feat(config): web_auth_required ON implicit (login obligatoriu pe rutele web)

Inverseaza default-ul C12: rutele web cer sesiune + CSRF implicit (sigur pentru prod). Dev rapid pe contul 1 = opt-out explicit AUTOPASS_WEB_AUTH_REQUIRED=false. Testele de comportament import/dashboard marcate explicit dev-mode; test nou blocheaza default-ul. 394 teste pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 18:27:09 +00:00
parent b92055eb01
commit 958b182e8e
5 changed files with 25 additions and 3 deletions
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -15,6 +15,9 @@ from fastapi.testclient import TestClient
 def client(monkeypatch):
    tmp = tempfile.mkdtemp()
    monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "t.db"))
+    # Comportament in mod dev (fallback cont 1, fara login/CSRF); auth web e
+    # default ON in prod — testat separat in test_web_*.
+    monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")
    from app.config import get_settings

    get_settings.cache_clear()
--- a/tests/test_import_ui.py
+++ b/tests/test_import_ui.py
@@ -26,6 +26,9 @@ import pytest
 def client(monkeypatch):
    tmp = tempfile.mkdtemp()
    monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "t.db"))
+    # Comportament in mod dev (fallback cont 1, fara login/CSRF); auth web e
+    # default ON in prod — testat separat in test_web_*.
+    monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")
    from app.config import get_settings

    get_settings.cache_clear()
--- a/tests/test_import_web_scope.py
+++ b/tests/test_import_web_scope.py
@@ -46,6 +46,9 @@ def _csrf_from(html: str) -> str:
 def env(monkeypatch):
    tmp = tempfile.mkdtemp()
    monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "scope.db"))
+    # Scoping testat prin monkeypatch require_login pe acct_a/acct_b; rulam in mod
+    # dev (CSRF skip fara sesiune) — auth web e default ON in prod, testat in test_web_*.
+    monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")
    from app.config import get_settings
    get_settings.cache_clear()
    from app.main import app
--- a/tests/test_web_session.py
+++ b/tests/test_web_session.py
@@ -147,3 +147,15 @@ def test_ruta_protejata_cu_sesiune_trece(client_auth):
    resp = client_auth.get("/protected")
    assert resp.status_code == 200
    assert resp.json()["account_id"] == 5
+
+
+def test_web_auth_required_default_true(monkeypatch):
+    """Default-ul de productie: auth web e ON daca AUTOPASS_WEB_AUTH_REQUIRED nu e setat.
+
+    Dev rapid pe cont 1 = opt-out explicit (AUTOPASS_WEB_AUTH_REQUIRED=false).
+    """
+    monkeypatch.delenv("AUTOPASS_WEB_AUTH_REQUIRED", raising=False)
+    from app.config import Settings, get_settings
+    get_settings.cache_clear()
+    assert Settings().web_auth_required is True
+    get_settings.cache_clear()