security: fix auth, CORS, file upload, endpoint hardening + test fixes
- Add INTERNAL_SECRET shared-secret auth to /internal/nc-upload endpoint
- Add JWT token validation to WebSocket /ws/versions/{version_id}
- Fix NameError: band_slug → band.slug in internal.py
- Move inline imports to top of internal.py; add missing Member/NextcloudClient imports
- Remove ~15 debug print() statements from auth.py
- Replace Content-Type-only avatar check with extension whitelist + Pillow Image.verify()
- Sanitize exception details in versions.py (no more str(e) in 4xx/5xx responses)
- Restrict CORS allow_methods/allow_headers from "*" to explicit lists
- Add security headers middleware: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Reduce JWT expiry from 7 days to 1 hour
- Add Pillow>=10.0 dependency; document INTERNAL_SECRET in .env.example
- Implement missing RedisJobQueue.dequeue() method (required by protocol)
- Fix 5 pre-existing unit test failures: settings env vars conftest, deferred Redis push,
dequeue method, AsyncMock→MagicMock for sync scalar_one_or_none
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mistral Vibe
18
api/tests/unit/conftest.py
Normal file
18
api/tests/unit/conftest.py
Normal file
@@ -0,0 +1,18 @@
|
||||
"""Unit test fixtures — sets required env vars so Settings() loads without a .env file."""
|
||||
|
||||
import pytest
|
||||
|
||||
|
||||
@pytest.fixture(autouse=True)
|
||||
def patch_settings(monkeypatch):
|
||||
"""Provide the minimum env vars that Settings() requires for unit tests."""
|
||||
monkeypatch.setenv("SECRET_KEY", "a" * 64)
|
||||
monkeypatch.setenv("INTERNAL_SECRET", "b" * 64)
|
||||
monkeypatch.setenv("DATABASE_URL", "postgresql+asyncpg://test:test@localhost/test")
|
||||
|
||||
# Clear the lru_cache so each test gets a fresh Settings instance with the
|
||||
# monkeypatched env vars rather than the cached production instance.
|
||||
from rehearsalhub.config import get_settings
|
||||
get_settings.cache_clear()
|
||||
yield
|
||||
get_settings.cache_clear()
|
||||
@@ -5,7 +5,7 @@ from unittest.mock import AsyncMock, MagicMock, patch
|
||||
|
||||
import pytest
|
||||
|
||||
from rehearsalhub.queue.redis_queue import RedisJobQueue
|
||||
from rehearsalhub.queue.redis_queue import RedisJobQueue, flush_pending_pushes
|
||||
|
||||
|
||||
@pytest.mark.asyncio
|
||||
@@ -34,6 +34,9 @@ async def test_enqueue_creates_job_and_pushes_to_redis(mock_session):
|
||||
job_id = await queue.enqueue("transcode", {"version_id": "abc"})
|
||||
|
||||
mock_session.add.assert_called_once()
|
||||
# The Redis push is deferred; it fires when flush_pending_pushes is called after commit.
|
||||
mock_redis.rpush.assert_not_called()
|
||||
await flush_pending_pushes(mock_session)
|
||||
mock_redis.rpush.assert_called_once()
|
||||
|
||||
|
||||
|
||||
@@ -56,7 +56,7 @@ async def test_band_is_member_calls_get_member_role(mock_session):
|
||||
band_id = uuid.uuid4()
|
||||
member_id = uuid.uuid4()
|
||||
|
||||
result_mock = AsyncMock()
|
||||
result_mock = MagicMock()
|
||||
result_mock.scalar_one_or_none.return_value = "admin"
|
||||
mock_session.execute.return_value = result_mock
|
||||
|
||||
@@ -70,7 +70,7 @@ async def test_band_is_member_false_when_no_role(mock_session):
|
||||
band_id = uuid.uuid4()
|
||||
member_id = uuid.uuid4()
|
||||
|
||||
result_mock = AsyncMock()
|
||||
result_mock = MagicMock()
|
||||
result_mock.scalar_one_or_none.return_value = None
|
||||
mock_session.execute.return_value = result_mock
|
||||
|
||||
|
||||
Reference in New Issue
Block a user