feat: build core API, fraud engine, notifier, and frontend

Phase 1 — Core API (Go): - Events, guests, tokens, RSVPs CRUD on PostgreSQL via pgx/v5 - HMAC-signed per-guest tokens with format validation - Health endpoint with DB ping, slog JSON logging, graceful shutdown Phase 2 — NATS + Fraud Engine: - NATS JetStream pub/sub with explicit-ack consumers - Python/FastAPI fraud engine with heuristic risk scoring (fingerprint mismatch, IP change, missing signals, repeated access) - gRPC sync scoring with 250ms fail-open timeout - Per-guest baseline tracking; risk bands low/medium/high/block Phase 3 — Notifications + Frontend: - Notification worker scaffolding (Twilio/SES stubs, retry/backoff) - Nuxt 3 frontend with Tailwind dark theme + brand green - Live monitor via WebSocket with auto-reconnect - Activity history endpoint backfills monitor with RSVPs + scored access checks (including blocked attempts) UX polish: - Marketing-friendly landing page (hero mockup, how-it-works, features, use cases, testimonials, FAQ, final CTA) - Animated layered card mockups on landing + new-event page - Plus-ones stepper, RSVP status badges, filter buttons - Friendly access-check labels (Verified/Review/Suspicious/Blocked) - Dashboard hydration fix via ClientOnly wrapper Infrastructure: - docker-compose for full local dev (postgres, nats, api, fraud-engine, notifier, frontend) - Multi-stage Dockerfiles, non-root UID 1000 - Integration tests with testcontainers-go Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 21:08:56 +01:00
parent f760fc3e21
commit 3f8bc58ca9
89 changed files with 22729 additions and 0 deletions
@@ -0,0 +1,81 @@
+from datetime import UTC, datetime
+from uuid import uuid4
+
+from app.schemas import AccessAttempted
+from app.scoring import HeuristicScorer, risk_band
+
+
+def _evt(
+    *,
+    guest_id=None,
+    fingerprint=None,
+    ip=None,
+    user_agent="Mozilla/5.0",
+):
+    return AccessAttempted(
+        event_id=uuid4(),
+        guest_id=guest_id or uuid4(),
+        token_id=uuid4(),
+        access_log_id=uuid4(),
+        fingerprint=fingerprint,
+        ip_address=ip,
+        user_agent=user_agent,
+        occurred_at=datetime.now(UTC),
+    )
+
+
+def test_first_access_with_full_signals_is_low_risk():
+    scorer = HeuristicScorer()
+    evt = _evt(
+        fingerprint={"ua": "Chrome", "platform": "macOS"},
+        ip="203.0.113.7",
+    )
+    res = scorer.score(evt)
+    assert res.score <= 30
+    assert risk_band(res.score) == "low"
+
+
+def test_fingerprint_change_drives_score_up():
+    scorer = HeuristicScorer()
+    guest = uuid4()
+    first = _evt(guest_id=guest, fingerprint={"ua": "Chrome"}, ip="203.0.113.7")
+    scorer.score(first)
+
+    second = _evt(guest_id=guest, fingerprint={"ua": "Safari"}, ip="203.0.113.7")
+    res = scorer.score(second)
+
+    assert res.score >= 40
+    assert any("fingerprint" in r for r in res.reasons)
+
+
+def test_ip_change_and_fingerprint_change_classify_high_or_block():
+    scorer = HeuristicScorer()
+    guest = uuid4()
+    scorer.score(_evt(guest_id=guest, fingerprint={"ua": "Chrome"}, ip="203.0.113.7"))
+
+    suspicious = _evt(
+        guest_id=guest,
+        fingerprint={"ua": "Curl/8"},
+        ip="198.51.100.42",
+        user_agent=None,
+    )
+    res = scorer.score(suspicious)
+
+    assert res.score >= 60
+    assert risk_band(res.score) in {"high", "block"}
+
+
+def test_missing_fingerprint_and_user_agent_flagged():
+    scorer = HeuristicScorer()
+    res = scorer.score(_evt(fingerprint=None, ip="203.0.113.1", user_agent=None))
+    assert "no device fingerprint provided" in res.reasons
+    assert "missing user agent" in res.reasons
+
+
+def test_score_clamped_to_0_100():
+    scorer = HeuristicScorer()
+    # 10 successive accesses with no fingerprint, no UA, changing IPs
+    guest = uuid4()
+    for i in range(12):
+        res = scorer.score(_evt(guest_id=guest, fingerprint=None, ip=f"10.0.{i}.1", user_agent=None))
+        assert 0 <= res.score <= 100