kin: BATON-SEC-003 Добавить аутентификацию на /api/signal

2026-03-21 08:16:46 +02:00 · 2026-03-21 08:16:46 +02:00 · 6142770c0c
commit 6142770c0c
parent 4b37703335
2 changed files with 57 additions and 5 deletions
--- a/tests/test_sec_006.py
+++ b/tests/test_sec_006.py
@ -302,26 +302,34 @@ async def test_different_x_real_ip_values_have_independent_counters():
    Verifies that rate-limit keys are truly per-IP.
    """
    async with make_app_client() as client:
-        await client.post(
+        r_a = await client.post(
            "/api/register", json={"uuid": _UUID_XREALIP_A, "name": "IPA"}
        )
-        await client.post(
+        r_b = await client.post(
            "/api/register", json={"uuid": _UUID_XREALIP_B, "name": "IPB"}
        )
+        api_key_a = r_a.json()["api_key"]
+        api_key_b = r_b.json()["api_key"]

-        # Exhaust limit for IP-A
+        # Exhaust limit for IP-A (with valid auth so requests reach the rate limiter)
        for _ in range(11):
            await client.post(
                "/api/signal",
                json={"user_id": _UUID_XREALIP_A, "timestamp": 1742478000000},
-                headers={"X-Real-IP": "198.51.100.100"},
+                headers={
+                    "X-Real-IP": "198.51.100.100",
+                    "Authorization": f"Bearer {api_key_a}",
+                },
            )

        # IP-B has its own independent counter — must not be blocked
        r = await client.post(
            "/api/signal",
            json={"user_id": _UUID_XREALIP_B, "timestamp": 1742478000000},
-            headers={"X-Real-IP": "198.51.100.200"},
+            headers={
+                "X-Real-IP": "198.51.100.200",
+                "Authorization": f"Bearer {api_key_b}",
+            },
        )

    assert r.status_code == 200, (