Complete Phase 3, Phase 5 polish and hardening

Phase 3 — Investments: - Multi-currency support: holdings track purchase currency, FX rates convert to base for totals - Capital gains report using UK Section 104 pool method, grouped by tax year - Capital Gains tab added to Reports page Phase 5 — Polish & Hardening: - Mobile-responsive layout: bottom nav, sidebar hidden on mobile, logo in TopBar, compact header buttons, hover-only actions now always visible on touch - Backup system: encrypted GPG backups via backup.sh, nightly scheduler job, admin API (list/trigger/download/restore), Settings UI with drag-to-restore confirmation - Docker entrypoint with gosu privilege drop to fix bind-mount ownership on fresh deployments - OWASP fixes: refresh token now bound to its session (new refresh_token_hash column + migration), CSRF secure flag tied to environment, IP-level rate limiting on login, TOTPEnableRequest Pydantic schema replaces raw dict - AES-256-GCM key rotation script (rotate_keys.py) with dry-run mode and atomic DB transaction - CLAUDE.md added for AI-assisted development context - README updated: correct reverse proxy port, accurate backup/restore commands, key rotation instructions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-22 14:59:11 +00:00 · 2026-04-22 14:59:11 +00:00 · fe4e69b9ad
commit fe4e69b9ad
parent 74e57a35c0
40 changed files with 2079 additions and 127 deletions
--- a/backend/app/core/middleware.py
+++ b/backend/app/core/middleware.py
@ -7,6 +7,8 @@ from fastapi import Request, Response
 from starlette.middleware.base import BaseHTTPMiddleware
 from starlette.responses import JSONResponse

+from app.config import get_settings
+
 SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

 SECURITY_HEADERS = {
@ -55,7 +57,7 @@ class CSRFMiddleware(BaseHTTPMiddleware):
                    "csrf_token", token,
                    httponly=False,   # must be readable by JS
                    samesite="lax",
-                    secure=False,     # set True if TLS is terminated at this service
+                    secure=not get_settings().is_development,
                )
            return response

@ -63,7 +65,7 @@ class CSRFMiddleware(BaseHTTPMiddleware):
            response = await call_next(request)
            if not existing_csrf:
                token = str(uuid.uuid4())
-                response.set_cookie("csrf_token", token, httponly=False, samesite="lax", secure=False)
+                response.set_cookie("csrf_token", token, httponly=False, samesite="lax", secure=not get_settings().is_development)
            return response

        if request.url.path in {"/api/v1/auth/login", "/api/v1/auth/login/totp"}: