fix: harden startup security — require strong secrets, restrict CORS
- decnet/env.py: DECNET_JWT_SECRET and DECNET_ADMIN_PASSWORD are now
required env vars; startup raises ValueError if unset or set to a
known-bad default ("admin", "password", etc.)
- decnet/env.py: add DECNET_CORS_ORIGINS (comma-separated, defaults to
http://localhost:8080) replacing the previous allow_origins=["*"]
- decnet/web/api.py: use DECNET_CORS_ORIGINS and tighten allow_methods
and allow_headers to explicit lists
- tests/conftest.py: set required env vars at module level so test
collection works without real credentials
- tests/test_web_api.py, test_web_api_fuzz.py: use DECNET_ADMIN_PASSWORD
from env instead of hardcoded "admin"
Closes DEBT-001, DEBT-002, DEBT-004
This commit is contained in:
@@ -6,6 +6,7 @@ from fastapi.testclient import TestClient
|
||||
|
||||
from decnet.web.api import app
|
||||
from decnet.web.dependencies import repo
|
||||
from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
|
||||
|
||||
|
||||
@pytest.fixture(autouse=True)
|
||||
@@ -29,7 +30,7 @@ def test_login_success() -> None:
|
||||
# The TestClient context manager triggers startup/shutdown events
|
||||
response = client.post(
|
||||
"/api/v1/auth/login",
|
||||
json={"username": "admin", "password": "admin"}
|
||||
json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD}
|
||||
)
|
||||
assert response.status_code == 200
|
||||
data = response.json()
|
||||
@@ -57,7 +58,7 @@ def test_login_failure() -> None:
|
||||
def test_change_password() -> None:
|
||||
with TestClient(app) as client:
|
||||
# First login to get token
|
||||
login_resp = client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
|
||||
login_resp = client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD})
|
||||
token = login_resp.json()["access_token"]
|
||||
|
||||
# Try changing password with wrong old password
|
||||
@@ -71,17 +72,17 @@ def test_change_password() -> None:
|
||||
# Change password successfully
|
||||
resp2 = client.post(
|
||||
"/api/v1/auth/change-password",
|
||||
json={"old_password": "admin", "new_password": "new_secure_password"},
|
||||
json={"old_password": DECNET_ADMIN_PASSWORD, "new_password": "new_secure_password"},
|
||||
headers={"Authorization": f"Bearer {token}"}
|
||||
)
|
||||
assert resp2.status_code == 200
|
||||
|
||||
# Verify old password no longer works
|
||||
resp3 = client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
|
||||
resp3 = client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD})
|
||||
assert resp3.status_code == 401
|
||||
|
||||
# Verify new password works and must_change_password is False
|
||||
resp4 = client.post("/api/v1/auth/login", json={"username": "admin", "password": "new_secure_password"})
|
||||
resp4 = client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": "new_secure_password"})
|
||||
assert resp4.status_code == 200
|
||||
assert resp4.json()["must_change_password"] is False
|
||||
|
||||
@@ -96,7 +97,7 @@ def test_get_logs_success() -> None:
|
||||
with TestClient(app) as client:
|
||||
login_response = client.post(
|
||||
"/api/v1/auth/login",
|
||||
json={"username": "admin", "password": "admin"}
|
||||
json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD}
|
||||
)
|
||||
token = login_response.json()["access_token"]
|
||||
|
||||
@@ -119,7 +120,7 @@ def test_get_stats_success() -> None:
|
||||
with TestClient(app) as client:
|
||||
login_response = client.post(
|
||||
"/api/v1/auth/login",
|
||||
json={"username": "admin", "password": "admin"}
|
||||
json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD}
|
||||
)
|
||||
token = login_response.json()["access_token"]
|
||||
|
||||
|
||||
Reference in New Issue
Block a user