improve web app cq

.env.example

@@ -30,13 +30,17 @@ QUEST__LOGIN__API_KEY=dummy2
 # QUEST__LOGIN__URL=
 # QUEST__LOGIN__QUESTIONID=
 
-QUEST__RESET__API_KEY=dummy3
-# QUEST__RESET__URL=
-# QUEST__RESET__QUESTIONID=
+QUEST__RESET_PASSWORD__API_KEY=dummy3
+# QUEST__RESET_PASSWORD__URL=
+# QUEST__RESET_PASSWORD__QUESTIONID=
 
 # --- Other Overrides (Optional) ---
 # Example of overriding a nested value in the AUTH dictionary
 # AUTH__OTP_TIMEOUT=60
+# Example of overridng web size constraints
+# WEB__COURSE__PAGE_SIZE=5
+# WEB__REVIEW__PAGE_SIZE=10
+# WEB__REVIEW__COMMENT_MIN_LENGTH=30
 
 # Example of overriding a list with a comma-separated string
 # ALLOWED_HOSTS=localhost,127.0.0.1,dev.my-app.com

Makefile

@@ -11,7 +11,7 @@ help:
 	@echo "  collect               - Collects Django static files"
 	@echo "  install-frontend      - Installs frontend dependencies using bun"
 	@echo "  format                - Formats both backend (Python) and frontend (JS/TS/CSS) code"
-	@echo "  format-backend        - Formats Python code using isort and black"
+	@echo "  format-backend        - Formats Python code using ruff check and format"
 	@echo "  format-frontend       - Formats frontend code using prettier"
 	@echo "  lint                  - Lints both backend (Python) and frontend (JS/TS/CSS) code"
 	@echo "  lint-backend          - Lints Python code using ruff"
@@ -45,8 +45,8 @@ format: format-backend format-frontend
 	@echo "All code formatted successfully!"
 
 format-backend:
-	@echo "Formatting backend (Python) code with isort and black..."
-	uv run ruff check --select I . && \
+	@echo "Formatting backend (Python) code with ruff check and format..."
+	uv run ruff check --select I . --fix && \
 	uv run ruff format
 
 format-frontend:

apps/auth/urls.py

@@ -0,0 +1,16 @@
+from django.urls import re_path
+
+from apps.auth import views as auth_views
+
+urlpatterns = [
+    re_path(r"^init/$", auth_views.auth_initiate_api, name="auth_initiate_api"),
+    re_path(r"^verify/$", auth_views.verify_callback_api, name="verify_callback_api"),
+    re_path(
+        r"^password/$",
+        auth_views.auth_reset_password_api,
+        name="auth_reset_password_api",
+    ),
+    re_path(r"^signup/$", auth_views.auth_signup_api, name="auth_signup_api"),
+    re_path(r"^login/$", auth_views.auth_login_api, name="auth_login_api"),
+    re_path(r"^logout/?$", auth_views.auth_logout_api, name="auth_logout_api"),
+]

apps/auth/utils.py

@@ -9,10 +9,13 @@
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.password_validation import validate_password
 from django.core.exceptions import ValidationError
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.response import Response
 
 from apps.web.models import Student
 
+logger = logging.getLogger(__name__)
+
 AUTH_SETTINGS = settings.AUTH
 PASSWORD_LENGTH_MIN = AUTH_SETTINGS["PASSWORD_LENGTH_MIN"]
 PASSWORD_LENGTH_MAX = AUTH_SETTINGS["PASSWORD_LENGTH_MAX"]
@@ -23,22 +26,28 @@
 QUEST_BASE_URL = QUEST_SETTINGS["BASE_URL"]
 
 
+class CSRFCheckSessionAuthentication(SessionAuthentication):
+    def authenticate(self, request):
+        super().enforce_csrf(request)
+        return super().authenticate(request)
+
+
 def get_survey_details(action: str) -> dict[str, Any] | None:
     """
     A single, clean function to get all survey details for a given action.
-    Valid actions: "signup", "login", "reset".
+    Valid actions: "signup", "login", "reset_password".
     """
 
     action_details = QUEST_SETTINGS.get(action.upper())
 
     if not action_details:
-        logging.error("Invalid quest action requested: %s", action)
+        logger.error("Invalid quest action requested: %s", action)
         return None
 
     try:
         question_id = int(action_details.get("QUESTIONID"))
     except (ValueError, TypeError):
-        logging.error(
+        logger.error(
             "Could not parse 'QUESTIONID' for action '%s'. Check your settings.", action
         )
         return None
@@ -66,18 +75,18 @@ async def verify_turnstile_token(
                 },
             )
         if not response.json().get("success"):
-            logging.warning("Turnstile verification failed: %s", response.json())
+            logger.warning("Turnstile verification failed: %s", response.json())
             return False, Response(
                 {"error": "Turnstile verification failed"}, status=403
             )
         return True, None
     except httpx.TimeoutException:
-        logging.error("Turnstile verification timed out")
+        logger.error("Turnstile verification timed out")
         return False, Response(
             {"error": "Turnstile verification timed out"}, status=504
         )
-    except Exception as e:
-        logging.error(f"Error verifying Turnstile token: {e}")
+    except Exception:
+        logger.error("Turnstile verification error")
         return False, Response({"error": "Turnstile verification error"}, status=500)
 
 
@@ -132,19 +141,19 @@ async def get_latest_answer(
             response.raise_for_status()  # Raise an exception for bad status codes
             full_data = response.json()
     except httpx.TimeoutException:
-        logging.exception("Questionnaire API query timed out")
+        logger.error("Questionnaire API query timed out")
         return None, Response(
             {"error": "Questionnaire API query timed out"},
             status=504,
         )
-    except httpx.RequestError as e:
-        logging.exception(f"Error querying questionnaire API: {e}")
+    except httpx.RequestError:
+        logger.error("Error querying questionnaire API")
         return None, Response(
             {"error": "Failed to query questionnaire API"},
             status=500,
         )
-    except Exception as e:
-        logging.exception(f"An unexpected error occurred: {e}")
+    except Exception:
+        logger.error("An unexpected error occurred")
         return None, Response({"error": "An unexpected error occurred"}, status=500)
 
     # Filter and return only the required fields from the first row
@@ -180,7 +189,7 @@ async def get_latest_answer(
             key in filtered_data and filtered_data[key] is not None
             for key in ["id", "submitted_at", "account", "otp"]
         ):
-            logging.warning("Missing required field(s) in questionnaire response")
+            logger.warning("Missing required field(s) in questionnaire response")
             return None, Response(
                 {"error": "Missing required field(s) in questionnaire response"},
                 status=400,
@@ -211,7 +220,8 @@ def rate_password_strength(password: str) -> int:
     if re.search(r"[^a-zA-Z0-9\s]", password):
         score += 1
 
-    length_step = (PASSWORD_LENGTH_MAX - PASSWORD_LENGTH_MIN) // 10
+    length_range = max(1, PASSWORD_LENGTH_MAX - PASSWORD_LENGTH_MIN)
+    length_step = max(1, length_range // 10)
 
     score += (len(password) - PASSWORD_LENGTH_MIN) // length_step