Scott.Idem/OSIT-AE-API-FastAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
development
OSIT-AE-API-FastAPI/tests/archive/test_e2e_jwt_guest_auth.py
Scott Idem 37c84de57b chore(tests): consolidate E2E test suite into standardized primary scripts 
- Combined 10+ one-off tests into 4 primary functional suites (Search, Auth, Lifecycle, Vision).
- Archived original scripts to tests/archive/.
- Updated README with the new standardized inventory.
- Applied clean output formatting across the new suite.
2026-02-03 16:50:18 -05:00

95 lines
3.4 KiB
Python
Raw Permalink Blame History

import requests
import json
import jwt # Used only for local decoding/verification of the received token
import sys
# Configuration
BASE_URL = "https://dev-api.oneskyit.com"
API_KEY = "IDF68Em5X4HTZlswRNgepQ"
def test_request_jwt_security():
print("\n--- Test 1: request_jwt Security (Over the Network) ---")
# Attempt to request a token with an injected account_id
# The backend should now strip this account_id because we aren't using a signing key
params = {
"account_id": "999999",
"json_str": json.dumps({"mode": "guest", "test": True})
}
headers = {
"X-Aether-API-Key": API_KEY
}
url = f"{BASE_URL}/api/request_jwt"
print(f"Calling: {url}")
try:
response = requests.get(url, params=params, headers=headers)
print(f"Status: {response.status_code}")
data = response.json()
token = data.get('data', {}).get('jwt')
if not token:
print(f"❌ No token returned. Response: {json.dumps(data, indent=2)}")
return None
print(f"Token Received: {token[:30]}...")
# We can't verify the signature without the secret, but we can inspect the payload
# using unverified decode to see if the server stripped the ID before signing.
decoded = jwt.decode(token, options={"verify_signature": False})
print(f"Unverified Payload: {decoded}")
if decoded.get('account_id') is None:
print("✅ SUCCESS: 'account_id' was successfully stripped by the server.")
else:
print(f"❌ FAILURE: 'account_id' was present! Security Patch not active. Value: {decoded.get('account_id')}")
sys.exit(1)
return token
except Exception as e:
print(f"❌ Error during request: {e}")
return None
def test_guest_access(guest_token):
print("\n--- Test 2: Guest Access with Token ---")
headers = {
"X-Aether-API-Key": API_KEY
}
params = {"jwt": guest_token}
# 1. Test Public Object (site_domain) - Should succeed (200)
print("\n[A] Testing Public Read (site_domain)...")
url_public = f"{BASE_URL}/v3/crud/site_domain/search"
resp_public = requests.post(url_public, json={"q": "%"}, headers=headers, params=params)
print(f"Status: {resp_public.status_code}")
if resp_public.status_code == 200:
print("✅ SUCCESS: Guest token allowed access to public object.")
else:
print(f"❌ FAILURE: Status {resp_public.status_code}. Msg: {resp_public.text}")
# 2. Test Private Object (journal) - Should be blocked (403)
print("\n[B] Testing Private Read (journal)...")
url_private = f"{BASE_URL}/v3/crud/journal/search"
resp_private = requests.post(url_private, json={"q": "%"}, headers=headers, params=params)
print(f"Status: {resp_private.status_code}")
if resp_private.status_code == 403:
print("✅ SUCCESS: Guest correctly blocked from private object (403 Forbidden).")
else:
print(f"❌ FAILURE: Guest was NOT blocked. Status: {resp_private.status_code}")
if __name__ == "__main__":
print(f"Starting E2E JWT Guest Auth Tests against {BASE_URL}\n")
token = test_request_jwt_security()
if token:
test_guest_access(token)
else:
print("❌ Token request failed, skipping access tests.")
print("\nTests Complete.")
Reference in New Issue View Git Blame Copy Permalink