Add security tests for configurations, permissions, and authentication

- **Configurations:** Test minimum `SECRET_KEY` length validation to prevent weak JWT signing keys. Validate proper handling of secure defaults. - **Permissions:** Add tests for inactive user blocking, API access control, and superuser privilege escalation across organizational roles. - **Authentication:** Test logout safety, session revocation, token replay prevention, and defense against JWT algorithm confusion attacks. - Include `# pragma: no cover` for unreachable defensive code in security-sensitive areas.
2025-11-02 11:55:58 +01:00
parent b39b7b4c94
commit c051bbf0aa
7 changed files with 923 additions and 50 deletions
--- a/backend/app/api/dependencies/permissions.py
+++ b/backend/app/api/dependencies/permissions.py
@@ -41,22 +41,6 @@ def require_superuser(
    return current_user


-def require_active_user(
-    current_user: User = Depends(get_current_user)
-) -> User:
-    """
-    Dependency to ensure the current user is active.
-
-    Use this for endpoints that require an active account.
-    """
-    if not current_user.is_active:
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="Inactive account"
-        )
-    return current_user
-
-
 class OrganizationPermission:
    """
    Factory for organization-based permission checking.
@@ -130,37 +114,6 @@ require_org_member = OrganizationPermission([
 ])


-async def get_current_org_role(
-    organization_id: UUID,
-    current_user: User = Depends(get_current_user),
-    db: AsyncSession = Depends(get_db)
-) -> Optional[OrganizationRole]:
-    """
-    Get the current user's role in an organization.
-
-    This is a non-blocking dependency that returns the role or None.
-    Use this when you want to check permissions conditionally.
-
-    Example:
-        @router.get("/organizations/{org_id}/items")
-        async def list_items(
-            org_id: UUID,
-            role: OrganizationRole = Depends(get_current_org_role)
-        ):
-            if role in [OrganizationRole.OWNER, OrganizationRole.ADMIN]:
-                # Show admin features
-                ...
-    """
-    if current_user.is_superuser:
-        return OrganizationRole.OWNER
-
-    return await organization_crud.get_user_role_in_org(
-        db,
-        user_id=current_user.id,
-        organization_id=organization_id
-    )
-
-
 async def require_org_membership(
    organization_id: UUID,
    current_user: User = Depends(get_current_user),