hack-house/tests/conftest.py
leetcrypt e7bacc93da fix(security): comprehensive security hardening — TLS, HMAC WS auth, rate limiting, IP leak prevention
CRITICAL fixes:
- Auto-generated self-signed TLS certs (HTTPS/WSS by default)
- Removed session_key from /srp/verify response (was sent in plaintext)
- Replaced with HMAC-SHA256 ws_token for WebSocket authentication

HIGH fixes:
- WebSocket auth now validates ws_token via hmac.compare_digest()
- /clear endpoint requires Bearer admin_token (printed at server start)
- Password no longer required as CLI arg — supports env var + getpass prompt
- Removed user_ip from Message model (no longer broadcast to clients)

MEDIUM fixes:
- Rate limiter on /srp/init and /srp/verify (10 req/min/IP)
- MessageStore capped at 1000 messages (prevents RAM DoS)
- access_log disabled (was leaking request metadata)

LOW fixes:
- Username sanitization against rich markup injection
- Dead code removed from helpers.py

All 79 tests passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-25 20:30:40 -07:00


import os
import sys
import uuid
from pathlib import Path

# Make the repository root importable so the tests run without installing the package.
sys.path.insert(0, str(Path(__file__).parent.parent))

import pytest
from sanic import Sanic
from sanic_ext import Extend
from sanic_testing import TestManager

from cmd_chat.server.helpers import RateLimiter
from cmd_chat.server.managers import ConnectionManager
from cmd_chat.server.routes import register_routes
from cmd_chat.server.srp_auth import SRPAuthManager
from cmd_chat.server.stores import MessageStore, UserSessionStore


@pytest.fixture
def app():
    # Sanic refuses duplicate app names within one process, so each fixture gets a unique one.
    name = f"test-{uuid.uuid4().hex[:8]}"
    app = Sanic(name)
    Extend(app)

    # Per-app state that the routes expect on app.ctx.
    app.ctx.message_store = MessageStore()
    app.ctx.session_store = UserSessionStore()
    app.ctx.connection_manager = ConnectionManager()
    app.ctx.srp_manager = SRPAuthManager("testpassword")
    app.ctx.room_salt = os.urandom(16)
    # Secret used to mint and verify the HMAC ws_token for WebSocket authentication.
    app.ctx.ws_secret = os.urandom(32)
    # Bearer token required by the /clear endpoint.
    app.ctx.admin_token = "test-admin-token"
    # Generous limit for tests; production uses 10 req/min/IP on the SRP endpoints.
    app.ctx.rate_limiter = RateLimiter(max_requests=100, window_seconds=60)
    app.ctx.cleanup_task = None

    register_routes(app)
    TestManager(app)
    return app


@pytest.fixture
def test_client(app):
    return app.test_client
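The fixture above seeds `app.ctx.ws_secret` for the HMAC-SHA256 `ws_token` that the commit introduces in place of the plaintext `session_key`. The following is an added, self-contained illustration of such a scheme, not the project's own code: it assumes a token format of `username.expiry.mac` bound to the authenticated username and an expiry time, with a 32-byte secret standing in for `app.ctx.ws_secret`.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed stand-in for app.ctx.ws_secret (32 random bytes, as in the fixture).
WS_SECRET = os.urandom(32)


def _mac(secret: bytes, username: str, expires_at: int) -> str:
    """HMAC-SHA256 over every field the token is bound to, hex-encoded."""
    msg = f"{username}\x00{expires_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def mint_ws_token(secret: bytes, username: str, ttl_seconds: int = 300,
                  now: Optional[int] = None) -> str:
    """Issue a token once SRP has succeeded; the session key itself never leaves the server.

    Assumed (hypothetical) wire format: 'username.expiry.mac'.
    """
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    return f"{username}.{expires_at}.{_mac(secret, username, expires_at)}"


def verify_ws_token(secret: bytes, token: str,
                    now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated username, or None if the token is malformed,
    expired, or carries a MAC that does not match the presented fields."""
    now = int(time.time()) if now is None else now
    try:
        # rsplit keeps any '.' inside the username intact; expiry and mac contain none.
        username, expiry_str, presented = token.rsplit(".", 2)
        expires_at = int(expiry_str)
    except ValueError:
        return None
    if now >= expires_at:
        return None
    expected = _mac(secret, username, expires_at)
    # Constant-time comparison: a plain '==' leaks how many leading bytes matched.
    if not hmac.compare_digest(expected, presented):
        return None
    return username
```

A client that tampers with the username or expiry field invalidates the MAC, and a token from a server with a different `ws_secret` is rejected the same way.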