Goal
Constrain movie create/update payloads so stored metadata and artwork URLs stay within expected bounds.
Context
Movie schemas allow broad strings/lists, and artwork handling has multiple policy surfaces: validation, rendering, CSP, and poster caching. This issue should make those policies line up so malformed metadata is rejected early and artwork URLs do not become a privacy or rendering risk.
Suggested Scope
- Add Pydantic length limits, list limits, numeric ranges, and external ID patterns where missing.
- Review poster/backdrop URL handling and decide whether to use allowlisted hosts, local cache/proxy-only URLs, or stricter URL validation.
- Keep existing valid imports and provider-enriched updates working.
- Add regression tests around oversize values, malformed IDs, invalid URLs, and valid provider URLs.
- Update docs if the accepted artwork URL policy changes.
Files or Areas
api/schemas/movie.py
api/services/movie_updates.py
api/services/poster_cache.py
api/routers/movies.py
templates/movie_detail.html
tests/test_movie_metadata.py
tests/test_movie_flags.py
tests/test_poster_cache.py
Out of Scope
- Bulk editing live movie records
- Pulling private database contents into fixtures
- Replacing the whole metadata import pipeline
- Expanding CSP to accept arbitrary image hosts without a documented policy
Acceptance Criteria
- Oversized or malformed metadata is rejected early with clear validation errors.
- Artwork URL policy is consistent between validation, caching, rendering, and CSP.
- Existing valid imports/updates still pass.
- Tests use synthetic movie data and fake URLs only.
Verification
pytest tests/test_movie_metadata.py tests/test_poster_cache.py
- Any focused create/update route tests added by the PR
- Optional manual check: update a synthetic movie with valid and invalid artwork URLs in a local dev database.
Contributor Notes
This is security/data-quality work. Please keep the PR narrow, use synthetic data, and avoid committing private exports, provider payloads, or live database rows.
Goal
Constrain movie create/update payloads so stored metadata and artwork URLs stay within expected bounds.
Context
Movie schemas allow broad strings/lists, and artwork handling has multiple policy surfaces: validation, rendering, CSP, and poster caching. This issue should make those policies line up so malformed metadata is rejected early and artwork URLs do not become a privacy or rendering risk.
Suggested Scope
Files or Areas
api/schemas/movie.pyapi/services/movie_updates.pyapi/services/poster_cache.pyapi/routers/movies.pytemplates/movie_detail.htmltests/test_movie_metadata.pytests/test_movie_flags.pytests/test_poster_cache.pyOut of Scope
Acceptance Criteria
Verification
pytest tests/test_movie_metadata.py tests/test_poster_cache.pyContributor Notes
This is security/data-quality work. Please keep the PR narrow, use synthetic data, and avoid committing private exports, provider payloads, or live database rows.