- Patched request_jwt to strip privileged IDs when signing with public keys - Updated AccountContext and V3 dependencies to preserve JWT payloads for guests - Whitelisted Archive, Post, Event, and other core objects for public read access - Added 'default_qry_str' to Event searchable fields - Added test_e2e_jwt_guest_auth.py for security verification
import json
import os

import requests
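API_BASE = "https://dev-api.oneskyit.com/v3/crud"

# The API key is read from the environment rather than committed to source:
# the literal key that used to live on this line was checked into version
# control and should be treated as exposed and rotated. The variable name
# below is a placeholder chosen here -- align it with the project's own
# configuration convention. An empty string is sent when it is unset, so the
# first request will simply fail authentication instead of the import failing.
API_KEY = os.environ.get("AETHER_API_KEY", "")

JOURNAL_ID = "OGQK-02-04-94"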
# Body for the journal PATCH: one ordinary field plus two the schema is
# expected to reject -- an unknown key and a server-managed timestamp.
payload = dict(
    name="Permissive Test Name",
    unauthorized_field="I should be ignored",
    created_on="2026-01-01T00:00:00",  # technical field usually forbidden
)
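def test_permissive_mode() -> tuple[int, int]:
    """Probe the journal PATCH endpoint with and without the permissive-mode header.

    Sends the module-level ``payload`` (which carries an unknown key and a
    ``created_on`` timestamp) to ``/journal/{JOURNAL_ID}`` twice: first with the
    standard headers, where the printed label expects the request to be
    rejected, then with ``x-ae-ignore-extra-fields: true``, where it is expected
    to be accepted. Status and body are printed for each request; nothing is
    asserted, so the outcome has to be read by a person.

    Returns:
        The HTTP status codes of the two requests, standard mode first. The
        original version returned nothing; callers that ignore the result are
        unaffected.

    Notes:
        ``x-no-account-id: bypass`` is sent on both requests. What the server
        does with it is not visible here -- presumably a dev-environment
        account bypass -- so this script should only be pointed at the dev host
        it is configured for.
    """
    base_headers = {
        "x-aether-api-key": API_KEY,
        "x-no-account-id": "bypass",
        "Content-Type": "application/json",
    }

    print("\n--- Test 1: Standard Mode (Should FAIL) ---")
    standard_status = _patch_journal(base_headers)

    print("\n--- Test 2: Permissive Mode (Should SUCCEED) ---")
    # Build a new dict rather than mutating the first one so each request's
    # header set is explicit when reading the output side by side.
    permissive_headers = {**base_headers, "x-ae-ignore-extra-fields": "true"}
    permissive_status = _patch_journal(permissive_headers)

    return standard_status, permissive_status


def _patch_journal(headers: dict[str, str], *, timeout: float = 15.0) -> int:
    """PATCH the journal with ``payload``, print the outcome and return the status.

    Args:
        headers: Request headers to send as-is.
        timeout: Seconds before the request is abandoned. The original call had
            no timeout, which lets a stalled host hang the probe indefinitely.

    Returns:
        The HTTP status code of the response.
    """
    resp = requests.patch(
        f"{API_BASE}/journal/{JOURNAL_ID}",
        headers=headers,
        json=payload,
        timeout=timeout,
    )
    print(f"Status: {resp.status_code}")
    print(f"Response: {resp.text}")
    return resp.status_code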
def _main() -> None:
    """Script entry point: run the permissive-mode probe against the dev API."""
    test_permissive_mode()


if __name__ == "__main__":
    _main()