Files
unslothai--unsloth/studio/backend/tests/test_api_key_expiry.py
T
wehub-resource-sync e93507a09c
Lockfile supply-chain audit / lockfile supply-chain audit (push) Has been cancelled
Windows Studio GGUF CI / GPU prebuilt resolves without Visual Studio (push) Has been cancelled
Windows Studio GGUF CI / setup.ps1 unit tests (VS 2026 / CMake guard) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2022) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-2025-vs2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-latest) (push) Has been cancelled
Windows Studio Update CI / Studio Updating Tests (push) Has been cancelled
Wheel CI / Wheel build + content sanity + import smoke (push) Has been cancelled
Lint CI / Source lint (Python + shell + YAML + JSON + safety nets) (push) Has been cancelled
MLX CI on Mac M1 / dispatch (push) Has been cancelled
Security audit / advisory audit (pip + npm + cargo) (push) Has been cancelled
Security audit / pip scan-packages :: extras (push) Has been cancelled
Security audit / pip scan-packages :: studio (push) Has been cancelled
Security audit / pip scan-packages :: hf-stack (push) Has been cancelled
Security audit / npm scan-packages (Studio frontend tarballs) (push) Has been cancelled
Security audit / workflow-trigger lint (pull_request_target / cache-poisoning) (push) Has been cancelled
Security audit / pytest tests/security (push) Has been cancelled
Security audit / npm provenance + new install-script diff (push) Has been cancelled
Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Backend CI / (Python 3.10) (push) Has been cancelled
Backend CI / (Python 3.11) (push) Has been cancelled
Backend CI / (Python 3.12) (push) Has been cancelled
Backend CI / (Python 3.13) (push) Has been cancelled
Backend CI / Repo tests (CPU) (push) Has been cancelled
Frontend CI / Frontend build + bundle sanity (push) Has been cancelled
Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Mac Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Mac Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-14) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15-intel) (push) Has been cancelled
Mac Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26-intel) (push) Has been cancelled
Mac Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Tauri CI / Tauri Linux debug build (no codesign) (push) Has been cancelled
Mac Studio Update CI / Studio Updating Tests (push) Has been cancelled
Studio UI CI / Chat UI Tests (push) Has been cancelled
Windows Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Windows Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Update CI / Studio Updating Tests (push) Has been cancelled
Core / Core (HF=default + TRL=default) (push) Has been cancelled
Core / Core (HF=4.57.6 + TRL<1) (push) Has been cancelled
Core / Core (HF=latest + TRL=latest) (push) Has been cancelled
Core / llama.cpp build + smoke (push) Has been cancelled
Windows Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Windows Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Windows Studio GGUF CI / JSON, images (push) Has been cancelled
Windows Studio GGUF CI / Studio install + inference without Visual Studio (push) Has been cancelled
Studio export capability / capability (macos-latest) (push) Has been cancelled
Studio export capability / capability (ubuntu-latest) (push) Has been cancelled
Studio export capability / capability (windows-latest) (push) Has been cancelled
Cross-platform parity / parity (macos-latest) (push) Has been cancelled
Cross-platform parity / parity (windows-latest) (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Studio load-orchestrator CI / test (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:59:56 +08:00

199 lines
6.3 KiB
Python

# SPDX-License-Identifier: AGPL-3.0-only
# Copyright 2026-present the Unsloth AI Inc. team. All rights reserved. See /studio/LICENSE.AGPL-3.0
"""Expiry enforcement for API keys (tz-aware ``expires_at``) and JWT access
tokens (``exp`` claim). Both must surface as 401 on protected routes."""
from __future__ import annotations
import asyncio
import secrets
from datetime import datetime, timedelta, timezone
import pytest
from fastapi import HTTPException
from fastapi.security import HTTPAuthorizationCredentials
from auth import storage
from auth.authentication import create_access_token, get_current_subject
@pytest.fixture(autouse = True)
def isolated_auth_db(tmp_path, monkeypatch):
monkeypatch.setattr(storage, "DB_PATH", tmp_path / "auth.db")
monkeypatch.setattr(storage, "_BOOTSTRAP_PW_PATH", tmp_path / ".bootstrap_password")
monkeypatch.setattr(storage, "_bootstrap_password", None)
monkeypatch.setattr(storage, "_api_key_pbkdf2_salt_cache", None)
storage._reset_api_key_hash_cache()
yield
storage._reset_api_key_hash_cache()
def seed_user():
storage.create_initial_user(
username = storage.DEFAULT_ADMIN_USERNAME,
password = "human-password-123",
jwt_secret = secrets.token_urlsafe(64),
)
def iso_from_now(**delta):
return (datetime.now(timezone.utc) + timedelta(**delta)).isoformat()
def make_key(expires_at):
raw, _row = storage.create_api_key(
username = storage.DEFAULT_ADMIN_USERNAME,
name = "test",
expires_at = expires_at,
)
return raw
def subject_of(token):
"""Run the real FastAPI auth dependency against a bearer token."""
credentials = HTTPAuthorizationCredentials(scheme = "Bearer", credentials = token)
return asyncio.run(get_current_subject(credentials))
# --- validate_api_key (storage layer) ---------------------------------------
def test_unexpired_key_validates():
seed_user()
assert (
storage.validate_api_key(make_key(iso_from_now(days = 1))) == storage.DEFAULT_ADMIN_USERNAME
)
def test_never_expiring_key_validates():
seed_user()
assert storage.validate_api_key(make_key(None)) == storage.DEFAULT_ADMIN_USERNAME
def test_expired_key_rejected():
seed_user()
assert storage.validate_api_key(make_key(iso_from_now(seconds = -1))) is None
def test_key_expiring_far_in_past_rejected():
seed_user()
assert storage.validate_api_key(make_key(iso_from_now(days = -30))) is None
def test_revoked_key_rejected():
seed_user()
raw, row = storage.create_api_key(
username = storage.DEFAULT_ADMIN_USERNAME,
name = "doomed",
expires_at = iso_from_now(days = 1),
)
storage.revoke_api_key(storage.DEFAULT_ADMIN_USERNAME, int(row["id"]))
assert storage.validate_api_key(raw) is None
def test_unknown_key_rejected():
seed_user()
assert storage.validate_api_key(storage.API_KEY_PREFIX + secrets.token_hex(16)) is None
# --- get_current_subject (route dependency) ---------------------------------
def test_dependency_accepts_unexpired_key():
seed_user()
assert subject_of(make_key(iso_from_now(days = 1))) == storage.DEFAULT_ADMIN_USERNAME
def test_dependency_rejects_expired_key_as_401():
seed_user()
with pytest.raises(HTTPException) as exc:
subject_of(make_key(iso_from_now(seconds = -1)))
assert exc.value.status_code == 401
assert exc.value.detail == "Invalid or expired API key"
# --- JWT access-token expiry ------------------------------------------------
def test_dependency_accepts_unexpired_jwt():
seed_user()
token = create_access_token(storage.DEFAULT_ADMIN_USERNAME, timedelta(minutes = 5))
assert subject_of(token) == storage.DEFAULT_ADMIN_USERNAME
def test_dependency_rejects_expired_jwt_as_401():
seed_user()
token = create_access_token(storage.DEFAULT_ADMIN_USERNAME, timedelta(seconds = -1))
with pytest.raises(HTTPException) as exc:
subject_of(token)
assert exc.value.status_code == 401
assert exc.value.detail == "Invalid or expired token"
# --- derivation cache: speeds repeats without bypassing checks --------------
def test_cache_skips_pbkdf2_on_repeat(monkeypatch):
seed_user()
raw = make_key(iso_from_now(days = 1))
assert storage.validate_api_key(raw) == storage.DEFAULT_ADMIN_USERNAME # warms cache
calls = {"n": 0}
real = storage._pbkdf2_api_key
def counting(key):
calls["n"] += 1
return real(key)
monkeypatch.setattr(storage, "_pbkdf2_api_key", counting)
assert storage.validate_api_key(raw) == storage.DEFAULT_ADMIN_USERNAME
assert storage.validate_api_key(raw) == storage.DEFAULT_ADMIN_USERNAME
assert calls["n"] == 0 # served from cache, KDF not re-run
def test_cache_does_not_bypass_revocation():
seed_user()
raw, row = storage.create_api_key(
username = storage.DEFAULT_ADMIN_USERNAME,
name = "revoke-after-cache",
expires_at = iso_from_now(days = 1),
)
assert storage.validate_api_key(raw) == storage.DEFAULT_ADMIN_USERNAME # cached
storage.revoke_api_key(storage.DEFAULT_ADMIN_USERNAME, int(row["id"]))
assert storage.validate_api_key(raw) is None # cache hit still re-checks is_active
def test_cache_does_not_bypass_expiry():
seed_user()
# Expires between the two calls: the first warms the cache, the second is still rejected.
near = (datetime.now(timezone.utc) + timedelta(milliseconds = 600)).isoformat()
raw = make_key(near)
assert storage.validate_api_key(raw) == storage.DEFAULT_ADMIN_USERNAME
import time
time.sleep(0.8)
assert storage.validate_api_key(raw) is None
def test_unknown_key_not_cached():
seed_user()
bogus = storage.API_KEY_PREFIX + secrets.token_hex(16)
assert storage.validate_api_key(bogus) is None
cache_id = storage._api_key_cache_id(bogus)
assert cache_id not in storage._api_key_hash_cache # spam can't grow the cache
def test_create_api_key_route_stores_tz_aware_expiry():
from datetime import datetime as _dt
seed_user()
raw, row = storage.create_api_key(
username = storage.DEFAULT_ADMIN_USERNAME,
name = "route",
expires_at = iso_from_now(days = 30),
)
parsed = _dt.fromisoformat(row["expires_at"])
assert parsed.tzinfo is not None # tz-aware: comparison in validate_api_key won't raise
assert storage.validate_api_key(raw) == storage.DEFAULT_ADMIN_USERNAME