d8026347e5
Renames: - platform/ → workspace-server/ (Go module path stays as "platform" for external dep compat — will update after plugin module republish) - workspace-template/ → workspace/ Removed (moved to separate repos or deleted): - PLAN.md — internal roadmap (move to private project board) - HANDOFF.md, AGENTS.md — one-time internal session docs - .claude/ — gitignored entirely (local agent config) - infra/cloudflare-worker/ → Molecule-AI/molecule-tenant-proxy - org-templates/molecule-dev/ → standalone template repo - .mcp-eval/ → molecule-mcp-server repo - test-results/ — ephemeral, gitignored Security scrubbing: - Cloudflare account/zone/KV IDs → placeholders - Real EC2 IPs → <EC2_IP> in all docs - CF token prefix, Neon project ID, Fly app names → redacted - Langfuse dev credentials → parameterized - Personal runner username/machine name → generic Community files: - CONTRIBUTING.md — build, test, branch conventions - CODE_OF_CONDUCT.md — Contributor Covenant 2.1 All Dockerfiles, CI workflows, docker-compose, railway.toml, render.yaml, README, CLAUDE.md updated for new directory names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
48 lines
1.7 KiB
Python
48 lines
1.7 KiB
Python
"""Tests for the #328 fix — /transcript endpoint must fail-CLOSED when
|
|
the workspace auth token is not yet on disk.
|
|
|
|
Prior behaviour (regressed in #287): `if expected:` skipped the auth
|
|
check when `get_token()` returned None, so any container on
|
|
`molecule-monorepo-net` could read the full session log during the
|
|
bootstrap window. The fix lifts the guard into transcript_auth.py for
|
|
testability.
|
|
"""
|
|
|
|
from transcript_auth import transcript_authorized
|
|
|
|
|
|
def test_missing_token_fails_closed():
|
|
# #328 regression: None token MUST return False (was the fail-open bug).
|
|
assert transcript_authorized(None, "Bearer anything") is False
|
|
|
|
|
|
def test_empty_token_fails_closed():
|
|
# Empty string is as-bad-as None — also a fail-closed case.
|
|
assert transcript_authorized("", "Bearer anything") is False
|
|
|
|
|
|
def test_valid_bearer_passes():
|
|
assert transcript_authorized("tok-123", "Bearer tok-123") is True
|
|
|
|
|
|
def test_wrong_bearer_fails():
|
|
assert transcript_authorized("tok-123", "Bearer other-token") is False
|
|
|
|
|
|
def test_missing_header_fails_even_when_expected_is_set():
|
|
# Empty auth header (not sent at all) must fail — client forgot.
|
|
assert transcript_authorized("tok-123", "") is False
|
|
|
|
|
|
def test_case_sensitive_bearer_prefix():
|
|
# Strict equality matches platform wsauth.BearerTokenFromHeader
|
|
# which is also case-sensitive on the "Bearer " prefix. Documenting
|
|
# the behavior so a future refactor is a conscious choice.
|
|
assert transcript_authorized("tok-123", "bearer tok-123") is False
|
|
|
|
|
|
def test_extra_whitespace_in_header_fails():
|
|
# Strict equality — accidental double space between Bearer and token
|
|
# must fail so an adversary can't test fuzzed variations.
|
|
assert transcript_authorized("tok-123", "Bearer tok-123") is False
|