feat: FASE 7 - Polish & Testing (security, i18n, test suite, docs)

Security hardening: CORS lockdown, rate limiting middleware con sliding
window e eviction IP stale, security headers (CSP, HSTS, X-Frame-Options),
session cookie hardening, filename sanitization upload.

i18n completion: internazionalizzati barcode.js e csv-export.js con bridge
window.BARCODE_I18N/CSV_I18N, aggiornati .po IT/EN con 27 nuove stringhe.

Tablet UX: touch target 44px per dispositivi coarse pointer.

Test suite: 101 test totali (76 server + 25 client), copertura completa
di tutti i router API, autenticazione, ruoli, CRUD, SPC, file upload,
security integration. Infrastruttura SQLite async in-memory con fixtures.

Fix critici: MissingGreenlet in recipe_service (selectinload eager),
route ordering tasks.py, auth_service bcrypt diretto, Measurement.id
Integer per SQLite.

Documentazione: API.md (riferimento completo 40+ endpoint),
DEPLOYMENT.md (guida produzione con Docker/Nginx/SSL),
USER_GUIDE.md (manuale utente per ruolo).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/tests/test_files.py

@@ -0,0 +1,175 @@
+"""Tests for files router (/api/files)."""
+import io
+import os
+import tempfile
+from pathlib import Path
+from unittest.mock import patch
+
+import pytest
+from httpx import AsyncClient
+
+from models.user import User
+from tests.conftest import auth_headers
+
+
+class TestUploadFile:
+    """POST /api/files/upload tests."""
+
+    async def test_upload_image(
+        self, client: AsyncClient, maker_user: User, tmp_path: Path
+    ):
+        """Maker can upload a valid image."""
+        # Create a minimal valid JPEG (1x1 pixel)
+        jpeg_bytes = (
+            b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"
+            b"\x00\x01\x00\x00\xff\xdb\x00C\x00\x08\x06\x06\x07\x06"
+            b"\x05\x08\x07\x07\x07\t\t\x08\n\x0c\x14\r\x0c\x0b\x0b"
+            b"\x0c\x19\x12\x13\x0f\x14\x1d\x1a\x1f\x1e\x1d\x1a\x1c"
+            b"\x1c $.\' \",#\x1c\x1c(7),01444\x1f\'9=82<.342\xff\xc0"
+            b"\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4"
+            b"\x00\x1f\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00"
+            b"\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06"
+            b"\x07\x08\t\n\x0b\xff\xc4\x00\xb5\x10\x00\x02\x01\x03"
+            b"\x03\x02\x04\x03\x05\x05\x04\x04\x00\x00\x01}\x01\x02"
+            b"\x03\x00\x04\x11\x05\x12!1A\x06\x13Qa\x07\"q\x142\x81"
+            b"\x91\xa1\x08#B\xb1\xc1\x15R\xd1\xf0$3br\x82\t\n\x16"
+            b"\x17\x18\x19\x1a%&\'()*456789:CDEFGHIJSTUVWXYZcdefghij"
+            b"stuvwxyz\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94"
+            b"\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8"
+            b"\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3"
+            b"\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7"
+            b"\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea"
+            b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xda\x00"
+            b"\x08\x01\x01\x00\x00?\x00T\xdb\xae\x8e\xd3H\xa5(?"
+            b"\xff\xd9"
+        )
+
+        # Patch settings.upload_path to use tmp_path
+        with patch("routers.files.settings") as mock_settings:
+            mock_settings.upload_path = tmp_path
+            mock_settings.max_upload_size_mb = 50
+
+            resp = await client.post(
+                "/api/files/upload",
+                headers=auth_headers(maker_user),
+                files={"file": ("test.jpg", io.BytesIO(jpeg_bytes), "image/jpeg")},
+            )
+
+        assert resp.status_code == 200
+        data = resp.json()
+        assert "file_path" in data
+        assert data["file_type"] == "image/jpeg"
+        assert data["file_size"] > 0
+
+    async def test_upload_invalid_type(
+        self, client: AsyncClient, maker_user: User
+    ):
+        """Uploading a disallowed file type returns 400."""
+        resp = await client.post(
+            "/api/files/upload",
+            headers=auth_headers(maker_user),
+            files={
+                "file": ("malware.exe", io.BytesIO(b"MZ\x00\x00"), "application/x-msdownload")
+            },
+        )
+        assert resp.status_code == 400
+        assert "not allowed" in resp.json()["detail"]
+
+    async def test_upload_too_large(
+        self, client: AsyncClient, maker_user: User
+    ):
+        """Uploading a file that exceeds size limit returns 400."""
+        # Create a large file content
+        large_content = b"\x00" * (51 * 1024 * 1024)  # 51MB
+
+        with patch("routers.files.settings") as mock_settings:
+            mock_settings.max_upload_size_mb = 50
+            mock_settings.upload_path = Path(tempfile.mkdtemp())
+
+            resp = await client.post(
+                "/api/files/upload",
+                headers=auth_headers(maker_user),
+                files={
+                    "file": ("big.jpg", io.BytesIO(large_content), "image/jpeg")
+                },
+            )
+
+        assert resp.status_code == 400
+        assert "exceeds" in resp.json()["detail"]
+
+
+class TestGetFile:
+    """GET /api/files/{file_path} tests."""
+
+    async def test_get_file(
+        self, client: AsyncClient, maker_user: User, tmp_path: Path
+    ):
+        """Authenticated user can retrieve an uploaded file."""
+        # Create a test file in tmp_path
+        test_file = tmp_path / "testfile.txt"
+        test_file.write_text("hello test")
+
+        with patch("routers.files.settings") as mock_settings:
+            mock_settings.upload_path = tmp_path
+
+            resp = await client.get(
+                "/api/files/testfile.txt",
+                headers=auth_headers(maker_user),
+            )
+
+        assert resp.status_code == 200
+
+    async def test_get_file_not_found(
+        self, client: AsyncClient, maker_user: User, tmp_path: Path
+    ):
+        """Requesting a non-existent file returns 404."""
+        with patch("routers.files.settings") as mock_settings:
+            mock_settings.upload_path = tmp_path
+
+            resp = await client.get(
+                "/api/files/nonexistent.png",
+                headers=auth_headers(maker_user),
+            )
+
+        assert resp.status_code == 404
+
+
+class TestDeleteFile:
+    """DELETE /api/files/{file_path} tests."""
+
+    async def test_delete_file(
+        self, client: AsyncClient, maker_user: User, tmp_path: Path
+    ):
+        """Maker can delete a file."""
+        test_file = tmp_path / "deleteme.txt"
+        test_file.write_text("delete me")
+
+        with patch("routers.files.settings") as mock_settings:
+            mock_settings.upload_path = tmp_path
+
+            resp = await client.delete(
+                "/api/files/deleteme.txt",
+                headers=auth_headers(maker_user),
+            )
+
+        assert resp.status_code == 204
+        assert not test_file.exists()
+
+
+class TestFilenameSanitization:
+    """Path traversal protection tests."""
+
+    async def test_path_traversal_blocked(
+        self, client: AsyncClient, maker_user: User, tmp_path: Path
+    ):
+        """Path traversal attempt returns 403 or 404."""
+        with patch("routers.files.settings") as mock_settings:
+            mock_settings.upload_path = tmp_path
+
+            resp = await client.get(
+                "/api/files/../../etc/passwd",
+                headers=auth_headers(maker_user),
+            )
+
+        # Should be blocked by security check
+        assert resp.status_code in (403, 404)