feat(web): self-onboarding multi-tenant + auth sesiune (PRD 3.3a)

Canalul web trece de la 100% deschis (hardcodat cont 1) la autentificat si multi-tenant. Un service nou se inregistreaza din browser, primeste o cheie API (o singura data) si o sesiune; contul se creeaza "in asteptare" (active=0) si nu trimite la RAR pana la activarea de catre admin (tools/account.py activate). - users + app/users.py: parole scrypt (salt per-user, eticheta parametri onorata la verify pentru migrare cost), email unic case-insensitive - sesiune: SessionMiddleware (same_site=strict, https_only config) + app/web/session.py (current_account/web_account/require_login->LoginRequired, set_session clear-inainte) - CSRF (app/web/csrf.py) enforce in prod inclusiv pe login/signup + rate-limit in-proces (app/web/ratelimit.py) pe signup si login - signup/login/logout (app/web/auth_routes.py): signup tranzactie atomica, cheie-o-data, log SIGNUP pentru descoperire admin - dashboard + import scoped pe contul sesiunii (regula NULL->cont 1); toate rutele web care ating date sensibile sub require_login; nomenclator ramane global - banner "cont in asteptare" pentru conturi active=0 - gate worker: claim_one LEFT JOIN accounts COALESCE(active,1)=1 (account_id NULL=activ) VERIFY context curat (2 runde): leak cross-account /_fragments/mapari prins+reparat. /code-review high: csrf_token lipsa pe re-randari de eroare, scrypt_params ignorat, login fara rate-limit -- toate reparate. 361 teste pass (de la 313). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 16:43:21 +00:00
parent 748ab8b289
commit 504b490d3b
29 changed files with 2264 additions and 106 deletions
--- a/tests/test_mapari_scope.py
+++ b/tests/test_mapari_scope.py
@@ -0,0 +1,77 @@
+"""Teste C6: /_fragments/mapari scoped pe sesiune (task #7 fix leak cross-account).
+
+TDD: testele confirma mai intai ca leak-ul exista (RED), apoi fix-ul il inchide (GREEN).
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import tempfile
+
+import pytest
+from fastapi.testclient import TestClient
+
+
+@pytest.fixture()
+def env(monkeypatch):
+    tmp = tempfile.mkdtemp()
+    monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "mapari.db"))
+    from app.config import get_settings
+    get_settings.cache_clear()
+    from app.main import app
+    with TestClient(app, follow_redirects=False) as c:
+        from app.db import get_connection
+        conn = get_connection()
+        from app.accounts import create_account
+        acct_a = create_account(conn, "Cont A Mapari")
+        acct_b = create_account(conn, "Cont B Mapari")
+        yield c, conn, acct_a, acct_b
+        conn.close()
+    get_settings.cache_clear()
+
+
+def _insert_needs_mapping(conn, account_id, cod_op):
+    payload = json.dumps({"vin": "VIN001", "nr_inmatriculare": "B01TST",
+                          "data_prestatie": "2026-06-01", "odometru_final": "1000",
+                          "prestatii": [{"cod_op_service": cod_op, "denumire": cod_op}]})
+    conn.execute(
+        "INSERT INTO submissions (idempotency_key, account_id, status, payload_json) "
+        "VALUES (?, ?, 'needs_mapping', ?)",
+        (f"key_{account_id}_{cod_op}", account_id, payload),
+    )
+
+
+def test_fragment_mapari_scoped_pe_cont(env, monkeypatch):
+    """/_fragments/mapari arata doar op-urile contului din sesiune, nu ale altuia."""
+    client, conn, acct_a, acct_b = env
+    _insert_needs_mapping(conn, acct_a, "OP-DOAR-A")
+    _insert_needs_mapping(conn, acct_b, "OP-DOAR-B")
+
+    import app.web.routes as routes
+    monkeypatch.setattr("app.web.routes.require_login", lambda r: acct_a)
+    r = client.get("/_fragments/mapari")
+    assert r.status_code == 200
+    assert "OP-DOAR-A" in r.text
+    assert "OP-DOAR-B" not in r.text
+
+    monkeypatch.setattr("app.web.routes.require_login", lambda r: acct_b)
+    r = client.get("/_fragments/mapari")
+    assert r.status_code == 200
+    assert "OP-DOAR-B" in r.text
+    assert "OP-DOAR-A" not in r.text
+
+
+def test_fragment_mapari_nelogat_redirect(monkeypatch):
+    """web_auth_required=True + fara sesiune -> 303 /login."""
+    tmp = tempfile.mkdtemp()
+    monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "mapari_auth.db"))
+    monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "true")
+    from app.config import get_settings
+    get_settings.cache_clear()
+    from app.main import app
+    with TestClient(app, follow_redirects=False) as c:
+        r = c.get("/_fragments/mapari")
+        assert r.status_code == 303
+        assert "/login" in r.headers.get("location", "")
+    get_settings.cache_clear()