[FIX] apply data server sync, fix via code review comments

Author: bnbong

backend/app/api/me.py

@@ -5,9 +5,12 @@
 GET /me/collection — registered users only (guests have no persistent collection)
 """
 
-from fastapi import APIRouter, Depends
+import time
+
+from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.orm import Session
 
+from app.config import settings
 from app.database import get_db
 from app.dependencies import get_current_user, require_registered
 from app.models.db import User
@@ -16,10 +19,10 @@
 from app.schemas.progress import (
     CollectionUnlockRequest,
     CollectionUnlockResponse,
-    CurrencyUpdateRequest,
-    CurrencyUpdateResponse,
     ProgressMergeRequest,
     ProgressMergeResponse,
+    RewardClaimRequest,
+    RewardClaimResponse,
 )
 
 router = APIRouter(prefix="/me", tags=["me"])
@@ -107,17 +110,35 @@ def merge_progress(
     )
 
 
-@router.put("/currency", response_model=CurrencyUpdateResponse)
-def update_currency(
-    req: CurrencyUpdateRequest,
+# Per-user rate-limit state for single-play reward claims.
+# Key: user_id, Value: last claim timestamp.
+_reward_last_claim: dict[str, float] = {}
+
+
+@router.post("/reward", response_model=RewardClaimResponse)
+def claim_reward(
+    req: RewardClaimRequest,
     user: User = Depends(require_registered),
     db: Session = Depends(get_db),
-) -> CurrencyUpdateResponse:
+) -> RewardClaimResponse:
     """
-    Persist the exact wallet amount for the authenticated registered user.
+    Claim a delta-based currency reward from a single-player game.
+
+    The server validates:
+      - amount does not exceed REWARD_SINGLE_PLAY_MAX
+      - minimum cooldown between claims (rate-limit)
     """
-    profile_repo.set_currency(db, user.profile, req.currency)
-    return CurrencyUpdateResponse(currency=req.currency)
+    if req.amount > settings.REWARD_SINGLE_PLAY_MAX:
+        raise HTTPException(status_code=422, detail="Reward amount exceeds maximum")
+
+    now = time.monotonic()
+    last = _reward_last_claim.get(user.id, 0.0)
+    if now - last < settings.REWARD_SINGLE_PLAY_COOLDOWN_SECONDS:
+        raise HTTPException(status_code=429, detail="Reward claim too frequent")
+    _reward_last_claim[user.id] = now
+
+    profile_repo.add_currency(db, user.profile, req.amount)
+    return RewardClaimResponse(granted=req.amount, currency=user.profile.currency)
 
 
 @router.post("/collection/unlock", response_model=CollectionUnlockResponse)

backend/app/config.py

@@ -77,6 +77,17 @@ class Settings(BaseSettings):
     LOG_LEVEL: str = "INFO"
     ADMIN_TOKEN: str = ""
 
+    # Reward constants (must match client-side values for single-player validation).
+    REWARD_VICTORY_BASE: int = 100
+    REWARD_VICTORY_PER_ROUND: int = 10
+    REWARD_DEFEAT_BASE: int = 30
+    REWARD_DEFEAT_PER_ROUND: int = 5
+    # Maximum reward the server will accept from a single-play claim.
+    # Victory at round 10 = 100 + 10*10 = 200; generous cap at 500.
+    REWARD_SINGLE_PLAY_MAX: int = 500
+    # Rate-limit: minimum seconds between single-play reward claims.
+    REWARD_SINGLE_PLAY_COOLDOWN_SECONDS: int = 30
+
     # CORS — comma-separated origins, or ["*"] for wide-open dev.
     # Production example: "https://fallin.example.com,https://web.fallin.example.com"
     CORS_ORIGINS: list[str] = ["*"]

backend/app/main.py

@@ -64,12 +64,13 @@ async def lifespan(app: FastAPI):
 @app.get("/healthz", tags=["ops"])
 def health_check():
     """Liveness probe. Verifies the DB connection pool is healthy."""
+    db = SessionLocal()
     try:
-        db = SessionLocal()
         db.execute(text("SELECT 1"))
-        db.close()
     except Exception:
         return {"status": "degraded", "db": "unreachable"}
+    finally:
+        db.close()
     return {"status": "ok"}
 
 

backend/app/repositories/profile_repo.py

@@ -20,3 +20,12 @@ def set_currency(db: Session, profile: Profile, currency: int) -> Profile:
     db.commit()
     db.refresh(profile)
     return profile
+
+
+def add_currency(db: Session, profile: Profile, delta: int) -> Profile:
+    """Atomically add *delta* to the profile's wallet (can be negative)."""
+    profile.currency = max(0, profile.currency + delta)
+    profile.updated_at = _utcnow()
+    db.commit()
+    db.refresh(profile)
+    return profile

backend/app/schemas/progress.py

@@ -3,10 +3,12 @@
 
 These endpoints are intentionally narrow:
   - initial merge of local single-player progress into a registered account
-  - exact currency updates after in-game earn/spend events
+  - delta-based reward claims with server-side validation
   - idempotent soldier unlock writes
 """
 
+from typing import Literal
+
 from pydantic import BaseModel, Field
 
 
@@ -21,11 +23,18 @@ class ProgressMergeResponse(BaseModel):
     total_collected: int
 
 
-class CurrencyUpdateRequest(BaseModel):
-    currency: int = Field(ge=0)
+class RewardClaimRequest(BaseModel):
+    """Delta-based reward claim with reason for server validation."""
+
+    amount: int = Field(ge=0)
+    reason: Literal[
+        "single_play_victory",
+        "single_play_defeat",
+    ]
 
 
-class CurrencyUpdateResponse(BaseModel):
+class RewardClaimResponse(BaseModel):
+    granted: int
     currency: int
 
 

backend/app/services/nickname_service.py

@@ -94,6 +94,9 @@ def validate_nickname(raw: str) -> str:
     if not _ALLOWED_RE.match(nick):
         raise NicknameError("닉네임에는 한글, 영문, 숫자, 밑줄(_), 공백만 사용할 수 있습니다.")
 
+    if "  " in nick:
+        raise NicknameError("닉네임에 연속된 공백은 사용할 수 없습니다.")
+
     if _ALL_DIGITS_RE.match(nick):
         raise NicknameError("닉네임은 숫자만으로 구성될 수 없습니다.")
 

backend/app/services/report_service.py

@@ -25,6 +25,7 @@
 from __future__ import annotations
 
 import logging
+import re
 from typing import Optional
 
 from sqlalchemy.orm import Session
@@ -35,6 +36,7 @@
 logger = logging.getLogger("fall_in.report")
 
 _DETAILS_MAX_LEN = 280
+_HTML_TAG_RE = re.compile(r"<[^>]+>")
 
 
 class ReportError(ValueError):
@@ -76,10 +78,10 @@ def submit_report(
     if reporter_user_id and reporter_user_id == reported_user_id:
         raise ReportError("자기 자신을 신고할 수 없습니다.")
 
-    # Sanitise optional details.
+    # Sanitise optional details: strip HTML tags, then trim.
     clean_details: Optional[str] = None
     if details:
-        clean_details = details.strip()[:_DETAILS_MAX_LEN]
+        clean_details = _HTML_TAG_RE.sub("", details).strip()[:_DETAILS_MAX_LEN]
         if not clean_details:
             clean_details = None
 

backend/app/ws/handler.py

@@ -1046,6 +1046,8 @@ async def _continue_after_round_settlement(
     presence_manager.cancel_round_settlement_timeout(match.match_id)
 
     if summary.game_over:
+        rewards = _calculate_match_rewards(match, summary)
+        _grant_match_rewards(match, rewards)
         await manager.broadcast_to_room(
             room_code,
             {
@@ -1054,6 +1056,7 @@ async def _continue_after_round_settlement(
                     "match_id": match.match_id,
                     "winner_seat": summary.winner_seat,
                     "final_scores": summary.total_scores,
+                    "rewards": rewards,
                 },
             },
         )
@@ -1108,6 +1111,57 @@ def _apply_mmr_update(match, winner_seat: int) -> None:
         db.close()
 
 
+# ---------------------------------------------------------------------------
+# Reward helper (PR-09)
+# ---------------------------------------------------------------------------
+
+
+def _calculate_match_rewards(
+    match, summary
+) -> dict[int, int]:
+    """Return {seat_index: reward_amount} for every seat in the match."""
+    rewards: dict[int, int] = {}
+    for seat_index in match.seats:
+        is_winner = seat_index == summary.winner_seat
+        if is_winner:
+            amount = (
+                settings.REWARD_VICTORY_BASE
+                + summary.round_number * settings.REWARD_VICTORY_PER_ROUND
+            )
+        else:
+            amount = (
+                settings.REWARD_DEFEAT_BASE
+                + summary.round_number * settings.REWARD_DEFEAT_PER_ROUND
+            )
+        rewards[seat_index] = amount
+    return rewards
+
+
+def _grant_match_rewards(match, rewards: dict[int, int]) -> None:
+    """Persist currency rewards for registered human seats."""
+    from app.database import SessionLocal
+    from app.repositories import profile_repo
+    from app.repositories import user_repo as _user_repo
+
+    db = SessionLocal()
+    try:
+        for seat_index, amount in rewards.items():
+            seat = match.seats.get(seat_index)
+            if seat is None or seat.account_type != "registered" or seat.user_id is None:
+                continue
+            user = _user_repo.get_by_id(db, seat.user_id)
+            if user is None or user.profile is None:
+                continue
+            profile_repo.add_currency(db, user.profile, amount)
+    except Exception:
+        logger.exception(
+            "reward_grant_failed",
+            extra={"match_id": match.match_id},
+        )
+    finally:
+        db.close()
+
+
 # ---------------------------------------------------------------------------
 # Quick-match handlers (PR-06)
 # ---------------------------------------------------------------------------

backend/tests/test_collection.py

@@ -254,10 +254,15 @@ def test_merge_progress_uses_max_currency_and_union_collection(self, client, db:
         assert data["collected_soldier_ids"] == [11, 42, 77]
         assert data["total_collected"] == 3
 
-    def test_currency_update_persists_exact_wallet_amount(self, client):
+    def test_reward_claim_adds_currency(self, client):
         token = _register_and_get_token(client, "currency@example.com", nickname="Wallet")
-        resp = client.put("/me/currency", headers=_auth(token), json={"currency": 35})
+        resp = client.post(
+            "/me/reward",
+            headers=_auth(token),
+            json={"amount": 35, "reason": "single_play_victory"},
+        )
         assert resp.status_code == 200
+        assert resp.json()["granted"] == 35
         assert resp.json()["currency"] == 35
 
         profile = client.get("/me/profile", headers=_auth(token))
@@ -294,7 +299,11 @@ def test_guest_cannot_write_progress(self, client):
             headers=_auth(token),
             json={"currency": 50, "collected_soldier_ids": [7]},
         )
-        update = client.put("/me/currency", headers=_auth(token), json={"currency": 50})
+        update = client.post(
+            "/me/reward",
+            headers=_auth(token),
+            json={"amount": 50, "reason": "single_play_victory"},
+        )
         unlock = client.post(
             "/me/collection/unlock",
             headers=_auth(token),

backend/tests/test_match.py

@@ -868,6 +868,7 @@ def revoke_match_tokens(self, match_id: str) -> None:
                         "match_id": match.match_id,
                         "winner_seat": 0,
                         "final_scores": {0: 12, 1: 40, 2: 66, 3: 66},
+                        "rewards": {0: 130, 1: 45, 2: 45, 3: 45},
                     },
                 },
             )