mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-09 08:21:50 +00:00
5b4e431e8c
First-class iMessage support via Photon's managed Spectrum platform. Targeted as a successor to the BlueBubbles adapter — Photon allocates the iMessage line, handles delivery, and abuse-prevention so users don't have to run their own Mac relay. Free tier uses Photon's shared line pool. Architecture: - Inbound: signed JSON webhooks (X-Spectrum-Signature, HMAC-SHA256) delivered to a local aiohttp listener. Dedupes on message.id, rejects deliveries with >5min timestamp drift. - Outbound: small supervised Node sidecar that runs the spectrum-ts SDK. Photon does not currently expose a public HTTP send-message endpoint; the sidecar is the only way to call Space.send() today. When Photon ships an HTTP send endpoint we collapse the sidecar into _sidecar_send and drop the Node dep — every other layer of the plugin stays the same. - Setup: 'hermes photon login' runs the RFC 8628 device-code flow; 'hermes photon setup' creates a Spectrum-enabled project, creates a shared user (free tier), installs the sidecar's npm deps. - Webhook management: 'hermes photon webhook register|list|delete'. - Credentials persisted under credential_pool.photon / credential_pool.photon_project in ~/.hermes/auth.json. Plugin path (not built-in) — per current policy (May 2026), all new platforms ship under plugins/platforms/. Registers itself via ctx.register_platform() + ctx.register_cli_command(), zero edits to core gateway code. Tests cover: - HMAC-SHA256 signature verification (happy path, tampered body, wrong secret, drift, missing v0 prefix, empty inputs, non-integer timestamp) - Inbound dispatch for text DMs, group ids (any;+;...), and attachment metadata markers - Deduplication window - check_requirements gating when Node is absent - Device-code flow: request, header-based token return, body-fallback token return, access_denied propagation - Project/user/webhook API clients with mocked httpx Known limitations (current Photon API): - Attachments are metadata only — no download URL yet - Outbound attachment send not wired (sidecar can add easily) - Reactions / message effects not exposed yet Docs: website/docs/user-guide/messaging/photon.md + sidebar entry.
211 lines
7.3 KiB
Python
211 lines
7.3 KiB
Python
"""Tests for the Photon auth module (device login + project + user creation)."""
|
|
from __future__ import annotations
|
|
|
|
import json
|
|
import time
|
|
from pathlib import Path
|
|
from typing import Any, Dict
|
|
|
|
import pytest
|
|
|
|
from plugins.platforms.photon import auth as photon_auth
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Fake httpx — we don't want to hit the real Photon API in unit tests.
|
|
|
|
class _FakeResponse:
|
|
def __init__(
|
|
self,
|
|
*,
|
|
status: int = 200,
|
|
json_body: Any = None,
|
|
headers: Dict[str, str] | None = None,
|
|
text: str = "",
|
|
) -> None:
|
|
self.status_code = status
|
|
self._json = json_body if json_body is not None else {}
|
|
self.headers = headers or {}
|
|
self.text = text
|
|
|
|
def json(self) -> Any:
|
|
return self._json
|
|
|
|
def raise_for_status(self) -> None:
|
|
if self.status_code >= 400:
|
|
raise RuntimeError(f"HTTP {self.status_code}")
|
|
|
|
|
|
@pytest.fixture
|
|
def tmp_hermes_home(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Path:
|
|
home = tmp_path / "hermes"
|
|
home.mkdir()
|
|
monkeypatch.setenv("HERMES_HOME", str(home))
|
|
# The auth module memoises by reading get_hermes_home at call time
|
|
# so the env var is what matters.
|
|
return home
|
|
|
|
|
|
def test_store_and_load_photon_token(tmp_hermes_home: Path) -> None:
|
|
photon_auth.store_photon_token("abc123def456")
|
|
assert photon_auth.load_photon_token() == "abc123def456"
|
|
|
|
auth_json = json.loads((tmp_hermes_home / "auth.json").read_text())
|
|
assert "credential_pool" in auth_json
|
|
assert auth_json["credential_pool"]["photon"][0]["access_token"] == "abc123def456"
|
|
|
|
|
|
def test_store_and_load_project_credentials(tmp_hermes_home: Path) -> None:
|
|
photon_auth.store_project_credentials(
|
|
"proj-uuid", "secret-key", name="Test Project",
|
|
)
|
|
pid, secret = photon_auth.load_project_credentials()
|
|
assert pid == "proj-uuid"
|
|
assert secret == "secret-key"
|
|
|
|
|
|
def test_load_project_credentials_env_override(
|
|
tmp_hermes_home: Path, monkeypatch: pytest.MonkeyPatch,
|
|
) -> None:
|
|
photon_auth.store_project_credentials("from-file", "secret-file")
|
|
monkeypatch.setenv("PHOTON_PROJECT_ID", "from-env")
|
|
monkeypatch.setenv("PHOTON_PROJECT_SECRET", "secret-env")
|
|
pid, secret = photon_auth.load_project_credentials()
|
|
assert pid == "from-env"
|
|
assert secret == "secret-env"
|
|
|
|
|
|
def test_request_device_code(monkeypatch: pytest.MonkeyPatch) -> None:
|
|
captured: Dict[str, Any] = {}
|
|
|
|
def fake_post(url: str, *, json: Dict[str, Any], timeout: float) -> _FakeResponse:
|
|
captured["url"] = url
|
|
captured["body"] = json
|
|
return _FakeResponse(json_body={
|
|
"device_code": "dev-code-xyz",
|
|
"user_code": "ABCD-1234",
|
|
"verification_uri": "https://app.photon.codes/device",
|
|
"verification_uri_complete": "https://app.photon.codes/device?code=ABCD-1234",
|
|
"expires_in": 600,
|
|
"interval": 5,
|
|
})
|
|
|
|
monkeypatch.setattr(photon_auth.httpx, "post", fake_post)
|
|
|
|
code = photon_auth.request_device_code()
|
|
assert code.device_code == "dev-code-xyz"
|
|
assert code.user_code == "ABCD-1234"
|
|
assert code.expires_in == 600
|
|
assert "/api/auth/device/code" in captured["url"]
|
|
assert captured["body"]["client_id"] == "hermes-agent"
|
|
|
|
|
|
def test_poll_for_token_via_header(monkeypatch: pytest.MonkeyPatch) -> None:
|
|
"""Token from set-auth-token header is the documented mechanism."""
|
|
|
|
def fake_post(url: str, *, json: Dict[str, Any], timeout: float) -> _FakeResponse:
|
|
return _FakeResponse(
|
|
status=200,
|
|
json_body={"session": {}, "user": {}},
|
|
headers={"set-auth-token": "bearer-xyz"},
|
|
)
|
|
|
|
monkeypatch.setattr(photon_auth.httpx, "post", fake_post)
|
|
|
|
code = photon_auth.DeviceCode(
|
|
device_code="d", user_code="u",
|
|
verification_uri="https://x", verification_uri_complete=None,
|
|
expires_in=10, interval=0,
|
|
)
|
|
token = photon_auth.poll_for_token(code, interval=0, timeout=2)
|
|
assert token == "bearer-xyz"
|
|
|
|
|
|
def test_poll_for_token_via_body_fallback(monkeypatch: pytest.MonkeyPatch) -> None:
|
|
"""If the header is absent we fall back to session.access_token."""
|
|
|
|
def fake_post(url: str, *, json: Dict[str, Any], timeout: float) -> _FakeResponse:
|
|
return _FakeResponse(
|
|
status=200,
|
|
json_body={"session": {"access_token": "from-body"}, "user": {}},
|
|
)
|
|
|
|
monkeypatch.setattr(photon_auth.httpx, "post", fake_post)
|
|
code = photon_auth.DeviceCode(
|
|
device_code="d", user_code="u",
|
|
verification_uri="https://x", verification_uri_complete=None,
|
|
expires_in=10, interval=0,
|
|
)
|
|
assert photon_auth.poll_for_token(code, interval=0, timeout=2) == "from-body"
|
|
|
|
|
|
def test_poll_for_token_propagates_access_denied(
|
|
monkeypatch: pytest.MonkeyPatch,
|
|
) -> None:
|
|
def fake_post(url: str, *, json: Dict[str, Any], timeout: float) -> _FakeResponse:
|
|
return _FakeResponse(
|
|
status=400, json_body={"error": "access_denied"},
|
|
)
|
|
|
|
monkeypatch.setattr(photon_auth.httpx, "post", fake_post)
|
|
code = photon_auth.DeviceCode(
|
|
device_code="d", user_code="u",
|
|
verification_uri="https://x", verification_uri_complete=None,
|
|
expires_in=10, interval=0,
|
|
)
|
|
with pytest.raises(RuntimeError, match="access_denied"):
|
|
photon_auth.poll_for_token(code, interval=0, timeout=2)
|
|
|
|
|
|
def test_create_user_rejects_invalid_phone() -> None:
|
|
with pytest.raises(ValueError, match="E.164"):
|
|
photon_auth.create_user(
|
|
"proj", "secret", phone_number="not-a-number",
|
|
)
|
|
|
|
|
|
def test_create_user_posts_shared_type(monkeypatch: pytest.MonkeyPatch) -> None:
|
|
captured: Dict[str, Any] = {}
|
|
|
|
def fake_post(url: str, *, json: Dict[str, Any], auth: tuple, timeout: float) -> _FakeResponse:
|
|
captured["url"] = url
|
|
captured["body"] = json
|
|
captured["auth"] = auth
|
|
return _FakeResponse(json_body={
|
|
"succeed": True,
|
|
"data": {
|
|
"id": "user-uuid",
|
|
"phoneNumber": "+15551234567",
|
|
"assignedPhoneNumber": "+15559999999",
|
|
},
|
|
})
|
|
|
|
monkeypatch.setattr(photon_auth.httpx, "post", fake_post)
|
|
user = photon_auth.create_user(
|
|
"proj-id", "proj-secret",
|
|
phone_number="+15551234567",
|
|
)
|
|
assert user["assignedPhoneNumber"] == "+15559999999"
|
|
assert captured["auth"] == ("proj-id", "proj-secret")
|
|
assert captured["body"]["type"] == "shared"
|
|
assert captured["body"]["phoneNumber"] == "+15551234567"
|
|
assert "/projects/proj-id/users/" in captured["url"]
|
|
|
|
|
|
def test_register_webhook_surfaces_secret(monkeypatch: pytest.MonkeyPatch) -> None:
|
|
def fake_post(url: str, *, json: Dict[str, Any], auth: tuple, timeout: float) -> _FakeResponse:
|
|
return _FakeResponse(json_body={
|
|
"succeed": True,
|
|
"data": {
|
|
"id": "wh-uuid",
|
|
"webhookUrl": json["webhookUrl"],
|
|
"signingSecret": "0" * 64,
|
|
},
|
|
})
|
|
|
|
monkeypatch.setattr(photon_auth.httpx, "post", fake_post)
|
|
data = photon_auth.register_webhook(
|
|
"proj", "secret", webhook_url="https://x.example.com/hook",
|
|
)
|
|
assert data["signingSecret"] == "0" * 64
|
|
assert data["webhookUrl"] == "https://x.example.com/hook"
|