a9bbb668b5
Replaces nginx basic auth with a proper per-user session system:
- auth_utils.py: bcrypt password hashing, JWT cookie creation/decode
- auth_middleware.py: validates JWT cookie on all routes except /login,
/health, /static/, and webhook endpoints (/channels/, /webhook/)
- routers/ui.py: GET /login, POST /login, POST /logout,
GET /{username}/{persona} — serves index.html with CORTEX_CONFIG injected
- static/login.html: minimal login form (dark theme, matches UI)
- main.py: registers SessionAuthMiddleware + ui.router
- config.py: jwt_secret, jwt_expire_days settings
- manage_passwords.py: CLI tool to set/check/list user passwords
- app.js: reads window.CORTEX_CONFIG (user + persona), sends both on
every /chat and /orchestrate request; persona name shown in header;
logout button (⏏) added to header
- requirements.txt: bcrypt, PyJWT, python-multipart
- .env.default: JWT_SECRET, JWT_EXPIRE_DAYS documented
- tests: client fixture injects JWT cookie; security test assertions
updated for URL-normalized path traversal paths (still secure, codes differ)
All 80 tests pass.
Setup for a new user:
python manage_passwords.py set scott
python manage_passwords.py set holly
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
69 lines
2.2 KiB
Python
69 lines
2.2 KiB
Python
"""
|
|
Tests for GET/PUT /files/* — allowed set enforcement, read/write, IDENTITY.md.
|
|
"""
|
|
import pytest
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_files_list(client):
|
|
r = await client.get("/files")
|
|
assert r.status_code == 200
|
|
files = r.json()["files"]
|
|
names = [f["name"] for f in files]
|
|
assert "SOUL.md" in names
|
|
assert "IDENTITY.md" in names
|
|
assert "USER.md" in names
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_files_get_allowed(client):
|
|
r = await client.get("/files/IDENTITY.md")
|
|
assert r.status_code == 200
|
|
assert "content" in r.json()
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_files_get_not_in_allowed(client):
|
|
"""Files outside the ALLOWED set should return 404, not the file content."""
|
|
for name in ("TASKS.json", "CRONS.json", "SCRATCH.md", "../config.py", ".env"):
|
|
r = await client.get(f"/files/{name}")
|
|
assert r.status_code == 404, f"Expected 404 for {name}, got {r.status_code}"
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_files_put_and_get(client):
|
|
"""Write a new value and read it back."""
|
|
content = "# Updated PROTOCOLS\nTest content."
|
|
r = await client.put("/files/PROTOCOLS.md", json={"content": content})
|
|
assert r.status_code == 200
|
|
assert r.json()["ok"] is True
|
|
|
|
r2 = await client.get("/files/PROTOCOLS.md")
|
|
assert r2.status_code == 200
|
|
assert r2.json()["content"] == content
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_files_put_not_allowed(client):
|
|
# '../../etc/passwd' normalizes to '/etc/passwd' at the ASGI layer —
|
|
# no route handles PUT there, so 404 or 405 are both acceptable safe responses.
|
|
r = await client.put("/files/../../etc/passwd", json={"content": "pwned"})
|
|
assert r.status_code in (404, 405)
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_files_get_missing_but_allowed(client, home_root):
|
|
"""An allowed file that doesn't exist yet returns 404."""
|
|
# Temporarily remove MEMORY_MID.md
|
|
f = home_root / "scott" / "persona" / "inara" / "MEMORY_MID.md"
|
|
existed = f.exists()
|
|
if existed:
|
|
backup = f.read_text()
|
|
f.unlink()
|
|
try:
|
|
r = await client.get("/files/MEMORY_MID.md")
|
|
assert r.status_code == 404
|
|
finally:
|
|
if existed:
|
|
f.write_text(backup)
|