mirror of
https://github.com/we-promise/sure.git
synced 2026-04-07 14:31:25 +00:00
d88c2151cb
* Add REST API for holdings and trades (Discussion #905) - Trades: GET index (filter by account_id, account_ids, start_date, end_date), GET show, POST create (buy/sell with security_id or ticker), PATCH update, DELETE destroy. Create restricted to accounts that support trades (investment or crypto exchange). Uses existing Trade::CreateForm for creation. - Holdings: GET index (filter by account_id, account_ids, date, start_date, end_date, security_id), GET show. Read-only; scoped to family. - Auth: read scope for index/show; write scope for create/update/destroy. - Responses: JSON via jbuilder (trade: id, date, amount, qty, price, account, security, category; holding: id, date, qty, price, amount, account, security, avg_cost). Pagination for index endpoints (page, per_page). Co-authored-by: Cursor <cursoragent@cursor.com> * API v1 holdings & trades: validation, docs, specs - Holdings: validate date params, return 400 for invalid dates (parse_date!) - Trades: validate start_date/end_date, return 422 for invalid dates - Trades: accept buy/sell and inflow/outflow in update (trade_sell_from_type_or_nature?) - Trades view: nil guard for trade.security - Trades apply_filters: single join(:entry) when filtering - OpenAPI: add Trade/TradeCollection schemas, ErrorResponse.errors - Add spec/requests/api/v1/holdings_spec.rb and trades_spec.rb (rswag) - Regenerate docs/api/openapi.yaml Co-authored-by: Cursor <cursoragent@cursor.com> * CI: fix Brakeman and test rate-limit failures - Disable Rack::Attack in test (use existing enabled flag) so parallel API tests no longer hit 429 from shared api_ip throttle - Add Brakeman ignore for trades_controller trade_params mass-assignment (account_id/security_id validated in create/update) - Trades/holdings API and OpenAPI spec updates Co-authored-by: Cursor <cursoragent@cursor.com> * Trades: partial qty/price update fallback; fix PATCH OpenAPI schema - Fall back to existing trade qty/price when only one is supplied so sign normalisation and amount recalculation always run - OpenAPI: remove top-level qty, price, investment_activity_label, category_id from PATCH body; document entryable_attributes only Co-authored-by: Cursor <cursoragent@cursor.com> * Trades: fix update/DELETE OpenAPI and avoid sell-trade corruption - Only run qty/price normalisation when client sends qty or price; preserve existing trade direction when type/nature omitted - OpenAPI: remove duplicate PATCH path param; add 422 for PATCH; document DELETE 200 body (DeleteResponse) Co-authored-by: Cursor <cursoragent@cursor.com> * API: flat trade update params, align holdings errors, spec/OpenAPI fixes - Trades update: accept flat params (qty, price, type, etc.), build entryable_attributes in build_entry_params_for_update (match transactions) - Holdings: ArgumentError → 422 validation_failed; parse_date!(value, name) with safe message; extract render_validation_error, log_and_render_error - Specs: path id required (trades, holdings); trades delete 200 DeleteResponse; remove holdings 500; trades update body flat; holdings 422 invalid date - OpenAPI: PATCH trade request body flat Co-authored-by: Cursor <cursoragent@cursor.com> * OpenAPI: add 422 invalid date filter to holdings index Co-authored-by: Cursor <cursoragent@cursor.com> * API consistency and RSwag doc-only fixes - Trades: use render_validation_error in all 4 validation paths; safe_per_page_param case/when - Holdings: set_holding to family.holdings.find; price as Money.format in API; safe_per_page_param case/when - Swagger: Holding qty/price descriptions (Quantity of shares held, Formatted price per share) - RSwag: trades delete and valuations 201 use bare run_test! (documentation only, no expect) Co-authored-by: Cursor <cursoragent@cursor.com> * Fix index-vs-show visibility inconsistencies and preserve custom activity labels - Add account status filter to set_holding to match index behavior - Add visible scope to set_trade to match index behavior - Preserve existing investment_activity_label when updating qty/price Co-authored-by: Cursor <cursoragent@cursor.com> * Trades: clearer validation for non-numeric qty/price Return 'must be valid numbers' when qty or price is non-numeric (e.g. abc) instead of misleading 'must be present and positive'. Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: mkdev11 <jaysmth689+github@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com>
77 lines
2.4 KiB
Ruby
77 lines
2.4 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class Rack::Attack
|
|
# Enable Rack::Attack only in production and staging (disable in test/development to avoid rate-limit flakiness)
|
|
enabled = Rails.env.production? || Rails.env.staging?
|
|
self.enabled = enabled
|
|
|
|
# Throttle requests to the OAuth token endpoint
|
|
throttle("oauth/token", limit: 10, period: 1.minute) do |request|
|
|
request.ip if request.path == "/oauth/token"
|
|
end
|
|
|
|
# Throttle admin endpoints to prevent brute-force attacks
|
|
# More restrictive than general API limits since admin access is sensitive
|
|
throttle("admin/ip", limit: 10, period: 1.minute) do |request|
|
|
request.ip if request.path.start_with?("/admin/")
|
|
end
|
|
|
|
# Determine limits based on self-hosted mode
|
|
self_hosted = Rails.application.config.app_mode.self_hosted?
|
|
|
|
# Throttle API requests per access token
|
|
throttle("api/requests", limit: self_hosted ? 10_000 : 100, period: 1.hour) do |request|
|
|
if request.path.start_with?("/api/")
|
|
# Extract access token from Authorization header
|
|
auth_header = request.get_header("HTTP_AUTHORIZATION")
|
|
if auth_header&.start_with?("Bearer ")
|
|
token = auth_header.split(" ").last
|
|
"api_token:#{Digest::SHA256.hexdigest(token)}"
|
|
else
|
|
# Fall back to IP-based limiting for unauthenticated requests
|
|
"api_ip:#{request.ip}"
|
|
end
|
|
end
|
|
end
|
|
|
|
# More permissive throttling for API requests by IP (for development/testing)
|
|
throttle("api/ip", limit: self_hosted ? 20_000 : 200, period: 1.hour) do |request|
|
|
request.ip if request.path.start_with?("/api/")
|
|
end
|
|
|
|
# Block requests that appear to be malicious
|
|
blocklist("block malicious requests") do |request|
|
|
# Block requests with suspicious user agents
|
|
suspicious_user_agents = [
|
|
/sqlmap/i,
|
|
/nmap/i,
|
|
/nikto/i,
|
|
/masscan/i
|
|
]
|
|
|
|
user_agent = request.user_agent
|
|
suspicious_user_agents.any? { |pattern| user_agent =~ pattern } if user_agent
|
|
end
|
|
|
|
# Configure response for throttled requests
|
|
self.throttled_responder = lambda do |request|
|
|
[
|
|
429, # status
|
|
{
|
|
"Content-Type" => "application/json",
|
|
"Retry-After" => "60"
|
|
},
|
|
[ { error: "Rate limit exceeded. Try again later." }.to_json ]
|
|
]
|
|
end
|
|
|
|
# Configure response for blocked requests
|
|
self.blocklisted_responder = lambda do |request|
|
|
[
|
|
403, # status
|
|
{ "Content-Type" => "application/json" },
|
|
[ { error: "Request blocked." }.to_json ]
|
|
]
|
|
end
|
|
end
|