mirror of
https://github.com/zvx-echo6/central.git
synced 2026-05-21 18:14:44 +02:00
malice
494ad1c799* feat(gui): implement first-run setup wizard (1b-8) Add a 5-step setup wizard that replaces the single-step /setup: 1. Create Operator - create initial operator account 2. System Settings - configure map tile URL and attribution 3. API Keys - optionally add API keys for adapters 4. Configure Adapters - enable/disable adapters with region picker 5. Finish Setup - review and complete setup Key changes: - Update middleware to handle wizard URL structure and step routing - Add wizard routes for each step with proper auth checks - Create new templates using base_wizard.html for consistent styling - Add audit events for system.update and setup.complete - Update tests for new middleware behavior Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(gui): handle CSRF errors on wizard paths Update csrf_exception_handler to re-render wizard forms with error message instead of redirecting to /login when CSRF validation fails. - /setup/operator: re-render with error - /setup/system: re-render with current system values + error - /setup/keys: re-render with current keys list + error - /setup/adapters: re-render with current adapter config + error - /setup/finish: re-render with summary data + error - /setup: redirect to /setup (middleware routes to appropriate step) Add error display to setup_keys.html and setup_finish.html templates. Add 7 new CSRF handler tests for wizard paths. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(gui): region picker render + click-to-draw Bug A: Maps render blank on /setup/adapters for FIRMS and USGS because Leaflet computed zero dimensions before container layout settled. Fix: add setTimeout invalidateSize() after map creation. Bug B: No click-to-draw functionality - only drag corners. Fix: add L.Control.Draw for rectangle drawing with CREATED event handler to replace existing rectangle. Both fixes applied to: - setup_adapters.html (wizard inline JS) - _region_picker.html (standalone edit page) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(gui): handle revisiting /setup/operator after operator created When an operator already exists, /setup/operator now shows a confirmation page instead of the create form. This prevents: - Unique constraint violations on duplicate username - Silent creation of duplicate operators GET /setup/operator: queries config.operators; if any exist, renders confirmation state with existing_operator context. POST /setup/operator: checks operator count before INSERT; if non-zero, renders confirmation state without inserting. Template updated with conditional to show "Operator Already Configured" message when existing_operator is set. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(csrf): replace fastapi-csrf-protect with session-bound CSRF Fixes CSRF race condition where every GET rotated the CSRF token, causing POST failures when users had multiple tabs or slow connections. Changes: - Remove fastapi-csrf-protect dependency - Add session-bound CSRF tokens stored in config.sessions table - Add pre-auth CSRF for unauthenticated routes (/login, /setup/operator) - Add csrf.py module for pre-auth token generation/validation - Update routes to use new CSRF token handling - Add migration 013 to add csrf_token column to sessions The session-bound approach ensures CSRF tokens remain stable for the duration of a session, eliminating the race condition. Note: Route tests (test_wizard.py, test_adapters.py, etc.) need refactoring to mock get_settings() instead of CsrfProtect dependency. Core auth/CSRF handler tests pass (74 tests). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * test(csrf): update test suite for session-bound CSRF tokens - Add CSRF fixtures to conftest.py for pre-auth and session CSRF - Update test_wizard.py: use bypass_pre_auth_csrf and patch_route_settings - Update test_adapters.py: set request.state.csrf_token and form mock data - Update test_api_keys.py: add CSRF token to form data for POST routes - Update test_streams.py: change return_value to side_effect for CSRF support - Update test_region_picker.py: add CSRF token handling - Update test_config_store.py: set CENTRAL_CSRF_SECRET env var in fixture All 285 tests now pass with session-bound CSRF validation. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Matt Johnson <mj@k7zvx.com>
200 lines
7.4 KiB
Python
200 lines
7.4 KiB
Python
"""Tests for setup gate middleware."""
|
|
|
|
import pytest
|
|
from unittest.mock import AsyncMock, MagicMock, patch
|
|
from starlette.testclient import TestClient
|
|
from fastapi import FastAPI
|
|
|
|
from central.gui.middleware import SetupGateMiddleware
|
|
|
|
|
|
class TestSetupGateMiddleware:
|
|
"""Tests for SetupGateMiddleware."""
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_allows_setup_subpath_when_incomplete(self):
|
|
"""SetupGateMiddleware allows /setup/operator when setup_complete=False."""
|
|
mock_pool = MagicMock()
|
|
mock_conn = MagicMock()
|
|
mock_conn.fetchrow = AsyncMock(return_value={"setup_complete": False})
|
|
mock_conn.__aenter__ = AsyncMock(return_value=mock_conn)
|
|
mock_conn.__aexit__ = AsyncMock()
|
|
mock_pool.acquire = MagicMock(return_value=mock_conn)
|
|
|
|
with patch("central.gui.middleware.get_pool", return_value=mock_pool):
|
|
app = FastAPI()
|
|
|
|
@app.get("/setup/operator")
|
|
async def setup_operator():
|
|
return {"message": "operator"}
|
|
|
|
app.add_middleware(SetupGateMiddleware)
|
|
client = TestClient(app)
|
|
|
|
response = client.get("/setup/operator")
|
|
assert response.status_code == 200
|
|
assert response.json() == {"message": "operator"}
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_redirects_setup_base_to_wizard_step(self):
|
|
"""SetupGateMiddleware redirects /setup to wizard step when incomplete."""
|
|
mock_pool = MagicMock()
|
|
mock_conn = MagicMock()
|
|
mock_conn.fetchrow = AsyncMock(return_value={"setup_complete": False})
|
|
mock_conn.fetchval = AsyncMock(return_value=0) # No operators
|
|
mock_conn.__aenter__ = AsyncMock(return_value=mock_conn)
|
|
mock_conn.__aexit__ = AsyncMock()
|
|
mock_pool.acquire = MagicMock(return_value=mock_conn)
|
|
|
|
with patch("central.gui.middleware.get_pool", return_value=mock_pool):
|
|
app = FastAPI()
|
|
|
|
@app.get("/setup")
|
|
async def setup():
|
|
return {"message": "setup"}
|
|
|
|
@app.get("/setup/operator")
|
|
async def setup_operator():
|
|
return {"message": "operator"}
|
|
|
|
app.add_middleware(SetupGateMiddleware)
|
|
client = TestClient(app, follow_redirects=False)
|
|
|
|
response = client.get("/setup")
|
|
assert response.status_code == 302
|
|
assert response.headers["location"] == "/setup/operator"
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_allows_health_when_incomplete(self):
|
|
"""SetupGateMiddleware allows /health regardless of setup state."""
|
|
mock_pool = MagicMock()
|
|
mock_conn = MagicMock()
|
|
mock_conn.fetchrow = AsyncMock(return_value={"setup_complete": False})
|
|
mock_conn.__aenter__ = AsyncMock(return_value=mock_conn)
|
|
mock_conn.__aexit__ = AsyncMock()
|
|
mock_pool.acquire = MagicMock(return_value=mock_conn)
|
|
|
|
with patch("central.gui.middleware.get_pool", return_value=mock_pool):
|
|
app = FastAPI()
|
|
|
|
@app.get("/health")
|
|
async def health():
|
|
return {"status": "ok"}
|
|
|
|
app.add_middleware(SetupGateMiddleware)
|
|
client = TestClient(app)
|
|
|
|
response = client.get("/health")
|
|
assert response.status_code == 200
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_redirects_other_routes_when_incomplete(self):
|
|
"""SetupGateMiddleware redirects non-setup routes when setup_complete=False."""
|
|
mock_pool = MagicMock()
|
|
mock_conn = MagicMock()
|
|
mock_conn.fetchrow = AsyncMock(return_value={"setup_complete": False})
|
|
mock_conn.__aenter__ = AsyncMock(return_value=mock_conn)
|
|
mock_conn.__aexit__ = AsyncMock()
|
|
mock_pool.acquire = MagicMock(return_value=mock_conn)
|
|
|
|
with patch("central.gui.middleware.get_pool", return_value=mock_pool):
|
|
app = FastAPI()
|
|
|
|
@app.get("/")
|
|
async def index():
|
|
return {"message": "home"}
|
|
|
|
@app.get("/setup")
|
|
async def setup():
|
|
return {"message": "setup"}
|
|
|
|
app.add_middleware(SetupGateMiddleware)
|
|
client = TestClient(app, follow_redirects=False)
|
|
|
|
response = client.get("/")
|
|
assert response.status_code == 302
|
|
assert response.headers["location"] == "/setup"
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_allows_all_routes_when_complete(self):
|
|
"""SetupGateMiddleware allows all routes when setup_complete=True."""
|
|
mock_pool = MagicMock()
|
|
mock_conn = MagicMock()
|
|
mock_conn.fetchrow = AsyncMock(return_value={"setup_complete": True})
|
|
mock_conn.__aenter__ = AsyncMock(return_value=mock_conn)
|
|
mock_conn.__aexit__ = AsyncMock()
|
|
mock_pool.acquire = MagicMock(return_value=mock_conn)
|
|
|
|
with patch("central.gui.middleware.get_pool", return_value=mock_pool):
|
|
app = FastAPI()
|
|
|
|
@app.get("/")
|
|
async def index():
|
|
return {"message": "home"}
|
|
|
|
app.add_middleware(SetupGateMiddleware)
|
|
client = TestClient(app)
|
|
|
|
response = client.get("/")
|
|
assert response.status_code == 200
|
|
assert response.json() == {"message": "home"}
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_allows_static_when_incomplete(self):
|
|
"""SetupGateMiddleware allows /static routes when setup_complete=False."""
|
|
mock_pool = MagicMock()
|
|
mock_conn = MagicMock()
|
|
mock_conn.fetchrow = AsyncMock(return_value={"setup_complete": False})
|
|
mock_conn.__aenter__ = AsyncMock(return_value=mock_conn)
|
|
mock_conn.__aexit__ = AsyncMock()
|
|
mock_pool.acquire = MagicMock(return_value=mock_conn)
|
|
|
|
with patch("central.gui.middleware.get_pool", return_value=mock_pool):
|
|
app = FastAPI()
|
|
|
|
@app.get("/static/test.css")
|
|
async def static():
|
|
return "css"
|
|
|
|
app.add_middleware(SetupGateMiddleware)
|
|
client = TestClient(app)
|
|
|
|
response = client.get("/static/test.css")
|
|
assert response.status_code == 200
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_redirects_setup_when_complete(self):
|
|
"""SetupGateMiddleware redirects /setup/* to / when setup_complete=True."""
|
|
mock_pool = MagicMock()
|
|
mock_conn = MagicMock()
|
|
mock_conn.fetchrow = AsyncMock(return_value={"setup_complete": True})
|
|
mock_conn.__aenter__ = AsyncMock(return_value=mock_conn)
|
|
mock_conn.__aexit__ = AsyncMock()
|
|
mock_pool.acquire = MagicMock(return_value=mock_conn)
|
|
|
|
with patch("central.gui.middleware.get_pool", return_value=mock_pool):
|
|
app = FastAPI()
|
|
|
|
@app.get("/")
|
|
async def index():
|
|
return {"message": "home"}
|
|
|
|
@app.get("/setup")
|
|
async def setup():
|
|
return {"message": "setup"}
|
|
|
|
@app.get("/setup/operator")
|
|
async def setup_operator():
|
|
return {"message": "operator"}
|
|
|
|
app.add_middleware(SetupGateMiddleware)
|
|
client = TestClient(app, follow_redirects=False)
|
|
|
|
# Both /setup and /setup/operator should redirect to /
|
|
response = client.get("/setup")
|
|
assert response.status_code == 302
|
|
assert response.headers["location"] == "/"
|
|
|
|
response = client.get("/setup/operator")
|
|
assert response.status_code == 302
|
|
assert response.headers["location"] == "/"
|