import pytest from l4d2web.app import create_app from l4d2web.auth import hash_password from l4d2web.db import init_db, session_scope from l4d2web.models import User @pytest.fixture def client(tmp_path, monkeypatch): db_url = f"sqlite:///{tmp_path/'auth.db'}" monkeypatch.setenv("DATABASE_URL", db_url) app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"}) init_db() return app.test_client() @pytest.fixture def seed_user(tmp_path, monkeypatch): db_url = f"sqlite:///{tmp_path/'seed.db'}" monkeypatch.setenv("DATABASE_URL", db_url) app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"}) init_db() with app.app_context(): with session_scope() as session: user = User(username="alice", password_digest=hash_password("secret"), admin=False) session.add(user) session.flush() user_id = user.id return user_id def test_login_page_renders_form(client) -> None: response = client.get("/login") text = response.get_data(as_text=True) assert response.status_code == 200 assert '
None: response = client.get("/login?next=/%5Cevil.com") text = response.get_data(as_text=True) assert response.status_code == 200 assert 'name="next"' not in text assert "evil.com" not in text def test_login_calls_verify_password_for_unknown_user(client, monkeypatch) -> None: calls: list[tuple[str, str]] = [] def tracking_verify(raw: str, digest: str) -> bool: calls.append((raw, digest)) return False monkeypatch.setattr("l4d2web.routes.auth_routes.verify_password", tracking_verify) response = client.post("/login", data={"username": "ghost", "password": "guess"}) assert response.status_code == 401 assert len(calls) == 1, "verify_password must run on unknown users to equalize timing" assert calls[0][0] == "guess" def test_signup_routes_are_gone(client) -> None: assert client.get("/signup").status_code == 404 assert client.post("/signup", data={"username": "alice", "password": "secret"}).status_code == 404 def test_login_redirects_to_safe_next(client) -> None: with session_scope() as session: session.add(User(username="alice", password_digest=hash_password("secret"), admin=False)) response = client.post( "/login", data={"username": "alice", "password": "secret", "next": "/servers"}, ) assert response.status_code == 302 assert response.headers["Location"].endswith("/servers") def test_login_ignores_unsafe_next(client) -> None: with session_scope() as session: session.add(User(username="alice", password_digest=hash_password("secret"), admin=False)) response = client.post( "/login", data={"username": "alice", "password": "secret", "next": "https://example.com/steal"}, ) assert response.status_code == 302 assert response.headers["Location"].endswith("/dashboard") def test_login_ignores_backslash_next(client) -> None: with session_scope() as session: session.add(User(username="alice", password_digest=hash_password("secret"), admin=False)) response = client.post( "/login", data={"username": "alice", "password": "secret", "next": "/\\evil.com"}, ) assert response.status_code == 302 assert response.headers["Location"].endswith("/dashboard") def test_login_ignores_percent_encoded_backslash_next(client) -> None: with session_scope() as session: session.add(User(username="alice", password_digest=hash_password("secret"), admin=False)) response = client.post( "/login", data={"username": "alice", "password": "secret", "next": "/%5Cevil.com"}, ) assert response.status_code == 302 assert response.headers["Location"].endswith("/dashboard") def test_login_sets_session(client) -> None: with session_scope() as session: session.add(User(username="alice", password_digest=hash_password("secret"), admin=False)) response = client.post("/login", data={"username": "alice", "password": "secret"}) assert response.status_code == 302 with client.session_transaction() as sess: assert sess.get("user_id") is not None def test_create_user_cli_uses_environment_password(tmp_path, monkeypatch) -> None: db_url = f"sqlite:///{tmp_path/'create_user.db'}" monkeypatch.setenv("DATABASE_URL", db_url) monkeypatch.setenv("LEFT4ME_ADMIN_PASSWORD", "secret") app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"}) init_db() result = app.test_cli_runner().invoke(args=["create-user", "admin", "--admin"]) assert result.exit_code == 0 assert "created user admin" in result.output with session_scope() as session: user = session.query(User).filter_by(username="admin").one() assert user.admin is True def test_create_user_cli_rejects_empty_environment_password(tmp_path, monkeypatch) -> None: db_url = f"sqlite:///{tmp_path/'empty_password.db'}" monkeypatch.setenv("DATABASE_URL", db_url) monkeypatch.setenv("LEFT4ME_ADMIN_PASSWORD", "") app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"}) init_db() result = app.test_cli_runner().invoke(args=["create-user", "admin", "--admin"]) assert result.exit_code != 0 assert "password must not be empty" in result.output def test_create_user_cli_rejects_duplicate_username(tmp_path, monkeypatch) -> None: db_url = f"sqlite:///{tmp_path/'duplicate_user.db'}" monkeypatch.setenv("DATABASE_URL", db_url) monkeypatch.setenv("LEFT4ME_ADMIN_PASSWORD", "secret") app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"}) init_db() with session_scope() as session: session.add(User(username="admin", password_digest=hash_password("secret"), admin=True)) result = app.test_cli_runner().invoke(args=["create-user", "admin", "--admin"]) assert result.exit_code != 0 assert "user already exists" in result.output