phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): require email authentication every login

Browse Source 
CRITICAL SECURITY FIX:
- Email code required EVERY login (authentication, not verification)
- DNS TXT check cached separately (domain verification)
- New auth_sessions table for per-login state
- Codes hashed with SHA-256, constant-time comparison
- Max 3 attempts, 10-minute session expiry
- OAuth params stored server-side (security improvement)

New files:
- services/auth_session.py
- migrations 004, 005
- ADR-010: domain verification vs user authentication

312 tests passing, 86.21% coverage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Phil Skentelbery
2025-11-22 15:16:26 -07:00
parent 9b50f359a6
commit 9135edfe84
17 changed files with 3457 additions and 529 deletions
Download Patch File Download Diff File Expand all files Collapse all files

331
tests/integration/api/test_authorization_flow.py
View File

@@ -3,9 +3,12 @@ Integration tests for authorization endpoint flow.
Tests the complete authorization endpoint behavior including parameter validation,
client metadata fetching, consent form rendering, and code generation.
Updated for the session-based authentication flow (ADR-010).
"""
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from unittest.mock import AsyncMock, Mock, patch
@@ -184,7 +187,7 @@ class TestAuthorizationEndpointRedirectErrors:
class TestAuthorizationConsentPage:
"""Tests for the consent page rendering."""
"""Tests for the consent page rendering (after email verification)."""
@pytest.fixture
def complete_params(self):
@@ -199,131 +202,279 @@ class TestAuthorizationConsentPage:
"me": "https://user.example.com",
}
def test_valid_request_shows_consent_page(self, auth_client, complete_params, mock_happ_fetch):
"""Test valid authorization request shows consent page."""
response = auth_client.get("/authorize", params=complete_params)
def test_valid_request_shows_verification_page(self, auth_app, complete_params, mock_happ_fetch):
"""Test valid authorization request shows verification page (not consent directly)."""
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from sqlalchemy import text
import tempfile
assert response.status_code == 200
assert "text/html" in response.headers["content-type"]
# Page should contain client information
assert "app.example.com" in response.text or "Test Application" in response.text
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
db = Database(f"sqlite:///{db_path}")
db.initialize()
def test_consent_page_contains_required_fields(self, auth_client, complete_params, mock_happ_fetch):
"""Test consent page contains all required form fields."""
response = auth_client.get("/authorize", params=complete_params)
# Setup DNS-verified domain
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
assert response.status_code == 200
# Check for hidden form fields that will be POSTed
assert "client_id" in response.text
assert "redirect_uri" in response.text
assert "code_challenge" in response.text
# Create mock services
mock_dns = Mock()
mock_dns.verify_txt_record.return_value = True
def test_consent_page_displays_client_metadata(self, auth_client, complete_params, mock_happ_fetch):
"""Test consent page displays client h-app metadata."""
response = auth_client.get("/authorize", params=complete_params)
mock_email = Mock()
mock_email.send_verification_code = Mock()
assert response.status_code == 200
# Should show client name from h-app
assert "Test Application" in response.text or "app.example.com" in response.text
mock_html = Mock()
mock_html.fetch.return_value = '<html><a href="mailto:test@example.com" rel="me">Email</a></html>'
def test_consent_page_preserves_state(self, auth_client, complete_params, mock_happ_fetch):
"""Test consent page preserves state parameter."""
response = auth_client.get("/authorize", params=complete_params)
from gondulf.services.relme_parser import RelMeParser
mock_relme = RelMeParser()
assert response.status_code == 200
assert "test123" in response.text
mock_session = Mock()
mock_session.create_session.return_value = {
"session_id": "test_session_123",
"verification_code": "123456",
"expires_at": datetime.utcnow() + timedelta(minutes=10)
}
auth_app.dependency_overrides[get_database] = lambda: db
auth_app.dependency_overrides[get_dns_service] = lambda: mock_dns
auth_app.dependency_overrides[get_email_service] = lambda: mock_email
auth_app.dependency_overrides[get_html_fetcher] = lambda: mock_html
auth_app.dependency_overrides[get_relme_parser] = lambda: mock_relme
auth_app.dependency_overrides[get_auth_session_service] = lambda: mock_session
try:
with TestClient(auth_app) as client:
response = client.get("/authorize", params=complete_params)
assert response.status_code == 200
assert "text/html" in response.headers["content-type"]
# Should show verification page (email auth required every login)
assert "Verify Your Identity" in response.text
finally:
auth_app.dependency_overrides.clear()
class TestAuthorizationConsentSubmission:
"""Tests for consent form submission."""
"""Tests for consent form submission (via session-based flow)."""
@pytest.fixture
def consent_form_data(self):
"""Valid consent form data."""
return {
def test_consent_submission_redirects_with_code(self, auth_app):
"""Test consent submission redirects to client with authorization code."""
from gondulf.dependencies import get_auth_session_service, get_code_storage
# Mock verified session
mock_session = Mock()
mock_session.get_session.return_value = {
"session_id": "test_session_123",
"me": "https://user.example.com",
"email": "test@example.com",
"code_verified": True, # Session is verified
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "test123",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"me": "https://user.example.com",
"scope": "",
"response_type": "code"
}
mock_session.delete_session = Mock()
def test_consent_submission_redirects_with_code(self, auth_client, consent_form_data):
"""Test consent submission redirects to client with authorization code."""
response = auth_client.post(
"/authorize/consent",
data=consent_form_data,
follow_redirects=False
)
auth_app.dependency_overrides[get_auth_session_service] = lambda: mock_session
assert response.status_code == 302
location = response.headers["location"]
assert location.startswith("https://app.example.com/callback")
assert "code=" in location
assert "state=test123" in location
try:
with TestClient(auth_app) as client:
response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
def test_consent_submission_generates_unique_codes(self, auth_client, consent_form_data):
assert response.status_code == 302
location = response.headers["location"]
assert location.startswith("https://app.example.com/callback")
assert "code=" in location
assert "state=test123" in location
finally:
auth_app.dependency_overrides.clear()
def test_consent_submission_generates_unique_codes(self, auth_app):
"""Test each consent generates a unique authorization code."""
# First submission
response1 = auth_client.post(
"/authorize/consent",
data=consent_form_data,
follow_redirects=False
)
location1 = response1.headers["location"]
from gondulf.dependencies import get_auth_session_service
# Second submission
response2 = auth_client.post(
"/authorize/consent",
data=consent_form_data,
follow_redirects=False
)
location2 = response2.headers["location"]
# Mock verified session
mock_session = Mock()
mock_session.get_session.return_value = {
"session_id": "test_session_123",
"me": "https://user.example.com",
"email": "test@example.com",
"code_verified": True,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "test123",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"scope": "",
"response_type": "code"
}
mock_session.delete_session = Mock()
# Extract codes
from tests.conftest import extract_code_from_redirect
code1 = extract_code_from_redirect(location1)
code2 = extract_code_from_redirect(location2)
auth_app.dependency_overrides[get_auth_session_service] = lambda: mock_session
assert code1 != code2
try:
with TestClient(auth_app) as client:
# First submission
response1 = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
location1 = response1.headers["location"]
def test_authorization_code_stored_for_exchange(self, auth_client, consent_form_data):
# Second submission
response2 = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
location2 = response2.headers["location"]
# Extract codes
from tests.conftest import extract_code_from_redirect
code1 = extract_code_from_redirect(location1)
code2 = extract_code_from_redirect(location2)
assert code1 != code2
finally:
auth_app.dependency_overrides.clear()
def test_authorization_code_stored_for_exchange(self, auth_app):
"""Test authorization code is stored for later token exchange."""
response = auth_client.post(
"/authorize/consent",
data=consent_form_data,
follow_redirects=False
)
from gondulf.dependencies import get_auth_session_service
from tests.conftest import extract_code_from_redirect
code = extract_code_from_redirect(response.headers["location"])
# Mock verified session
mock_session = Mock()
mock_session.get_session.return_value = {
"session_id": "test_session_123",
"me": "https://user.example.com",
"email": "test@example.com",
"code_verified": True,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "test123",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"scope": "",
"response_type": "code"
}
mock_session.delete_session = Mock()
# Code should be non-empty and URL-safe
assert code is not None
assert len(code) > 20 # Should be a substantial code
auth_app.dependency_overrides[get_auth_session_service] = lambda: mock_session
try:
with TestClient(auth_app) as client:
response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
from tests.conftest import extract_code_from_redirect
code = extract_code_from_redirect(response.headers["location"])
# Code should be non-empty and URL-safe
assert code is not None
assert len(code) > 20 # Should be a substantial code
finally:
auth_app.dependency_overrides.clear()
class TestAuthorizationSecurityHeaders:
"""Tests for security headers on authorization endpoints."""
def test_authorization_page_has_security_headers(self, auth_client, mock_happ_fetch):
def test_authorization_page_has_security_headers(self, auth_app, mock_happ_fetch):
"""Test authorization page includes security headers."""
params = {
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"response_type": "code",
"state": "test123",
"code_challenge": "abc123",
"code_challenge_method": "S256",
"me": "https://user.example.com",
}
response = auth_client.get("/authorize", params=params)
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from sqlalchemy import text
import tempfile
assert "X-Frame-Options" in response.headers
assert "X-Content-Type-Options" in response.headers
assert response.headers["X-Frame-Options"] == "DENY"
with tempfile.TemporaryDirectory() as tmpdir:
db_path = Path(tmpdir) / "test.db"
db = Database(f"sqlite:///{db_path}")
db.initialize()
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
mock_dns = Mock()
mock_dns.verify_txt_record.return_value = True
mock_email = Mock()
mock_email.send_verification_code = Mock()
mock_html = Mock()
mock_html.fetch.return_value = '<html><a href="mailto:test@example.com" rel="me">Email</a></html>'
from gondulf.services.relme_parser import RelMeParser
mock_relme = RelMeParser()
mock_session = Mock()
mock_session.create_session.return_value = {
"session_id": "test_session_123",
"verification_code": "123456",
"expires_at": datetime.utcnow() + timedelta(minutes=10)
}
auth_app.dependency_overrides[get_database] = lambda: db
auth_app.dependency_overrides[get_dns_service] = lambda: mock_dns
auth_app.dependency_overrides[get_email_service] = lambda: mock_email
auth_app.dependency_overrides[get_html_fetcher] = lambda: mock_html
auth_app.dependency_overrides[get_relme_parser] = lambda: mock_relme
auth_app.dependency_overrides[get_auth_session_service] = lambda: mock_session
try:
params = {
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"response_type": "code",
"state": "test123",
"code_challenge": "abc123",
"code_challenge_method": "S256",
"me": "https://user.example.com",
}
with TestClient(auth_app) as client:
response = client.get("/authorize", params=params)
assert "X-Frame-Options" in response.headers
assert "X-Content-Type-Options" in response.headers
assert response.headers["X-Frame-Options"] == "DENY"
finally:
auth_app.dependency_overrides.clear()
def test_error_pages_have_security_headers(self, auth_client):
"""Test error pages include security headers."""

520
tests/integration/api/test_authorization_verification.py
View File

@@ -1,10 +1,13 @@
"""
Integration tests for authorization endpoint domain verification.
Tests the security fix that requires domain verification before showing the consent page.
Tests the authentication flow that requires email verification on EVERY login.
See ADR-010 for the architectural decision.
Key principle: Email code is AUTHENTICATION (every login), not domain verification.
"""
from datetime import datetime
from datetime import datetime, timedelta
from unittest.mock import AsyncMock, Mock, patch
import pytest
@@ -25,40 +28,43 @@ def valid_auth_params():
}
def create_mock_verification_service(start_success=True, verify_success=True, start_error="dns_verification_failed"):
"""Create a mock verification service with configurable behavior."""
def create_mock_dns_service(verify_success=True):
"""Create a mock DNS service."""
mock_service = Mock()
if start_success:
mock_service.start_verification.return_value = {
"success": True,
"email": "t***@example.com",
"verification_method": "email"
}
else:
mock_service.start_verification.return_value = {
"success": False,
"error": start_error
}
if verify_success:
mock_service.verify_email_code.return_value = {
"success": True,
"email": "test@example.com"
}
else:
mock_service.verify_email_code.return_value = {
"success": False,
"error": "invalid_code"
}
mock_service.code_storage = Mock()
mock_service.code_storage.get.return_value = "test@example.com"
mock_service.create_authorization_code.return_value = "test_auth_code_12345"
mock_service.verify_txt_record.return_value = verify_success
return mock_service
def create_mock_email_service():
"""Create a mock email service."""
mock_service = Mock()
mock_service.send_verification_code = Mock()
return mock_service
def create_mock_html_fetcher(email="test@example.com"):
"""Create a mock HTML fetcher that returns a page with rel=me email."""
mock_fetcher = Mock()
if email:
html = f'''
<html>
<body>
<a href="mailto:{email}" rel="me">Email</a>
</body>
</html>
'''
else:
html = '<html><body></body></html>'
mock_fetcher.fetch.return_value = html
return mock_fetcher
def create_mock_relme_parser():
"""Create a real RelMeParser (it's simple enough)."""
from gondulf.services.relme_parser import RelMeParser
return RelMeParser()
def create_mock_happ_parser():
"""Create a mock h-app parser."""
from gondulf.services.happ_parser import ClientMetadata
@@ -72,6 +78,55 @@ def create_mock_happ_parser():
return mock_parser
def create_mock_auth_session_service(session_id="test_session_123", code="123456", verified=False):
"""Create a mock auth session service."""
from gondulf.services.auth_session import (
AuthSessionService,
CodeVerificationError,
SessionNotFoundError,
)
mock_service = Mock(spec=AuthSessionService)
mock_service.create_session.return_value = {
"session_id": session_id,
"verification_code": code,
"expires_at": datetime.utcnow() + timedelta(minutes=10)
}
mock_service.get_session.return_value = {
"session_id": session_id,
"me": "https://user.example.com",
"email": "test@example.com",
"code_verified": verified,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "test123",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"scope": "",
"response_type": "code"
}
mock_service.verify_code.return_value = {
"session_id": session_id,
"me": "https://user.example.com",
"email": "test@example.com",
"code_verified": True,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "test123",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"scope": "",
"response_type": "code"
}
mock_service.is_session_verified.return_value = verified
mock_service.delete_session = Mock()
return mock_service
@pytest.fixture
def configured_app(monkeypatch, tmp_path):
"""Create a fully configured app with fresh database."""
@@ -87,31 +142,50 @@ def configured_app(monkeypatch, tmp_path):
class TestUnverifiedDomainTriggersVerification:
"""Tests that unverified domains trigger the verification flow."""
"""Tests that any login triggers authentication (email code)."""
def test_unverified_domain_shows_verification_form(
self, configured_app, valid_auth_params
):
"""Test that an unverified domain shows the verification code form."""
app, _ = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser
"""Test that DNS-verified domain STILL shows verification form (email auth required)."""
app, db_path = configured_app
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_happ_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from sqlalchemy import text
mock_service = create_mock_verification_service(start_success=True)
mock_parser = create_mock_happ_parser()
# Setup database with DNS-verified domain
db = Database(f"sqlite:///{db_path}")
db.initialize()
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
app.dependency_overrides[get_database] = lambda: db
app.dependency_overrides[get_dns_service] = lambda: create_mock_dns_service(True)
app.dependency_overrides[get_email_service] = lambda: create_mock_email_service()
app.dependency_overrides[get_html_fetcher] = lambda: create_mock_html_fetcher("test@example.com")
app.dependency_overrides[get_relme_parser] = create_mock_relme_parser
app.dependency_overrides[get_happ_parser] = lambda: create_mock_happ_parser()
app.dependency_overrides[get_auth_session_service] = lambda: create_mock_auth_session_service()
try:
with TestClient(app) as client:
response = client.get("/authorize", params=valid_auth_params)
assert response.status_code == 200
# Should show verification form, not consent form
# CRITICAL: Even DNS-verified domains require email verification every login
assert "Verify Your Identity" in response.text
assert "verification code" in response.text.lower()
# Should show masked email
assert "t***@example.com" in response.text
finally:
app.dependency_overrides.clear()
@@ -119,89 +193,76 @@ class TestUnverifiedDomainTriggersVerification:
self, configured_app, valid_auth_params
):
"""Test that authorization parameters are preserved in verification form."""
app, _ = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser
app, db_path = configured_app
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_happ_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from sqlalchemy import text
mock_service = create_mock_verification_service(start_success=True)
mock_parser = create_mock_happ_parser()
db = Database(f"sqlite:///{db_path}")
db.initialize()
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
app.dependency_overrides[get_database] = lambda: db
app.dependency_overrides[get_dns_service] = lambda: create_mock_dns_service(True)
app.dependency_overrides[get_email_service] = lambda: create_mock_email_service()
app.dependency_overrides[get_html_fetcher] = lambda: create_mock_html_fetcher("test@example.com")
app.dependency_overrides[get_relme_parser] = create_mock_relme_parser
app.dependency_overrides[get_happ_parser] = lambda: create_mock_happ_parser()
app.dependency_overrides[get_auth_session_service] = lambda: create_mock_auth_session_service()
try:
with TestClient(app) as client:
response = client.get("/authorize", params=valid_auth_params)
assert response.status_code == 200
# Check hidden fields contain auth params
assert 'name="client_id"' in response.text
assert 'name="redirect_uri"' in response.text
assert 'name="state"' in response.text
assert 'name="code_challenge"' in response.text
finally:
app.dependency_overrides.clear()
def test_unverified_domain_does_not_show_consent(
self, configured_app, valid_auth_params
):
"""Test that unverified domain does NOT show consent form directly."""
app, _ = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser
mock_service = create_mock_verification_service(start_success=True)
mock_parser = create_mock_happ_parser()
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
try:
with TestClient(app) as client:
response = client.get("/authorize", params=valid_auth_params)
assert response.status_code == 200
# Should NOT show consent/authorization form
assert "Authorization Request" not in response.text
# New flow uses session_id instead of passing all params
assert 'name="session_id"' in response.text
finally:
app.dependency_overrides.clear()
class TestVerifiedDomainShowsConsent:
"""Tests that verified domains skip verification and show consent."""
"""Tests that verified sessions (email code verified) show consent."""
def test_verified_domain_shows_consent_page(
self, configured_app, valid_auth_params
):
"""Test that a verified domain shows consent page directly."""
"""Test that after email verification, consent page is shown."""
app, db_path = configured_app
from gondulf.dependencies import get_happ_parser, get_database
from gondulf.database.connection import Database
from sqlalchemy import text
from gondulf.dependencies import get_happ_parser, get_auth_session_service
from gondulf.services.auth_session import CodeVerificationError
# Create database and insert verified domain
db = Database(f"sqlite:///{db_path}")
db.initialize()
# Mock auth session that succeeds on verify
mock_session = create_mock_auth_session_service(verified=True)
with db.get_engine().begin() as conn:
conn.execute(
text("""
INSERT INTO domains (domain, email, verification_code, verified, verified_at, two_factor)
VALUES (:domain, :email, '', 1, :verified_at, 1)
"""),
{"domain": "user.example.com", "email": "test@example.com", "verified_at": datetime.utcnow()}
)
# Override database to use same instance
app.dependency_overrides[get_database] = lambda: db
mock_parser = create_mock_happ_parser()
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
app.dependency_overrides[get_happ_parser] = lambda: create_mock_happ_parser()
try:
with TestClient(app) as client:
response = client.get("/authorize", params=valid_auth_params)
# Simulate verifying the code
form_data = {
"session_id": "test_session_123",
"code": "123456",
}
response = client.post("/authorize/verify-code", data=form_data)
# Should show consent page
assert response.status_code == 200
assert "Authorization Request" in response.text
assert "Authorization Request" in response.text or "Authorize" in response.text
assert 'action="/authorize/consent"' in response.text
finally:
app.dependency_overrides.clear()
@@ -215,27 +276,19 @@ class TestVerificationCodeValidation:
):
"""Test that valid verification code shows consent page."""
app, _ = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser
from gondulf.dependencies import get_happ_parser, get_auth_session_service
mock_service = create_mock_verification_service(verify_success=True)
mock_session = create_mock_auth_session_service()
mock_parser = create_mock_happ_parser()
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
try:
with TestClient(app) as client:
form_data = {
"domain": "user.example.com",
"session_id": "test_session_123",
"code": "123456",
"client_id": valid_auth_params["client_id"],
"redirect_uri": valid_auth_params["redirect_uri"],
"response_type": valid_auth_params["response_type"],
"state": valid_auth_params["state"],
"code_challenge": valid_auth_params["code_challenge"],
"code_challenge_method": valid_auth_params["code_challenge_method"],
"scope": "",
"me": valid_auth_params["me"],
}
response = client.post("/authorize/verify-code", data=form_data)
@@ -251,27 +304,22 @@ class TestVerificationCodeValidation:
):
"""Test that invalid code shows error and allows retry."""
app, _ = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser
from gondulf.dependencies import get_happ_parser, get_auth_session_service
from gondulf.services.auth_session import CodeVerificationError
mock_session = create_mock_auth_session_service()
mock_session.verify_code.side_effect = CodeVerificationError("Invalid code")
mock_service = create_mock_verification_service(verify_success=False)
mock_parser = create_mock_happ_parser()
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
try:
with TestClient(app) as client:
form_data = {
"domain": "user.example.com",
"session_id": "test_session_123",
"code": "000000",
"client_id": valid_auth_params["client_id"],
"redirect_uri": valid_auth_params["redirect_uri"],
"response_type": valid_auth_params["response_type"],
"state": valid_auth_params["state"],
"code_challenge": valid_auth_params["code_challenge"],
"code_challenge_method": valid_auth_params["code_challenge_method"],
"scope": "",
"me": valid_auth_params["me"],
}
response = client.post("/authorize/verify-code", data=form_data)
@@ -285,45 +333,6 @@ class TestVerificationCodeValidation:
app.dependency_overrides.clear()
class TestDNSFailureHandling:
"""Tests for DNS verification failure scenarios."""
def test_dns_failure_shows_instructions(
self, configured_app, valid_auth_params
):
"""Test that DNS verification failure shows helpful instructions."""
app, db_path = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser, get_database
from gondulf.database.connection import Database
from sqlalchemy import text
# Clear any pre-existing verified domain to ensure test isolation
db = Database(f"sqlite:///{db_path}")
db.initialize()
with db.get_engine().begin() as conn:
conn.execute(text("DELETE FROM domains WHERE domain = :domain"), {"domain": "user.example.com"})
app.dependency_overrides[get_database] = lambda: db
mock_service = create_mock_verification_service(start_success=False, start_error="dns_verification_failed")
mock_parser = create_mock_happ_parser()
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
try:
with TestClient(app) as client:
response = client.get("/authorize", params=valid_auth_params)
assert response.status_code == 200
# Should show error page with DNS instructions
assert "DNS" in response.text or "dns" in response.text.lower()
assert "TXT" in response.text
assert "_gondulf" in response.text
finally:
app.dependency_overrides.clear()
class TestEmailFailureHandling:
"""Tests for email discovery failure scenarios."""
@@ -332,23 +341,34 @@ class TestEmailFailureHandling:
):
"""Test that email discovery failure shows helpful instructions."""
app, db_path = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser, get_database
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_happ_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from sqlalchemy import text
# Clear any pre-existing verified domain to ensure test isolation
db = Database(f"sqlite:///{db_path}")
db.initialize()
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(text("DELETE FROM domains WHERE domain = :domain"), {"domain": "user.example.com"})
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
app.dependency_overrides[get_database] = lambda: db
mock_service = create_mock_verification_service(start_success=False, start_error="email_discovery_failed")
mock_parser = create_mock_happ_parser()
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
app.dependency_overrides[get_dns_service] = lambda: create_mock_dns_service(True)
app.dependency_overrides[get_email_service] = lambda: create_mock_email_service()
# HTML fetcher returns page with no email
app.dependency_overrides[get_html_fetcher] = lambda: create_mock_html_fetcher(email=None)
app.dependency_overrides[get_relme_parser] = create_mock_relme_parser
app.dependency_overrides[get_happ_parser] = lambda: create_mock_happ_parser()
app.dependency_overrides[get_auth_session_service] = lambda: create_mock_auth_session_service()
try:
with TestClient(app) as client:
@@ -367,29 +387,42 @@ class TestFullVerificationFlow:
def test_full_flow_new_domain(
self, configured_app, valid_auth_params
):
"""Test complete flow: unverified domain -> verify code -> consent."""
"""Test complete flow: authorize -> verify code -> consent."""
app, db_path = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser, get_database
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_happ_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from sqlalchemy import text
# Clear any pre-existing verified domain to ensure test isolation
db = Database(f"sqlite:///{db_path}")
db.initialize()
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(text("DELETE FROM domains WHERE domain = :domain"), {"domain": "user.example.com"})
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
app.dependency_overrides[get_database] = lambda: db
mock_service = create_mock_verification_service(start_success=True, verify_success=True)
mock_session = create_mock_auth_session_service()
mock_parser = create_mock_happ_parser()
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_database] = lambda: db
app.dependency_overrides[get_dns_service] = lambda: create_mock_dns_service(True)
app.dependency_overrides[get_email_service] = lambda: create_mock_email_service()
app.dependency_overrides[get_html_fetcher] = lambda: create_mock_html_fetcher("test@example.com")
app.dependency_overrides[get_relme_parser] = create_mock_relme_parser
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
try:
with TestClient(app) as client:
# Step 1: GET /authorize -> should show verification form
# Step 1: GET /authorize -> should show verification form (always!)
response1 = client.get("/authorize", params=valid_auth_params)
assert response1.status_code == 200
@@ -397,16 +430,8 @@ class TestFullVerificationFlow:
# Step 2: POST /authorize/verify-code -> should show consent
form_data = {
"domain": "user.example.com",
"session_id": "test_session_123",
"code": "123456",
"client_id": valid_auth_params["client_id"],
"redirect_uri": valid_auth_params["redirect_uri"],
"response_type": valid_auth_params["response_type"],
"state": valid_auth_params["state"],
"code_challenge": valid_auth_params["code_challenge"],
"code_challenge_method": valid_auth_params["code_challenge_method"],
"scope": "",
"me": valid_auth_params["me"],
}
response2 = client.post("/authorize/verify-code", data=form_data)
@@ -422,35 +447,38 @@ class TestFullVerificationFlow:
):
"""Test that user can retry with correct code after failure."""
app, _ = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser
from gondulf.dependencies import get_happ_parser, get_auth_session_service
from gondulf.services.auth_session import CodeVerificationError
mock_service = Mock()
# First verify_email_code call fails, second succeeds
mock_service.verify_email_code.side_effect = [
{"success": False, "error": "invalid_code"},
{"success": True, "email": "test@example.com"}
mock_session = create_mock_auth_session_service()
# First verify_code call fails, second succeeds
mock_session.verify_code.side_effect = [
CodeVerificationError("Invalid code"),
{
"session_id": "test_session_123",
"me": "https://user.example.com",
"email": "test@example.com",
"code_verified": True,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "test123",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"scope": "",
"response_type": "code"
}
]
mock_service.code_storage = Mock()
mock_service.code_storage.get.return_value = "test@example.com"
mock_parser = create_mock_happ_parser()
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
try:
with TestClient(app) as client:
form_data = {
"domain": "user.example.com",
"session_id": "test_session_123",
"code": "000000", # Wrong code
"client_id": valid_auth_params["client_id"],
"redirect_uri": valid_auth_params["redirect_uri"],
"response_type": valid_auth_params["response_type"],
"state": valid_auth_params["state"],
"code_challenge": valid_auth_params["code_challenge"],
"code_challenge_method": valid_auth_params["code_challenge_method"],
"scope": "",
"me": valid_auth_params["me"],
}
# First attempt with wrong code
@@ -468,36 +496,48 @@ class TestFullVerificationFlow:
class TestSecurityRequirements:
"""Tests for security requirements of the fix."""
"""Tests for security requirements - email auth required every login."""
def test_unverified_domain_never_sees_consent_directly(
self, configured_app, valid_auth_params
):
"""Critical: Unverified domains must NEVER see consent page directly."""
"""Critical: Even DNS-verified domains must authenticate via email every time."""
app, db_path = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser, get_database
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_happ_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from sqlalchemy import text
# Clear any pre-existing verified domain to ensure test isolation
db = Database(f"sqlite:///{db_path}")
db.initialize()
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(text("DELETE FROM domains WHERE domain = :domain"), {"domain": "user.example.com"})
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
mock_session = create_mock_auth_session_service()
app.dependency_overrides[get_database] = lambda: db
mock_service = create_mock_verification_service(start_success=True)
mock_parser = create_mock_happ_parser()
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
app.dependency_overrides[get_dns_service] = lambda: create_mock_dns_service(True)
app.dependency_overrides[get_email_service] = lambda: create_mock_email_service()
app.dependency_overrides[get_html_fetcher] = lambda: create_mock_html_fetcher("test@example.com")
app.dependency_overrides[get_relme_parser] = create_mock_relme_parser
app.dependency_overrides[get_happ_parser] = lambda: create_mock_happ_parser()
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
try:
with TestClient(app) as client:
response = client.get("/authorize", params=valid_auth_params)
# The consent page should NOT be shown
# CRITICAL: The consent page should NOT be shown without email verification
assert "Authorization Request" not in response.text
# Verify code page should be shown instead
assert "Verify Your Identity" in response.text
@@ -508,14 +548,36 @@ class TestSecurityRequirements:
self, configured_app, valid_auth_params
):
"""Test that state parameter is preserved through verification flow."""
app, _ = configured_app
from gondulf.dependencies import get_verification_service, get_happ_parser
app, db_path = configured_app
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_happ_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from sqlalchemy import text
mock_service = create_mock_verification_service(start_success=True)
mock_parser = create_mock_happ_parser()
db = Database(f"sqlite:///{db_path}")
db.initialize()
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
app.dependency_overrides[get_verification_service] = lambda: mock_service
app.dependency_overrides[get_happ_parser] = lambda: mock_parser
mock_session = create_mock_auth_session_service()
app.dependency_overrides[get_database] = lambda: db
app.dependency_overrides[get_dns_service] = lambda: create_mock_dns_service(True)
app.dependency_overrides[get_email_service] = lambda: create_mock_email_service()
app.dependency_overrides[get_html_fetcher] = lambda: create_mock_html_fetcher("test@example.com")
app.dependency_overrides[get_relme_parser] = create_mock_relme_parser
app.dependency_overrides[get_happ_parser] = lambda: create_mock_happ_parser()
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
try:
unique_state = "unique_state_abc123xyz"
@@ -526,7 +588,9 @@ class TestSecurityRequirements:
response = client.get("/authorize", params=params)
assert response.status_code == 200
# State should be in hidden form field
assert f'value="{unique_state}"' in response.text or f"value='{unique_state}'" in response.text
# State is now stored in session, so we check session_id is present
assert 'name="session_id"' in response.text
# The state should be stored in the session service
assert mock_session.create_session.called
finally:
app.dependency_overrides.clear()