Codebase hardening: 102 fixes across 35+ files

Deep audit identified 106 findings; 102 fixed, 4 deferred. Covers 8 areas: - Settings & deploy: env-gated DEBUG/SECRET_KEY, HTTPS headers, gunicorn, celery worker - Auth (registered_user): password write_only, request.data fixes, transaction safety, proper HTTP status codes - Workout app: IDOR protection, get_object_or_404, prefetch_related N+1 fixes, transaction.atomic - Video/scripts: path traversal sanitization, HLS trigger guard, auth on cache wipe - Models (exercise/equipment/muscle/superset): null-safe __str__, stable IDs, prefetch support - Generator views: helper for registered_user lookup, logger.exception, bulk_update, transaction wrapping - Generator core (rules/selector/generator): push-pull ratio, type affinity normalization, modality checks, side-pair exact match, word-boundary regex, equipment cache clearing - Generator services (plan_builder/analyzer/normalizer): transaction.atomic, muscle cache, bulk_update, glutes classification fix Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 22:29:14 -06:00
parent 63b57a83ab
commit c80c66c2e5
58 changed files with 3363 additions and 1049 deletions
--- a/werkout-frontend/next.config.mjs
+++ b/werkout-frontend/next.config.mjs
@@ -21,14 +21,12 @@ const nextConfig = {
  },
  async rewrites() {
    const djangoUrl = process.env.DJANGO_INTERNAL_URL || "http://localhost:8000";
-    // Helper: for each Django prefix, create two rewrites:
-    //   1. with trailing slash preserved
-    //   2. without trailing slash → add it (Django requires trailing slashes)
-    const djangoPrefixes = [
+    // Prefixes that have NO conflicting Next.js page routes
+    const safePrefixes = [
      "media", "registered_user", "exercise", "muscle",
-      "equipment", "workout", "generator", "videos", "admin",
+      "equipment", "generator", "videos", "admin", "static",
    ];
-    return djangoPrefixes.flatMap((prefix) => [
+    const rules = safePrefixes.flatMap((prefix) => [
      {
        source: `/${prefix}/:path*/`,
        destination: `${djangoUrl}/${prefix}/:path*/`,
@@ -38,6 +36,24 @@ const nextConfig = {
        destination: `${djangoUrl}/${prefix}/:path*/`,
      },
    ]);
+    // "workout" conflicts with Next.js page route /workout/[workoutId],
+    // so only rewrite specific Django sub-paths (not bare /workout/<id>).
+    const workoutApiPaths = [
+      "all", "complete", "completed", "create",
+      "planned_workouts", "plan_workout", "add_from_files",
+    ];
+    for (const sub of workoutApiPaths) {
+      rules.push(
+        { source: `/workout/${sub}/`, destination: `${djangoUrl}/workout/${sub}/` },
+        { source: `/workout/${sub}`, destination: `${djangoUrl}/workout/${sub}/` },
+      );
+    }
+    // /workout/<id>/details/ — the <id> segment followed by "details"
+    rules.push(
+      { source: "/workout/:id/details/", destination: `${djangoUrl}/workout/:id/details/` },
+      { source: "/workout/:id/details", destination: `${djangoUrl}/workout/:id/details/` },
+    );
+    return rules;
  },
 };