Extract CORS/auth/secret helpers into digest.web.security #12
Merged
Continue breaking up src/digest/web/app.py by moving the CORS, API-auth, and secret-redaction helpers and their configuration constants into a focused digest.web.security module (following the feedback/schedule/run_progress/sources pattern).

- New digest.web.security holds the seven config constants and nine helpers (_cors_allowed_origins, _cors_allow_origin_regex, _web_api_auth_mode, _web_api_token, _web_api_token_header, _api_auth_decision, _is_secret_key, _redact_secrets, _rehydrate_redacted_value)
- app.py re-imports the eight route-facing helpers; _is_secret_key and the non-route constants stay internal
- os/re/hmac are no longer imported in app.py (all uses lived in the cluster)
- test_web_security/test_web_cors import the security symbols from their new owner module
- Relocate the allowlisted detect-secrets finding (REDACTED_SECRET) in the baseline from app.py to security.py (same secret, no new finding)

app.py drops from 1875 to 1751 lines; no behavior change. ruff/bandit/detect-secrets clean and all 254 backend tests pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01GRvYFEnkge3dkDJRMmBTyh
Final planned app.py extraction (after #9, #10, #11).

Change

Move the CORS, API-auth, and secret-redaction helpers + their config constants from web/app.py into a new digest.web.security module:

- constants (DEFAULT_WEB_CORS_ORIGINS, DEFAULT_WEB_CORS_ORIGIN_REGEX, DEFAULT_WEB_API_AUTH_MODE, DEFAULT_WEB_API_TOKEN_HEADER, ALLOWED_WEB_API_AUTH_MODES, REDACTED_SECRET, SECRET_KEY_RE) and functions (_cors_allowed_origins, _cors_allow_origin_regex, _web_api_auth_mode, _web_api_token, _web_api_token_header, _api_auth_decision, _is_secret_key, _redact_secrets, _rehydrate_redacted_value).
- app.py re-imports the eight route-facing helpers (CORS + auth middleware); _is_secret_key and the non-route constants stay internal to the new module.
- os, re, and hmac are no longer imported in app.py — all their uses lived in the moved cluster.
- test_web_security / test_web_cors import the security symbols from digest.web.security (their new owner).
- Relocate the allowlisted detect-secrets finding (REDACTED_SECRET) in .secrets.baseline from app.py to security.py — same secret, no new finding.
- web/app.py: 1875 → 1751 LOC.

Cumulative (session)

web/app.py: 2589 → 1751 LOC (−838, −32%) via four focused, re-exporting modules — schedule, run_progress, sources, security — each verbatim, no behavior change.

Verification (mirrors CI)

ruff check src tests: clean; bandit clean; detect-secrets clean

🤖 Generated with Claude Code
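As an added illustration only (not the project's code, whose implementations are not shown on this PR page), here is one plausible shape for the redaction, rehydration and token-check helpers named above; the regex, placeholder, dict layout and auth-mode strings are all constructed assumptions.

```python
import hmac
import re
from typing import Any, Dict, Optional

# Constructed values: the real module's REDACTED_SECRET and SECRET_KEY_RE are not on the page.
REDACTED_SECRET = "********"  # placeholder returned to clients instead of a stored secret
SECRET_KEY_RE = re.compile(r"(token|secret|password|api[_-]?key)", re.IGNORECASE)


def _is_secret_key(key: str) -> bool:
    """True when a settings key looks like it holds a credential."""
    return bool(SECRET_KEY_RE.search(key))


def _redact_secrets(settings: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with every non-empty secret-looking value replaced by the placeholder.

    Nested dicts are walked so that e.g. {"smtp": {"password": ...}} is covered too.
    """
    out: Dict[str, Any] = {}
    for key, value in settings.items():
        if isinstance(value, dict):
            out[key] = _redact_secrets(value)
        elif _is_secret_key(key) and value not in (None, ""):
            out[key] = REDACTED_SECRET
        else:
            out[key] = value
    return out


def _rehydrate_redacted_value(key: str, submitted: Any, stored: Any) -> Any:
    """When a client round-trips the placeholder, keep the stored secret.

    Only secret keys are rehydrated, so a literal "********" typed into a
    non-secret field is preserved exactly as submitted.
    """
    if _is_secret_key(key) and submitted == REDACTED_SECRET:
        return stored
    return submitted


def _api_auth_decision(mode: str, expected_token: Optional[str], presented: Optional[str]) -> bool:
    """Token check for the API middleware: 'off' allows; 'token' requires a constant-time match."""
    if mode == "off":
        return True
    if mode != "token" or not expected_token or presented is None:
        return False
    # hmac.compare_digest avoids leaking the match length through timing.
    return hmac.compare_digest(expected_token.encode(), presented.encode())
```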