Merge branch 'chore/production-readiness-docs' into develop

.codex/project.md

@@ -121,14 +121,22 @@ enabled_profiles:
 
 Work must happen on the current feature branch for the task.
 
+## Git Workflow Policy
+
+- `develop` is the integration branch.
+- `main` is reserved for stable releases.
+- For non-trivial changes, Codex MUST work on a dedicated task branch.
+- Allowed task branch prefixes: `feature/`, `fix/`, `docs/`, `chore/`.
+- Codex MUST NOT merge into `develop` or `main`.
+- Codex may commit only on the current task branch after required checks pass.
+- The human operator reviews, merges, pushes, and deletes branches.
+
 Allowed branch prefixes when a new branch is explicitly needed:
 
 - `feature/`
 - `fix/`
-- `hotfix/`
 - `chore/`
 - `docs/`
-- `refactor/`
 
 Do not merge task branches into `develop`. Leave integration to the repository owner or a separate explicit request.
 

.env.example

@@ -12,10 +12,10 @@ FRONTEND_PORT=8080
 
 DJANGO_SECRET_KEY=change-me
 DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1
-DJANGO_CSRF_TRUSTED_ORIGINS=http://localhost:8080
+DJANGO_CSRF_TRUSTED_ORIGINS=http://localhost
 DJANGO_DEBUG=true
-CORS_ALLOWED_ORIGINS=http://localhost:4200,http://localhost:8080,http://localhost
+CORS_ALLOWED_ORIGINS=http://localhost:4200,http://localhost
-SITE_BASE_URL=http://localhost:8080
+SITE_BASE_URL=http://localhost
 TIME_ZONE=Europe/Rome
 EMAIL_BACKEND=django.core.mail.backends.console.EmailBackend
 DEFAULT_FROM_EMAIL=no-reply@azionelab.local
@@ -29,3 +29,6 @@ POSTGRES_PORT=5432
 DATABASE_URL=postgres://azionelab:change-me@postgres:5432/azionelab
 
 ENVIRONMENT=local
+
+# Local convention: nginx is the public entrypoint on http://localhost.
+# If you change the published nginx port, update SITE_BASE_URL and trusted origins to match.

backend/azionelab/settings.py

@@ -24,7 +24,7 @@ def csv_env(name, default=""):
 ALLOWED_HOSTS = csv_env("DJANGO_ALLOWED_HOSTS", "localhost,127.0.0.1")
 CSRF_TRUSTED_ORIGINS = csv_env("DJANGO_CSRF_TRUSTED_ORIGINS")
 CORS_ALLOWED_ORIGINS = csv_env("CORS_ALLOWED_ORIGINS")
-SITE_BASE_URL = os.environ.get("SITE_BASE_URL", "http://localhost:8080").rstrip("/")
+SITE_BASE_URL = os.environ.get("SITE_BASE_URL", "http://localhost").rstrip("/")
 
 INSTALLED_APPS = [
     "django.contrib.admin",
@@ -123,4 +123,11 @@ REST_FRAMEWORK = {
     "DEFAULT_PARSER_CLASSES": [
         "rest_framework.parsers.JSONParser",
     ],
+    "DEFAULT_THROTTLE_RATES": {
+        # Small-theatre defaults: stricter on public booking flows, looser for staff operations.
+        "reservation_create": "20/hour",
+        "reservation_confirm": "60/hour",
+        "check_in_preview": "600/hour",
+        "check_in_confirm": "600/hour",
+    },
 }

backend/bookings/admin.py

@@ -40,8 +40,8 @@ class ReservationAdminForm(forms.ModelForm):
 class ReservationTokenInline(admin.TabularInline):
     model = ReservationToken
     extra = 0
-    readonly_fields = ("token_hash", "used_at", "created_at")
+    readonly_fields = ("used_at", "created_at")
-    fields = ("purpose", "token_hash", "expires_at", "used_at", "created_at")
+    fields = ("purpose", "expires_at", "used_at", "created_at")
     can_delete = False
 
 
@@ -231,13 +231,10 @@ class ReservationAdmin(admin.ModelAdmin):
 
 @admin.register(ReservationToken)
 class ReservationTokenAdmin(admin.ModelAdmin):
-    list_display = ("reservation", "purpose", "expires_at", "used_at", "created_at", "token_preview")
+    list_display = ("reservation", "purpose", "expires_at", "used_at", "created_at")
     list_filter = ("purpose", "expires_at", "used_at", "created_at")
     search_fields = ("reservation__name", "reservation__email", "token_hash")
-    readonly_fields = ("token_hash", "created_at", "used_at")
+    readonly_fields = ("created_at", "used_at")
+    exclude = ("token_hash",)
     list_select_related = ("reservation", "reservation__performance")
     autocomplete_fields = ("reservation",)
-
-    @admin.display(description="Token hash")
-    def token_preview(self, obj):
-        return obj.token_hash[:12]

backend/bookings/services.py

@@ -113,16 +113,19 @@ def create_pending_reservation(
             expires_at=confirmation_expires_at,
         )
 
+        transaction.on_commit(
+            lambda reservation=reservation, raw_confirmation_token=raw_confirmation_token: send_confirmation_email(
+                reservation=reservation,
+                raw_confirmation_token=raw_confirmation_token,
+            )
+        )
+
     result = PendingReservationResult(
         reservation=reservation,
         confirmation_token=confirmation_token,
         raw_confirmation_token=raw_confirmation_token,
         available_seats=available_seats,
     )
-    send_confirmation_email(
-        reservation=result.reservation,
-        raw_confirmation_token=result.raw_confirmation_token,
-    )
     return result
 
 
@@ -195,22 +198,22 @@ def confirm_reservation_from_token(raw_token):
         available_seats=available_seats - reservation.party_size,
         qr_code_image=generate_check_in_qr_base64(
             reservation=reservation,
-            raw_check_in_token=raw_token,
+            raw_check_in_token=raw_check_in_token,
         ),
-        qr_code_url=build_check_in_preview_url(raw_token),
+        qr_code_url=build_check_in_preview_url(raw_check_in_token),
     )
 
 
 def retrieve_reservation_qr_from_token(raw_token):
     try:
-        confirmation_token = ReservationToken.objects.select_related("reservation").get(
+        check_in_token = ReservationToken.objects.select_related("reservation").get_valid_token(
-            token_hash=ReservationToken.hash_token(raw_token),
+            raw_token,
-            purpose=ReservationToken.Purpose.CONFIRMATION,
+            ReservationToken.Purpose.CHECK_IN,
         )
     except ReservationToken.DoesNotExist as exc:
-        raise InvalidToken("Confirmation token is invalid.") from exc
+        raise InvalidToken("Check-in token is invalid.") from exc
 
-    reservation = confirmation_token.reservation
+    reservation = check_in_token.reservation
     if reservation.status != Reservation.Status.CONFIRMED:
         raise ReservationNotConfirmed("Reservation must be confirmed before QR retrieval.")
 

backend/bookings/test_admin.py

@@ -53,6 +53,7 @@ class ReservationAdminTests(TestCase):
         self.assertContains(response, "The reservation stays pending")
 
     def test_admin_can_create_manual_reservation_with_standard_email_flow(self):
+        with self.captureOnCommitCallbacks(execute=True):
             response = self.client.post(
                 reverse("admin:bookings_reservation_add"),
                 {
@@ -82,3 +83,29 @@ class ReservationAdminTests(TestCase):
             "https://tickets.azionelab.example/api/reservations/confirm/?token=",
             mail.outbox[0].body,
         )
+
+    def test_token_hash_is_hidden_in_token_admin_views(self):
+        reservation = Reservation.objects.create(
+            performance=self.performance,
+            name="Maria Rossi",
+            email="maria@example.com",
+            party_size=2,
+        )
+        token, _ = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+
+        changelist_response = self.client.get(reverse("admin:bookings_reservationtoken_changelist"))
+        change_response = self.client.get(
+            reverse("admin:bookings_reservationtoken_change", args=[token.id]),
+        )
+
+        self.assertEqual(changelist_response.status_code, 200)
+        self.assertEqual(change_response.status_code, 200)
+        self.assertNotContains(changelist_response, token.token_hash)
+        self.assertNotContains(change_response, token.token_hash)
+        self.assertContains(change_response, token.get_purpose_display())
+        self.assertContains(change_response, "Expires at")
+        self.assertContains(change_response, "Used at")

backend/bookings/test_api.py

@@ -1,4 +1,5 @@
 from datetime import timedelta
+from unittest.mock import patch
 
 from django.core import mail
 from django.urls import reverse
@@ -9,6 +10,7 @@ from rest_framework.test import APITestCase
 
 from bookings.models import Reservation
 from bookings.services import generate_confirmation_token
+from bookings.views import ReservationConfirmThrottle, ReservationCreateThrottle
 from shows.models import Performance, Show, Venue
 
 
@@ -63,6 +65,7 @@ class BookingApiTests(APITestCase):
 
     @override_settings(SITE_BASE_URL="https://tickets.azionelab.example")
     def test_reservation_creation_success(self):
+        with self.captureOnCommitCallbacks(execute=True):
             response = self.client.post(
                 reverse("api-reservation-create", kwargs={"performance_id": self.performance.id}),
                 {
@@ -87,6 +90,48 @@ class BookingApiTests(APITestCase):
             mail.outbox[0].body,
         )
 
+    def test_reservation_creation_schedules_email_after_commit(self):
+        with self.captureOnCommitCallbacks(execute=False) as callbacks:
+            response = self.client.post(
+                reverse("api-reservation-create", kwargs={"performance_id": self.performance.id}),
+                {
+                    "name": "Maria Rossi",
+                    "email": "maria@example.com",
+                    "party_size": 2,
+                },
+                format="json",
+            )
+
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+        self.assertEqual(len(callbacks), 1)
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_reservation_creation_is_throttled(self):
+        with patch.dict(ReservationCreateThrottle.THROTTLE_RATES, {"reservation_create": "1/minute"}, clear=False):
+            with self.captureOnCommitCallbacks(execute=True):
+                first_response = self.client.post(
+                    reverse("api-reservation-create", kwargs={"performance_id": self.performance.id}),
+                    {
+                        "name": "Maria Rossi",
+                        "email": "maria@example.com",
+                        "party_size": 1,
+                    },
+                    format="json",
+                )
+
+            second_response = self.client.post(
+                reverse("api-reservation-create", kwargs={"performance_id": self.performance.id}),
+                {
+                    "name": "Maria Rossi",
+                    "email": "maria@example.com",
+                    "party_size": 1,
+                },
+                format="json",
+            )
+
+        self.assertEqual(first_response.status_code, status.HTTP_201_CREATED)
+        self.assertEqual(second_response.status_code, status.HTTP_429_TOO_MANY_REQUESTS)
+
     def test_reservation_creation_with_insufficient_seats(self):
         response = self.client.post(
             reverse("api-reservation-create", kwargs={"performance_id": self.performance.id}),
@@ -123,6 +168,7 @@ class BookingApiTests(APITestCase):
                 "https://tickets.azionelab.example/api/check-ins/preview/?token="
             )
         )
+        self.assertNotIn(raw_token, response.data["qr_code_url"])
         self.assertNotIn("token", response.data)
         self.assertTrue(response.data["qr_code_image"].startswith("data:image/png;base64,"))
         self.assertEqual(reservation.status, Reservation.Status.CONFIRMED)
@@ -170,8 +216,55 @@ class BookingApiTests(APITestCase):
         self.assertEqual(second_response.status_code, status.HTTP_409_CONFLICT)
         self.assertEqual(second_response.data["status"], "already_confirmed")
 
+    def test_confirmation_is_throttled(self):
+        with patch.dict(ReservationConfirmThrottle.THROTTLE_RATES, {"reservation_confirm": "1/minute"}, clear=False):
+            first_reservation = self.create_reservation(email="first@example.com")
+            _, first_raw_token = generate_confirmation_token(first_reservation)
+            second_reservation = self.create_reservation(email="second@example.com")
+            _, second_raw_token = generate_confirmation_token(second_reservation)
+
+            first_response = self.client.post(
+                reverse("api-reservation-confirm"),
+                {"token": first_raw_token},
+                format="json",
+            )
+            second_response = self.client.post(
+                reverse("api-reservation-confirm"),
+                {"token": second_raw_token},
+                format="json",
+            )
+
+        self.assertEqual(first_response.status_code, status.HTTP_200_OK)
+        self.assertEqual(second_response.status_code, status.HTTP_429_TOO_MANY_REQUESTS)
+
     @override_settings(SITE_BASE_URL="https://tickets.azionelab.example")
     def test_qr_retrieval_success_for_confirmed_reservation(self):
+        reservation = self.create_reservation()
+        _, raw_token = generate_confirmation_token(reservation)
+        confirmation_response = self.client.post(
+            reverse("api-reservation-confirm"),
+            {"token": raw_token},
+            format="json",
+        )
+        check_in_token = confirmation_response.data["qr_code_url"].split("token=", 1)[1]
+
+        response = self.client.get(
+            reverse("api-reservation-qr"),
+            {"token": check_in_token},
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["reservation_id"], reservation.id)
+        self.assertTrue(
+            response.data["qr_code_url"].startswith(
+                "https://tickets.azionelab.example/api/check-ins/preview/?token="
+            )
+        )
+        self.assertTrue(response.data["qr_code_image"].startswith("data:image/png;base64,"))
+        self.assertNotIn("email", response.data)
+        self.assertNotIn("name", response.data)
+
+    def test_qr_retrieval_rejects_confirmation_token(self):
         reservation = self.create_reservation()
         _, raw_token = generate_confirmation_token(reservation)
         self.client.post(
@@ -185,16 +278,8 @@ class BookingApiTests(APITestCase):
             {"token": raw_token},
         )
 
-        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
-        self.assertEqual(response.data["reservation_id"], reservation.id)
+        self.assertEqual(response.data["status"], "invalid_token")
-        self.assertTrue(
-            response.data["qr_code_url"].startswith(
-                "https://tickets.azionelab.example/api/check-ins/preview/?token="
-            )
-        )
-        self.assertTrue(response.data["qr_code_image"].startswith("data:image/png;base64,"))
-        self.assertNotIn("email", response.data)
-        self.assertNotIn("name", response.data)
 
     def test_qr_retrieval_fails_for_invalid_token(self):
         response = self.client.get(
@@ -214,8 +299,8 @@ class BookingApiTests(APITestCase):
             {"token": raw_token},
         )
 
-        self.assertEqual(response.status_code, status.HTTP_409_CONFLICT)
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
-        self.assertEqual(response.data["status"], "reservation_not_confirmed")
+        self.assertEqual(response.data["status"], "invalid_token")
         self.assertEqual(reservation.status, Reservation.Status.PENDING)
 
     def create_reservation(self, **overrides):

backend/bookings/test_services.py

@@ -19,6 +19,7 @@ from bookings.services import (
     confirm_reservation_from_token,
     create_pending_reservation,
     generate_confirmation_token,
+    retrieve_reservation_qr_from_token,
 )
 from shows.models import Performance, Show, Venue
 
@@ -64,7 +65,8 @@ class BookingServiceTests(TestCase):
         EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend",
         SITE_BASE_URL="https://tickets.azionelab.example",
     )
-    def test_create_pending_reservation_sends_confirmation_email(self):
+    def test_create_pending_reservation_sends_confirmation_email_after_commit(self):
+        with self.captureOnCommitCallbacks(execute=True) as callbacks:
             result = create_pending_reservation(
                 performance_id=self.performance.id,
                 name="Maria Rossi",
@@ -72,6 +74,7 @@ class BookingServiceTests(TestCase):
                 party_size=1,
             )
 
+        self.assertEqual(len(callbacks), 1)
         self.assertEqual(len(mail.outbox), 1)
         self.assertEqual(mail.outbox[0].to, ["maria@example.com"])
         self.assertIn(result.raw_confirmation_token, mail.outbox[0].body)
@@ -80,9 +83,23 @@ class BookingServiceTests(TestCase):
             mail.outbox[0].body,
         )
 
+    @override_settings(EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend")
+    def test_create_pending_reservation_defers_email_until_commit(self):
+        with self.captureOnCommitCallbacks(execute=False) as callbacks:
+            create_pending_reservation(
+                performance_id=self.performance.id,
+                name="Maria Rossi",
+                email="maria@example.com",
+                party_size=1,
+            )
+
+        self.assertEqual(len(callbacks), 1)
+        self.assertEqual(len(mail.outbox), 0)
+
     @patch("bookings.emailing.send_mail", side_effect=RuntimeError("SMTP down"))
     def test_create_pending_reservation_logs_email_failure_without_crashing(self, mocked_send_mail):
         with self.assertLogs("bookings.emailing", level="ERROR") as captured_logs:
+            with self.captureOnCommitCallbacks(execute=True):
                 result = create_pending_reservation(
                     performance_id=self.performance.id,
                     name="Maria Rossi",
@@ -130,7 +147,7 @@ class BookingServiceTests(TestCase):
         self.assertEqual(result.available_seats, 1)
         self.assertEqual(
             result.qr_code_url,
-            build_check_in_preview_url(raw_token),
+            build_check_in_preview_url(result.raw_check_in_token),
         )
         self.assertTrue(
             result.qr_code_url.startswith(
@@ -139,6 +156,19 @@ class BookingServiceTests(TestCase):
         )
         self.assertTrue(result.qr_code_image.startswith("data:image/png;base64,"))
 
+    @override_settings(SITE_BASE_URL="https://tickets.azionelab.example")
+    def test_confirmation_token_cannot_be_reused_as_qr_or_check_in_token(self):
+        reservation = self.create_reservation()
+        _, raw_token = generate_confirmation_token(reservation)
+
+        result = confirm_reservation_from_token(raw_token)
+
+        self.assertNotEqual(raw_token, result.raw_check_in_token)
+        self.assertNotEqual(
+            build_check_in_preview_url(raw_token),
+            result.qr_code_url,
+        )
+
     @override_settings(SITE_BASE_URL="https://tickets.azionelab.example")
     def test_qr_code_is_generated_for_confirmed_reservation(self):
         reservation = self.create_reservation(
@@ -171,6 +201,28 @@ class BookingServiceTests(TestCase):
                 raw_check_in_token="opaque-check-in-token",
             )
 
+    def test_qr_retrieval_rejects_confirmation_token(self):
+        reservation = self.create_reservation()
+        _, raw_confirmation_token = generate_confirmation_token(reservation)
+        confirm_reservation_from_token(raw_confirmation_token)
+
+        with self.assertRaises(InvalidToken):
+            retrieve_reservation_qr_from_token(raw_confirmation_token)
+
+    def test_qr_retrieval_accepts_check_in_token(self):
+        reservation = self.create_reservation()
+        _, raw_confirmation_token = generate_confirmation_token(reservation)
+        result = confirm_reservation_from_token(raw_confirmation_token)
+
+        qr_result = retrieve_reservation_qr_from_token(result.raw_check_in_token)
+
+        self.assertEqual(qr_result.reservation, reservation)
+        self.assertEqual(
+            qr_result.qr_code_url,
+            build_check_in_preview_url(result.raw_check_in_token),
+        )
+        self.assertTrue(qr_result.qr_code_image.startswith("data:image/png;base64,"))
+
     def test_confirmation_fails_when_capacity_is_exhausted(self):
         Reservation.objects.create(
             performance=self.performance,

backend/bookings/views.py

@@ -1,7 +1,8 @@
 from django.shortcuts import get_object_or_404
 from rest_framework import status
-from rest_framework.decorators import api_view
+from rest_framework.decorators import api_view, throttle_classes
 from rest_framework.response import Response
+from rest_framework.throttling import AnonRateThrottle
 
 from shows.models import Performance
 
@@ -25,7 +26,16 @@ from .services import (
 )
 
 
+class ReservationCreateThrottle(AnonRateThrottle):
+    scope = "reservation_create"
+
+
+class ReservationConfirmThrottle(AnonRateThrottle):
+    scope = "reservation_confirm"
+
+
 @api_view(["POST"])
+@throttle_classes([ReservationCreateThrottle])
 def create_reservation(request, performance_id):
     get_object_or_404(Performance, pk=performance_id, show__is_published=True)
 
@@ -60,6 +70,7 @@ def create_reservation(request, performance_id):
 
 
 @api_view(["GET", "POST"])
+@throttle_classes([ReservationConfirmThrottle])
 def confirm_reservation(request):
     payload = request.query_params if request.method == "GET" else request.data
     serializer = ReservationConfirmSerializer(data=payload)

backend/checkins/services.py

@@ -98,18 +98,13 @@ def _get_reservation_for_check_in_token(raw_token, *, lock_token=False):
     try:
         token = queryset.get(
             token_hash=ReservationToken.hash_token(raw_token),
+            purpose=ReservationToken.Purpose.CHECK_IN,
         )
     except ReservationToken.DoesNotExist as exc:
         raise InvalidToken("Check-in token is invalid.") from exc
 
-    if token.purpose == ReservationToken.Purpose.CHECK_IN:
     if token.used_at is not None or token.is_expired:
         raise InvalidToken("Check-in token is invalid.")
-    elif token.purpose == ReservationToken.Purpose.CONFIRMATION:
-        if token.reservation.status != Reservation.Status.CONFIRMED:
-            raise InvalidToken("Check-in token is invalid.")
-    else:
-        raise InvalidToken("Check-in token is invalid.")
 
     return token.reservation
 

backend/checkins/test_api.py

@@ -1,13 +1,16 @@
 from datetime import timedelta
+from unittest.mock import patch
 
 from django.contrib.auth import get_user_model
 from django.urls import reverse
+from django.test.utils import override_settings
 from django.utils import timezone
 from rest_framework import status
 from rest_framework.test import APITestCase
 
 from bookings.models import Reservation, ReservationToken
 from checkins.models import CheckIn
+from checkins.views import CheckInPreviewThrottle
 from shows.models import Performance, Show, Venue
 
 
@@ -87,6 +90,46 @@ class CheckInApiTests(APITestCase):
         self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
         self.assertEqual(response.data["status"], "invalid_token")
 
+    def test_preview_rejects_confirmation_token(self):
+        reservation = self.create_reservation()
+        _, raw_token = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+        self.client.force_authenticate(user=self.staff_user)
+
+        response = self.client.post(
+            reverse("api-check-in-preview"),
+            {"token": raw_token},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(response.data["status"], "invalid_token")
+
+    def test_preview_is_throttled_for_staff_user(self):
+        with patch.dict(CheckInPreviewThrottle.THROTTLE_RATES, {"check_in_preview": "1/minute"}, clear=False):
+            first_reservation = self.create_reservation(email="first@example.com")
+            _, first_raw_token = self.create_check_in_token(first_reservation)
+            second_reservation = self.create_reservation(email="second@example.com")
+            _, second_raw_token = self.create_check_in_token(second_reservation)
+            self.client.force_authenticate(user=self.staff_user)
+
+            first_response = self.client.post(
+                reverse("api-check-in-preview"),
+                {"token": first_raw_token},
+                format="json",
+            )
+            second_response = self.client.post(
+                reverse("api-check-in-preview"),
+                {"token": second_raw_token},
+                format="json",
+            )
+
+        self.assertEqual(first_response.status_code, status.HTTP_200_OK)
+        self.assertEqual(second_response.status_code, status.HTTP_429_TOO_MANY_REQUESTS)
+
     def test_check_in_success_as_staff_user(self):
         reservation = self.create_reservation()
         _, raw_token = self.create_check_in_token(reservation)
@@ -171,6 +214,25 @@ class CheckInApiTests(APITestCase):
         self.assertEqual(second_response.data["status"], "already_checked_in")
         self.assertEqual(CheckIn.objects.filter(reservation=reservation).count(), 1)
 
+    def test_check_in_rejects_confirmation_token(self):
+        reservation = self.create_reservation()
+        _, raw_token = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+        self.client.force_authenticate(user=self.staff_user)
+
+        response = self.client.post(
+            reverse("api-check-in-confirm"),
+            {"token": raw_token},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(response.data["status"], "invalid_token")
+        self.assertFalse(CheckIn.objects.filter(reservation=reservation).exists())
+
     def create_reservation(self, **overrides):
         data = {
             "performance": self.performance,

backend/checkins/test_services.py

@@ -62,6 +62,17 @@ class CheckInServiceTests(TestCase):
         with self.assertRaises(InvalidToken):
             preview_check_in_token("invalid-token", staff_user=self.staff_user)
 
+    def test_preview_rejects_confirmation_token_even_for_confirmed_reservation(self):
+        reservation = self.create_reservation()
+        _, raw_token = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+
+        with self.assertRaises(InvalidToken):
+            preview_check_in_token(raw_token, staff_user=self.staff_user)
+
     def test_check_in_succeeds_for_confirmed_reservation(self):
         reservation = self.create_reservation()
         _, raw_token = self.create_check_in_token(reservation)
@@ -114,6 +125,17 @@ class CheckInServiceTests(TestCase):
         with self.assertRaises(MissingStaffUser):
             confirm_check_in_from_token(raw_token, staff_user=None)
 
+    def test_check_in_rejects_confirmation_token_even_for_confirmed_reservation(self):
+        reservation = self.create_reservation()
+        _, raw_token = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+
+        with self.assertRaises(InvalidToken):
+            confirm_check_in_from_token(raw_token, staff_user=self.staff_user)
+
     def create_reservation(self, **overrides):
         data = {
             "performance": self.performance,

backend/checkins/views.py

@@ -1,8 +1,9 @@
 from rest_framework import status
 from rest_framework.authentication import BasicAuthentication, SessionAuthentication
-from rest_framework.decorators import api_view, authentication_classes, permission_classes
+from rest_framework.decorators import api_view, authentication_classes, permission_classes, throttle_classes
 from rest_framework.permissions import BasePermission, IsAuthenticated
 from rest_framework.response import Response
+from rest_framework.throttling import UserRateThrottle
 
 from .serializers import (
     CheckInConfirmResponseSerializer,
@@ -19,19 +20,22 @@ from .services import (
 )
 
 
+class CheckInPreviewThrottle(UserRateThrottle):
+    scope = "check_in_preview"
+
+
+class CheckInConfirmThrottle(UserRateThrottle):
+    scope = "check_in_confirm"
+
+
 class IsStaffUser(BasePermission):
     def has_permission(self, request, view):
         return bool(request.user and request.user.is_staff)
 
-
+@api_view(["POST"])
-def staff_check_in_view(view_func):
+@authentication_classes([BasicAuthentication, SessionAuthentication])
-    view_func = permission_classes([IsAuthenticated, IsStaffUser])(view_func)
+@permission_classes([IsAuthenticated, IsStaffUser])
-    view_func = authentication_classes([BasicAuthentication, SessionAuthentication])(view_func)
+@throttle_classes([CheckInPreviewThrottle])
-    view_func = api_view(["POST"])(view_func)
-    return view_func
-
-
-@staff_check_in_view
 def check_in_preview(request):
     serializer = CheckInTokenSerializer(data=request.data)
     serializer.is_valid(raise_exception=True)
@@ -73,7 +77,10 @@ def check_in_preview(request):
     return Response(response_serializer.data)
 
 
-@staff_check_in_view
+@api_view(["POST"])
+@authentication_classes([BasicAuthentication, SessionAuthentication])
+@permission_classes([IsAuthenticated, IsStaffUser])
+@throttle_classes([CheckInConfirmThrottle])
 def check_in_confirm(request):
     serializer = CheckInTokenSerializer(data=request.data)
     serializer.is_valid(raise_exception=True)

docs/api-contract.md

@@ -204,7 +204,7 @@ Response `200 OK`:
   "reservation_id": 123,
   "status": "confirmed",
   "party_size": 2,
-  "qr_code_url": "https://example.org/api/reservations/123/qr-code/"
+  "qr_code_url": "https://example.org/api/check-ins/preview/?token=opaque-check-in-token"
 }
 ```
 
@@ -222,13 +222,14 @@ Status codes:
 GET /api/reservations/{id}/qr-code/
 ```
 
-Returns the generated QR code for a confirmed reservation. Access must be protected by a valid QR token, signed URL, or equivalent control so that reservation IDs are not enough to retrieve QR codes.
+Returns the generated QR code for a confirmed reservation. Access must be protected by a valid opaque `check_in` token, signed URL, or equivalent control so that reservation IDs are not enough to retrieve QR codes.
 
 Response `200 OK`:
 
 ```json
 {
   "reservation_id": 123,
+  "qr_code_url": "https://example.org/api/check-ins/preview/?token=opaque-check-in-token",
   "qr_code_image": "data:image/png;base64,...",
   "printable": true
 }

docs/booking-flow.md

@@ -25,7 +25,7 @@ Availability shown to visitors is informational. The backend recalculates availa
    - requested seats do not exceed currently available seats.
 6. The backend creates a `pending` reservation.
 7. The backend creates a random opaque confirmation token.
-8. The backend sends an email with a confirmation link.
+8. After the transaction commits successfully, the backend sends an email with a confirmation link.
 9. The frontend tells the visitor to check their email.
 
 The reservation is not confirmed at this stage.
@@ -45,8 +45,8 @@ The reservation is not confirmed at this stage.
 6. The backend recalculates confirmed reservations for the performance.
 7. The backend confirms the reservation only if enough seats remain.
 8. The backend marks the confirmation token as used.
-9. The backend creates a QR verification token.
+9. The backend creates a separate `check_in` token for QR verification.
-10. The backend generates a QR code containing the opaque QR token or a verification URL.
+10. The backend generates a QR code containing only the opaque check-in token or a verification URL built from that token.
 11. The backend returns or sends the QR code to the visitor.
 
 If there is no longer enough capacity, the backend must not confirm the reservation.
@@ -111,7 +111,7 @@ This operational flow should still follow the same backend rules as the public b
 2. the backend validates booking availability and capacity;
 3. the backend creates a `pending` reservation;
 4. the backend creates the normal confirmation token;
-5. the backend sends the standard confirmation email;
+5. after the reservation transaction commits, the backend sends the standard confirmation email;
 6. the guest still confirms through the email link before the reservation becomes confirmed and usable for check-in.
 
 ## Duplicate Check-In

docs/deployment.md

@@ -1,5 +1,28 @@
 # Deployment
 
+## Production Readiness
+
+Before a real deployment, treat `.env.example` as local-development only. Create a separate `.env` for production and replace all placeholder values.
+
+Required production changes:
+
+- set `DJANGO_DEBUG=false`;
+- set a strong random `DJANGO_SECRET_KEY`;
+- set `DJANGO_ALLOWED_HOSTS` to the real public hostnames only;
+- set `DJANGO_CSRF_TRUSTED_ORIGINS` to the real public HTTPS origins;
+- set `SITE_BASE_URL` to the real public HTTPS base URL used for confirmation emails and QR/check-in links;
+- replace the console email backend with real SMTP settings and a valid sender address;
+- publish only nginx and terminate HTTPS at nginx or a trusted upstream reverse proxy;
+- keep `collectstatic --noinput` in the deployment flow before `up -d`;
+- persist the PostgreSQL named volume and configure tested backups before accepting bookings;
+- create the first admin account explicitly with `python manage.py createsuperuser`.
+
+Reverse proxy and HTTPS notes:
+
+- the current nginx template listens on plain HTTP port `80` only and must be adapted for production TLS;
+- if TLS is terminated by another reverse proxy, forward the public host and scheme correctly so generated links remain accurate;
+- keep `SITE_BASE_URL`, `DJANGO_ALLOWED_HOSTS`, and `DJANGO_CSRF_TRUSTED_ORIGINS` aligned with the final public URL.
+
 AzioneLab should deploy with a simple Docker Compose topology:
 
 - `nginx`: public reverse proxy and static frontend server;
@@ -92,17 +115,28 @@ Generated QR codes may also be generated on demand instead of stored as files. I
 
 Copy `.env.example` to `.env` and replace all placeholder values before running or deploying the stack.
 
+`.env.example` is intentionally local-dev oriented. Do not use it unchanged for production.
+
 Required backend configuration:
 
 - `DJANGO_SECRET_KEY`;
 - `DJANGO_ALLOWED_HOSTS`;
 - `DJANGO_CSRF_TRUSTED_ORIGINS`;
+- `DJANGO_DEBUG=false`;
 - `CORS_ALLOWED_ORIGINS`;
+- `SITE_BASE_URL`;
 - `TIME_ZONE`;
 - `DATABASE_URL` or equivalent database settings;
 - email host, port, username, password, TLS settings, and sender address;
 - public site URL used to build confirmation and QR verification links.
 
+Local Docker convention:
+
+- use nginx as the public entrypoint at `http://localhost`;
+- set `SITE_BASE_URL=http://localhost`;
+- keep `DJANGO_CSRF_TRUSTED_ORIGINS` and browser-facing `CORS_ALLOWED_ORIGINS` aligned with that public URL;
+- if you publish nginx on a different port, update `SITE_BASE_URL` and trusted origins to the same host and port.
+
 Required database configuration:
 
 - database name;
@@ -142,6 +176,7 @@ Expected production-style flow:
 docker compose --env-file .env -f infra/docker/compose.yml build
 docker compose --env-file .env -f infra/docker/compose.yml run --rm backend python manage.py migrate
 docker compose --env-file .env -f infra/docker/compose.yml run --rm backend python manage.py collectstatic --noinput
+docker compose --env-file .env -f infra/docker/compose.yml run --rm backend python manage.py createsuperuser
 docker compose --env-file .env -f infra/docker/compose.yml up -d
 ```
 

docs/security-notes.md

@@ -36,6 +36,9 @@ Rules:
 - do not encode personal data in tokens;
 - store token hashes when practical;
 - treat raw tokens as secrets;
+- keep confirmation tokens and check-in tokens separate by purpose;
+- allow confirmation tokens only for reservation confirmation;
+- allow check-in tokens only for QR retrieval and check-in validation;
 - mark one-time confirmation tokens as used after successful confirmation;
 - expire confirmation tokens after a reasonable period;
 - keep QR tokens valid only for the intended performance and check-in period where practical.
@@ -144,9 +147,20 @@ Deployment should follow least privilege:
 - avoid privileged containers;
 - use explicit image tags rather than `latest`;
 - persist PostgreSQL data in a named volume;
+- run production with `DJANGO_DEBUG=false`;
+- use a strong private `DJANGO_SECRET_KEY`;
+- restrict `DJANGO_ALLOWED_HOSTS` and `DJANGO_CSRF_TRUSTED_ORIGINS` to the real public deployment hosts;
+- keep `SITE_BASE_URL` set to the real public HTTPS URL so email and QR links are correct;
 - configure TLS for production;
 - serve static and media files without exposing private files.
 
+Operational production notes:
+
+- `.env.example` is for local development and examples only, not direct production use;
+- replace the console email backend with real SMTP settings before sending reservation emails;
+- create admin accounts explicitly and protect them with strong passwords and limited access;
+- keep verified database backups for the PostgreSQL volume before accepting live bookings.
+
 ## Logging
 
 Logs should help diagnose operational issues without exposing sensitive data.
@@ -165,7 +179,7 @@ Do not log:
 
 Initial residual risks:
 
-- synchronous email can make booking responses depend on SMTP availability;
+- synchronous email after commit can still add latency to booking requests even though it no longer runs inside the reservation transaction;
 - QR codes can be copied, so duplicate check-in prevention must be reliable;
 - staff account compromise would expose admin and check-in functionality;
 - retention and deletion rules for personal data still need a project policy.