From 473407174bf304a083df166e40173503ea9eee89 Mon Sep 17 00:00:00 2001 From: kshitijk4poor <82637225+kshitijk4poor@users.noreply.github.com> Date: Thu, 9 Jul 2026 12:13:44 +0530 Subject: [PATCH] test(dashboard): assert server still gates OAuth endpoints without cookie PR #61281 removed the client-side X-Hermes-Session-Token requirement from the dashboard OAuth mutation calls so cookie-authenticated hosted/mobile sessions can start provider logins. That change is safe only because the server still gates those endpoints (gated_auth_middleware cookie check + _require_token). The PR's api.test.ts suite mocks fetch and only asserts client behavior, so a re-break of the gated-mode cookie gate would pass CI unnoticed. Add gated-mode TestClient tests asserting POST /api/env/reveal and the OAuth mutation endpoints (disconnect/start/submit/cancel) return 401 with no session cookie. Mutation-verified: neutering both the middleware gate and _require_token flips all five to 200. --- ...t_dashboard_oauth_endpoints_server_gate.py | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 tests/hermes_cli/test_dashboard_oauth_endpoints_server_gate.py diff --git a/tests/hermes_cli/test_dashboard_oauth_endpoints_server_gate.py b/tests/hermes_cli/test_dashboard_oauth_endpoints_server_gate.py new file mode 100644 index 00000000000..f2b85a3e210 --- /dev/null +++ b/tests/hermes_cli/test_dashboard_oauth_endpoints_server_gate.py @@ -0,0 +1,69 @@ +"""Regression guard for PR #61281 (mobile/hosted dashboard OAuth). + +The PR removed the *client-side* ``X-Hermes-Session-Token`` requirement from +the dashboard OAuth mutation calls (``web/src/lib/api.ts``) so that +cookie-authenticated hosted/mobile sessions can start provider logins. The +safety of that change rests entirely on the *server* still gating those +endpoints: in gated mode the ``gated_auth_middleware`` verifies the session +cookie before the handler runs, and ``_require_token`` defers to it. + +These tests pin that server-side gate for the exact endpoints whose +client-side token gate was removed. Without them, a future change that +re-broke ``_require_token``'s gated-mode branch (e.g. letting it fall through +without a session) would still pass the PR's ``api.test.ts`` suite, because +those tests only mock ``fetch`` and never touch the server. +""" + +import pytest +from fastapi.testclient import TestClient + +from hermes_cli import web_server +from hermes_cli.dashboard_auth import clear_providers, register_provider +from tests.hermes_cli.conftest_dashboard_auth import StubAuthProvider + + +@pytest.fixture +def gated_app(): + """A gated (``auth_required``) dashboard with no session cookie set.""" + clear_providers() + register_provider(StubAuthProvider()) + prev_host = getattr(web_server.app.state, "bound_host", None) + prev_port = getattr(web_server.app.state, "bound_port", None) + prev_required = getattr(web_server.app.state, "auth_required", None) + web_server.app.state.bound_host = "fly-app.fly.dev" + web_server.app.state.bound_port = 443 + web_server.app.state.auth_required = True + client = TestClient(web_server.app, base_url="https://fly-app.fly.dev") + yield client + clear_providers() + web_server.app.state.bound_host = prev_host + web_server.app.state.bound_port = prev_port + web_server.app.state.auth_required = prev_required + + +class TestOAuthMutationEndpointsGatedWithoutCookie: + """No cookie in gated mode -> 401 on every endpoint whose client-side + session-token gate PR #61281 removed.""" + + def test_env_reveal_requires_cookie(self, gated_app): + r = gated_app.post("/api/env/reveal", json={"key": "OPENAI_API_KEY"}) + assert r.status_code == 401 + + def test_oauth_disconnect_requires_cookie(self, gated_app): + r = gated_app.delete("/api/providers/oauth/anthropic") + assert r.status_code == 401 + + def test_oauth_start_requires_cookie(self, gated_app): + r = gated_app.post("/api/providers/oauth/anthropic/start", json={}) + assert r.status_code == 401 + + def test_oauth_submit_requires_cookie(self, gated_app): + r = gated_app.post( + "/api/providers/oauth/anthropic/submit", + json={"session_id": "sid", "code": "abc"}, + ) + assert r.status_code == 401 + + def test_oauth_cancel_session_requires_cookie(self, gated_app): + r = gated_app.delete("/api/providers/oauth/sessions/sid") + assert r.status_code == 401