OSIT-AE-API-FastAPI/tests/archive/repro_security_bypass.py
Scott Idem 29f6cf258f chore(tests): reorganize test suite and archive redundant scripts
- Moved legacy/redundant tests to tests/archive/.
- Relocated root-level debug scripts to tests/integration/.
- Updated tests/README.md with final organized inventory.
- Cleaned up root directory from one-off reproduction scripts.
2026-02-03 16:18:57 -05:00


import requests
import sys
# NOTE(review): plain http — any API key sent to this host travels unencrypted on the wire.
BASE_URL = "http://dev-api.oneskyit.com" # Standard Dev Domain
OBJ_TYPE = "journal"
# Schema endpoint for OBJ_TYPE; every case in main() targets this one URL.
ENDPOINT = f"{BASE_URL}/v3/crud/{OBJ_TYPE}/schema"
# Replace with the key found from DB query
# Sentinel: main() skips the valid-key case while this is unchanged, and a
# first command-line argument overrides it at runtime.
VALID_API_KEY = "dummy_key_placeholder"
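def test_request(description, headers, expected_status):
    """Issue one GET against ENDPOINT and report whether the status matched.

    Args:
        description: Human-readable label printed before the result.
        headers: Request headers to send; the auth-relevant ones used by
            ``main`` are ``x-no-account-id`` and ``x-aether-api-key``.
        expected_status: HTTP status code that counts as PASS.

    Returns:
        True when the response status equals ``expected_status``; False on a
        mismatch or when the request itself fails (connection error, timeout).
    """
    print(f"Testing: {description}")
    try:
        response = requests.get(ENDPOINT, headers=headers, timeout=10)
    except requests.RequestException as exc:
        # Only transport-level failures are expected here; any other exception
        # is a bug in this script and should surface rather than be swallowed.
        print(f" Error: {exc}")
        return False
    status = response.status_code
    passed = status == expected_status
    result = "PASS" if passed else "FAIL"
    print(f" Status: {status} (Expected: {expected_status}) -> {result}")
    if not passed:
        # Truncated so a large (or sensitive) body does not flood the log.
        print(f" Response: {response.text[:200]}...")
    return passed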
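def main():
    """Run the header-bypass regression cases and exit non-zero on any FAIL.

    An optional first command-line argument supplies the API key for Case 4
    (valid key plus bypass header); without it that case is skipped. Cases 1-3
    must all return 403: the endpoint must be denied with no auth headers,
    with only ``x-no-account-id``, and with that header plus an invalid key.

    The module constant VALID_API_KEY is read but no longer mutated; the key
    is held in a local instead of being written back through ``global``.
    """
    # NOTE(review): a key passed on the command line is visible to other local
    # users via the process list; use a throwaway dev key here.
    api_key = sys.argv[1] if len(sys.argv) > 1 else VALID_API_KEY
    print(f"--- Security Bypass Test (Target: {ENDPOINT}) ---")
    # (description, headers, expected status) for the three must-be-denied cases.
    denied_cases = [
        # Case 1: No Auth
        # Expected: 403 Forbidden (Account context required)
        ("No Auth Headers", {}, 403),
        # Case 2: Vulnerability Check (Bypass Header Only)
        # AFTER FIX: Expected 403 (Protected)
        ("Bypass Header Only (Vulnerability Check)", {"x-no-account-id": "bypass"}, 403),
        # Case 3: Invalid API Key + Bypass Header
        # Expected: 403 Forbidden
        ("Bypass Header + Invalid Key", {"x-no-account-id": "bypass", "x-aether-api-key": "invalid-key-12345"}, 403),
    ]
    results = [test_request(desc, hdrs, expected) for desc, hdrs, expected in denied_cases]
    # Case 4: Valid API Key + Bypass Header
    # Expected: 200 OK
    if api_key != "dummy_key_placeholder":
        results.append(test_request("Bypass Header + Valid Key", {"x-no-account-id": "bypass", "x-aether-api-key": api_key}, 200))
    else:
        print("Skipping Case 4 (No Valid API Key provided)")
    # A non-zero exit lets CI catch a regression of the bypass check instead of
    # relying on someone reading the printed PASS/FAIL lines.
    if not all(results):
        sys.exit(1)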
# Script entry point; not executed when the module is merely imported.
if __name__ == "__main__":
    main()