dictia-public

Innova-AI/dictia-public

Fork 0

Commit Graph

Author	SHA1	Message	Date
Allison	3b324ad0b9	fix(auth): B-2.2 review fixes — Tailwind path + WCAG + race + flash + tests C-1: Add templates/register.html (and templates/auth/**) to tailwind.config.js content array so utility classes used by the signup template don't get purged on next build. Rebuilt static/css/marketing.css; verified text-brand-navy/90 and min-h-[calc(100vh-62px)] are now compiled. I-1: Replace flash() calls for missing required consents with WTForms field-level errors (form.consent_cgu.errors.append / form.consent_confidentialite .errors.append). Errors render inline next to each consent checkbox via {% if form.consent_cgu.errors %}<p role="alert">…</p>{% endif %}. Prevents session-backed flash messages from leaking across unrelated navigations. I-2: Wrap user creation + flush in IntegrityError retry loop (max 5 attempts); import IntegrityError from sqlalchemy.exc. Absorbs the inherent race between _generate_unique_username's lookup and the subsequent flush under concurrent signups. Added docstring note to _generate_unique_username explaining the wrapper. I-3: Move db.create_all() inside the try/finally in test_signup_route_csrf_enforced so WTF_CSRF_ENABLED is restored even if table creation fails. I-4: Pin test_signup_rejects_duplicate_email assertion to status_code == 200 (WTForms validate_email raises ValidationError → form fails validation → fall-through to default 200 render_template). I-5: Add id="password-help" to the password help paragraph and aria-describedby="password-help" to the password input so screen readers announce the password requirements when the field is focused. I-6: Bump flash banner text colors from -700/-800 to -900 variants (text-amber-900, text-blue-900, text-red-900, text-green-900) for safer WCAG 2.2 AA contrast against the -50 backgrounds. Same bump applied to the new consent and password inline error renders.	2026-04-27 22:43:00 -04:00
Allison	d2fc1f03ed	feat(auth): B-2.2 signup Loi 25-compliant (4 consent checkboxes) Refondre /register en /signup avec consentement granulaire (LPRPSP art. 14): - SignupLoi25Form (Flask-WTF) remplace RegistrationForm - 4 BooleanField séparés: cgu, confidentialite (obligatoires) + marketing, analytics (optionnels). Chaque consentement crée 1 row ConsentLog avec ip_address (CF-Connecting-IP > remote_addr), user_agent (tronqué 500), version='2026-04-27' (B-2.9 substituera LEGAL_VERSION canonique). - Marketing/analytics non cochés -> ConsentLog row avec granted=False (refus explicite tracé pour audit Loi 25). - /register reste 302 -> /signup (backward compat). - Username auto-généré unique depuis email local-part (max 20, alphanum, suffixe numérique sur collision). - name = "{first_name} {last_name}".strip() persisté dans User.name (pas de colonnes first_name/last_name au modèle). - send_verification_email() existant réutilisé (smtplib via env SMTP_*). Template register.html refondu IN PLACE pour étendre marketing/base.html: - 4 checkboxes dans <fieldset>+<legend>, AUCUNE pré-cochée - WCAG 2.2 AA: focus-visible outlines, aria-required, label for=, role=alert - OQLF: NBSP via \| safe pour "Loi 25" Tests: 9 cas couvrent GET 200, refus CGU, refus RPRP, happy path 4 rows, capture IP+UA, duplicate email, username collision, /register redirect, CSRF enforcement. Pattern test_consent_log.py (no conftest, env setup avant imports, app_context, db.create_all/drop_all). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-27 22:29:12 -04:00

Author

SHA1

Message

Date

Allison

3b324ad0b9

fix(auth): B-2.2 review fixes — Tailwind path + WCAG + race + flash + tests

C-1: Add templates/register.html (and templates/auth/**) to tailwind.config.js
content array so utility classes used by the signup template don't get purged
on next build. Rebuilt static/css/marketing.css; verified text-brand-navy/90
and min-h-[calc(100vh-62px)] are now compiled.

I-1: Replace flash() calls for missing required consents with WTForms
field-level errors (form.consent_cgu.errors.append / form.consent_confidentialite
.errors.append). Errors render inline next to each consent checkbox via
{% if form.consent_cgu.errors %}<p role="alert">…</p>{% endif %}. Prevents
session-backed flash messages from leaking across unrelated navigations.

I-2: Wrap user creation + flush in IntegrityError retry loop (max 5 attempts);
import IntegrityError from sqlalchemy.exc. Absorbs the inherent race between
_generate_unique_username's lookup and the subsequent flush under concurrent
signups. Added docstring note to _generate_unique_username explaining the
wrapper.

I-3: Move db.create_all() inside the try/finally in
test_signup_route_csrf_enforced so WTF_CSRF_ENABLED is restored even if
table creation fails.

I-4: Pin test_signup_rejects_duplicate_email assertion to status_code == 200
(WTForms validate_email raises ValidationError → form fails validation →
fall-through to default 200 render_template).

I-5: Add id="password-help" to the password help paragraph and
aria-describedby="password-help" to the password input so screen readers
announce the password requirements when the field is focused.

I-6: Bump flash banner text colors from -700/-800 to -900 variants
(text-amber-900, text-blue-900, text-red-900, text-green-900) for safer
WCAG 2.2 AA contrast against the -50 backgrounds. Same bump applied to the
new consent and password inline error renders.

2026-04-27 22:43:00 -04:00

Allison

d2fc1f03ed

feat(auth): B-2.2 signup Loi 25-compliant (4 consent checkboxes)

Refondre /register en /signup avec consentement granulaire (LPRPSP art. 14):
- SignupLoi25Form (Flask-WTF) remplace RegistrationForm
- 4 BooleanField séparés: cgu, confidentialite (obligatoires) + marketing,
  analytics (optionnels). Chaque consentement crée 1 row ConsentLog avec
  ip_address (CF-Connecting-IP > remote_addr), user_agent (tronqué 500),
  version='2026-04-27' (B-2.9 substituera LEGAL_VERSION canonique).
- Marketing/analytics non cochés -> ConsentLog row avec granted=False
  (refus explicite tracé pour audit Loi 25).
- /register reste 302 -> /signup (backward compat).
- Username auto-généré unique depuis email local-part (max 20, alphanum,
  suffixe numérique sur collision).
- name = "{first_name} {last_name}".strip() persisté dans User.name
  (pas de colonnes first_name/last_name au modèle).
- send_verification_email() existant réutilisé (smtplib via env SMTP_*).

Template register.html refondu IN PLACE pour étendre marketing/base.html:
- 4 checkboxes dans <fieldset>+<legend>, AUCUNE pré-cochée
- WCAG 2.2 AA: focus-visible outlines, aria-required, label for=, role=alert
- OQLF: NBSP via | safe pour "Loi&nbsp;25"

Tests: 9 cas couvrent GET 200, refus CGU, refus RPRP, happy path 4 rows,
capture IP+UA, duplicate email, username collision, /register redirect,
CSRF enforcement. Pattern test_consent_log.py (no conftest, env setup
avant imports, app_context, db.create_all/drop_all).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-27 22:29:12 -04:00

2 Commits