Critical: Add ownership checks to all order routes (IDOR fix).

High: Redis rate limiting on auth endpoints, HMAC-signed internal service calls replacing header-presence-only checks, nh3 HTML sanitization on ghost_sync and product import, internal auth on market API endpoints, SHA-256 hashed OAuth grant/code tokens.

Medium: SECRET_KEY production guard, AP signature enforcement, is_admin param removal, cart_sid validation, SSRF protection on remote actor fetch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Blog App (Coop)
Content management, Ghost CMS sync, navigation, and the prose editor for the Rose Ash cooperative platform. Runs database migrations on startup and serves as the primary content hub.
Structure
app.py            # Application factory (create_base_app + blueprints)
path_setup.py     # Adds project root + app dir to sys.path
entrypoint.sh     # Container entrypoint (migrations, Redis flush, start)
bp/
    blog/         # Post listing, Ghost CMS sync, webhooks
    post/         # Single post view and admin
    admin/        # Settings admin interface
    menu_items/   # Navigation menu management
    snippets/     # Reusable content snippets
    fragments/    # nav-tree fragment for cross-app navigation
models/           # Re-export stubs pointing to shared/models/
services/         # register_domain_services() — wires blog + calendar + market + cart
templates/        # Blog-specific templates (override shared/)
Cross-domain communication
All inter-app communication uses typed service contracts (no HTTP APIs):
- services.calendar.* — calendar/entry queries via CalendarService protocol
- services.market.* — marketplace queries via MarketService protocol
- services.cart.* — cart summary via CartService protocol
- services.federation.* — AP publishing via FederationService protocol
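The shape of such a typed contract and its wiring, as an added example that is not the project's own code: `Services`, `LocalCartService`, the `CONTRACTS` table and the `CART_SID_RE` format are assumptions, and `register_domain_services` here is a stand-in for the real one. Enforcing the `Protocol` at registration means a cross-app call can never reach an implementation that lacks the method it was typed against, and the cart implementation rejects malformed `cart_sid` values before any lookup.

```python
"""Typed service contracts for cross-app calls (added example; hypothetical names)."""
import re
from typing import Protocol, runtime_checkable

# Assumed cart_sid format for this example, not the project's real one.
CART_SID_RE = re.compile(r"[A-Za-z0-9_-]{16,64}")


@runtime_checkable
class CartService(Protocol):
    def summary(self, cart_sid: str) -> dict: ...


@runtime_checkable
class MarketService(Protocol):
    def product_count(self) -> int: ...


CONTRACTS = {"cart": CartService, "market": MarketService}


class Services:
    """Namespace the apps call into, e.g. services.cart.summary(sid)."""

    def __init__(self) -> None:
        self._impls: dict[str, object] = {}

    def register(self, domain: str, impl: object) -> None:
        contract = CONTRACTS[domain]
        # runtime_checkable verifies the methods exist, not their signatures,
        # so a wiring mistake fails at startup rather than on the first request.
        if not isinstance(impl, contract):
            raise TypeError(f"{type(impl).__name__} does not satisfy {contract.__name__}")
        self._impls[domain] = impl

    def __getattr__(self, domain: str):
        try:
            return self._impls[domain]
        except KeyError:
            raise AttributeError(f"no service registered for {domain!r}") from None


class LocalCartService:
    """In-process cart implementation over a constructed {cart_sid: [(name, price)]} map."""

    def __init__(self, carts: dict[str, list[tuple[str, int]]]) -> None:
        self._carts = carts

    def summary(self, cart_sid: str) -> dict:
        if not CART_SID_RE.fullmatch(cart_sid):
            raise ValueError("invalid cart_sid")
        items = self._carts.get(cart_sid, [])
        return {"count": len(items), "total": sum(price for _, price in items)}


def register_domain_services(services: Services, *, cart: object, market: object = None) -> Services:
    services.register("cart", cart)
    if market is not None:
        services.register("market", market)
    return services
```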
Fragments served
- nav-tree — site navigation tree, fetched by all other apps
Fragments consumed
- cart-mini (from cart) — cart icon + badge
- auth-menu (from account) — sign-in / user menu
- container-nav (from events, market) — sidebar widgets
- container-cards (from events) — event cards on listing pages