feat(gui): implement first-run setup wizard (1b-8) (#24)

* feat(gui): implement first-run setup wizard (1b-8) Add a 5-step setup wizard that replaces the single-step /setup: 1. Create Operator - create initial operator account 2. System Settings - configure map tile URL and attribution 3. API Keys - optionally add API keys for adapters 4. Configure Adapters - enable/disable adapters with region picker 5. Finish Setup - review and complete setup Key changes: - Update middleware to handle wizard URL structure and step routing - Add wizard routes for each step with proper auth checks - Create new templates using base_wizard.html for consistent styling - Add audit events for system.update and setup.complete - Update tests for new middleware behavior Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(gui): handle CSRF errors on wizard paths Update csrf_exception_handler to re-render wizard forms with error message instead of redirecting to /login when CSRF validation fails. - /setup/operator: re-render with error - /setup/system: re-render with current system values + error - /setup/keys: re-render with current keys list + error - /setup/adapters: re-render with current adapter config + error - /setup/finish: re-render with summary data + error - /setup: redirect to /setup (middleware routes to appropriate step) Add error display to setup_keys.html and setup_finish.html templates. Add 7 new CSRF handler tests for wizard paths. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(gui): region picker render + click-to-draw Bug A: Maps render blank on /setup/adapters for FIRMS and USGS because Leaflet computed zero dimensions before container layout settled. Fix: add setTimeout invalidateSize() after map creation. Bug B: No click-to-draw functionality - only drag corners. Fix: add L.Control.Draw for rectangle drawing with CREATED event handler to replace existing rectangle. Both fixes applied to: - setup_adapters.html (wizard inline JS) - _region_picker.html (standalone edit page) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(gui): handle revisiting /setup/operator after operator created When an operator already exists, /setup/operator now shows a confirmation page instead of the create form. This prevents: - Unique constraint violations on duplicate username - Silent creation of duplicate operators GET /setup/operator: queries config.operators; if any exist, renders confirmation state with existing_operator context. POST /setup/operator: checks operator count before INSERT; if non-zero, renders confirmation state without inserting. Template updated with conditional to show "Operator Already Configured" message when existing_operator is set. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(csrf): replace fastapi-csrf-protect with session-bound CSRF Fixes CSRF race condition where every GET rotated the CSRF token, causing POST failures when users had multiple tabs or slow connections. Changes: - Remove fastapi-csrf-protect dependency - Add session-bound CSRF tokens stored in config.sessions table - Add pre-auth CSRF for unauthenticated routes (/login, /setup/operator) - Add csrf.py module for pre-auth token generation/validation - Update routes to use new CSRF token handling - Add migration 013 to add csrf_token column to sessions The session-bound approach ensures CSRF tokens remain stable for the duration of a session, eliminating the race condition. Note: Route tests (test_wizard.py, test_adapters.py, etc.) need refactoring to mock get_settings() instead of CsrfProtect dependency. Core auth/CSRF handler tests pass (74 tests). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * test(csrf): update test suite for session-bound CSRF tokens - Add CSRF fixtures to conftest.py for pre-auth and session CSRF - Update test_wizard.py: use bypass_pre_auth_csrf and patch_route_settings - Update test_adapters.py: set request.state.csrf_token and form mock data - Update test_api_keys.py: add CSRF token to form data for POST routes - Update test_streams.py: change return_value to side_effect for CSRF support - Update test_region_picker.py: add CSRF token handling - Update test_config_store.py: set CENTRAL_CSRF_SECRET env var in fixture All 285 tests now pass with session-bound CSRF validation. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Matt Johnson <mj@k7zvx.com>
2026-05-21 18:14:44 +02:00 · 2026-05-17 22:06:22 -06:00 · 2026-05-17 22:06:22 -06:00 · 494ad1c799
commit 494ad1c799
parent 96ec88883c
28 changed files with 2897 additions and 377 deletions
--- a/tests/test_csrf_race_condition.py
+++ b/tests/test_csrf_race_condition.py
@ -0,0 +1,108 @@
+"""
+Integration test for CSRF race condition fix.
+
+This test verifies that the session-bound CSRF implementation fixes the race
+condition where interleaved GET requests would invalidate CSRF tokens.
+
+See: PR #24 - Central 1b-8 fix-up phase 2
+"""
+
+import pytest
+
+
+class TestCsrfRaceConditionFix:
+    """Verify that interleaved GETs don't break CSRF validation."""
+
+    def test_session_bound_csrf_consistent_across_gets(self):
+        """Session-bound CSRF tokens remain consistent across multiple GETs.
+
+        This was the core bug: fastapi-csrf-protect rotated tokens on every GET,
+        causing race conditions when users had multiple tabs or slow connections.
+        
+        With session-bound CSRF, the token is stored in the session row and
+        remains constant until the session is destroyed.
+        """
+        from unittest.mock import MagicMock, AsyncMock
+        from central.gui.auth import get_session
+        
+        # Mock a session with a csrf_token
+        mock_conn = MagicMock()
+        mock_conn.fetchrow = AsyncMock(return_value={
+            "id": 1,
+            "username": "testuser",
+            "created_at": "2024-01-01T00:00:00Z",
+            "password_changed_at": "2024-01-01T00:00:00Z",
+            "csrf_token": "fixed_csrf_token_12345",
+        })
+        
+        import asyncio
+        
+        async def test():
+            # First GET
+            result1 = await get_session(mock_conn, "test-token")
+            assert result1 is not None
+            op1, csrf1 = result1
+            
+            # Second GET (simulating interleaved request)
+            result2 = await get_session(mock_conn, "test-token")
+            assert result2 is not None
+            op2, csrf2 = result2
+            
+            # CSRF tokens should be identical (the fix!)
+            assert csrf1 == csrf2 == "fixed_csrf_token_12345"
+        
+        asyncio.run(test())
+
+    def test_pre_auth_csrf_tokens_independently_valid(self):
+        """Pre-auth CSRF tokens are independently valid.
+        
+        For unauthenticated routes, each GET generates a new token+cookie pair.
+        Each pair should validate independently, allowing the original token
+        to work even if another GET happened in between.
+        """
+        from central.gui.csrf import generate_pre_auth_csrf, validate_pre_auth_csrf
+        from unittest.mock import MagicMock
+        
+        secret = "testsecret12345678901234567890ab"
+        
+        # First GET generates token1 + cookie1
+        token1, signed1 = generate_pre_auth_csrf(secret)
+        
+        # Second GET generates token2 + cookie2  
+        token2, signed2 = generate_pre_auth_csrf(secret)
+        
+        # Tokens should be different (fresh random tokens)
+        assert token1 != token2
+        assert signed1 != signed2
+        
+        # But each pair should validate independently
+        mock_request1 = MagicMock()
+        mock_request1.cookies = {"central_preauth_csrf": signed1}
+        
+        mock_request2 = MagicMock()
+        mock_request2.cookies = {"central_preauth_csrf": signed2}
+        
+        # Original token still validates with original cookie
+        assert validate_pre_auth_csrf(mock_request1, token1, secret) is True
+        
+        # Second token validates with second cookie
+        assert validate_pre_auth_csrf(mock_request2, token2, secret) is True
+        
+        # Cross-validation should fail
+        assert validate_pre_auth_csrf(mock_request1, token2, secret) is False
+        assert validate_pre_auth_csrf(mock_request2, token1, secret) is False
+
+    def test_csrf_token_generation_is_secure(self):
+        """CSRF tokens are cryptographically secure."""
+        from central.gui.auth import generate_csrf_token
+        
+        # Generate multiple tokens
+        tokens = [generate_csrf_token() for _ in range(100)]
+        
+        # All tokens should be unique
+        assert len(set(tokens)) == 100
+        
+        # Tokens should be 64 hex chars (32 bytes)
+        for token in tokens:
+            assert len(token) == 64
+            assert all(c in "0123456789abcdef" for c in token)