Use session_secret for signed auth session tokens

2026-04-09 21:30:08 +02:00
parent 6eab47f7ba
commit 208f98dc97
8 changed files with 136 additions and 12 deletions
--- a/backend/tests/test_routers/test_auth.py
+++ b/backend/tests/test_routers/test_auth.py
@@ -54,6 +54,7 @@ class TestLogin:
        body = response.json()
        assert "token" in body
        assert len(body["token"]) > 0
+        assert "." in body["token"]
        assert "expires_at" in body

    async def test_login_sets_cookie(self, client: AsyncClient) -> None:
@@ -64,6 +65,7 @@ class TestLogin:
        )
        assert response.status_code == 200
        assert "bangui_session" in response.cookies
+        assert "." in response.cookies["bangui_session"]

    async def test_login_fails_with_wrong_password(
        self, client: AsyncClient
--- a/backend/tests/test_services/test_auth_service.py
+++ b/backend/tests/test_services/test_auth_service.py
@@ -119,6 +119,30 @@ class TestValidateSession:
        validated = await auth_service.validate_session(db, session.token)
        assert validated.token == session.token

+    async def test_validate_accepts_signed_token(
+        self, db: aiosqlite.Connection
+    ) -> None:
+        """validate_session() accepts a token signed with the configured secret."""
+        session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
+        signed_token = auth_service.sign_session_token(session.token, "test-secret")
+        validated = await auth_service.validate_session(
+            db, signed_token, session_secret="test-secret"
+        )
+        assert validated.token == session.token
+
+    async def test_validate_rejects_tampered_signed_token(
+        self, db: aiosqlite.Connection
+    ) -> None:
+        """validate_session() rejects signed tokens with an invalid signature."""
+        session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
+        signed_token = auth_service.sign_session_token(session.token, "test-secret")
+        tampered_token = signed_token[:-1] + ("0" if signed_token[-1] != "0" else "1")
+
+        with pytest.raises(ValueError, match="invalid"):
+            await auth_service.validate_session(
+                db, tampered_token, session_secret="test-secret"
+            )
+
    async def test_validate_raises_for_unknown_token(
        self, db: aiosqlite.Connection
    ) -> None:
@@ -157,3 +181,14 @@ class TestLogout:
        await auth_service.logout(db, session.token)
        stored = await session_repo.get_session(db, session.token)
        assert stored is None
+
+    async def test_logout_accepts_signed_token(self, db: aiosqlite.Connection) -> None:
+        """logout() accepts a signed token and revokes the underlying raw session."""
+        from app.repositories import session_repo
+
+        session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
+        signed_token = auth_service.sign_session_token(session.token, "test-secret")
+        await auth_service.logout(db, signed_token, session_secret="test-secret")
+
+        stored = await session_repo.get_session(db, session.token)
+        assert stored is None