romfast/rar-autopass
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
958b182e8e08b5edac6d12d2a20bcc9a5489a3a2
rar-autopass/tests/test_mapari_scope.py
Claude Agent 504b490d3b feat(web): self-onboarding multi-tenant + auth sesiune (PRD 3.3a) 
Canalul web trece de la 100% deschis (hardcodat cont 1) la autentificat si
multi-tenant. Un service nou se inregistreaza din browser, primeste o cheie API
(o singura data) si o sesiune; contul se creeaza "in asteptare" (active=0) si nu
trimite la RAR pana la activarea de catre admin (tools/account.py activate).

- users + app/users.py: parole scrypt (salt per-user, eticheta parametri onorata
  la verify pentru migrare cost), email unic case-insensitive
- sesiune: SessionMiddleware (same_site=strict, https_only config) + app/web/session.py
  (current_account/web_account/require_login->LoginRequired, set_session clear-inainte)
- CSRF (app/web/csrf.py) enforce in prod inclusiv pe login/signup + rate-limit
  in-proces (app/web/ratelimit.py) pe signup si login
- signup/login/logout (app/web/auth_routes.py): signup tranzactie atomica,
  cheie-o-data, log SIGNUP pentru descoperire admin
- dashboard + import scoped pe contul sesiunii (regula NULL->cont 1); toate rutele
  web care ating date sensibile sub require_login; nomenclator ramane global
- banner "cont in asteptare" pentru conturi active=0
- gate worker: claim_one LEFT JOIN accounts COALESCE(active,1)=1 (account_id NULL=activ)

VERIFY context curat (2 runde): leak cross-account /_fragments/mapari prins+reparat.
/code-review high: csrf_token lipsa pe re-randari de eroare, scrypt_params ignorat,
login fara rate-limit -- toate reparate. 361 teste pass (de la 313).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 16:43:21 +00:00

78 lines
2.8 KiB
Python
Raw Blame History

"""Teste C6: /_fragments/mapari scoped pe sesiune (task #7 fix leak cross-account).
TDD: testele confirma mai intai ca leak-ul exista (RED), apoi fix-ul il inchide (GREEN).
"""
from __future__ import annotations
import json
import os
import tempfile
import pytest
from fastapi.testclient import TestClient
@pytest.fixture()
def env(monkeypatch):
tmp = tempfile.mkdtemp()
monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "mapari.db"))
from app.config import get_settings
get_settings.cache_clear()
from app.main import app
with TestClient(app, follow_redirects=False) as c:
from app.db import get_connection
conn = get_connection()
from app.accounts import create_account
acct_a = create_account(conn, "Cont A Mapari")
acct_b = create_account(conn, "Cont B Mapari")
yield c, conn, acct_a, acct_b
conn.close()
get_settings.cache_clear()
def _insert_needs_mapping(conn, account_id, cod_op):
payload = json.dumps({"vin": "VIN001", "nr_inmatriculare": "B01TST",
"data_prestatie": "2026-06-01", "odometru_final": "1000",
"prestatii": [{"cod_op_service": cod_op, "denumire": cod_op}]})
conn.execute(
"INSERT INTO submissions (idempotency_key, account_id, status, payload_json) "
"VALUES (?, ?, 'needs_mapping', ?)",
(f"key_{account_id}_{cod_op}", account_id, payload),
)
def test_fragment_mapari_scoped_pe_cont(env, monkeypatch):
"""/_fragments/mapari arata doar op-urile contului din sesiune, nu ale altuia."""
client, conn, acct_a, acct_b = env
_insert_needs_mapping(conn, acct_a, "OP-DOAR-A")
_insert_needs_mapping(conn, acct_b, "OP-DOAR-B")
import app.web.routes as routes
monkeypatch.setattr("app.web.routes.require_login", lambda r: acct_a)
r = client.get("/_fragments/mapari")
assert r.status_code == 200
assert "OP-DOAR-A" in r.text
assert "OP-DOAR-B" not in r.text
monkeypatch.setattr("app.web.routes.require_login", lambda r: acct_b)
r = client.get("/_fragments/mapari")
assert r.status_code == 200
assert "OP-DOAR-B" in r.text
assert "OP-DOAR-A" not in r.text
def test_fragment_mapari_nelogat_redirect(monkeypatch):
"""web_auth_required=True + fara sesiune -> 303 /login."""
tmp = tempfile.mkdtemp()
monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "mapari_auth.db"))
monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "true")
from app.config import get_settings
get_settings.cache_clear()
from app.main import app
with TestClient(app, follow_redirects=False) as c:
r = c.get("/_fragments/mapari")
assert r.status_code == 303
assert "/login" in r.headers.get("location", "")
get_settings.cache_clear()
Reference in New Issue View Git Blame Copy Permalink