feat(web): self-onboarding multi-tenant + auth sesiune (PRD 3.3a)
Canalul web trece de la 100% deschis (hardcodat cont 1) la autentificat si multi-tenant. Un service nou se inregistreaza din browser, primeste o cheie API (o singura data) si o sesiune; contul se creeaza "in asteptare" (active=0) si nu trimite la RAR pana la activarea de catre admin (tools/account.py activate). - users + app/users.py: parole scrypt (salt per-user, eticheta parametri onorata la verify pentru migrare cost), email unic case-insensitive - sesiune: SessionMiddleware (same_site=strict, https_only config) + app/web/session.py (current_account/web_account/require_login->LoginRequired, set_session clear-inainte) - CSRF (app/web/csrf.py) enforce in prod inclusiv pe login/signup + rate-limit in-proces (app/web/ratelimit.py) pe signup si login - signup/login/logout (app/web/auth_routes.py): signup tranzactie atomica, cheie-o-data, log SIGNUP pentru descoperire admin - dashboard + import scoped pe contul sesiunii (regula NULL->cont 1); toate rutele web care ating date sensibile sub require_login; nomenclator ramane global - banner "cont in asteptare" pentru conturi active=0 - gate worker: claim_one LEFT JOIN accounts COALESCE(active,1)=1 (account_id NULL=activ) VERIFY context curat (2 runde): leak cross-account /_fragments/mapari prins+reparat. /code-review high: csrf_token lipsa pe re-randari de eroare, scrypt_params ignorat, login fara rate-limit -- toate reparate. 361 teste pass (de la 313). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
155
tests/test_web_login.py
Normal file
155
tests/test_web_login.py
Normal file
@@ -0,0 +1,155 @@
|
||||
"""Teste US-004 (PRD 3.3): GET/POST /login, POST /logout.
|
||||
|
||||
TDD: testele se scriu INAINTE de implementarea auth_routes.py; la inceput pica (RED),
|
||||
dupa implementare trec (GREEN).
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import os
|
||||
import re
|
||||
import tempfile
|
||||
|
||||
import pytest
|
||||
from starlette.testclient import TestClient
|
||||
|
||||
|
||||
@pytest.fixture()
|
||||
def client(monkeypatch):
|
||||
tmp = tempfile.mkdtemp()
|
||||
monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "t.db"))
|
||||
from app.config import get_settings
|
||||
get_settings.cache_clear()
|
||||
from app.main import app
|
||||
with TestClient(app) as c:
|
||||
yield c
|
||||
get_settings.cache_clear()
|
||||
|
||||
|
||||
@pytest.fixture()
|
||||
def client_rl(monkeypatch):
|
||||
"""Client cu login_rate_max=2 pentru testul de rate-limit."""
|
||||
tmp = tempfile.mkdtemp()
|
||||
monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "t.db"))
|
||||
monkeypatch.setenv("AUTOPASS_LOGIN_RATE_MAX", "2")
|
||||
from app.config import get_settings
|
||||
get_settings.cache_clear()
|
||||
from app.web import ratelimit
|
||||
ratelimit._hits.clear()
|
||||
from app.main import app
|
||||
with TestClient(app) as c:
|
||||
yield c
|
||||
get_settings.cache_clear()
|
||||
|
||||
|
||||
def _get_csrf(client, url: str) -> str:
|
||||
resp = client.get(url)
|
||||
assert resp.status_code == 200
|
||||
m = re.search(r'name="csrf_token"\s+value="([^"]+)"', resp.text)
|
||||
if not m:
|
||||
m = re.search(r'value="([^"]+)"\s+name="csrf_token"', resp.text)
|
||||
assert m, f"csrf_token negasit in {url}"
|
||||
return m.group(1)
|
||||
|
||||
|
||||
def _create_user(email: str = "test@test.com", password: str = "parolasecreta", active: bool = True):
|
||||
"""Creeaza direct un cont + user in DB (fara HTTP)."""
|
||||
from app.accounts import create_account
|
||||
from app.users import create_user
|
||||
from app.db import get_connection
|
||||
conn = get_connection()
|
||||
try:
|
||||
acct_id = create_account(conn, "Service Test", active=active)
|
||||
user_id = create_user(conn, acct_id, email, password)
|
||||
return acct_id, user_id
|
||||
finally:
|
||||
conn.close()
|
||||
|
||||
|
||||
def test_login_corect_seteaza_sesiune(client):
|
||||
"""Credentiale corecte -> 303 redirect la /; sesiunea are account_id."""
|
||||
_create_user("valid@test.com", "parolasecreta", active=True)
|
||||
|
||||
token = _get_csrf(client, "/login")
|
||||
resp = client.post("/login", data={
|
||||
"email": "valid@test.com",
|
||||
"parola": "parolasecreta",
|
||||
"csrf_token": token,
|
||||
}, follow_redirects=False)
|
||||
|
||||
assert resp.status_code == 303
|
||||
loc = resp.headers.get("location", "")
|
||||
assert loc in ("/", "http://testserver/"), f"Redirect gresit: {loc}"
|
||||
|
||||
|
||||
def test_login_gresit_401_fara_leak(client):
|
||||
"""Parola gresita -> 401; mesaj generic fara a dezvalui daca emailul exista."""
|
||||
_create_user("real@test.com", "parolasecreta", active=True)
|
||||
|
||||
token = _get_csrf(client, "/login")
|
||||
resp = client.post("/login", data={
|
||||
"email": "real@test.com",
|
||||
"parola": "gresita",
|
||||
"csrf_token": token,
|
||||
})
|
||||
|
||||
assert resp.status_code == 401
|
||||
text = resp.text.lower()
|
||||
assert "inexistent" not in text, "Raspunsul dezvaluie ca emailul nu exista"
|
||||
assert "nu exista" not in text, "Raspunsul dezvaluie ca emailul nu exista"
|
||||
|
||||
|
||||
def test_logout_redirect_login(client):
|
||||
"""POST /logout -> 303 redirect la /login."""
|
||||
_create_user("logout@test.com", "parolasecreta", active=True)
|
||||
|
||||
token = _get_csrf(client, "/login")
|
||||
client.post("/login", data={
|
||||
"email": "logout@test.com",
|
||||
"parola": "parolasecreta",
|
||||
"csrf_token": token,
|
||||
}, follow_redirects=False)
|
||||
|
||||
# Dupa login, sesiunea e reset -> obtine un token CSRF nou
|
||||
token = _get_csrf(client, "/login")
|
||||
resp = client.post("/logout", data={"csrf_token": token}, follow_redirects=False)
|
||||
|
||||
assert resp.status_code == 303
|
||||
assert "/login" in resp.headers.get("location", "")
|
||||
|
||||
|
||||
def test_login_cont_inactiv_intra(client):
|
||||
"""C18: Login pe cont active=0 trebuie sa functioneze (gate-ul e doar pe trimitere)."""
|
||||
_create_user("inactiv@test.com", "parolasecreta", active=False)
|
||||
|
||||
token = _get_csrf(client, "/login")
|
||||
resp = client.post("/login", data={
|
||||
"email": "inactiv@test.com",
|
||||
"parola": "parolasecreta",
|
||||
"csrf_token": token,
|
||||
}, follow_redirects=False)
|
||||
|
||||
assert resp.status_code == 303, (
|
||||
"Login pe cont inactiv trebuia sa reuseasca (gate-ul e doar la trimitere, nu la login)"
|
||||
)
|
||||
|
||||
|
||||
def test_login_rate_limit_429(client_rl):
|
||||
"""Peste login_rate_max incercari (login_rate_max=2) -> 429 la urmatoarea cerere."""
|
||||
# Doua incercari (permise)
|
||||
for _ in range(2):
|
||||
token = _get_csrf(client_rl, "/login")
|
||||
client_rl.post("/login", data={
|
||||
"email": "nimeni@test.com",
|
||||
"parola": "parola_gresita",
|
||||
"csrf_token": token,
|
||||
})
|
||||
|
||||
# A treia — trebuie 429
|
||||
token = _get_csrf(client_rl, "/login")
|
||||
resp = client_rl.post("/login", data={
|
||||
"email": "nimeni@test.com",
|
||||
"parola": "parola_gresita",
|
||||
"csrf_token": token,
|
||||
})
|
||||
assert resp.status_code == 429, "Peste login_rate_max trebuia 429"
|
||||
Reference in New Issue
Block a user