refactor: comprehensive codebase review — security, performance, quality, UX

Security: - Fix NUT protocol command injection (validate names against safe regex) - Enable Jinja2 autoescape=True to prevent HTML injection via external data - Add WebhookProviderConfig validation model Performance: - Shared aiohttp.ClientSession singleton (replaces 40+ per-request sessions) - Fix 4 N+1 queries with batch IN loads (poller, scheduler, memory, broadcast) - asyncio.gather for Gitea commands and notification dispatcher - Add DB indexes on NotificationTrackerState.tracker_id, CommandTrackerListener - LRU cache for compiled Jinja2 templates - Daily EventLog cleanup job (90-day retention) - 30s HTTP timeout on all external calls - GROUP BY for target type counts (replaces 7 sequential queries) Code quality: - Extract get_owned_entity() helper (replaces 11 duplicate functions) - Extract slot_helpers.py (load_slots, save_slots, render_template_preview) - Extract command_utils.py (tracker lookup, last event, collection IDs) - Extract http_session.py (shared session lifecycle) - Provider connection validation dedup (3x → 1 helper) - Command dispatch tables replacing if/elif chains - Album+links fetch helper (fetch_albums_with_links) - Provider dispatch polymorphism (list_provider_collections) - Immutable _enrich_assets (no longer mutates in-place) - Fix _format_assets return type + handler unpacking Frontend: - Fix 18+ hardcoded English strings → t() with new i18n keys (en + ru) - Mobile "More" nav panel with provider filter and search - Shared Button.svelte component (4 variants, 2 sizes) - Shared ErrorBanner.svelte component (8 pages updated) - SvelteKit goto() replacing window.location.href - Dashboard grid fixed for 4 cards, paginator opacity consistency Functionality: - max_instances=1 on scheduler jobs (prevents duplicate events) - Webhook provider in watcher (prevents error spam) - Fix stale SQLModel reference in poller - Gitea get_repo() direct API call
2026-03-28 13:22:26 +03:00
parent 616b221c92
commit b803d004e1
65 changed files with 1934 additions and 1498 deletions
@@ -3,8 +3,6 @@
 import logging
 from typing import Any

-import aiohttp
-
 from sqlmodel import select
 from sqlmodel.ext.asyncio.session import AsyncSession

@@ -90,19 +88,21 @@ async def _send_telegram_broadcast(target: NotificationTarget, message: str, rec
    if not receivers:
        return {"success": False, "error": "No receivers configured"}

+    from .http_session import get_http_session
+    http = await get_http_session()
+
    results: list[dict] = []
-    async with aiohttp.ClientSession() as session:
-        client = TelegramClient(session, bot_token)
-        for recv in receivers:
-            chat_id = recv.get("chat_id")
-            if not chat_id:
-                continue
-            result = await client.send_message(
-                chat_id=str(chat_id),
-                text=message,
-                disable_web_page_preview=bool(disable_preview),
-            )
-            results.append(result)
+    client = TelegramClient(http, bot_token)
+    for recv in receivers:
+        chat_id = recv.get("chat_id")
+        if not chat_id:
+            continue
+        result = await client.send_message(
+            chat_id=str(chat_id),
+            text=message,
+            disable_web_page_preview=bool(disable_preview),
+        )
+        results.append(result)

    return _aggregate(results)

@@ -113,15 +113,17 @@ async def _send_webhook_broadcast(target: NotificationTarget, message: str, rece
    if not receivers:
        return {"success": False, "error": "No receivers configured"}

+    from .http_session import get_http_session
+    http = await get_http_session()
+
    results: list[dict] = []
-    async with aiohttp.ClientSession() as session:
-        for recv in receivers:
-            url = recv.get("url")
-            headers = recv.get("headers", {})
-            if not url:
-                continue
-            client = WebhookClient(session, url, headers)
-            results.append(await client.send({"message": message, "event_type": "notification"}))
+    for recv in receivers:
+        url = recv.get("url")
+        headers = recv.get("headers", {})
+        if not url:
+            continue
+        client = WebhookClient(http, url, headers)
+        results.append(await client.send({"message": message, "event_type": "notification"}))

    return _aggregate(results)

@@ -178,22 +180,24 @@ async def _send_webhook_like_broadcast(target: NotificationTarget, message: str,
    if not receivers:
        return {"success": False, "error": "No receivers configured"}

+    from .http_session import get_http_session
+    http = await get_http_session()
+
    results: list[dict] = []
-    async with aiohttp.ClientSession() as session:
-        if target.type == "discord":
-            from notify_bridge_core.notifications.discord.client import DiscordClient
-            client = DiscordClient(session)
-            for recv in receivers:
-                url = recv.get("webhook_url")
-                if url:
-                    results.append(await client.send(url, message, username=target.config.get("username")))
-        elif target.type == "slack":
-            from notify_bridge_core.notifications.slack.client import SlackClient
-            client = SlackClient(session)
-            for recv in receivers:
-                url = recv.get("webhook_url")
-                if url:
-                    results.append(await client.send(url, message, username=target.config.get("username")))
+    if target.type == "discord":
+        from notify_bridge_core.notifications.discord.client import DiscordClient
+        client = DiscordClient(http)
+        for recv in receivers:
+            url = recv.get("webhook_url")
+            if url:
+                results.append(await client.send(url, message, username=target.config.get("username")))
+    elif target.type == "slack":
+        from notify_bridge_core.notifications.slack.client import SlackClient
+        client = SlackClient(http)
+        for recv in receivers:
+            url = recv.get("webhook_url")
+            if url:
+                results.append(await client.send(url, message, username=target.config.get("username")))

    return _aggregate(results)

@@ -207,18 +211,20 @@ async def _send_ntfy_broadcast(target: NotificationTarget, message: str, receive
        return {"success": False, "error": "No receivers configured"}

    from notify_bridge_core.notifications.ntfy.client import NtfyClient
+    from .http_session import get_http_session
+    http = await get_http_session()
+
    results: list[dict] = []
-    async with aiohttp.ClientSession() as session:
-        client = NtfyClient(session)
-        for recv in receivers:
-            topic = recv.get("topic")
-            if topic:
-                results.append(await client.send(
-                    server_url, topic, message,
-                    title="Notify Bridge",
-                    priority=recv.get("priority", 3),
-                    auth_token=auth_token,
-                ))
+    client = NtfyClient(http)
+    for recv in receivers:
+        topic = recv.get("topic")
+        if topic:
+            results.append(await client.send(
+                server_url, topic, message,
+                title="Notify Bridge",
+                priority=recv.get("priority", 3),
+                auth_token=auth_token,
+            ))

    return _aggregate(results)

@@ -243,13 +249,15 @@ async def _send_matrix_broadcast(target: NotificationTarget, message: str, recei
    if not receivers:
        return {"success": False, "error": "No receivers configured"}

+    from .http_session import get_http_session
+    http = await get_http_session()
+
    results: list[dict] = []
-    async with aiohttp.ClientSession() as http:
-        client = MatrixClient(http, homeserver, access_token)
-        for recv in receivers:
-            room_id = recv.get("room_id")
-            if room_id:
-                results.append(await client.send_message(room_id, message, html_message=message))
+    client = MatrixClient(http, homeserver, access_token)
+    for recv in receivers:
+        room_id = recv.get("room_id")
+        if room_id:
+            results.append(await client.send_message(room_id, message, html_message=message))

    return _aggregate(results)