1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205"""Pin cookie security flags on the helpers in ``src.auth.cookies``.
These flags are the security surface โ ``HttpOnly``, ``SameSite=Lax``,
``Secure``, ``Max-Age``, ``Path``. The integration round-trip tests assert
*presence* of cookies but not their attributes; if a future hardening pass
flips ``Lax`` โ ``Strict`` or drops ``HttpOnly`` from the session cookie,
those tests stay green even though the cookie is broken or unsafe.
"""
from __future__ import annotations
from collections.abc import Iterator
from datetime import UTC, datetime, timedelta
from typing import Any
import pytest
from fastapi import Response
from pydantic import SecretStr
from src.auth.base import Identity
from src.auth.cookies import clear_session_cookies, set_session_cookies
SESSION_COOKIE = "reflow_session"
def _identity() -> Identity:
now = datetime.now(UTC)
return Identity(
sub="alice",
email=None,
name="alice",
provider_id="basic",
issued_at=now,
expires_at=now + timedelta(seconds=3600),
)
def _parse_cookie_directives(set_cookie_header: str) -> dict[str, str | bool]:
"""Turn a ``Set-Cookie`` value into a directive map.
Boolean directives like ``HttpOnly`` are stored as ``True`` (case-
insensitive); key=value directives keep their value verbatim.
"""
parts = [p.strip() for p in set_cookie_header.split(";") if p.strip()]
result: dict[str, str | bool] = {}
# The first part is "name=value" โ index by lower-cased key for the
# directives that follow (HttpOnly, Secure, SameSite, Max-Age, Path).
name, _, value = parts[0].partition("=")
result["__name"] = name
result["__value"] = value
for directive in parts[1:]:
if "=" in directive:
key, _, val = directive.partition("=")
result[key.lower()] = val
else:
result[directive.lower()] = True
return result
@pytest.fixture
def auth_settings_overridden() -> Iterator[dict[str, Any]]:
"""Patch the global settings singleton + clear cached factories.
Rolls back on teardown so this test file can run alongside others
without polluting the singleton.
"""
from src.auth import factory
from src.config import settings as global_settings
overrides = {
"auth_mode": "basic",
"auth_secret_key": SecretStr("x" * 32),
"auth_session_cookie_name": SESSION_COOKIE,
"auth_session_ttl_seconds": 3600,
"auth_cookie_secure": True,
}
saved = {k: getattr(global_settings, k) for k in overrides}
for k, v in overrides.items():
object.__setattr__(global_settings, k, v)
factory.get_session_store.cache_clear()
factory.get_auth_provider.cache_clear()
try:
yield overrides
finally:
for k, v in saved.items():
object.__setattr__(global_settings, k, v)
factory.get_session_store.cache_clear()
factory.get_auth_provider.cache_clear()
def _set_cookies(response: Response) -> dict[str, dict[str, str | bool]]:
set_session_cookies(response=response, identity=_identity())
headers = response.headers.getlist("set-cookie")
return {
_parse_cookie_directives(h)["__name"]: _parse_cookie_directives(h)
for h in headers
if isinstance(_parse_cookie_directives(h)["__name"], str)
}
@pytest.mark.unit
def test_session_cookie_is_httponly(auth_settings_overridden: dict[str, Any]) -> None:
response = Response()
cookies = _set_cookies(response)
session = cookies[SESSION_COOKIE]
assert session.get("httponly") is True
@pytest.mark.unit
def test_csrf_companion_is_not_httponly(
auth_settings_overridden: dict[str, Any],
) -> None:
"""SPA needs to read the CSRF cookie via document.cookie, so it must
NOT be HttpOnly โ that's load-bearing for double-submit CSRF."""
response = Response()
cookies = _set_cookies(response)
csrf = cookies[f"{SESSION_COOKIE}_csrf"]
assert csrf.get("httponly") is not True
@pytest.mark.unit
def test_both_cookies_use_samesite_lax(
auth_settings_overridden: dict[str, Any],
) -> None:
"""SameSite=Lax (not Strict) โ load-bearing for the OIDC redirect-back
flow. Strict drops the cookie on the post-IdP top-level GET, silently
breaking SSO. Documented in src/auth/oidc โ pinned here."""
response = Response()
cookies = _set_cookies(response)
assert cookies[SESSION_COOKIE]["samesite"].lower() == "lax"
assert cookies[f"{SESSION_COOKIE}_csrf"]["samesite"].lower() == "lax"
@pytest.mark.unit
def test_secure_flag_tracks_setting(
auth_settings_overridden: dict[str, Any],
) -> None:
response = Response()
cookies = _set_cookies(response)
assert cookies[SESSION_COOKIE].get("secure") is True
assert cookies[f"{SESSION_COOKIE}_csrf"].get("secure") is True
@pytest.mark.unit
def test_secure_flag_off_when_disabled(
auth_settings_overridden: dict[str, Any],
) -> None:
"""Disabling auth_cookie_secure (e.g. for local HTTP dev) must drop
the Secure flag from both cookies."""
from src.config import settings
object.__setattr__(settings, "auth_cookie_secure", False)
response = Response()
cookies = _set_cookies(response)
assert cookies[SESSION_COOKIE].get("secure") is not True
assert cookies[f"{SESSION_COOKIE}_csrf"].get("secure") is not True
@pytest.mark.unit
def test_max_age_matches_ttl(auth_settings_overridden: dict[str, Any]) -> None:
response = Response()
cookies = _set_cookies(response)
assert cookies[SESSION_COOKIE]["max-age"] == "3600"
assert cookies[f"{SESSION_COOKIE}_csrf"]["max-age"] == "3600"
@pytest.mark.unit
def test_path_is_root(auth_settings_overridden: dict[str, Any]) -> None:
response = Response()
cookies = _set_cookies(response)
assert cookies[SESSION_COOKIE]["path"] == "/"
assert cookies[f"{SESSION_COOKIE}_csrf"]["path"] == "/"
@pytest.mark.unit
def test_x_auth_cookie_set_sentinel(
auth_settings_overridden: dict[str, Any],
) -> None:
"""The middleware reads this sentinel to suppress sliding-window
re-issue when login/logout already rotated the cookie. Must be set
on every cookie write; otherwise the middleware races."""
response = Response()
set_session_cookies(response=response, identity=_identity())
assert response.headers.get("X-Auth-Cookie-Set") == "1"
@pytest.mark.unit
def test_clear_zeroes_max_age_and_sets_sentinel(
auth_settings_overridden: dict[str, Any],
) -> None:
response = Response()
clear_session_cookies(response)
headers = response.headers.getlist("set-cookie")
cookies = {
_parse_cookie_directives(h)["__name"]: _parse_cookie_directives(h)
for h in headers
}
assert cookies[SESSION_COOKIE]["max-age"] == "0"
assert cookies[f"{SESSION_COOKIE}_csrf"]["max-age"] == "0"
# Session cookie still HttpOnly during clear (so a JS read can't see
# the empty value either); CSRF companion still NOT HttpOnly for symmetry.
assert cookies[SESSION_COOKIE].get("httponly") is True
assert cookies[f"{SESSION_COOKIE}_csrf"].get("httponly") is not True
# Sentinel set so the sliding-window middleware doesn't resurrect.
assert response.headers.get("X-Auth-Cookie-Set") == "1"