Merge remote-tracking branch 'origin/main' into 33-frontend-looks-like-logged-in-even-after-token-expires

# Conflicts:
#	.github/workflows/run-tests.yml

.github/workflows/deploy-pr.yaml

@@ -100,7 +100,8 @@ jobs:
             --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \
             --set image.digest="$DIGEST" \
             --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \
-            --set-string database.password="$DB_PASSWORD"
+            --set-string database.password="$DB_PASSWORD" \
+            --set-string database.encryptionSecret="$PR"
 
       - name: Post preview URLs as PR comment
         uses: actions/github-script@v7

.github/workflows/deploy-prod.yaml

@@ -111,3 +111,4 @@ jobs:
             --set-string oauth.csas.clientId="$CSAS_CLIENT_ID" \
             --set-string oauth.csas.clientSecret="$CSAS_CLIENT_SECRET" \
             --set-string sentry_dsn="$SENTRY_DSN" \
+            --set-string database.encryptionSecret="${{ secrets.PROD_DB_ENCRYPTION_KEY }}"

.github/workflows/run-tests.yml

@@ -2,11 +2,21 @@ name: Run Python Tests
 permissions:
   contents: read
 
+# -----------------
+# --- Triggers ----
+# -----------------
+# This section defines when the workflow will run.
 on:
   workflow_call:
 
+# -----------------
+# ------ Jobs -----
+# -----------------
+# A workflow is made up of one or more jobs that can run in parallel or sequentially.
 jobs:
+  # A descriptive name for your job
   build-and-test:
+    # Specifies the virtual machine to run the job on. 'ubuntu-latest' is a common and cost-effective choice.
     runs-on: ubuntu-latest
 
     # 1) Start a MariaDB service container for tests

7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py

@@ -0,0 +1,47 @@
+"""Add encrypted type
+
+Revision ID: 46b9e702e83f
+Revises: 1f2a3c4d5e6f
+Create Date: 2025-10-29 13:26:24.568523
+
+"""
+from typing import Sequence, Union
+
+import sqlalchemy_utils
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import mysql
+
+# revision identifiers, used by Alembic.
+revision: str = '46b9e702e83f'
+down_revision: Union[str, Sequence[str], None] = '1f2a3c4d5e6f'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('transaction', 'amount',
+               existing_type=mysql.FLOAT(),
+               type_=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(),
+               existing_nullable=False)
+    op.alter_column('transaction', 'description',
+               existing_type=mysql.VARCHAR(length=255),
+               type_=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(),
+               existing_nullable=True)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('transaction', 'description',
+               existing_type=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(),
+               type_=mysql.VARCHAR(length=255),
+               existing_nullable=True)
+    op.alter_column('transaction', 'amount',
+               existing_type=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(),
+               type_=mysql.FLOAT(),
+               existing_nullable=False)
+    # ### end Alembic commands ###

7project/backend/app/app.py

@@ -124,10 +124,6 @@ async def root():
 async def authenticated_route(user: User = Depends(current_active_verified_user)):
     return {"message": f"Hello {user.email}!"}
 
-@fastApi.get("/sentry-debug")
-async def trigger_error():
-    division_by_zero = 1 / 0
-
 
 @fastApi.get("/debug/scrape/csas/all", tags=["debug"])
 async def debug_scrape_csas_all():

7project/backend/app/models/transaction.py

@@ -1,15 +1,21 @@
+import os
 from fastapi_users_db_sqlalchemy import GUID
 from sqlalchemy import Column, Integer, String, Float, ForeignKey, Date, func
 from sqlalchemy.orm import relationship
+from sqlalchemy_utils import EncryptedType
+from sqlalchemy_utils.types.encrypted.encrypted_type import FernetEngine
+
 from app.core.base import Base
 from app.models.categories import association_table
 
+SECRET_KEY = os.environ.get("DB_ENCRYPTION_KEY", "localdev")
+
 
 class Transaction(Base):
     __tablename__ = "transaction"
     id = Column(Integer, primary_key=True, autoincrement=True)
-    amount = Column(Float, nullable=False)
-    description = Column(String(length=255), nullable=True)
+    amount = Column(EncryptedType(Float, SECRET_KEY, engine=FernetEngine), nullable=False)
+    description = Column(EncryptedType(String(length=255), SECRET_KEY, engine=FernetEngine), nullable=True)
     date = Column(Date, nullable=False, server_default=func.current_date())
     user_id = Column(GUID, ForeignKey("user.id"), nullable=False)
 

7project/backend/requirements.txt

@@ -54,6 +54,7 @@ sentry-sdk==2.42.0
 six==1.17.0
 sniffio==1.3.1
 SQLAlchemy==2.0.43
+SQLAlchemy-Utils==0.42.0
 starlette==0.48.0
 tomli==2.2.1
 typing-inspection==0.4.1

7project/charts/myapp-chart/templates/app-deployment.yaml

@@ -101,6 +101,11 @@ spec:
                 secretKeyRef:
                   name: prod
                   key: SENTRY_DSN
+            - name: DB_ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: DB_ENCRYPTION_KEY
           livenessProbe:
             httpGet:
               path: /

7project/charts/myapp-chart/templates/prod.yaml

@@ -18,3 +18,4 @@ stringData:
   RABBITMQ_PASSWORD: {{ .Values.rabbitmq.password | default "" | quote }}
   RABBITMQ_USERNAME: {{ .Values.rabbitmq.username | quote }}
   SENTRY_DSN: {{ .Values.sentry_dsn | quote }}
+  DB_ENCRYPTION_KEY: {{ required "Set .Values.database.encryptionSecret" .Values.database.encryptionSecret | quote }}

7project/charts/myapp-chart/templates/worker-deployment.yaml

@@ -20,7 +20,7 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
-              drop: ["ALL"]
+              drop: [ "ALL" ]
           command:
             - celery
             - -A
@@ -80,3 +80,8 @@ spec:
                 secretKeyRef:
                   name: prod
                   key: CSAS_CLIENT_SECRET
+            - name: DB_ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: prod
+                  key: DB_ENCRYPTION_KEY

7project/charts/myapp-chart/values.yaml

@@ -75,3 +75,4 @@ database:
   userName: app-demo-user
   secretName: app-demo-database-secret
   password: ""
+  encryptionSecret: ""

requirements.txt

@@ -1,72 +0,0 @@
-aio-pika==9.5.6
-aiormq==6.8.1
-aiosqlite==0.21.0
-alembic==1.16.5
-amqp==5.3.1
-annotated-types==0.7.0
-anyio==4.11.0
-argon2-cffi==23.1.0
-argon2-cffi-bindings==25.1.0
-asyncmy==0.2.9
-bcrypt==4.3.0
-billiard==4.2.2
-celery==5.5.3
-certifi==2025.10.5
-cffi==2.0.0
-click==8.1.8
-click-didyoumean==0.3.1
-click-plugins==1.1.1.2
-click-repl==0.3.0
-cryptography==46.0.1
-dnspython==2.7.0
-email_validator==2.2.0
-exceptiongroup==1.3.0
-fastapi==0.117.1
-fastapi-users==14.0.1
-fastapi-users-db-sqlalchemy==7.0.0
-greenlet==3.2.4
-h11==0.16.0
-httpcore==1.0.9
-httptools==0.6.4
-httpx==0.28.1
-httpx-oauth==0.16.1
-idna==3.10
-iniconfig==2.3.0
-kombu==5.5.4
-makefun==1.16.0
-Mako==1.3.10
-MarkupSafe==3.0.2
-multidict==6.6.4
-packaging==25.0
-pamqp==3.3.0
-pluggy==1.6.0
-prompt_toolkit==3.0.52
-propcache==0.3.2
-pwdlib==0.2.1
-pycparser==2.23
-pydantic==2.11.9
-pydantic_core==2.33.2
-Pygments==2.19.2
-PyJWT==2.10.1
-PyMySQL==1.1.2
-pytest==8.4.2
-pytest-asyncio==1.2.0
-python-dateutil==2.9.0.post0
-python-dotenv==1.1.1
-python-multipart==0.0.20
-PyYAML==6.0.2
-six==1.17.0
-sniffio==1.3.1
-SQLAlchemy==2.0.43
-starlette==0.48.0
-tomli==2.2.1
-typing-inspection==0.4.1
-typing_extensions==4.15.0
-tzdata==2025.2
-uvicorn==0.37.0
-uvloop==0.21.0
-vine==5.1.0
-watchfiles==1.1.0
-wcwidth==0.2.14
-websockets==15.0.1
-yarl==1.20.1