From 19c6e5d5f262e5c4eca0dcd769d66093eaeddc15 Mon Sep 17 00:00:00 2001
From: nesquena-hermes <[email protected]>
Date: Mon, 25 May 2026 00:17:11 +0000
Subject: [PATCH] Stage-batch14: update passkey test for HERMES_WEBUI_PASSKEY
 feature flag

test_passwordless_mode_keeps_auth_enabled_with_passkeys now sets
HERMES_WEBUI_PASSKEY=1 via monkeypatch since are_passkeys_enabled()
gates on the feature flag.

Adds 2 new tests:
- test_passkey_feature_flag_off_disables_passkeys_even_with_credentials
- test_passkey_feature_flag_via_config
---
 tests/test_passkey_auth.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/tests/test_passkey_auth.py b/tests/test_passkey_auth.py
index 10e7e1fb..46ac3641 100644
--- a/tests/test_passkey_auth.py
+++ b/tests/test_passkey_auth.py
@@ -153,6 +153,8 @@ def test_login_page_has_default_hidden_passkey_button_and_script_wiring():
 
 def test_passwordless_mode_keeps_auth_enabled_with_passkeys(monkeypatch, tmp_path):
     import api.auth as auth
+    # Stage-batch14: passkey support is opt-in default-off behind HERMES_WEBUI_PASSKEY=1
+    monkeypatch.setenv("HERMES_WEBUI_PASSKEY", "1")
     passkeys = _set_paths(monkeypatch, tmp_path)
     passkeys._save_credentials([{"id": "cred-1", "label": "This device"}])
     monkeypatch.setattr(auth, "get_password_hash", lambda: None)
@@ -161,6 +163,28 @@ def test_passwordless_mode_keeps_auth_enabled_with_passkeys(monkeypatch, tmp_pat
     assert auth.is_auth_enabled() is True
 
 
+def test_passkey_feature_flag_off_disables_passkeys_even_with_credentials(monkeypatch, tmp_path):
+    """When HERMES_WEBUI_PASSKEY is unset/0, are_passkeys_enabled() returns False."""
+    import api.auth as auth
+    passkeys = _set_paths(monkeypatch, tmp_path)
+    passkeys._save_credentials([{"id": "cred-1", "label": "This device"}])
+    monkeypatch.delenv("HERMES_WEBUI_PASSKEY", raising=False)
+    monkeypatch.setattr(auth, "get_config", lambda: {}, raising=False)
+    assert auth.are_passkeys_enabled() is False
+
+
+def test_passkey_feature_flag_via_config(monkeypatch, tmp_path):
+    """webui_passkey_enabled: true in config also enables the surface."""
+    import api.auth as auth
+    passkeys = _set_paths(monkeypatch, tmp_path)
+    passkeys._save_credentials([{"id": "cred-1", "label": "This device"}])
+    monkeypatch.delenv("HERMES_WEBUI_PASSKEY", raising=False)
+    # Patch the config import inside _passkey_feature_flag_enabled
+    import api.config
+    monkeypatch.setattr(api.config, "get_config", lambda: {"webui_passkey_enabled": True})
+    assert auth.are_passkeys_enabled() is True
+
+
 def test_passwordless_settings_and_last_passkey_guard_are_wired():
     routes = open("api/routes.py", encoding="utf-8").read()
     panels = open("static/panels.js", encoding="utf-8").read()