Canalul web trece de la 100% deschis (hardcodat cont 1) la autentificat si multi-tenant. Un service nou se inregistreaza din browser, primeste o cheie API (o singura data) si o sesiune; contul se creeaza "in asteptare" (active=0) si nu trimite la RAR pana la activarea de catre admin (tools/account.py activate). - users + app/users.py: parole scrypt (salt per-user, eticheta parametri onorata la verify pentru migrare cost), email unic case-insensitive - sesiune: SessionMiddleware (same_site=strict, https_only config) + app/web/session.py (current_account/web_account/require_login->LoginRequired, set_session clear-inainte) - CSRF (app/web/csrf.py) enforce in prod inclusiv pe login/signup + rate-limit in-proces (app/web/ratelimit.py) pe signup si login - signup/login/logout (app/web/auth_routes.py): signup tranzactie atomica, cheie-o-data, log SIGNUP pentru descoperire admin - dashboard + import scoped pe contul sesiunii (regula NULL->cont 1); toate rutele web care ating date sensibile sub require_login; nomenclator ramane global - banner "cont in asteptare" pentru conturi active=0 - gate worker: claim_one LEFT JOIN accounts COALESCE(active,1)=1 (account_id NULL=activ) VERIFY context curat (2 runde): leak cross-account /_fragments/mapari prins+reparat. /code-review high: csrf_token lipsa pe re-randari de eroare, scrypt_params ignorat, login fara rate-limit -- toate reparate. 361 teste pass (de la 313). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
156 lines
4.9 KiB
Python
156 lines
4.9 KiB
Python
"""Teste US-004 (PRD 3.3): GET/POST /login, POST /logout.
|
|
|
|
TDD: testele se scriu INAINTE de implementarea auth_routes.py; la inceput pica (RED),
|
|
dupa implementare trec (GREEN).
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import os
|
|
import re
|
|
import tempfile
|
|
|
|
import pytest
|
|
from starlette.testclient import TestClient
|
|
|
|
|
|
@pytest.fixture()
|
|
def client(monkeypatch):
|
|
tmp = tempfile.mkdtemp()
|
|
monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "t.db"))
|
|
from app.config import get_settings
|
|
get_settings.cache_clear()
|
|
from app.main import app
|
|
with TestClient(app) as c:
|
|
yield c
|
|
get_settings.cache_clear()
|
|
|
|
|
|
@pytest.fixture()
|
|
def client_rl(monkeypatch):
|
|
"""Client cu login_rate_max=2 pentru testul de rate-limit."""
|
|
tmp = tempfile.mkdtemp()
|
|
monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "t.db"))
|
|
monkeypatch.setenv("AUTOPASS_LOGIN_RATE_MAX", "2")
|
|
from app.config import get_settings
|
|
get_settings.cache_clear()
|
|
from app.web import ratelimit
|
|
ratelimit._hits.clear()
|
|
from app.main import app
|
|
with TestClient(app) as c:
|
|
yield c
|
|
get_settings.cache_clear()
|
|
|
|
|
|
def _get_csrf(client, url: str) -> str:
|
|
resp = client.get(url)
|
|
assert resp.status_code == 200
|
|
m = re.search(r'name="csrf_token"\s+value="([^"]+)"', resp.text)
|
|
if not m:
|
|
m = re.search(r'value="([^"]+)"\s+name="csrf_token"', resp.text)
|
|
assert m, f"csrf_token negasit in {url}"
|
|
return m.group(1)
|
|
|
|
|
|
def _create_user(email: str = "test@test.com", password: str = "parolasecreta", active: bool = True):
|
|
"""Creeaza direct un cont + user in DB (fara HTTP)."""
|
|
from app.accounts import create_account
|
|
from app.users import create_user
|
|
from app.db import get_connection
|
|
conn = get_connection()
|
|
try:
|
|
acct_id = create_account(conn, "Service Test", active=active)
|
|
user_id = create_user(conn, acct_id, email, password)
|
|
return acct_id, user_id
|
|
finally:
|
|
conn.close()
|
|
|
|
|
|
def test_login_corect_seteaza_sesiune(client):
|
|
"""Credentiale corecte -> 303 redirect la /; sesiunea are account_id."""
|
|
_create_user("valid@test.com", "parolasecreta", active=True)
|
|
|
|
token = _get_csrf(client, "/login")
|
|
resp = client.post("/login", data={
|
|
"email": "valid@test.com",
|
|
"parola": "parolasecreta",
|
|
"csrf_token": token,
|
|
}, follow_redirects=False)
|
|
|
|
assert resp.status_code == 303
|
|
loc = resp.headers.get("location", "")
|
|
assert loc in ("/", "http://testserver/"), f"Redirect gresit: {loc}"
|
|
|
|
|
|
def test_login_gresit_401_fara_leak(client):
|
|
"""Parola gresita -> 401; mesaj generic fara a dezvalui daca emailul exista."""
|
|
_create_user("real@test.com", "parolasecreta", active=True)
|
|
|
|
token = _get_csrf(client, "/login")
|
|
resp = client.post("/login", data={
|
|
"email": "real@test.com",
|
|
"parola": "gresita",
|
|
"csrf_token": token,
|
|
})
|
|
|
|
assert resp.status_code == 401
|
|
text = resp.text.lower()
|
|
assert "inexistent" not in text, "Raspunsul dezvaluie ca emailul nu exista"
|
|
assert "nu exista" not in text, "Raspunsul dezvaluie ca emailul nu exista"
|
|
|
|
|
|
def test_logout_redirect_login(client):
|
|
"""POST /logout -> 303 redirect la /login."""
|
|
_create_user("logout@test.com", "parolasecreta", active=True)
|
|
|
|
token = _get_csrf(client, "/login")
|
|
client.post("/login", data={
|
|
"email": "logout@test.com",
|
|
"parola": "parolasecreta",
|
|
"csrf_token": token,
|
|
}, follow_redirects=False)
|
|
|
|
# Dupa login, sesiunea e reset -> obtine un token CSRF nou
|
|
token = _get_csrf(client, "/login")
|
|
resp = client.post("/logout", data={"csrf_token": token}, follow_redirects=False)
|
|
|
|
assert resp.status_code == 303
|
|
assert "/login" in resp.headers.get("location", "")
|
|
|
|
|
|
def test_login_cont_inactiv_intra(client):
|
|
"""C18: Login pe cont active=0 trebuie sa functioneze (gate-ul e doar pe trimitere)."""
|
|
_create_user("inactiv@test.com", "parolasecreta", active=False)
|
|
|
|
token = _get_csrf(client, "/login")
|
|
resp = client.post("/login", data={
|
|
"email": "inactiv@test.com",
|
|
"parola": "parolasecreta",
|
|
"csrf_token": token,
|
|
}, follow_redirects=False)
|
|
|
|
assert resp.status_code == 303, (
|
|
"Login pe cont inactiv trebuia sa reuseasca (gate-ul e doar la trimitere, nu la login)"
|
|
)
|
|
|
|
|
|
def test_login_rate_limit_429(client_rl):
|
|
"""Peste login_rate_max incercari (login_rate_max=2) -> 429 la urmatoarea cerere."""
|
|
# Doua incercari (permise)
|
|
for _ in range(2):
|
|
token = _get_csrf(client_rl, "/login")
|
|
client_rl.post("/login", data={
|
|
"email": "nimeni@test.com",
|
|
"parola": "parola_gresita",
|
|
"csrf_token": token,
|
|
})
|
|
|
|
# A treia — trebuie 429
|
|
token = _get_csrf(client_rl, "/login")
|
|
resp = client_rl.post("/login", data={
|
|
"email": "nimeni@test.com",
|
|
"parola": "parola_gresita",
|
|
"csrf_token": token,
|
|
})
|
|
assert resp.status_code == 429, "Peste login_rate_max trebuia 429"
|