#!/usr/bin/env python3 """ Test that session security constants don't change unexpectedly. These tests ensure session timeouts and security settings remain consistent. Changing these values affects user experience and security. """ from datetime import timedelta import pytest class TestSessionConstants: """ Verify session timeout and security constants. These values affect how long users stay logged in and the security properties of their sessions. """ def test_session_timeout_is_2_hours(self): """ Verify the default session timeout is 2 hours. This is the timeout for users who don't check "remember me". Changing this affects user experience. """ from local_deep_research.web.auth.session_manager import ( SessionManager, ) manager = SessionManager() expected = timedelta(hours=2) assert manager.session_timeout == expected, ( f"Session timeout changed!\n" f"Expected: {expected}\n" f"Actual: {manager.session_timeout}\n\n" "This affects how long users stay logged in.\n" "If intentional, update this test." ) def test_remember_me_timeout_is_30_days(self): """ Verify the "remember me" session timeout is 30 days. This is the timeout for users who check "remember me". Changing this affects user experience. """ from local_deep_research.web.auth.session_manager import ( SessionManager, ) manager = SessionManager() expected = timedelta(days=30) assert manager.remember_me_timeout == expected, ( f"Remember me timeout changed!\n" f"Expected: {expected}\n" f"Actual: {manager.remember_me_timeout}\n\n" "This affects how long 'remember me' sessions last.\n" "If intentional, update this test." ) def test_flask_session_lifetime_matches_session_timeout(self): """ Verify Flask's PERMANENT_SESSION_LIFETIME matches session_timeout. These should be in sync to avoid confusing behavior. """ # Import the value directly from app_factory configuration # This is the value in seconds expected_seconds = 7200 # 2 hours # We can't easily test the Flask config without creating an app, # so we just verify the expected value is documented here. # The actual config is set in app_factory.py line 221. assert expected_seconds == 2 * 60 * 60, ( "PERMANENT_SESSION_LIFETIME should be 2 hours (7200 seconds)" ) class TestSessionSecurity: """ Verify session security settings. These settings protect against various attacks. """ def test_session_cookie_settings_documented(self): """ Document expected session cookie security settings. These are set in app_factory.py and should not be weakened. """ # Expected settings (from app_factory.py): expected_settings = { "SESSION_COOKIE_HTTPONLY": True, # Prevents JavaScript access "SESSION_COOKIE_SAMESITE": "Lax", # CSRF protection # SESSION_COOKIE_SECURE is conditional on HTTPS } # This test documents the expected values. # The actual testing of Flask config would require app context. for setting, expected_value in expected_settings.items(): assert expected_value is not None, ( f"{setting} should be configured for security" ) if __name__ == "__main__": pytest.main([__file__, "-v"])