Merge pull request #5 from WithAgency/feature/lef-148-canva-chatfaq-guardar-mis-conversaciones

sthonore · web-flow · commit 35afccb22bb9 · 2025-11-21T09:00:02.000+01:00
lef-148: secure wss and conversation endpoints to rely on django use without leaking sender_uuid
diff --git a/.gitignore b/.gitignore
@@ -250,4 +250,5 @@ back/models/
 *.ipynb
 chat_rag/data/
 chat_rag/examples/
-*/.ragatouille/*
+*/.ragatouille/*
+/back/dump.rdb
diff --git a/admin/nuxt.config.js b/admin/nuxt.config.js
@@ -23,6 +23,9 @@ export default envManager((env) => {
     });
     const viteNuxtConfig = defineNuxtConfig({
         ssr: true,
+        devServer: {
+            port: process.env.NUXT_PORT || 3000,
+        },
         css: ["@/assets/styles/global.scss"],
         buildModules: [],
         modules: [...config.modules, "@pinia/nuxt", "@element-plus/nuxt"],
diff --git a/back/back/apps/broker/consumers/bots/custom_ws.py b/back/back/apps/broker/consumers/bots/custom_ws.py
@@ -27,7 +27,11 @@ async def gather_fsm_def(self):
         return fsm, None if fsm else f"`No FSM found with name {name}`"
 
     async def gather_user_id(self):
-        return self.scope["url_route"]["kwargs"]["sender_id"]
+        # If user is authenticated, use their sender_uuid
+        if self.scope.get("user") and self.scope["user"].is_authenticated:
+            return str(self.scope["user"].sender_uuid)
+        # Otherwise, fall back to URL parameter
+        return self.scope["url_route"]["kwargs"].get("sender_id")
 
     async def gather_initial_conversation_metadata(self):
         params = parse_qs(self.scope["query_string"])
diff --git a/back/back/apps/broker/serializers/messages/custom_ws.py b/back/back/apps/broker/serializers/messages/custom_ws.py
@@ -29,10 +29,16 @@ def to_mml(self, ctx: BotConsumer) -> Union[bool, "Message"]:
         if not self.is_valid():
             return False
 
+        sender_data = self.data["sender"].copy()
+
+        # If user is authenticated, use their sender_uuid as the sender ID
+        if ctx.scope.get("user") and ctx.scope["user"].is_authenticated:
+            sender_data["id"] = str(ctx.scope["user"].sender_uuid)
+
         s = MessageSerializer(
             data={
                 "stack": self.data["stack"],
-                "sender": self.data["sender"],
+                "sender": sender_data,
                 "send_time": int(time.time() * 1000),
                 "conversation": ctx.conversation.pk,
             }
diff --git a/back/back/apps/broker/views/__init__.py b/back/back/apps/broker/views/__init__.py
@@ -100,13 +100,19 @@ def instance_permissions(self, request):
 
     @action(methods=("get",), detail=False, permission_classes=[AllowAny])
     def from_sender(self, request, *args, **kwargs):
-        if not request.query_params.get("sender"):
-            return JsonResponse(
-                {"error": "sender is required"},
-                status=400,
-            )
+        # Use authenticated user's sender_uuid if available, otherwise fall back to query param
+        if request.user.is_authenticated:
+            sender_id = str(request.user.sender_uuid)
+        else:
+            sender_id = request.query_params.get("sender")
+            if not sender_id:
+                return JsonResponse(
+                    {"error": "sender is required"},
+                    status=400,
+                )
+
         results = []
-        for c in Conversation.conversations_from_sender(request.query_params.get("sender")):
+        for c in Conversation.conversations_from_sender(sender_id):
             if error := self._instance_permissions(c, request):
                 return error
             results.append(ConversationSerializer(c).data)
diff --git a/back/back/apps/people/migrations/0007_user_sender_uuid.py b/back/back/apps/people/migrations/0007_user_sender_uuid.py
@@ -0,0 +1,25 @@
+# Generated by Django 5.2.6 on 2025-11-18 00:00
+
+import uuid
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("people", "0006_alter_user_email"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="user",
+            name="sender_uuid",
+            field=models.UUIDField(
+                db_index=True,
+                default=uuid.uuid4,
+                editable=False,
+                help_text="Universal sender identifier for lefebvre-chatfaq integration",
+                unique=True,
+            ),
+        ),
+    ]
diff --git a/back/back/apps/people/models.py b/back/back/apps/people/models.py
@@ -99,6 +99,13 @@ class User(UuidPkModel, AbstractBaseUser, PermissionsMixin):
         _("date joined"),
         auto_now_add=True,
     )
+    sender_uuid = models.UUIDField(
+        unique=True,
+        default=uuid4,
+        editable=False,
+        db_index=True,
+        help_text=_("Universal sender identifier for lefebvre-chatfaq integration"),
+    )
     remember_me = models.TextField(
         _("remember me"),
         null=True,
diff --git a/back/back/apps/people/serializers.py b/back/back/apps/people/serializers.py
@@ -37,6 +37,9 @@ class Meta:
 class AuthUserSerializer(serializers.ModelSerializer):
     """
     Serializer used when the user is authenticated on /api/me/
+
+    NOTE: sender_uuid intentionally NOT included here to avoid exposing it to
+    frontend clients. AdminUserSerializer still exposes it for admin use.
     """
 
     class Meta:
diff --git a/back/back/apps/people/views.py b/back/back/apps/people/views.py
@@ -113,8 +113,14 @@ def post(self, request, format=None):
 
 
 class UserAPIViewSet(viewsets.ModelViewSet):
+    """
+    Admin-only CRUD for users. Keep AdminUserSerializer (fields="__all__"),
+    but make access explicit and restricted to admins so sender_uuid is not
+    leaked to non-admins.
+    """
     queryset = User.objects.all()
     serializer_class = AdminUserSerializer
+    permission_classes = [permissions.IsAdminUser]  # Ensure only admins can read/write all fields
     filter_backends = [DjangoFilterBackend, SearchFilter, OrderingFilter]
     filterset_fields = ["id"]
 
diff --git a/back/back/config/middelware.py b/back/back/config/middelware.py
@@ -92,7 +92,9 @@ def has_permission(self, request, view):
             widget = Widget.objects.get(id=widget_id)
         except Widget.DoesNotExist:
             return False
-        if fnmatch.fnmatch(urlparse(origin).netloc, widget.domain):
+        # Compare netloc to netloc (both should be like "localhost:3000")
+        widget_domain_netloc = urlparse(widget.domain).netloc if widget.domain else widget.domain
+        if fnmatch.fnmatch(urlparse(origin).netloc, widget_domain_netloc):
             return True
         return False
 
