feat: Add invoicing feature implementation plan, improve security logging, and enable CSRF protection.

Author: ashwin31

backend/common/audit_log.py

@@ -152,13 +152,13 @@ def _log(
 
         # Log to Python logger
         log_level = logging.INFO if success else logging.WARNING
-        user_email = user.email if user else "anonymous"
-        org_name = org.name if org else "none"
+        user_id = str(user.id) if user else "anonymous"
+        org_id = str(org.id) if org else "none"
 
         logger.log(
             log_level,
-            f"{event_type} | user={user_email} | org={org_name} | "
-            f"ip={request_info.get('ip_address')} | {description}",
+            f"{event_type} | user_id={user_id} | org_id={org_id} | "
+            f"ip={request_info.get('ip_address')} | success={success}",
         )
 
     def login_success(self, user, org, request=None):

backend/common/external_auth.py

@@ -46,7 +46,7 @@ def authenticate(self, request):
             return (profile.user, None)
 
         except Org.DoesNotExist:
-            logger.warning(f"Invalid API key attempted: {api_key[:8]}...")
+            logger.warning("Invalid API key attempted")
             raise AuthenticationFailed("Invalid API Key")
 
 

backend/common/middleware/get_company.py

@@ -137,5 +137,5 @@ def _process_api_key_auth(self, request, api_key):
             logger.debug(f"Set org context from API key: org={organization.id}")
 
         except Org.DoesNotExist:
-            logger.warning(f"Invalid API key attempted: {api_key[:8]}...")
+            logger.warning("Invalid API key attempted")
             raise AuthenticationFailed("Invalid API Key")

backend/common/views/auth_views.py

@@ -392,8 +392,8 @@ def post(self, request):
                 status=status.HTTP_200_OK,
             )
 
-        except TokenError as e:
-            return Response({"error": str(e)}, status=status.HTTP_401_UNAUTHORIZED)
+        except TokenError:
+            return Response({"error": "Invalid or expired token"}, status=status.HTTP_401_UNAUTHORIZED)
         except User.DoesNotExist:
             return Response(
                 {"error": "User not found"}, status=status.HTTP_401_UNAUTHORIZED

backend/crm/settings.py

@@ -46,6 +46,7 @@
     "whitenoise.middleware.WhiteNoiseMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
+    "django.middleware.csrf.CsrfViewMiddleware",  # CSRF protection
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",