Nautilus/ledgerdock
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix auth route response injection crash

Browse Source
This commit is contained in:
Beda Schmid
2026-03-01 21:43:09 -03:00
parent 26eae1a09b
commit 3cccf2e0e8
2 changed files with 16 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
backend/app/api/routes_auth.py
View File

@@ -26,13 +26,12 @@ from app.services.auth_login_throttle import (
clear_login_throttle, clear_login_throttle,
record_failed_login_attempt, record_failed_login_attempt,
) )
from app.services.authentication import authenticate_user, issue_user_session, revoke_auth_session
try: try:
from fastapi import Response from fastapi import Response
except (ImportError, AttributeError): except (ImportError, AttributeError):
from fastapi.responses import Response from fastapi.responses import Response
from app.services.authentication import authenticate_user, issue_user_session, revoke_auth_session
router = APIRouter(prefix="/auth", tags=["auth"]) router = APIRouter(prefix="/auth", tags=["auth"])
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@@ -132,7 +131,7 @@ def _clear_session_cookies(response: Response) -> None:
def login( def login(
payload: AuthLoginRequest, payload: AuthLoginRequest,
request: Request, request: Request,
response: Response | None = None, response: Response,
session: Session = Depends(get_session), session: Session = Depends(get_session),
) -> AuthLoginResponse: ) -> AuthLoginResponse:
"""Authenticates credentials with throttle protection and returns issued session metadata.""" """Authenticates credentials with throttle protection and returns issued session metadata."""
@@ -241,7 +240,7 @@ def me(context: AuthContext = Depends(require_user_or_admin)) -> AuthSessionResp
@router.post("/logout", response_model=AuthLogoutResponse) @router.post("/logout", response_model=AuthLogoutResponse)
def logout( def logout(
response: Response | None = None, response: Response,
context: AuthContext = Depends(require_user_or_admin), context: AuthContext = Depends(require_user_or_admin),
session: Session = Depends(get_session), session: Session = Depends(get_session),
) -> AuthLogoutResponse: ) -> AuthLogoutResponse:

13
backend/tests/test_security_controls.py
View File

@@ -784,6 +784,15 @@ class AuthLoginRouteThrottleTests(unittest.TestCase):
self.commit_count += 1 self.commit_count += 1
@staticmethod
def _response_stub() -> SimpleNamespace:
"""Builds a minimal response object for direct route invocation."""
return SimpleNamespace(
set_cookie=lambda *_args, **_kwargs: None,
delete_cookie=lambda *_args, **_kwargs: None,
)
@staticmethod @staticmethod
def _request_stub(ip_address: str = "203.0.113.2", user_agent: str = "unit-test") -> SimpleNamespace: def _request_stub(ip_address: str = "203.0.113.2", user_agent: str = "unit-test") -> SimpleNamespace:
"""Builds request-like object containing client host and user-agent header fields.""" """Builds request-like object containing client host and user-agent header fields."""
@@ -810,6 +819,7 @@ class AuthLoginRouteThrottleTests(unittest.TestCase):
auth_routes_module.login( auth_routes_module.login(
payload=payload, payload=payload,
request=self._request_stub(), request=self._request_stub(),
response=self._response_stub(),
session=session, session=session,
) )
self.assertEqual(raised.exception.status_code, 429) self.assertEqual(raised.exception.status_code, 429)
@@ -839,6 +849,7 @@ class AuthLoginRouteThrottleTests(unittest.TestCase):
auth_routes_module.login( auth_routes_module.login(
payload=payload, payload=payload,
request=self._request_stub(), request=self._request_stub(),
response=self._response_stub(),
session=session, session=session,
) )
self.assertEqual(raised.exception.status_code, 429) self.assertEqual(raised.exception.status_code, 429)
@@ -876,6 +887,7 @@ class AuthLoginRouteThrottleTests(unittest.TestCase):
response = auth_routes_module.login( response = auth_routes_module.login(
payload=payload, payload=payload,
request=self._request_stub(), request=self._request_stub(),
response=self._response_stub(),
session=session, session=session,
) )
self.assertEqual(response.access_token, "session-token") self.assertEqual(response.access_token, "session-token")
@@ -893,6 +905,7 @@ class AuthLoginRouteThrottleTests(unittest.TestCase):
auth_routes_module.login( auth_routes_module.login(
payload=payload, payload=payload,
request=self._request_stub(), request=self._request_stub(),
response=self._response_stub(),
session=session, session=session,
) )
self.assertEqual(raised.exception.status_code, 503) self.assertEqual(raised.exception.status_code, 503)