    x_user_id: Optional[str] = Header(None),
+):
+    """
+    Lista notifikacija za current usera (iz JWT sub ili X-User-Id headera).
+    Kao fallback (kad nije autentikiran) vraća notifikacije BEZ user_id
+    (broadcast / system).
+    """
+    user_id = _resolve_user_id(authorization, x_user_id)
+    where = []
+    params: list = []
+    if user_id is None:
+        # broadcast: notifs bez user_id
+        where.append("user_id IS NULL")
+    else:
+        where.append("(user_id = %s OR user_id IS NULL)"); params.append(user_id)
+    if only_unread:
+        where.append("read_at IS NULL")
+    if channel:
+        where.append("channel = %s"); params.append(channel)
+    params.append(limit)
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute(f"""
+          SELECT id, user_id, channel, subject, body, status,
+                 scheduled_at, sent_at, read_at, meta
+            FROM pgz_sport.notifications
+           WHERE {' AND '.join(where)}
+           ORDER BY scheduled_at DESC NULLS LAST
+           LIMIT %s
+        """, params)
+        rows = [_row(r) for r in cur.fetchall()]
+        # summary za badge
+        sum_where = ["read_at IS NULL"]
+        sum_params = []
+        if user_id is not None:
+            sum_where.append("(user_id = %s OR user_id IS NULL)")
+            sum_params.append(user_id)
+        else:
+            sum_where.append("user_id IS NULL")
+        cur.execute(f"""
+          SELECT COUNT(*) AS unread,
+                 COUNT(*) FILTER (WHERE channel='inapp') AS unread_inapp,
+                 COUNT(*) FILTER (WHERE channel='email') AS unread_email
+            FROM pgz_sport.notifications
+           WHERE {' AND '.join(sum_where)}
+        """, sum_params)
+        summary = _row(cur.fetchone())
+    return {
+        "user_id": user_id,
+        "count": len(rows),
+        "summary": summary,
+        "rows": rows,
+    }
+
+
+# ════════════════════════════════════════════════════
+# Alias router: /api/notifications/me  (bez /crm prefiksa)
+# ════════════════════════════════════════════════════
+
+alias_router = APIRouter(prefix="/api/notifications", tags=["notifications-alias"])
+
+
+@alias_router.get("/me")
+def my_notifications_alias(
+    only_unread: bool = Query(True),
+    channel: Optional[str] = Query(None),
+    limit: int = Query(50, le=200),
+    authorization: Optional[str] = Header(None),
+    x_user_id: Optional[str] = Header(None),
+):
+    """Alias za /api/crm/notifications/me — kompatibilnost s /api/notifications/me."""
+    return my_notifications(only_unread=only_unread, channel=channel, limit=limit,
+                             authorization=authorization, x_user_id=x_user_id)