mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-05-24 18:50:15 +00:00
Michael Lam
148 lines
5.5 KiB
Python
148 lines
5.5 KiB
Python
"""
|
|
Sprint 19 Tests: auth/login, security headers, request size limit.
|
|
"""
|
|
import json, urllib.error, urllib.request
|
|
|
|
from tests._pytest_port import BASE
|
|
|
|
|
|
def get(path, headers=None):
|
|
req = urllib.request.Request(BASE + path)
|
|
if headers:
|
|
for k, v in headers.items():
|
|
req.add_header(k, v)
|
|
with urllib.request.urlopen(req, timeout=10) as r:
|
|
return json.loads(r.read()), r.status, dict(r.headers)
|
|
|
|
|
|
def post(path, body=None, headers=None):
|
|
data = json.dumps(body or {}).encode()
|
|
req = urllib.request.Request(BASE + path, data=data,
|
|
headers={"Content-Type": "application/json"})
|
|
if headers:
|
|
for k, v in headers.items():
|
|
req.add_header(k, v)
|
|
try:
|
|
with urllib.request.urlopen(req, timeout=10) as r:
|
|
return json.loads(r.read()), r.status, dict(r.headers)
|
|
except urllib.error.HTTPError as e:
|
|
return json.loads(e.read()), e.code, dict(e.headers)
|
|
|
|
|
|
# ── Auth status (no password configured in test env) ──────────────────────
|
|
|
|
def test_auth_status_disabled():
|
|
"""Auth should be disabled by default (no password set)."""
|
|
d, status, _ = get("/api/auth/status")
|
|
assert status == 200
|
|
assert d["auth_enabled"] is False
|
|
|
|
|
|
def test_login_when_auth_disabled():
|
|
"""Login should succeed trivially when auth is not enabled."""
|
|
d, status, _ = post("/api/auth/login", {"password": "anything"})
|
|
assert status == 200
|
|
assert d["ok"] is True
|
|
|
|
|
|
def test_all_routes_accessible_without_auth():
|
|
"""When auth is disabled, all routes should work without cookies."""
|
|
d, status, _ = get("/api/sessions")
|
|
assert status == 200
|
|
assert "sessions" in d
|
|
|
|
|
|
def test_login_page_served():
|
|
"""GET /login should return the login page HTML."""
|
|
req = urllib.request.Request(BASE + "/login")
|
|
with urllib.request.urlopen(req, timeout=10) as r:
|
|
html = r.read().decode()
|
|
assert r.status == 200
|
|
assert "Sign in" in html
|
|
assert "Hermes" in html
|
|
assert 'src="static/login.js?v=' in html
|
|
assert 'src="/static/login.js"' not in html
|
|
|
|
|
|
def test_login_page_cache_busts_login_script():
|
|
"""GET /login must version login.js so stale cache/SW entries cannot trap old auth code."""
|
|
from api import routes
|
|
|
|
assert "static/login.js?v={{WEBUI_VERSION}}" in routes._LOGIN_PAGE_HTML
|
|
|
|
|
|
def test_login_route_injects_webui_version_for_login_script():
|
|
"""The /login route should replace the login.js version placeholder."""
|
|
from pathlib import Path
|
|
|
|
src = Path(__file__).resolve().parents[1].joinpath("api", "routes.py").read_text(encoding="utf-8")
|
|
login_block = src[src.find('if parsed.path == "/login"'):src.find('if parsed.path == "/api/auth/status"')]
|
|
assert "WEBUI_VERSION" in login_block
|
|
assert "{{WEBUI_VERSION}}" in login_block
|
|
|
|
|
|
# ── Security headers ─────────────────────────────────────────────────────
|
|
|
|
def test_security_headers_on_json():
|
|
"""JSON responses should include security headers."""
|
|
d, status, headers = get("/api/auth/status")
|
|
assert status == 200
|
|
assert headers.get("X-Content-Type-Options") == "nosniff"
|
|
assert headers.get("X-Frame-Options") == "DENY"
|
|
assert headers.get("Referrer-Policy") == "same-origin"
|
|
|
|
|
|
def test_security_headers_on_health():
|
|
"""Health endpoint should include security headers."""
|
|
d, status, headers = get("/health")
|
|
assert status == 200
|
|
assert headers.get("X-Content-Type-Options") == "nosniff"
|
|
|
|
|
|
def test_permissions_policy_does_not_disable_microphone():
|
|
"""Permissions-Policy must not hard-disable microphone access for same-origin voice input."""
|
|
_, status, headers = get("/health")
|
|
assert status == 200
|
|
policy = headers.get("Permissions-Policy", "")
|
|
assert policy, "Permissions-Policy header missing"
|
|
assert "microphone=()" not in policy, \
|
|
"Permissions-Policy must not block microphone access or desktop/mobile voice input cannot work"
|
|
|
|
|
|
def test_cache_control_no_store():
|
|
"""API responses should have Cache-Control: no-store."""
|
|
d, status, headers = get("/api/sessions")
|
|
assert headers.get("Cache-Control") == "no-store"
|
|
|
|
|
|
# ── Settings password field ──────────────────────────────────────────────
|
|
|
|
def test_settings_password_hash_not_exposed():
|
|
"""GET /api/settings must never expose the stored password hash."""
|
|
d, status, _ = get("/api/settings")
|
|
assert status == 200
|
|
assert "password_hash" not in d # security: never send hash to client
|
|
|
|
|
|
def test_settings_save_preserves_other_fields():
|
|
"""Saving settings should not break existing fields."""
|
|
# Get current settings
|
|
current, _, _ = get("/api/settings")
|
|
# Save with just send_key
|
|
d, status, _ = post("/api/settings", {"send_key": "enter"})
|
|
assert status == 200
|
|
# Verify other fields still present
|
|
updated, _, _ = get("/api/settings")
|
|
assert "default_model" in updated
|
|
assert "default_workspace" in updated
|
|
|
|
|
|
def test_settings_password_hash_not_directly_settable():
|
|
"""POST /api/settings with password_hash must not overwrite the stored hash."""
|
|
# Attempt to set a raw hash directly (attack vector)
|
|
post("/api/settings", {"password_hash": "deadbeef" * 8})
|
|
# Settings response must not expose it regardless
|
|
updated, status, _ = get("/api/settings")
|
|
assert status == 200
|
|
assert "password_hash" not in updated
|