feat: Enhance task access control and session management

- Implemented API and web task access assertions in the task status polling endpoint. - Added functions to remember and check task access in user sessions. - Updated task status tests to validate access control based on session data. - Enhanced download route tests to ensure proper access checks. - Improved SEO metadata handling with dynamic social preview images. - Updated sitemap generation to include blog posts and new tools. - Added a social preview SVG for better sharing on social media platforms.
2026-03-17 21:19:23 +02:00
parent ff5bd19335
commit 3f24a7ea3e
17 changed files with 384 additions and 75 deletions
--- a/backend/app/routes/download.py
+++ b/backend/app/routes/download.py
@@ -3,6 +3,14 @@ import os

 from flask import Blueprint, send_file, abort, request, current_app

+from app.services.policy_service import (
+    PolicyError,
+    assert_api_task_access,
+    assert_web_task_access,
+    resolve_api_actor,
+    resolve_web_actor,
+)
+
 download_bp = Blueprint("download", __name__)


@@ -20,6 +28,16 @@ def download_file(task_id: str, filename: str):
    if ".." in filename or "/" in filename or "\\" in filename:
        abort(400, "Invalid filename.")

+    try:
+        if request.headers.get("X-API-Key", "").strip():
+            actor = resolve_api_actor()
+            assert_api_task_access(actor, task_id)
+        else:
+            actor = resolve_web_actor()
+            assert_web_task_access(actor, task_id)
+    except PolicyError as exc:
+        abort(exc.status_code, exc.message)
+
    output_dir = current_app.config["OUTPUT_FOLDER"]
    file_path = os.path.join(output_dir, task_id, filename)

--- a/backend/app/routes/tasks.py
+++ b/backend/app/routes/tasks.py
@@ -1,9 +1,16 @@
 """Task status polling endpoint."""
-from flask import Blueprint, jsonify
+from flask import Blueprint, jsonify, request
 from celery.result import AsyncResult

 from app.extensions import celery
 from app.middleware.rate_limiter import limiter
+from app.services.policy_service import (
+    PolicyError,
+    assert_api_task_access,
+    assert_web_task_access,
+    resolve_api_actor,
+    resolve_web_actor,
+)

 tasks_bp = Blueprint("tasks", __name__)

@@ -17,6 +24,16 @@ def get_task_status(task_id: str):
    Returns:
        JSON with task state and result (if completed)
    """
+    try:
+        if request.headers.get("X-API-Key", "").strip():
+            actor = resolve_api_actor()
+            assert_api_task_access(actor, task_id)
+        else:
+            actor = resolve_web_actor()
+            assert_web_task_access(actor, task_id)
+    except PolicyError as exc:
+        return jsonify({"error": exc.message}), exc.status_code
+
    result = AsyncResult(task_id, app=celery)

    response = {