b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
70 lines
2.9 KiB
Python
70 lines
2.9 KiB
Python
"""Regression guard for PR #61281 (mobile/hosted dashboard OAuth).
|
|
|
|
The PR removed the *client-side* ``X-Hermes-Session-Token`` requirement from
|
|
the dashboard OAuth mutation calls (``web/src/lib/api.ts``) so that
|
|
cookie-authenticated hosted/mobile sessions can start provider logins. The
|
|
safety of that change rests entirely on the *server* still gating those
|
|
endpoints: in gated mode the ``gated_auth_middleware`` verifies the session
|
|
cookie before the handler runs, and ``_require_token`` defers to it.
|
|
|
|
These tests pin that server-side gate for the exact endpoints whose
|
|
client-side token gate was removed. Without them, a future change that
|
|
re-broke ``_require_token``'s gated-mode branch (e.g. letting it fall through
|
|
without a session) would still pass the PR's ``api.test.ts`` suite, because
|
|
those tests only mock ``fetch`` and never touch the server.
|
|
"""
|
|
|
|
import pytest
|
|
from fastapi.testclient import TestClient
|
|
|
|
from hermes_cli import web_server
|
|
from hermes_cli.dashboard_auth import clear_providers, register_provider
|
|
from tests.hermes_cli.conftest_dashboard_auth import StubAuthProvider
|
|
|
|
|
|
@pytest.fixture
|
|
def gated_app():
|
|
"""A gated (``auth_required``) dashboard with no session cookie set."""
|
|
clear_providers()
|
|
register_provider(StubAuthProvider())
|
|
prev_host = getattr(web_server.app.state, "bound_host", None)
|
|
prev_port = getattr(web_server.app.state, "bound_port", None)
|
|
prev_required = getattr(web_server.app.state, "auth_required", None)
|
|
web_server.app.state.bound_host = "fly-app.fly.dev"
|
|
web_server.app.state.bound_port = 443
|
|
web_server.app.state.auth_required = True
|
|
client = TestClient(web_server.app, base_url="https://fly-app.fly.dev")
|
|
yield client
|
|
clear_providers()
|
|
web_server.app.state.bound_host = prev_host
|
|
web_server.app.state.bound_port = prev_port
|
|
web_server.app.state.auth_required = prev_required
|
|
|
|
|
|
class TestOAuthMutationEndpointsGatedWithoutCookie:
|
|
"""No cookie in gated mode -> 401 on every endpoint whose client-side
|
|
session-token gate PR #61281 removed."""
|
|
|
|
def test_env_reveal_requires_cookie(self, gated_app):
|
|
r = gated_app.post("/api/env/reveal", json={"key": "OPENAI_API_KEY"})
|
|
assert r.status_code == 401
|
|
|
|
def test_oauth_disconnect_requires_cookie(self, gated_app):
|
|
r = gated_app.delete("/api/providers/oauth/anthropic")
|
|
assert r.status_code == 401
|
|
|
|
def test_oauth_start_requires_cookie(self, gated_app):
|
|
r = gated_app.post("/api/providers/oauth/anthropic/start", json={})
|
|
assert r.status_code == 401
|
|
|
|
def test_oauth_submit_requires_cookie(self, gated_app):
|
|
r = gated_app.post(
|
|
"/api/providers/oauth/anthropic/submit",
|
|
json={"session_id": "sid", "code": "abc"},
|
|
)
|
|
assert r.status_code == 401
|
|
|
|
def test_oauth_cancel_session_requires_cookie(self, gated_app):
|
|
r = gated_app.delete("/api/providers/oauth/sessions/sid")
|
|
assert r.status_code == 401
|