Merge development: security hardening, login fix, chart improvements

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

btc-portfolio/backend/app/auth.py

@@ -1,8 +1,9 @@
+import os
 from datetime import datetime, timedelta
 from jose import JWTError, jwt
 from passlib.context import CryptContext
 
-SECRET_KEY = "change-me-in-production-use-a-long-random-string"
+SECRET_KEY = os.environ.get("SECRET_KEY", "dev-insecure-key-change-me")
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 24  # 1 day
 

btc-portfolio/backend/app/main.py

@@ -17,8 +17,8 @@ app.add_middleware(
     CORSMiddleware,
     allow_origins=origins,
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allow_headers=["Content-Type", "Authorization"],
 )
 
 app.include_router(users.router)

btc-portfolio/backend/app/routes/purchases.py

@@ -1,6 +1,6 @@
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.orm import Session
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from typing import List
 from datetime import datetime
 
@@ -12,13 +12,13 @@ router = APIRouter()
 
 
 class PurchaseCreate(BaseModel):
-    amount_eur: float
-    price_eur: float
+    amount_eur: float = Field(gt=0, le=10_000_000)
+    price_eur: float = Field(gt=0, le=10_000_000)
 
 
 class PurchaseUpdate(BaseModel):
-    amount_eur: float
-    price_eur: float
+    amount_eur: float = Field(gt=0, le=10_000_000)
+    price_eur: float = Field(gt=0, le=10_000_000)
     created_at: datetime
 
 

btc-portfolio/backend/app/routes/users.py

@@ -1,6 +1,6 @@
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.orm import Session
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 
 from ..database import get_db
 from .. import models
@@ -10,6 +10,11 @@ router = APIRouter()
 
 
 class UserCreate(BaseModel):
+    username: str = Field(min_length=3, max_length=50)
+    password: str = Field(min_length=8)
+
+
+class UserLogin(BaseModel):
     username: str
     password: str
 
@@ -37,7 +42,7 @@ def register(user_in: UserCreate, db: Session = Depends(get_db)):
 
 
 @router.post("/login", response_model=Token)
-def login(user_in: UserCreate, db: Session = Depends(get_db)):
+def login(user_in: UserLogin, db: Session = Depends(get_db)):
     user = db.query(models.User).filter(models.User.username == user_in.username).first()
     if not user or not verify_password(user_in.password, user.password):
         raise HTTPException(status_code=401, detail="Invalid credentials")

btc-portfolio/backend/app/services/btc.py

@@ -1,6 +1,9 @@
+import logging
 import requests
 from datetime import datetime, timezone
 
+logger = logging.getLogger(__name__)
+
 
 def get_btc_history_eur() -> list:
     try:
@@ -11,7 +14,8 @@ def get_btc_history_eur() -> list:
         )
         resp.raise_for_status()
         return resp.json().get("prices", [])  # [[timestamp_ms, price], ...]
-    except Exception:
+    except Exception as e:
+        logger.error(f"Failed to fetch BTC history: {e}")
         return []
 
 
@@ -25,7 +29,8 @@ def get_btc_ohlc_eur(days: int) -> list:
         )
         resp.raise_for_status()
         return resp.json()  # [[timestamp_ms, open, high, low, close], ...]
-    except Exception:
+    except Exception as e:
+        logger.error(f"Failed to fetch BTC OHLC: {e}")
         return []
 
 
@@ -58,5 +63,6 @@ def get_btc_price_eur() -> float:
         )
         resp.raise_for_status()
         return float(resp.json()["bitcoin"]["eur"])
-    except Exception:
+    except Exception as e:
+        logger.error(f"Failed to fetch BTC price: {e}")
         return 0.0

btc-portfolio/backend/app/services/candles.py

@@ -1,10 +1,10 @@
 import logging
-from datetime import datetime, timezone, date as dt_date
+from datetime import datetime, timezone, timedelta, date as dt_date
 
 from sqlalchemy.orm import Session
 
 from ..models import OHLCCandle
-from .btc import get_btc_ohlc_eur, aggregate_to_daily
+from .btc import get_btc_ohlc_eur, aggregate_to_daily, get_btc_history_eur
 
 logger = logging.getLogger(__name__)
 
@@ -30,10 +30,54 @@ def seed_candles(db: Session) -> None:
     logger.info("Candle seed: stored %d daily candles (%s → %s).", len(rows), min(daily.keys()), max(daily.keys()))
 
 
+def seed_historical_prices(db: Session) -> None:
+    """Backfill up to 365 days of daily close prices from CoinGecko market_chart.
+    Uses previous day's close as each day's open to produce red/green candles.
+    Clears entries older than 31 days on each run so the data stays fresh.
+    Real OHLC entries (last 30 days) are never touched.
+    """
+    raw = get_btc_history_eur()
+    if not raw:
+        logger.warning("Historical price seed: CoinGecko returned no data.")
+        return
+
+    prices = {}
+    for ts_ms, price in raw:
+        date = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d")
+        prices[date] = price
+
+    # Remove stale historical entries (older than 31 days) so they get re-seeded with current data
+    cutoff = (datetime.now(tz=timezone.utc) - timedelta(days=31)).strftime("%Y-%m-%d")
+    db.query(OHLCCandle).filter(OHLCCandle.date < cutoff).delete()
+    db.commit()
+
+    existing = {c.date for c in db.query(OHLCCandle).all()}
+
+    new_rows = []
+    prev_close = None
+    for date, close in sorted(prices.items()):
+        if date in existing:
+            prev_close = close
+            continue
+        open_ = prev_close if prev_close is not None else close
+        high = max(open_, close)
+        low = min(open_, close)
+        new_rows.append(OHLCCandle(date=date, open=open_, high=high, low=low, close=close))
+        prev_close = close
+
+    if new_rows:
+        db.add_all(new_rows)
+        db.commit()
+        logger.info("Historical price seed: stored %d daily entries (%s → %s).", len(new_rows), new_rows[0].date, new_rows[-1].date)
+
+
 def refresh_latest_candles(db: Session) -> None:
     """Add any missing candles up to today. Seeds the DB if empty.
     Also detects and replaces coarse (>2-day gap) legacy data from a previous days=365 seed.
     """
+    # Always backfill historical prices for dates not yet in DB (no-op once populated)
+    seed_historical_prices(db)
+
     # Sparse-data detection: if existing candles have >2-day gaps, wipe and re-seed
     first_two = db.query(OHLCCandle).order_by(OHLCCandle.date.asc()).limit(2).all()
     if len(first_two) == 2: