feat(security): implement safe guest auth flow and harden request_jwt

- Patched request_jwt to strip privileged IDs when signing with public keys - Updated AccountContext and V3 dependencies to preserve JWT payloads for guests - Whitelisted Archive, Post, Event, and other core objects for public read access - Added 'default_qry_str' to Event searchable fields - Added test_e2e_jwt_guest_auth.py for security verification
2026-01-20 14:56:56 -05:00
parent 8a22ac324c
commit dc7732ab5f
11 changed files with 179 additions and 16 deletions
--- a/tests/test_permissive_mode.py
+++ b/tests/test_permissive_mode.py
@@ -0,0 +1,34 @@
+import requests
+import json
+
+API_BASE = "https://dev-api.oneskyit.com/v3/crud"
+API_KEY = "IDF68Em5X4HTZlswRNgepQ"
+JOURNAL_ID = "OGQK-02-04-94"
+
+# We'll try to patch this journal with an extra field that shouldn't be there
+payload = {
+    "name": "Permissive Test Name",
+    "unauthorized_field": "I should be ignored",
+    "created_on": "2026-01-01T00:00:00" # Technical field usually forbidden
+}
+
+def test_permissive_mode():
+    headers = {
+        "x-aether-api-key": API_KEY,
+        "x-no-account-id": "bypass",
+        "Content-Type": "application/json"
+    }
+
+    print("\n--- Test 1: Standard Mode (Should FAIL) ---")
+    resp = requests.patch(f"{API_BASE}/journal/{JOURNAL_ID}", headers=headers, json=payload)
+    print(f"Status: {resp.status_code}")
+    print(f"Response: {resp.text}")
+
+    print("\n--- Test 2: Permissive Mode (Should SUCCEED) ---")
+    headers["x-ae-ignore-extra-fields"] = "true"
+    resp = requests.patch(f"{API_BASE}/journal/{JOURNAL_ID}", headers=headers, json=payload)
+    print(f"Status: {resp.status_code}")
+    print(f"Response: {resp.text}")
+
+if __name__ == "__main__":
+    test_permissive_mode()