-
-
-
diff --git a/frontend/style.css b/frontend/style.css
index e07e53a..487a443 100644
--- a/frontend/style.css
+++ b/frontend/style.css
@@ -28,14 +28,14 @@ html, body {
-webkit-tap-highlight-color: transparent;
overscroll-behavior: none;
user-select: none;
- overflow: hidden;
}
body {
display: flex;
flex-direction: column;
- height: 100vh;
- height: 100dvh;
+ min-height: 100vh;
+ /* Use dynamic viewport height on mobile to account for browser chrome */
+ min-height: 100dvh;
}
/* ===== Private mode banner (decision #1041) ===== */
@@ -59,7 +59,6 @@ body {
justify-content: space-between;
align-items: center;
padding: 16px 20px;
- padding-top: calc(env(safe-area-inset-top, 0px) + 16px);
flex-shrink: 0;
}
@@ -149,8 +148,10 @@ body {
/* ===== SOS button (min 60vmin × 60vmin per UX spec) ===== */
.btn-sos {
- width: min(60vmin, 70vw, 300px);
- height: min(60vmin, 70vw, 300px);
+ width: 60vmin;
+ height: 60vmin;
+ min-width: 180px;
+ min-height: 180px;
border-radius: 50%;
border: none;
background: var(--sos);
@@ -197,44 +198,3 @@ body {
.status[hidden] { display: none; }
.status--error { color: #f87171; }
.status--success { color: #4ade80; }
-
-/* ===== Registration form ===== */
-
-/* Override display:flex so [hidden] works on screen-content divs */
-.screen-content[hidden] { display: none; }
-
-.btn-link {
- background: none;
- border: none;
- color: var(--muted);
- font-size: 14px;
- cursor: pointer;
- padding: 4px 0;
- text-decoration: underline;
- text-underline-offset: 2px;
- -webkit-tap-highlight-color: transparent;
-}
-
-.btn-link:active { color: var(--text); }
-
-.reg-status {
- width: 100%;
- max-width: 320px;
- font-size: 14px;
- text-align: center;
- line-height: 1.5;
- padding: 4px 0;
-}
-
-.reg-status[hidden] { display: none; }
-.reg-status--error { color: #f87171; }
-.reg-status--success { color: #4ade80; }
-
-.block-message {
- color: #f87171;
- font-size: 16px;
- text-align: center;
- line-height: 1.6;
- padding: 20px;
- max-width: 320px;
-}
diff --git a/frontend/sw.js b/frontend/sw.js
index 79d89da..e37d2fa 100644
--- a/frontend/sw.js
+++ b/frontend/sw.js
@@ -1,6 +1,6 @@
'use strict';
-const CACHE_NAME = 'baton-v4';
+const CACHE_NAME = 'baton-v1';
// App shell assets to precache
const APP_SHELL = [
diff --git a/nginx/docker.conf b/nginx/docker.conf
deleted file mode 100644
index 54df415..0000000
--- a/nginx/docker.conf
+++ /dev/null
@@ -1,61 +0,0 @@
-map $request_uri $masked_uri {
- default $request_uri;
- "~^(/bot)[^/]+(/.*)$" "$1[REDACTED]$2";
-}
-
-log_format baton_secure '$remote_addr - $remote_user [$time_local] '
- '"$request_method $masked_uri $server_protocol" '
- '$status $body_bytes_sent '
- '"$http_referer" "$http_user_agent"';
-
-server {
- listen 80;
- server_name _;
-
- access_log /var/log/nginx/baton_access.log baton_secure;
- error_log /var/log/nginx/baton_error.log warn;
-
- add_header X-Content-Type-Options nosniff always;
- add_header X-Frame-Options DENY always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
-
- # API + health + admin → backend
- location /api/ {
- proxy_pass http://backend:8000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 30s;
- proxy_send_timeout 30s;
- proxy_connect_timeout 5s;
- }
-
- location /health {
- proxy_pass http://backend:8000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /admin/users {
- proxy_pass http://backend:8000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 30s;
- }
-
- # Frontend static
- location / {
- root /usr/share/nginx/html;
- try_files $uri /index.html;
- expires 1h;
- add_header Cache-Control "public" always;
- add_header X-Content-Type-Options nosniff always;
- add_header X-Frame-Options DENY always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
- }
-}
diff --git a/requirements.txt b/requirements.txt
index 9876432..c992449 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,5 +4,3 @@ aiosqlite>=0.20.0
httpx>=0.27.0
python-dotenv>=1.0.0
pydantic>=2.0
-email-validator>=2.0.0
-pywebpush>=2.0.0
diff --git a/tests/conftest.py b/tests/conftest.py
index 7f47b12..0801e32 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -22,7 +22,6 @@ os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
# ── 2. aiosqlite monkey-patch ────────────────────────────────────────────────
import aiosqlite
@@ -70,25 +69,17 @@ def temp_db():
# ── 5. App client factory ────────────────────────────────────────────────────
-def make_app_client(capture_send_requests: list | None = None):
+def make_app_client():
"""
Async context manager that:
1. Assigns a fresh temp-file DB path
- 2. Mocks Telegram setWebhook, sendMessage, answerCallbackQuery, editMessageText
+ 2. Mocks Telegram setWebhook and sendMessage
3. Runs the FastAPI lifespan (startup → test → shutdown)
4. Yields an httpx.AsyncClient wired to the app
-
- Args:
- capture_send_requests: if provided, each sendMessage request body (dict) is
- appended to this list, enabling HTTP-level assertions on chat_id, text, etc.
"""
- import json as _json
-
tg_set_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/setWebhook"
send_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/sendMessage"
get_me_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/getMe"
- answer_cb_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/answerCallbackQuery"
- edit_msg_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/editMessageText"
@contextlib.asynccontextmanager
async def _ctx():
@@ -102,22 +93,7 @@ def make_app_client(capture_send_requests: list | None = None):
mock_router.post(tg_set_url).mock(
return_value=httpx.Response(200, json={"ok": True, "result": True})
)
- if capture_send_requests is not None:
- def _capture_send(request: httpx.Request) -> httpx.Response:
- try:
- capture_send_requests.append(_json.loads(request.content))
- except Exception:
- pass
- return httpx.Response(200, json={"ok": True})
- mock_router.post(send_url).mock(side_effect=_capture_send)
- else:
- mock_router.post(send_url).mock(
- return_value=httpx.Response(200, json={"ok": True})
- )
- mock_router.post(answer_cb_url).mock(
- return_value=httpx.Response(200, json={"ok": True})
- )
- mock_router.post(edit_msg_url).mock(
+ mock_router.post(send_url).mock(
return_value=httpx.Response(200, json={"ok": True})
)
diff --git a/tests/test_arch_002.py b/tests/test_arch_002.py
index 0b5c681..c979b1d 100644
--- a/tests/test_arch_002.py
+++ b/tests/test_arch_002.py
@@ -119,7 +119,7 @@ async def test_signal_message_contains_registered_username():
@pytest.mark.asyncio
async def test_signal_message_without_geo_contains_bez_geolocatsii():
- """When geo is None, message must contain 'Гео нету'."""
+ """When geo is None, message must contain 'Без геолокации'."""
async with make_app_client() as client:
api_key = await _register(client, _UUID_S3, "Bob")
with patch("backend.telegram.send_message", new_callable=AsyncMock) as mock_send:
@@ -129,7 +129,7 @@ async def test_signal_message_without_geo_contains_bez_geolocatsii():
headers={"Authorization": f"Bearer {api_key}"},
)
text = mock_send.call_args[0][0]
- assert "Гео нету" in text
+ assert "Без геолокации" in text
@pytest.mark.asyncio
@@ -168,17 +168,25 @@ async def test_signal_message_contains_utc_marker():
# ---------------------------------------------------------------------------
-# Criterion 3 — SignalAggregator removed (BATON-BIZ-004: dead code cleanup)
+# Criterion 3 — SignalAggregator preserved with '# v2.0 feature' marker (static)
# ---------------------------------------------------------------------------
-def test_signal_aggregator_class_removed_from_telegram():
- """SignalAggregator must be removed from telegram.py (BATON-BIZ-004)."""
+def test_signal_aggregator_class_preserved_in_telegram():
+ """SignalAggregator class must still exist in telegram.py (ADR-004, reserved for v2)."""
source = (_BACKEND_DIR / "telegram.py").read_text()
- assert "class SignalAggregator" not in source
+ assert "class SignalAggregator" in source
-def test_signal_aggregator_not_referenced_in_telegram():
- """telegram.py must not reference SignalAggregator at all (BATON-BIZ-004)."""
- source = (_BACKEND_DIR / "telegram.py").read_text()
- assert "SignalAggregator" not in source
+def test_signal_aggregator_has_v2_feature_comment():
+ """The line immediately before 'class SignalAggregator' must contain '# v2.0 feature'."""
+ lines = (_BACKEND_DIR / "telegram.py").read_text().splitlines()
+ class_line_idx = next(
+ (i for i, line in enumerate(lines) if "class SignalAggregator" in line), None
+ )
+ assert class_line_idx is not None, "class SignalAggregator not found in telegram.py"
+ assert class_line_idx > 0, "SignalAggregator is on the first line — no preceding comment line"
+ preceding_line = lines[class_line_idx - 1]
+ assert "# v2.0 feature" in preceding_line, (
+ f"Expected '# v2.0 feature' on line before class SignalAggregator, got: {preceding_line!r}"
+ )
diff --git a/tests/test_arch_009.py b/tests/test_arch_009.py
index 01ba1c4..9457374 100644
--- a/tests/test_arch_009.py
+++ b/tests/test_arch_009.py
@@ -222,9 +222,9 @@ def test_html_loads_app_js() -> None:
assert "/app.js" in _html()
-def test_html_has_login_input() -> None:
- """index.html must have login input field for onboarding."""
- assert 'id="login-input"' in _html()
+def test_html_has_name_input() -> None:
+ """index.html must have name input field for onboarding."""
+ assert 'id="name-input"' in _html()
# ---------------------------------------------------------------------------
@@ -316,19 +316,31 @@ def _app_js() -> str:
return (FRONTEND / "app.js").read_text(encoding="utf-8")
-def test_app_posts_to_auth_login() -> None:
- """app.js must send POST to /api/auth/login during login."""
- assert "/api/auth/login" in _app_js()
+def test_app_uses_crypto_random_uuid() -> None:
+ """app.js must generate UUID via crypto.randomUUID()."""
+ assert "crypto.randomUUID()" in _app_js()
-def test_app_posts_to_auth_register() -> None:
- """app.js must send POST to /api/auth/register during registration."""
- assert "/api/auth/register" in _app_js()
+def test_app_posts_to_api_register() -> None:
+ """app.js must send POST to /api/register during onboarding."""
+ assert "/api/register" in _app_js()
-def test_app_stores_auth_token() -> None:
- """app.js must persist JWT token to storage."""
- assert "baton_auth_token" in _app_js()
+def test_app_register_sends_uuid() -> None:
+ """app.js must include uuid in the /api/register request body."""
+ app = _app_js()
+ # The register call must include uuid in the payload
+ register_section = re.search(
+ r"_apiPost\(['\"]\/api\/register['\"].*?\)", app, re.DOTALL
+ )
+ assert register_section, "No _apiPost('/api/register') call found"
+ assert "uuid" in register_section.group(0), \
+ "uuid not included in /api/register call"
+
+
+def test_app_uuid_saved_to_storage() -> None:
+ """app.js must persist UUID to storage (baton_user_id key)."""
+ assert "baton_user_id" in _app_js()
assert "setItem" in _app_js()
@@ -422,14 +434,16 @@ def test_app_posts_to_api_signal() -> None:
assert "/api/signal" in _app_js()
-def test_app_signal_sends_auth_header() -> None:
- """app.js must include Authorization Bearer header in /api/signal request."""
+def test_app_signal_sends_user_id() -> None:
+ """app.js must include user_id (UUID) in the /api/signal request body."""
app = _app_js()
+ # The signal body may be built in a variable before passing to _apiPost
+ # Look for user_id key in the context around /api/signal
signal_area = re.search(
- r"_apiPost\(['\"]\/api\/signal['\"].*Authorization.*Bearer", app, re.DOTALL
+ r"user_id.*?_apiPost\(['\"]\/api\/signal", app, re.DOTALL
)
assert signal_area, \
- "Authorization Bearer header must be set in _apiPost('/api/signal') call"
+ "user_id must be set in the request body before calling _apiPost('/api/signal')"
def test_app_sos_button_click_calls_handle_signal() -> None:
@@ -442,15 +456,15 @@ def test_app_sos_button_click_calls_handle_signal() -> None:
"btn-sos must be connected to _handleSignal"
-def test_app_signal_uses_token_from_storage() -> None:
- """app.js must retrieve auth token from storage before sending signal."""
+def test_app_signal_uses_uuid_from_storage() -> None:
+ """app.js must retrieve UUID from storage (_getOrCreateUserId) before sending signal."""
app = _app_js()
handle_signal = re.search(
r"async function _handleSignal\(\).*?^}", app, re.MULTILINE | re.DOTALL
)
assert handle_signal, "_handleSignal function not found"
- assert "_getAuthToken" in handle_signal.group(0), \
- "_handleSignal must call _getAuthToken() to get JWT token"
+ assert "_getOrCreateUserId" in handle_signal.group(0), \
+ "_handleSignal must call _getOrCreateUserId() to get UUID"
# ---------------------------------------------------------------------------
diff --git a/tests/test_baton_005.py b/tests/test_baton_005.py
index 117e95d..1504d21 100644
--- a/tests/test_baton_005.py
+++ b/tests/test_baton_005.py
@@ -42,19 +42,6 @@ _UUID_BLOCK = "f0000001-0000-4000-8000-000000000001"
_UUID_UNBLOCK = "f0000002-0000-4000-8000-000000000002"
_UUID_SIG_OK = "f0000003-0000-4000-8000-000000000003"
-# Valid UUID v4 for admin-only tests (POST /admin/users, no /api/register call)
-_UUID_ADM_UNAUTH = "e0000000-0000-4000-8000-000000000000"
-_UUID_ADM_CREATE_1 = "e0000001-0000-4000-8000-000000000001"
-_UUID_ADM_CREATE_2 = "e0000002-0000-4000-8000-000000000002"
-_UUID_ADM_CREATE_3 = "e0000003-0000-4000-8000-000000000003"
-_UUID_ADM_PASS_1 = "e0000004-0000-4000-8000-000000000004"
-_UUID_ADM_PASS_2 = "e0000005-0000-4000-8000-000000000005"
-_UUID_ADM_BLOCK = "e0000006-0000-4000-8000-000000000006"
-_UUID_ADM_UNBLOCK = "e0000007-0000-4000-8000-000000000007"
-_UUID_ADM_DELETE_1 = "e0000008-0000-4000-8000-000000000008"
-_UUID_ADM_DELETE_2 = "e0000009-0000-4000-8000-000000000009"
-_UUID_ADM_REGRESS = "e000000a-0000-4000-8000-000000000010"
-
# ---------------------------------------------------------------------------
# Criterion 6 — Unauthorised requests to /admin/* return 401
@@ -83,7 +70,7 @@ async def test_admin_create_user_without_token_returns_401() -> None:
async with make_app_client() as client:
resp = await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_UNAUTH, "name": "Ghost"},
+ json={"uuid": "unauth-uuid-001", "name": "Ghost"},
)
assert resp.status_code == 401
@@ -129,12 +116,12 @@ async def test_admin_create_user_returns_201_with_user_data() -> None:
async with make_app_client() as client:
resp = await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_CREATE_1, "name": "Alice Admin"},
+ json={"uuid": "create-uuid-001", "name": "Alice Admin"},
headers=ADMIN_HEADERS,
)
assert resp.status_code == 201
data = resp.json()
- assert data["uuid"] == _UUID_ADM_CREATE_1
+ assert data["uuid"] == "create-uuid-001"
assert data["name"] == "Alice Admin"
assert data["id"] > 0
assert data["is_blocked"] is False
@@ -146,7 +133,7 @@ async def test_admin_create_user_appears_in_list() -> None:
async with make_app_client() as client:
await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_CREATE_2, "name": "Bob Admin"},
+ json={"uuid": "create-uuid-002", "name": "Bob Admin"},
headers=ADMIN_HEADERS,
)
resp = await client.get("/admin/users", headers=ADMIN_HEADERS)
@@ -154,7 +141,7 @@ async def test_admin_create_user_appears_in_list() -> None:
assert resp.status_code == 200
users = resp.json()
uuids = [u["uuid"] for u in users]
- assert _UUID_ADM_CREATE_2 in uuids
+ assert "create-uuid-002" in uuids
@pytest.mark.asyncio
@@ -163,12 +150,12 @@ async def test_admin_create_user_duplicate_uuid_returns_409() -> None:
async with make_app_client() as client:
await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_CREATE_3, "name": "Carol"},
+ json={"uuid": "create-uuid-003", "name": "Carol"},
headers=ADMIN_HEADERS,
)
resp = await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_CREATE_3, "name": "Carol Duplicate"},
+ json={"uuid": "create-uuid-003", "name": "Carol Duplicate"},
headers=ADMIN_HEADERS,
)
assert resp.status_code == 409
@@ -194,7 +181,7 @@ async def test_admin_set_password_returns_ok() -> None:
async with make_app_client() as client:
create_resp = await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_PASS_1, "name": "PassUser"},
+ json={"uuid": "pass-uuid-001", "name": "PassUser"},
headers=ADMIN_HEADERS,
)
user_id = create_resp.json()["id"]
@@ -226,7 +213,7 @@ async def test_admin_set_password_user_still_accessible_after_change() -> None:
async with make_app_client() as client:
create_resp = await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_PASS_2, "name": "PassUser2"},
+ json={"uuid": "pass-uuid-002", "name": "PassUser2"},
headers=ADMIN_HEADERS,
)
user_id = create_resp.json()["id"]
@@ -240,7 +227,7 @@ async def test_admin_set_password_user_still_accessible_after_change() -> None:
list_resp = await client.get("/admin/users", headers=ADMIN_HEADERS)
uuids = [u["uuid"] for u in list_resp.json()]
- assert _UUID_ADM_PASS_2 in uuids
+ assert "pass-uuid-002" in uuids
# ---------------------------------------------------------------------------
@@ -254,7 +241,7 @@ async def test_admin_block_user_returns_is_blocked_true() -> None:
async with make_app_client() as client:
create_resp = await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_BLOCK, "name": "BlockUser"},
+ json={"uuid": "block-uuid-001", "name": "BlockUser"},
headers=ADMIN_HEADERS,
)
user_id = create_resp.json()["id"]
@@ -325,7 +312,7 @@ async def test_admin_unblock_user_returns_is_blocked_false() -> None:
async with make_app_client() as client:
create_resp = await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_UNBLOCK, "name": "UnblockUser"},
+ json={"uuid": "unblock-uuid-001", "name": "UnblockUser"},
headers=ADMIN_HEADERS,
)
user_id = create_resp.json()["id"]
@@ -398,7 +385,7 @@ async def test_admin_delete_user_returns_204() -> None:
async with make_app_client() as client:
create_resp = await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_DELETE_1, "name": "DeleteUser"},
+ json={"uuid": "delete-uuid-001", "name": "DeleteUser"},
headers=ADMIN_HEADERS,
)
user_id = create_resp.json()["id"]
@@ -416,7 +403,7 @@ async def test_admin_delete_user_disappears_from_list() -> None:
async with make_app_client() as client:
create_resp = await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_DELETE_2, "name": "DeleteUser2"},
+ json={"uuid": "delete-uuid-002", "name": "DeleteUser2"},
headers=ADMIN_HEADERS,
)
user_id = create_resp.json()["id"]
@@ -429,7 +416,7 @@ async def test_admin_delete_user_disappears_from_list() -> None:
list_resp = await client.get("/admin/users", headers=ADMIN_HEADERS)
uuids = [u["uuid"] for u in list_resp.json()]
- assert _UUID_ADM_DELETE_2 not in uuids
+ assert "delete-uuid-002" not in uuids
@pytest.mark.asyncio
@@ -493,7 +480,7 @@ async def test_register_not_broken_after_admin_operations() -> None:
# Admin операции
await client.post(
"/admin/users",
- json={"uuid": _UUID_ADM_REGRESS, "name": "AdminCreated"},
+ json={"uuid": "regress-admin-uuid-001", "name": "AdminCreated"},
headers=ADMIN_HEADERS,
)
diff --git a/tests/test_baton_007.py b/tests/test_baton_007.py
index 2be7818..0030c7d 100644
--- a/tests/test_baton_007.py
+++ b/tests/test_baton_007.py
@@ -15,7 +15,6 @@ Physical delivery to an actual Telegram group is outside unit test scope.
from __future__ import annotations
import asyncio
-import logging
import os
os.environ.setdefault("BOT_TOKEN", "test-bot-token")
@@ -31,9 +30,9 @@ from unittest.mock import AsyncMock, patch
import httpx
import pytest
import respx
-from httpx import AsyncClient, ASGITransport
+from httpx import AsyncClient
-from tests.conftest import make_app_client, temp_db
+from tests.conftest import make_app_client
# Valid UUID v4 constants — must not collide with UUIDs in other test files
_UUID_A = "d0000001-0000-4000-8000-000000000001"
@@ -41,7 +40,6 @@ _UUID_B = "d0000002-0000-4000-8000-000000000002"
_UUID_C = "d0000003-0000-4000-8000-000000000003"
_UUID_D = "d0000004-0000-4000-8000-000000000004"
_UUID_E = "d0000005-0000-4000-8000-000000000005"
-_UUID_F = "d0000006-0000-4000-8000-000000000006"
async def _register(client: AsyncClient, uuid: str, name: str) -> str:
@@ -140,7 +138,7 @@ async def test_signal_with_geo_send_message_contains_coordinates():
@pytest.mark.asyncio
async def test_signal_without_geo_send_message_contains_no_geo_label():
- """Criterion 1: when geo is null, Telegram message contains 'Гео нету'."""
+ """Criterion 1: when geo is null, Telegram message contains 'Без геолокации'."""
sent_texts: list[str] = []
async def _capture(text: str) -> None:
@@ -158,8 +156,8 @@ async def test_signal_without_geo_send_message_contains_no_geo_label():
await asyncio.sleep(0)
assert len(sent_texts) == 1
- assert "Гео нету" in sent_texts[0], (
- f"Expected 'Гео нету' in message, got: {sent_texts[0]!r}"
+ assert "Без геолокации" in sent_texts[0], (
+ f"Expected 'Без геолокации' in message, got: {sent_texts[0]!r}"
)
@@ -262,120 +260,3 @@ async def test_repeated_signals_produce_incrementing_signal_ids():
assert r2.json()["signal_id"] > r1.json()["signal_id"], (
"Second signal must have a higher signal_id than the first"
)
-
-
-# ---------------------------------------------------------------------------
-# Director revision: regression #1214, #1226
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_send_message_uses_negative_chat_id_from_config():
- """Regression #1226: send_message must POST to Telegram with a negative chat_id.
-
- Root cause of BATON-007: CHAT_ID=5190015988 (positive = user ID) was set in .env
- instead of -5190015988 (negative = group ID). This test inspects the actual
- chat_id value in the HTTP request body — not just call_count.
- """
- from backend import config as _cfg
- from backend.telegram import send_message
-
- send_url = f"https://api.telegram.org/bot{_cfg.BOT_TOKEN}/sendMessage"
-
- with respx.mock(assert_all_called=False) as mock:
- route = mock.post(send_url).mock(
- return_value=httpx.Response(200, json={"ok": True})
- )
- await send_message("regression #1226")
-
- assert route.called
- body = json.loads(route.calls[0].request.content)
- chat_id = body["chat_id"]
- assert chat_id == _cfg.CHAT_ID, (
- f"Expected chat_id={_cfg.CHAT_ID!r}, got {chat_id!r}"
- )
- assert str(chat_id).startswith("-"), (
- f"Regression #1226: chat_id must be negative (group ID), got: {chat_id!r}. "
- "Positive chat_id is a user ID, not a Telegram group."
- )
-
-
-@pytest.mark.asyncio
-async def test_send_message_4xx_does_not_trigger_retry_loop():
- """Regression #1214: on Telegram 4xx (wrong chat_id), retry loop must NOT run.
-
- Only one HTTP call should be made. Retrying a 4xx is pointless — it will
- keep failing. send_message must break immediately on any 4xx response.
- """
- from backend import config as _cfg
- from backend.telegram import send_message
-
- send_url = f"https://api.telegram.org/bot{_cfg.BOT_TOKEN}/sendMessage"
-
- with respx.mock(assert_all_called=False) as mock:
- route = mock.post(send_url).mock(
- return_value=httpx.Response(
- 400,
- json={"ok": False, "error_code": 400, "description": "Bad Request: chat not found"},
- )
- )
- await send_message("retry test #1214")
-
- assert route.call_count == 1, (
- f"Regression #1214: expected exactly 1 HTTP call on 4xx, got {route.call_count}. "
- "send_message must break immediately on client errors — no retry loop."
- )
-
-
-@pytest.mark.asyncio
-async def test_signal_endpoint_returns_200_on_telegram_4xx(caplog):
- """Regression: /api/signal must return 200 even when Telegram Bot API returns 4xx.
-
- When CHAT_ID is wrong (or any Telegram 4xx), the error must be logged by
- send_message but the /api/signal endpoint must still return 200 — the signal
- was saved to DB, only the Telegram notification failed.
- """
- from backend import config as _cfg
- from backend.main import app
-
- send_url = f"https://api.telegram.org/bot{_cfg.BOT_TOKEN}/sendMessage"
- tg_set_url = f"https://api.telegram.org/bot{_cfg.BOT_TOKEN}/setWebhook"
- get_me_url = f"https://api.telegram.org/bot{_cfg.BOT_TOKEN}/getMe"
-
- with temp_db():
- with respx.mock(assert_all_called=False) as mock_tg:
- mock_tg.get(get_me_url).mock(
- return_value=httpx.Response(200, json={"ok": True, "result": {"username": "testbot"}})
- )
- mock_tg.post(tg_set_url).mock(
- return_value=httpx.Response(200, json={"ok": True, "result": True})
- )
- mock_tg.post(send_url).mock(
- return_value=httpx.Response(
- 400,
- json={"ok": False, "error_code": 400, "description": "Bad Request: chat not found"},
- )
- )
-
- async with app.router.lifespan_context(app):
- transport = ASGITransport(app=app)
- async with AsyncClient(transport=transport, base_url="http://testserver") as client:
- reg = await client.post("/api/register", json={"uuid": _UUID_F, "name": "Tg4xxUser"})
- assert reg.status_code == 200, f"Register failed: {reg.text}"
- api_key = reg.json()["api_key"]
-
- with caplog.at_level(logging.ERROR, logger="backend.telegram"):
- resp = await client.post(
- "/api/signal",
- json={"user_id": _UUID_F, "timestamp": 1742478000000},
- headers={"Authorization": f"Bearer {api_key}"},
- )
- await asyncio.sleep(0)
-
- assert resp.status_code == 200, (
- f"Expected /api/signal to return 200 even when Telegram returns 4xx, got {resp.status_code}"
- )
- assert any("400" in r.message for r in caplog.records), (
- "Expected ERROR log containing '400' when Telegram returns 4xx. "
- "Error must be logged, not silently swallowed."
- )
diff --git a/tests/test_baton_008.py b/tests/test_baton_008.py
deleted file mode 100644
index cc597a6..0000000
--- a/tests/test_baton_008.py
+++ /dev/null
@@ -1,888 +0,0 @@
-"""
-Tests for BATON-008: Registration flow with Telegram admin approval.
-
-Acceptance criteria:
-1. POST /api/auth/register returns 201 with status='pending' on valid input
-2. POST /api/auth/register returns 409 on email or login conflict
-3. POST /api/auth/register returns 422 on invalid email/login/password
-4. Telegram notification is fire-and-forget — 201 is returned even if Telegram fails
-5. Webhook callback_query approve → db status='approved', push task fired if subscription present
-6. Webhook callback_query reject → db status='rejected'
-7. Webhook callback_query with unknown reg_id → returns {"ok": True} gracefully
-"""
-from __future__ import annotations
-
-import asyncio
-import os
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
-
-from unittest.mock import AsyncMock, patch
-
-import pytest
-
-from tests.conftest import make_app_client
-
-_WEBHOOK_SECRET = "test-webhook-secret"
-_WEBHOOK_HEADERS = {"X-Telegram-Bot-Api-Secret-Token": _WEBHOOK_SECRET}
-
-_VALID_PAYLOAD = {
- "email": "user@tutlot.com",
- "login": "testuser",
- "password": "strongpassword123",
-}
-
-
-# ---------------------------------------------------------------------------
-# 1. Happy path — 201
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_returns_201_pending():
- """Valid registration request returns 201 with status='pending'."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- resp = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
-
- assert resp.status_code == 201, f"Expected 201, got {resp.status_code}: {resp.text}"
- body = resp.json()
- assert body["status"] == "pending"
- assert "message" in body
-
-
-@pytest.mark.asyncio
-async def test_auth_register_fire_and_forget_telegram_error_still_returns_201():
- """Telegram failure must not break 201 — fire-and-forget pattern."""
- async with make_app_client() as client:
- with patch(
- "backend.telegram.send_registration_notification",
- new_callable=AsyncMock,
- side_effect=Exception("Telegram down"),
- ):
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "other@tutlot.com", "login": "otheruser"},
- )
- await asyncio.sleep(0)
-
- assert resp.status_code == 201, f"Telegram error must not break 201, got {resp.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 2. Conflict — 409
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_409_on_duplicate_email():
- """Duplicate email returns 409."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- r1 = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert r1.status_code == 201, f"First registration failed: {r1.text}"
-
- r2 = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "login": "differentlogin"},
- )
-
- assert r2.status_code == 409, f"Expected 409 on duplicate email, got {r2.status_code}"
-
-
-@pytest.mark.asyncio
-async def test_auth_register_409_on_duplicate_login():
- """Duplicate login returns 409."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- r1 = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert r1.status_code == 201, f"First registration failed: {r1.text}"
-
- r2 = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "different@tutlot.com"},
- )
-
- assert r2.status_code == 409, f"Expected 409 on duplicate login, got {r2.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 3. Validation — 422
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_422_invalid_email():
- """Invalid email format returns 422."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "not-an-email"},
- )
- assert resp.status_code == 422, f"Expected 422 on invalid email, got {resp.status_code}"
-
-
-@pytest.mark.asyncio
-async def test_auth_register_422_short_login():
- """Login shorter than 3 chars returns 422."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "login": "ab"},
- )
- assert resp.status_code == 422, f"Expected 422 on short login, got {resp.status_code}"
-
-
-@pytest.mark.asyncio
-async def test_auth_register_422_login_invalid_chars():
- """Login with spaces/special chars returns 422."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "login": "invalid login!"},
- )
- assert resp.status_code == 422, f"Expected 422 on login with spaces, got {resp.status_code}"
-
-
-@pytest.mark.asyncio
-async def test_auth_register_422_short_password():
- """Password shorter than 8 chars returns 422."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "password": "short"},
- )
- assert resp.status_code == 422, f"Expected 422 on short password, got {resp.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 4. Telegram notification is sent to ADMIN_CHAT_ID
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_sends_notification_to_admin():
- """Registration triggers real HTTP sendMessage to ADMIN_CHAT_ID with correct login/email."""
- from backend import config as _cfg
-
- captured: list[dict] = []
- async with make_app_client(capture_send_requests=captured) as client:
- resp = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert resp.status_code == 201
- await asyncio.sleep(0)
-
- admin_chat_id = str(_cfg.ADMIN_CHAT_ID)
- admin_msgs = [r for r in captured if str(r.get("chat_id")) == admin_chat_id]
- assert len(admin_msgs) >= 1, (
- f"Expected sendMessage to ADMIN_CHAT_ID={admin_chat_id!r}, captured: {captured}"
- )
- text = admin_msgs[0].get("text", "")
- assert _VALID_PAYLOAD["login"] in text, f"Expected login in text: {text!r}"
- assert _VALID_PAYLOAD["email"] in text, f"Expected email in text: {text!r}"
-
-
-# ---------------------------------------------------------------------------
-# 5. Webhook callback_query — approve
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_approve_updates_db_status():
- """approve callback updates registration status to 'approved' in DB."""
- from backend import db as _db
-
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert reg_resp.status_code == 201
-
- # We need reg_id — get it from DB directly
- reg_id = None
- from tests.conftest import temp_db as _temp_db # noqa: F401 — already active
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
-
- assert reg_id is not None, "Registration not found in DB"
-
- cb_payload = {
- "callback_query": {
- "id": "cq_001",
- "data": f"approve:{reg_id}",
- "message": {
- "message_id": 42,
- "chat": {"id": 5694335584},
- },
- }
- }
- resp = await client.post(
- "/api/webhook/telegram",
- json=cb_payload,
- headers=_WEBHOOK_HEADERS,
- )
- await asyncio.sleep(0)
-
- assert resp.status_code == 200
- assert resp.json() == {"ok": True}
-
- # Verify DB status updated
- reg = await _db.get_registration(reg_id)
- assert reg is not None
- assert reg["status"] == "approved", f"Expected status='approved', got {reg['status']!r}"
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_approve_fires_push_when_subscription_present():
- """approve callback triggers send_push when push_subscription is set."""
- push_sub = {
- "endpoint": "https://fcm.googleapis.com/fcm/send/test",
- "keys": {"p256dh": "BQABC", "auth": "xyz"},
- }
-
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "push_subscription": push_sub},
- )
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- cb_payload = {
- "callback_query": {
- "id": "cq_002",
- "data": f"approve:{reg_id}",
- "message": {"message_id": 43, "chat": {"id": 5694335584}},
- }
- }
- push_calls: list = []
-
- async def _capture_push(sub_json, title, body):
- push_calls.append(sub_json)
-
- with patch("backend.push.send_push", side_effect=_capture_push):
- await client.post("/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- assert len(push_calls) == 1, f"Expected 1 push call, got {len(push_calls)}"
-
-
-# ---------------------------------------------------------------------------
-# 6. Webhook callback_query — reject
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_reject_updates_db_status():
- """reject callback updates registration status to 'rejected' in DB."""
- from backend import db as _db
-
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- cb_payload = {
- "callback_query": {
- "id": "cq_003",
- "data": f"reject:{reg_id}",
- "message": {"message_id": 44, "chat": {"id": 5694335584}},
- }
- }
- resp = await client.post(
- "/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS
- )
- await asyncio.sleep(0)
-
- assert resp.status_code == 200
-
- reg = await _db.get_registration(reg_id)
- assert reg is not None
- assert reg["status"] == "rejected", f"Expected status='rejected', got {reg['status']!r}"
-
-
-# ---------------------------------------------------------------------------
-# 7. Unknown reg_id — graceful handling
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_unknown_reg_id_returns_ok():
- """callback_query with unknown reg_id returns ok without error."""
- async with make_app_client() as client:
- cb_payload = {
- "callback_query": {
- "id": "cq_999",
- "data": "approve:99999",
- "message": {"message_id": 1, "chat": {"id": 5694335584}},
- }
- }
- resp = await client.post(
- "/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS
- )
- await asyncio.sleep(0)
-
- assert resp.status_code == 200
- assert resp.json() == {"ok": True}
-
-
-# ---------------------------------------------------------------------------
-# 8. Registration without push_subscription
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_register_without_push_subscription():
- """Registration with push_subscription=null returns 201."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "nopush@tutlot.com", "login": "nopushuser"},
- )
- assert resp.status_code == 201
- assert resp.json()["status"] == "pending"
-
-
-# ---------------------------------------------------------------------------
-# 9. reject does NOT trigger Web Push
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_reject_does_not_send_push():
- """reject callback does NOT call send_push."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- cb_payload = {
- "callback_query": {
- "id": "cq_r001",
- "data": f"reject:{reg_id}",
- "message": {"message_id": 50, "chat": {"id": 5694335584}},
- }
- }
- push_calls: list = []
-
- async def _capture_push(sub_json, title, body):
- push_calls.append(sub_json)
-
- with patch("backend.push.send_push", side_effect=_capture_push):
- await client.post("/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- assert len(push_calls) == 0, f"Expected 0 push calls on reject, got {len(push_calls)}"
-
-
-# ---------------------------------------------------------------------------
-# 10. approve calls editMessageText with ✅ text
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_approve_edits_message():
- """approve callback calls editMessageText with '✅ Пользователь ... одобрен'."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "edit@tutlot.com", "login": "edituser"},
- )
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- cb_payload = {
- "callback_query": {
- "id": "cq_e001",
- "data": f"approve:{reg_id}",
- "message": {"message_id": 51, "chat": {"id": 5694335584}},
- }
- }
- edit_calls: list[str] = []
-
- async def _capture_edit(chat_id, message_id, text):
- edit_calls.append(text)
-
- with patch("backend.telegram.edit_message_text", side_effect=_capture_edit):
- await client.post("/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS)
-
- assert len(edit_calls) == 1, f"Expected 1 editMessageText call, got {len(edit_calls)}"
- assert "✅" in edit_calls[0], f"Expected ✅ in edit text, got: {edit_calls[0]!r}"
- assert "edituser" in edit_calls[0], f"Expected login in edit text, got: {edit_calls[0]!r}"
-
-
-# ---------------------------------------------------------------------------
-# 11. answerCallbackQuery is called after callback processing
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_answer_sent():
- """answerCallbackQuery is called with the callback_query_id after processing."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "answer@tutlot.com", "login": "answeruser"},
- )
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- cb_payload = {
- "callback_query": {
- "id": "cq_a001",
- "data": f"approve:{reg_id}",
- "message": {"message_id": 52, "chat": {"id": 5694335584}},
- }
- }
- answer_calls: list[str] = []
-
- async def _capture_answer(callback_query_id):
- answer_calls.append(callback_query_id)
-
- with patch("backend.telegram.answer_callback_query", side_effect=_capture_answer):
- await client.post("/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS)
-
- assert len(answer_calls) == 1, f"Expected 1 answerCallbackQuery call, got {len(answer_calls)}"
- assert answer_calls[0] == "cq_a001"
-
-
-# ---------------------------------------------------------------------------
-# 12. CORS — Authorization header is allowed
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_cors_authorization_header_allowed():
- """CORS preflight request allows Authorization header."""
- async with make_app_client() as client:
- resp = await client.options(
- "/api/auth/register",
- headers={
- "Origin": "http://localhost:3000",
- "Access-Control-Request-Method": "POST",
- "Access-Control-Request-Headers": "Authorization",
- },
- )
- assert resp.status_code in (200, 204), f"CORS preflight returned {resp.status_code}"
- allow_headers = resp.headers.get("access-control-allow-headers", "")
- assert "authorization" in allow_headers.lower(), (
- f"Authorization not in Access-Control-Allow-Headers: {allow_headers!r}"
- )
-
-
-# ---------------------------------------------------------------------------
-# 13. DB — registrations table exists after init_db
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_registrations_table_created():
- """init_db creates the registrations table with correct schema."""
- from tests.conftest import temp_db
- from backend import db as _db, config as _cfg
- import aiosqlite
-
- with temp_db():
- await _db.init_db()
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- async with conn.execute(
- "SELECT name FROM sqlite_master WHERE type='table' AND name='registrations'"
- ) as cur:
- row = await cur.fetchone()
- assert row is not None, "Table 'registrations' not found after init_db()"
-
-
-# ---------------------------------------------------------------------------
-# 14. DB — password_hash uses PBKDF2 '{salt_hex}:{dk_hex}' format
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_password_hash_stored_in_pbkdf2_format():
- """Stored password_hash uses '
:' PBKDF2 format."""
- from backend import config as _cfg
- import aiosqlite
-
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "pbkdf2@tutlot.com", "login": "pbkdf2user"},
- )
-
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute(
- "SELECT password_hash FROM registrations WHERE login = 'pbkdf2user'"
- ) as cur:
- row = await cur.fetchone()
-
- assert row is not None, "Registration not found in DB"
- password_hash = row["password_hash"]
- assert ":" in password_hash, f"Expected 'salt:hash' format, got {password_hash!r}"
- parts = password_hash.split(":")
- assert len(parts) == 2, f"Expected exactly one colon separator, got {password_hash!r}"
- salt_hex, dk_hex = parts
- # salt = os.urandom(16) → 32 hex chars; dk = SHA-256 output (32 bytes) → 64 hex chars
- assert len(salt_hex) == 32, f"Expected 32-char salt hex, got {len(salt_hex)}"
- assert len(dk_hex) == 64, f"Expected 64-char dk hex (SHA-256), got {len(dk_hex)}"
- int(salt_hex, 16) # raises ValueError if not valid hex
- int(dk_hex, 16)
-
-
-# ---------------------------------------------------------------------------
-# 15. State machine — повторное нажатие approve на уже approved
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_double_approve_does_not_send_push():
- """Second approve on already-approved registration must NOT fire push."""
- push_sub = {
- "endpoint": "https://fcm.googleapis.com/fcm/send/test2",
- "keys": {"p256dh": "BQDEF", "auth": "abc"},
- }
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "double@tutlot.com", "login": "doubleuser", "push_subscription": push_sub},
- )
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- cb_payload = {
- "callback_query": {
- "id": "cq_d1",
- "data": f"approve:{reg_id}",
- "message": {"message_id": 60, "chat": {"id": 5694335584}},
- }
- }
-
- # First approve — should succeed
- await client.post("/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- # Second approve — push must NOT be fired
- push_calls: list = []
-
- async def _capture_push(sub_json, title, body):
- push_calls.append(sub_json)
-
- cb_payload2 = {**cb_payload, "callback_query": {**cb_payload["callback_query"], "id": "cq_d2"}}
- with patch("backend.push.send_push", side_effect=_capture_push):
- await client.post("/api/webhook/telegram", json=cb_payload2, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- assert len(push_calls) == 0, f"Second approve must not fire push, got {len(push_calls)} calls"
-
- # Also verify status is still 'approved'
- from backend import db as _db
- # Can't check here as client context is closed; DB assertion was covered by state machine logic
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_double_approve_status_stays_approved():
- """Status remains 'approved' after a second approve callback."""
- from backend import db as _db
-
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "stay@tutlot.com", "login": "stayuser"},
- )
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- cb = {
- "callback_query": {
- "id": "cq_s1",
- "data": f"approve:{reg_id}",
- "message": {"message_id": 70, "chat": {"id": 5694335584}},
- }
- }
- await client.post("/api/webhook/telegram", json=cb, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- cb2 = {**cb, "callback_query": {**cb["callback_query"], "id": "cq_s2"}}
- await client.post("/api/webhook/telegram", json=cb2, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- reg = await _db.get_registration(reg_id)
- assert reg["status"] == "approved", f"Expected 'approved', got {reg['status']!r}"
-
-
-# ---------------------------------------------------------------------------
-# 16. State machine — approve после reject
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_approve_after_reject_status_stays_rejected():
- """Approve after reject must NOT change status — remains 'rejected'."""
- from backend import db as _db
-
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "artest@tutlot.com", "login": "artestuser"},
- )
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- # First: reject
- rej_cb = {
- "callback_query": {
- "id": "cq_ar1",
- "data": f"reject:{reg_id}",
- "message": {"message_id": 80, "chat": {"id": 5694335584}},
- }
- }
- await client.post("/api/webhook/telegram", json=rej_cb, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- # Then: approve — must be ignored
- push_calls: list = []
-
- async def _capture_push(sub_json, title, body):
- push_calls.append(sub_json)
-
- app_cb = {
- "callback_query": {
- "id": "cq_ar2",
- "data": f"approve:{reg_id}",
- "message": {"message_id": 81, "chat": {"id": 5694335584}},
- }
- }
- with patch("backend.push.send_push", side_effect=_capture_push):
- await client.post("/api/webhook/telegram", json=app_cb, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- reg = await _db.get_registration(reg_id)
- assert reg["status"] == "rejected", f"Expected 'rejected', got {reg['status']!r}"
-
- assert len(push_calls) == 0, f"Approve after reject must not fire push, got {len(push_calls)}"
-
-
-# ---------------------------------------------------------------------------
-# 17. Rate limiting — 4th request returns 429
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_rate_limit_fourth_request_returns_429():
- """4th registration request from same IP within the window returns 429."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- for i in range(3):
- r = await client.post(
- "/api/auth/register",
- json={
- "email": f"ratetest{i}@tutlot.com",
- "login": f"ratetest{i}",
- "password": "strongpassword123",
- },
- )
- assert r.status_code == 201, f"Request {i+1} should succeed, got {r.status_code}"
-
- # 4th request — must be rate-limited
- r4 = await client.post(
- "/api/auth/register",
- json={
- "email": "ratetest4@tutlot.com",
- "login": "ratetest4",
- "password": "strongpassword123",
- },
- )
-
- assert r4.status_code == 429, f"Expected 429 on 4th request, got {r4.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 18. VAPID public key endpoint /api/push/public-key
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_vapid_public_key_new_endpoint_returns_200():
- """GET /api/push/public-key returns 200 with vapid_public_key field."""
- async with make_app_client() as client:
- resp = await client.get("/api/push/public-key")
-
- assert resp.status_code == 200, f"Expected 200, got {resp.status_code}: {resp.text}"
- body = resp.json()
- assert "vapid_public_key" in body, f"Expected 'vapid_public_key' in response, got {body}"
-
-
-# ---------------------------------------------------------------------------
-# 19. Password max length — 129 chars → 422
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_422_password_too_long():
- """Password of 129 characters returns 422."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "password": "a" * 129},
- )
- assert resp.status_code == 422, f"Expected 422 on 129-char password, got {resp.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 20. Login max length — 31 chars → 422
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_422_login_too_long():
- """Login of 31 characters returns 422."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "login": "a" * 31},
- )
- assert resp.status_code == 422, f"Expected 422 on 31-char login, got {resp.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 21. Empty body — POST /api/auth/register with {} → 422
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_422_empty_body():
- """Empty JSON body returns 422."""
- async with make_app_client() as client:
- resp = await client.post("/api/auth/register", json={})
- assert resp.status_code == 422, f"Expected 422 on empty body, got {resp.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 22. Malformed callback_data — no colon → ok:True without crash
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_malformed_data_no_colon_returns_ok():
- """callback_query with data='garbage' (no colon) returns ok:True gracefully."""
- async with make_app_client() as client:
- cb_payload = {
- "callback_query": {
- "id": "cq_mal1",
- "data": "garbage",
- "message": {"message_id": 90, "chat": {"id": 5694335584}},
- }
- }
- resp = await client.post(
- "/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS
- )
-
- assert resp.status_code == 200, f"Expected 200, got {resp.status_code}"
- assert resp.json() == {"ok": True}, f"Expected ok:True, got {resp.json()}"
-
-
-# ---------------------------------------------------------------------------
-# 23. Non-numeric reg_id — data='approve:abc' → ok:True without crash
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_non_numeric_reg_id_returns_ok():
- """callback_query with data='approve:abc' (non-numeric reg_id) returns ok:True."""
- async with make_app_client() as client:
- cb_payload = {
- "callback_query": {
- "id": "cq_nan1",
- "data": "approve:abc",
- "message": {"message_id": 91, "chat": {"id": 5694335584}},
- }
- }
- resp = await client.post(
- "/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS
- )
-
- assert resp.status_code == 200, f"Expected 200, got {resp.status_code}"
- assert resp.json() == {"ok": True}, f"Expected ok:True, got {resp.json()}"
diff --git a/tests/test_baton_008_frontend.py b/tests/test_baton_008_frontend.py
deleted file mode 100644
index 5b8eeb2..0000000
--- a/tests/test_baton_008_frontend.py
+++ /dev/null
@@ -1,439 +0,0 @@
-"""
-Tests for BATON-008: Frontend registration module.
-
-Acceptance criteria:
-1. index.html — форма регистрации с полями email, login, password присутствует
-2. index.html — НЕТ захардкоженных VAPID-ключей в HTML-атрибутах (decision #1333)
-3. app.js — вызов /api/push/public-key (не старый /api/vapid-public-key) (decision #1331)
-4. app.js — guard для PushManager (decision #1332)
-5. app.js — обработчик для кнопки регистрации (#btn-register → _handleSignUp)
-6. app.js — переключение между view-login и view-register
-7. app.js — показ ошибок пользователю (_setRegStatus)
-8. GET /api/push/public-key → 200 с vapid_public_key (API контракт)
-9. POST /api/auth/register с валидными данными → 201 (API контракт)
-10. POST /api/auth/register с дублирующим email → 409
-11. POST /api/auth/register с дублирующим login → 409
-12. POST /api/auth/register с невалидным email → 422
-"""
-from __future__ import annotations
-
-import re
-from pathlib import Path
-from unittest.mock import AsyncMock, patch
-
-import pytest
-
-PROJECT_ROOT = Path(__file__).parent.parent
-INDEX_HTML = PROJECT_ROOT / "frontend" / "index.html"
-APP_JS = PROJECT_ROOT / "frontend" / "app.js"
-
-from tests.conftest import make_app_client
-
-_VALID_PAYLOAD = {
- "email": "frontend_test@tutlot.com",
- "login": "frontenduser",
- "password": "strongpassword123",
-}
-
-
-# ---------------------------------------------------------------------------
-# HTML static analysis — Criterion 1: поля формы регистрации
-# ---------------------------------------------------------------------------
-
-
-def test_index_html_has_email_field() -> None:
- """index.html должен содержать поле email для регистрации (id=reg-email)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="reg-email"' in content, (
- "index.html не содержит поле с id='reg-email'"
- )
-
-
-def test_index_html_has_login_field() -> None:
- """index.html должен содержать поле логина для регистрации (id=reg-login)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="reg-login"' in content, (
- "index.html не содержит поле с id='reg-login'"
- )
-
-
-def test_index_html_has_password_field() -> None:
- """index.html должен содержать поле пароля для регистрации (id=reg-password)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="reg-password"' in content, (
- "index.html не содержит поле с id='reg-password'"
- )
-
-
-def test_index_html_email_field_has_correct_type() -> None:
- """Поле email регистрации должно иметь type='email'."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- # Ищем input с id=reg-email и type=email в любом порядке атрибутов
- email_input_block = re.search(
- r']*id="reg-email"[^>]*>', content, re.DOTALL
- )
- assert email_input_block is not None, "Не найден input с id='reg-email'"
- assert 'type="email"' in email_input_block.group(0), (
- "Поле reg-email не имеет type='email'"
- )
-
-
-def test_index_html_password_field_has_correct_type() -> None:
- """Поле пароля регистрации должно иметь type='password'."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- password_input_block = re.search(
- r']*id="reg-password"[^>]*>', content, re.DOTALL
- )
- assert password_input_block is not None, "Не найден input с id='reg-password'"
- assert 'type="password"' in password_input_block.group(0), (
- "Поле reg-password не имеет type='password'"
- )
-
-
-def test_index_html_has_register_button() -> None:
- """index.html должен содержать кнопку регистрации (id=btn-register)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="btn-register"' in content, (
- "index.html не содержит кнопку с id='btn-register'"
- )
-
-
-def test_index_html_has_switch_to_register_button() -> None:
- """index.html должен содержать кнопку переключения на форму регистрации (id=btn-switch-to-register)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="btn-switch-to-register"' in content, (
- "index.html не содержит кнопку с id='btn-switch-to-register'"
- )
-
-
-def test_index_html_has_view_register_div() -> None:
- """index.html должен содержать блок view-register для формы регистрации."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="view-register"' in content, (
- "index.html не содержит блок с id='view-register'"
- )
-
-
-def test_index_html_has_view_login_div() -> None:
- """index.html должен содержать блок view-login для онбординга."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="view-login"' in content, (
- "index.html не содержит блок с id='view-login'"
- )
-
-
-def test_index_html_has_reg_status_element() -> None:
- """index.html должен содержать элемент статуса регистрации (id=reg-status)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="reg-status"' in content, (
- "index.html не содержит элемент с id='reg-status'"
- )
-
-
-# ---------------------------------------------------------------------------
-# HTML static analysis — Criterion 2: НЕТ захардкоженного VAPID в HTML (decision #1333)
-# ---------------------------------------------------------------------------
-
-
-def test_index_html_no_hardcoded_vapid_key_in_meta() -> None:
- """index.html НЕ должен содержать VAPID-ключ захардкоженным в meta-теге (decision #1333)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- # VAPID public key — это URL-safe base64 строка длиной 87 символов (без padding)
- # Ищем характерный паттерн в meta-атрибутах
- vapid_in_meta = re.search(
- r']+content\s*=\s*["\'][A-Za-z0-9_\-]{60,}["\'][^>]*>',
- content,
- )
- assert vapid_in_meta is None, (
- f"Найден meta-тег с длинной строкой (возможный VAPID-ключ): "
- f"{vapid_in_meta.group(0) if vapid_in_meta else ''}"
- )
-
-
-def test_index_html_no_vapid_key_attribute_pattern() -> None:
- """index.html НЕ должен содержать data-vapid-key или аналогичные атрибуты."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert "vapid" not in content.lower(), (
- "index.html содержит упоминание 'vapid' — VAPID ключ должен читаться через API, "
- "а не быть захардкожен в HTML (decision #1333)"
- )
-
-
-# ---------------------------------------------------------------------------
-# app.js static analysis — Criterion 3: /api/push/public-key endpoint (decision #1331)
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_uses_new_vapid_endpoint() -> None:
- """app.js должен обращаться к /api/push/public-key (decision #1331)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "/api/push/public-key" in content, (
- "app.js не содержит endpoint '/api/push/public-key'"
- )
-
-
-def test_app_js_does_not_use_old_vapid_endpoint() -> None:
- """app.js НЕ должен использовать устаревший /api/vapid-public-key (decision #1331)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "/api/vapid-public-key" not in content, (
- "app.js содержит устаревший endpoint '/api/vapid-public-key' — "
- "нарушение decision #1331, должен использоваться '/api/push/public-key'"
- )
-
-
-# ---------------------------------------------------------------------------
-# app.js static analysis — Criterion 4: PushManager guard (decision #1332)
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_has_push_manager_guard_in_registration_flow() -> None:
- """app.js должен содержать guard 'PushManager' in window (decision #1332)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "'PushManager' in window" in content, (
- "app.js не содержит guard \"'PushManager' in window\" — "
- "нарушение decision #1332"
- )
-
-
-def test_app_js_push_manager_guard_combined_with_service_worker_check() -> None:
- """Guard PushManager должен сочетаться с проверкой serviceWorker."""
- content = APP_JS.read_text(encoding="utf-8")
- # Ищем паттерн совместной проверки serviceWorker + PushManager
- assert re.search(
- r"serviceWorker.*PushManager|PushManager.*serviceWorker",
- content,
- re.DOTALL,
- ), (
- "app.js не содержит совместной проверки 'serviceWorker' и 'PushManager' — "
- "guard неполный (decision #1332)"
- )
-
-
-# ---------------------------------------------------------------------------
-# app.js static analysis — Criterion 5: обработчик кнопки регистрации
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_has_handle_sign_up_function() -> None:
- """app.js должен содержать функцию _handleSignUp."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "_handleSignUp" in content, (
- "app.js не содержит функцию '_handleSignUp'"
- )
-
-
-def test_app_js_registers_click_handler_for_btn_register() -> None:
- """app.js должен добавлять click-обработчик на btn-register → _handleSignUp."""
- content = APP_JS.read_text(encoding="utf-8")
- # Ищем addEventListener на элементе btn-register с вызовом _handleSignUp
- assert re.search(
- r'btn-register.*addEventListener|addEventListener.*btn-register',
- content,
- re.DOTALL,
- ), (
- "app.js не содержит addEventListener для кнопки 'btn-register'"
- )
- # Проверяем что именно _handleSignUp привязан к кнопке
- assert re.search(
- r'btn[Rr]egister.*_handleSignUp|_handleSignUp.*btn[Rr]egister',
- content,
- re.DOTALL,
- ), (
- "app.js не связывает кнопку 'btn-register' с функцией '_handleSignUp'"
- )
-
-
-# ---------------------------------------------------------------------------
-# app.js static analysis — Criterion 6: переключение view-login / view-register
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_has_show_view_function() -> None:
- """app.js должен содержать функцию _showView для переключения видов."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "_showView" in content, (
- "app.js не содержит функцию '_showView'"
- )
-
-
-def test_app_js_show_view_handles_view_login() -> None:
- """_showView в app.js должна обрабатывать view-login."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "view-login" in content, (
- "app.js не содержит id 'view-login' — нет переключения на вид логина"
- )
-
-
-def test_app_js_show_view_handles_view_register() -> None:
- """_showView в app.js должна обрабатывать view-register."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "view-register" in content, (
- "app.js не содержит id 'view-register' — нет переключения на вид регистрации"
- )
-
-
-def test_app_js_has_btn_switch_to_register_handler() -> None:
- """app.js должен содержать обработчик для btn-switch-to-register."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "btn-switch-to-register" in content, (
- "app.js не содержит ссылку на 'btn-switch-to-register'"
- )
-
-
-def test_app_js_has_btn_switch_to_login_handler() -> None:
- """app.js должен содержать обработчик для btn-switch-to-login (назад)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "btn-switch-to-login" in content, (
- "app.js не содержит ссылку на 'btn-switch-to-login'"
- )
-
-
-# ---------------------------------------------------------------------------
-# app.js static analysis — Criterion 7: обработка ошибок / показ сообщения пользователю
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_has_set_reg_status_function() -> None:
- """app.js должен содержать _setRegStatus для показа статуса в форме регистрации."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "_setRegStatus" in content, (
- "app.js не содержит функцию '_setRegStatus'"
- )
-
-
-def test_app_js_handle_sign_up_shows_error_on_empty_fields() -> None:
- """_handleSignUp должна вызывать _setRegStatus с ошибкой при пустых полях."""
- content = APP_JS.read_text(encoding="utf-8")
- # Проверяем наличие валидации пустых полей внутри _handleSignUp-подобного блока
- assert re.search(
- r"_setRegStatus\s*\([^)]*error",
- content,
- ), (
- "app.js не содержит вызов _setRegStatus с классом 'error' "
- "— ошибки не отображаются пользователю"
- )
-
-
-def test_app_js_handle_sign_up_shows_success_on_ok() -> None:
- """_handleSignUp должна вызывать _setRegStatus с success при успешной регистрации."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(
- r"_setRegStatus\s*\([^)]*success",
- content,
- ), (
- "app.js не содержит вызов _setRegStatus с классом 'success' "
- "— пользователь не уведомляется об успехе регистрации"
- )
-
-
-def test_app_js_clears_password_after_successful_signup() -> None:
- """_handleSignUp должна очищать поле пароля после успешной отправки."""
- content = APP_JS.read_text(encoding="utf-8")
- # Ищем сброс значения пароля
- assert re.search(
- r"passwordInput\.value\s*=\s*['\"][\s]*['\"]",
- content,
- ), (
- "app.js не очищает поле пароля после успешной регистрации — "
- "пароль остаётся в DOM (security concern)"
- )
-
-
-def test_app_js_uses_api_auth_register_endpoint() -> None:
- """app.js должен отправлять форму на /api/auth/register."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "/api/auth/register" in content, (
- "app.js не содержит endpoint '/api/auth/register'"
- )
-
-
-# ---------------------------------------------------------------------------
-# Integration tests — API контракты (Criteria 8–12)
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_vapid_public_key_endpoint_returns_200_with_key():
- """GET /api/push/public-key → 200 с полем vapid_public_key."""
- async with make_app_client() as client:
- resp = await client.get("/api/push/public-key")
-
- assert resp.status_code == 200, (
- f"GET /api/push/public-key вернул {resp.status_code}, ожидался 200"
- )
- body = resp.json()
- assert "vapid_public_key" in body, (
- f"Ответ /api/push/public-key не содержит 'vapid_public_key': {body}"
- )
- assert isinstance(body["vapid_public_key"], str), (
- "vapid_public_key должен быть строкой"
- )
-
-
-@pytest.mark.asyncio
-async def test_register_valid_payload_returns_201_pending():
- """POST /api/auth/register с валидными данными → 201 status=pending."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- resp = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
-
- assert resp.status_code == 201, (
- f"POST /api/auth/register вернул {resp.status_code}: {resp.text}"
- )
- body = resp.json()
- assert body.get("status") == "pending", (
- f"Ожидался status='pending', получено: {body}"
- )
- assert "message" in body, (
- f"Ответ не содержит поле 'message': {body}"
- )
-
-
-@pytest.mark.asyncio
-async def test_register_duplicate_email_returns_409():
- """POST /api/auth/register с дублирующим email → 409."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- r1 = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert r1.status_code == 201, f"Первая регистрация не прошла: {r1.text}"
-
- r2 = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "login": "anotherlogin"},
- )
-
- assert r2.status_code == 409, (
- f"Дублирующий email должен вернуть 409, получено {r2.status_code}"
- )
-
-
-@pytest.mark.asyncio
-async def test_register_duplicate_login_returns_409():
- """POST /api/auth/register с дублирующим login → 409."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- r1 = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert r1.status_code == 201, f"Первая регистрация не прошла: {r1.text}"
-
- r2 = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "another@tutlot.com"},
- )
-
- assert r2.status_code == 409, (
- f"Дублирующий login должен вернуть 409, получено {r2.status_code}"
- )
-
-
-@pytest.mark.asyncio
-async def test_register_invalid_email_returns_422():
- """POST /api/auth/register с невалидным email → 422."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "not-an-email"},
- )
-
- assert resp.status_code == 422, (
- f"Невалидный email должен вернуть 422, получено {resp.status_code}"
- )
diff --git a/tests/test_biz_001.py b/tests/test_biz_001.py
deleted file mode 100644
index b48d176..0000000
--- a/tests/test_biz_001.py
+++ /dev/null
@@ -1,338 +0,0 @@
-"""
-Tests for BATON-BIZ-001: Login mechanism for approved users (dual-layer: AST + httpx functional).
-
-Acceptance criteria:
-1. Успешный login по login-полю → 200 + token
-2. Успешный login по email-полю → 200 + token
-3. Неверный пароль → 401 (без раскрытия причины)
-4. Статус pending → 403 с читаемым сообщением
-5. Статус rejected → 403 с читаемым сообщением
-6. Rate limit — 6-й запрос подряд → 429
-7. Guard middleware возвращает 401 без токена
-8. Guard middleware пропускает валидный токен
-
-Additional: error message uniformity, PBKDF2 verification.
-"""
-from __future__ import annotations
-
-import os
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
-
-import pytest
-from fastapi import HTTPException
-from fastapi.security import HTTPAuthorizationCredentials
-
-from backend import db
-from backend.middleware import create_auth_token, verify_auth_token
-from tests.conftest import make_app_client
-
-
-# ---------------------------------------------------------------------------
-# Helpers
-# ---------------------------------------------------------------------------
-
-async def _register_auth(client, email: str, login: str, password: str) -> int:
- """Register via /api/auth/register, return registration id."""
- resp = await client.post(
- "/api/auth/register",
- json={"email": email, "login": login, "password": password},
- )
- assert resp.status_code == 201, f"auth/register failed: {resp.text}"
- reg = await db.get_registration_by_login_or_email(login)
- assert reg is not None
- return reg["id"]
-
-
-async def _approve(reg_id: int) -> None:
- await db.update_registration_status(reg_id, "approved")
-
-
-async def _reject(reg_id: int) -> None:
- await db.update_registration_status(reg_id, "rejected")
-
-
-# ---------------------------------------------------------------------------
-# Criterion 1 — Успешный login по login-полю
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_login_by_login_field_returns_200_with_token():
- """Approved user can login using their login field → 200 + token."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "alice@tutlot.com", "alice", "password123")
- await _approve(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "alice", "password": "password123"},
- )
- assert resp.status_code == 200
- data = resp.json()
- assert "token" in data
- assert data["login"] == "alice"
-
-
-@pytest.mark.asyncio
-async def test_login_by_login_field_token_is_non_empty_string():
- """Token returned for approved login user is a non-empty string."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "alice2@tutlot.com", "alice2", "password123")
- await _approve(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "alice2", "password": "password123"},
- )
- assert isinstance(resp.json()["token"], str)
- assert len(resp.json()["token"]) > 0
-
-
-# ---------------------------------------------------------------------------
-# Criterion 2 — Успешный login по email-полю
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_login_by_email_field_returns_200_with_token():
- """Approved user can login using their email field → 200 + token."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "bob@tutlot.com", "bobuser", "securepass1")
- await _approve(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "bob@tutlot.com", "password": "securepass1"},
- )
- assert resp.status_code == 200
- data = resp.json()
- assert "token" in data
- assert data["login"] == "bobuser"
-
-
-@pytest.mark.asyncio
-async def test_login_by_email_field_token_login_matches_registration():
- """Token response login field matches the login set during registration."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "bob2@tutlot.com", "bob2user", "securepass1")
- await _approve(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "bob2@tutlot.com", "password": "securepass1"},
- )
- assert resp.json()["login"] == "bob2user"
-
-
-# ---------------------------------------------------------------------------
-# Criterion 3 — Неверный пароль → 401 без раскрытия причины
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_wrong_password_returns_401():
- """Wrong password returns 401 with generic message (no detail about which field failed)."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "carol@tutlot.com", "carol", "correctpass1")
- await _approve(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "carol", "password": "wrongpassword"},
- )
- assert resp.status_code == 401
- assert "Неверный логин или пароль" in resp.json()["detail"]
-
-
-@pytest.mark.asyncio
-async def test_nonexistent_user_returns_401_same_message_as_wrong_password():
- """Non-existent login returns same 401 message as wrong password (prevents user enumeration)."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "doesnotexist", "password": "anypassword"},
- )
- assert resp.status_code == 401
- assert "Неверный логин или пароль" in resp.json()["detail"]
-
-
-# ---------------------------------------------------------------------------
-# Criterion 4 — Статус pending → 403 с читаемым сообщением
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_pending_user_login_returns_403():
- """User with pending status gets 403."""
- async with make_app_client() as client:
- await _register_auth(client, "dave@tutlot.com", "dave", "password123")
- # Status is 'pending' by default — no approval step
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "dave", "password": "password123"},
- )
- assert resp.status_code == 403
-
-
-@pytest.mark.asyncio
-async def test_pending_user_login_403_message_is_human_readable():
- """403 message for pending user contains readable Russian text about the waiting status."""
- async with make_app_client() as client:
- await _register_auth(client, "dave2@tutlot.com", "dave2", "password123")
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "dave2", "password": "password123"},
- )
- assert "ожидает" in resp.json()["detail"]
-
-
-# ---------------------------------------------------------------------------
-# Criterion 5 — Статус rejected → 403 с читаемым сообщением
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_rejected_user_login_returns_403():
- """User with rejected status gets 403."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "eve@tutlot.com", "evegirl", "password123")
- await _reject(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "evegirl", "password": "password123"},
- )
- assert resp.status_code == 403
-
-
-@pytest.mark.asyncio
-async def test_rejected_user_login_403_message_is_human_readable():
- """403 message for rejected user contains readable Russian text about rejection."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "eve2@tutlot.com", "eve2girl", "password123")
- await _reject(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "eve2girl", "password": "password123"},
- )
- assert "отклонена" in resp.json()["detail"]
-
-
-# ---------------------------------------------------------------------------
-# Criterion 6 — Rate limit: 6-й запрос подряд → 429
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_rate_limit_triggers_on_sixth_login_attempt():
- """Login rate limit (5 per window) triggers 429 exactly on the 6th request."""
- async with make_app_client() as client:
- statuses = []
- for _ in range(6):
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "nouser_rl", "password": "nopass"},
- headers={"X-Real-IP": "10.99.99.1"},
- )
- statuses.append(resp.status_code)
- # First 5 attempts pass rate limit (user not found → 401)
- assert all(s == 401 for s in statuses[:5]), (
- f"Первые 5 попыток должны быть 401, получили: {statuses[:5]}"
- )
- # 6th attempt hits rate limit
- assert statuses[5] == 429, (
- f"6-я попытка должна быть 429, получили: {statuses[5]}"
- )
-
-
-@pytest.mark.asyncio
-async def test_rate_limit_fifth_attempt_still_passes():
- """5th login attempt is still allowed (rate limit triggers only on 6th)."""
- async with make_app_client() as client:
- for i in range(4):
- await client.post(
- "/api/auth/login",
- json={"login_or_email": "nouser_rl2", "password": "nopass"},
- headers={"X-Real-IP": "10.99.99.2"},
- )
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "nouser_rl2", "password": "nopass"},
- headers={"X-Real-IP": "10.99.99.2"},
- )
- assert resp.status_code == 401, (
- f"5-я попытка должна пройти rate limit и вернуть 401, получили: {resp.status_code}"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 7 — Guard middleware: 401 без токена
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_verify_auth_token_raises_401_when_credentials_is_none():
- """verify_auth_token raises HTTPException 401 when no credentials provided."""
- with pytest.raises(HTTPException) as exc_info:
- await verify_auth_token(credentials=None)
- assert exc_info.value.status_code == 401
-
-
-@pytest.mark.asyncio
-async def test_verify_auth_token_raises_401_for_malformed_token():
- """verify_auth_token raises HTTPException 401 for a malformed/invalid token."""
- creds = HTTPAuthorizationCredentials(scheme="Bearer", credentials="not.a.valid.jwt")
- with pytest.raises(HTTPException) as exc_info:
- await verify_auth_token(credentials=creds)
- assert exc_info.value.status_code == 401
-
-
-# ---------------------------------------------------------------------------
-# Criterion 8 — Guard middleware: валидный токен пропускается
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_verify_auth_token_returns_payload_for_valid_token():
- """verify_auth_token returns decoded JWT payload for a valid signed token."""
- token = create_auth_token(reg_id=42, login="testuser")
- creds = HTTPAuthorizationCredentials(scheme="Bearer", credentials=token)
- payload = await verify_auth_token(credentials=creds)
- assert payload["sub"] == "42"
- assert payload["login"] == "testuser"
-
-
-@pytest.mark.asyncio
-async def test_verify_auth_token_payload_contains_expected_fields():
- """Payload returned by verify_auth_token contains sub, login, iat, exp fields."""
- token = create_auth_token(reg_id=7, login="inspector")
- creds = HTTPAuthorizationCredentials(scheme="Bearer", credentials=token)
- payload = await verify_auth_token(credentials=creds)
- for field in ("sub", "login", "iat", "exp"):
- assert field in payload, f"Поле '{field}' отсутствует в payload"
-
-
-# ---------------------------------------------------------------------------
-# Additional: PBKDF2 correctness — verify_password timing-safe
-# ---------------------------------------------------------------------------
-
-
-def test_hash_and_verify_password_returns_true_for_correct_password():
- """_hash_password + _verify_password: correct password returns True."""
- from backend.main import _hash_password, _verify_password
- stored = _hash_password("mysecretpass")
- assert _verify_password("mysecretpass", stored) is True
-
-
-def test_hash_and_verify_password_returns_false_for_wrong_password():
- """_hash_password + _verify_password: wrong password returns False."""
- from backend.main import _hash_password, _verify_password
- stored = _hash_password("mysecretpass")
- assert _verify_password("wrongpassword", stored) is False
-
-
-def test_verify_password_returns_false_for_malformed_hash():
- """_verify_password returns False (not exception) for a malformed hash string."""
- from backend.main import _verify_password
- assert _verify_password("anypassword", "not-a-valid-hash") is False
diff --git a/tests/test_biz_002.py b/tests/test_biz_002.py
deleted file mode 100644
index 0136df7..0000000
--- a/tests/test_biz_002.py
+++ /dev/null
@@ -1,203 +0,0 @@
-"""
-Tests for BATON-BIZ-002: Убрать hardcoded VAPID key из meta-тега, читать с /api/push/public-key
-
-Acceptance criteria:
-1. Meta-тег vapid-public-key полностью отсутствует в frontend/index.html (decision #1333).
-2. app.js использует canonical URL /api/push/public-key для получения VAPID ключа.
-3. Graceful fallback: endpoint недоступен → функция возвращает null, не бросает исключение.
-4. Graceful fallback: ключ пустой → _initPushSubscription не выполняется (guard на null).
-5. GET /api/push/public-key возвращает HTTP 200 с полем vapid_public_key.
-6. GET /api/push/public-key возвращает правильное значение из конфига.
-"""
-from __future__ import annotations
-
-import os
-import re
-from pathlib import Path
-from unittest.mock import patch
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
-
-import pytest
-
-from tests.conftest import make_app_client
-
-PROJECT_ROOT = Path(__file__).parent.parent
-INDEX_HTML = PROJECT_ROOT / "frontend" / "index.html"
-APP_JS = PROJECT_ROOT / "frontend" / "app.js"
-
-_TEST_VAPID_KEY = "BFakeVapidPublicKeyForBiz002TestingBase64UrlEncoded"
-
-
-# ---------------------------------------------------------------------------
-# Criterion 1 — AST: meta-тег vapid-public-key полностью отсутствует
-# ---------------------------------------------------------------------------
-
-
-def test_index_html_has_no_meta_tag_named_vapid_public_key() -> None:
- """index.html не должен содержать вообще (decision #1333)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- match = re.search(
- r']+name\s*=\s*["\']vapid-public-key["\']',
- content,
- re.IGNORECASE,
- )
- assert match is None, (
- f"index.html содержит удалённый тег : {match.group(0)!r}"
- )
-
-
-def test_index_html_has_no_vapid_meta_tag_with_empty_or_any_content() -> None:
- """index.html не должен содержать ни пустой, ни непустой VAPID ключ в meta content."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- match = re.search(
- r']*(?:vapid|application-server-key)[^>]*content\s*=',
- content,
- re.IGNORECASE,
- )
- assert match is None, (
- f"index.html содержит -тег с VAPID-связанным атрибутом content: {match.group(0)!r}"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 2 — AST: app.js использует canonical /api/push/public-key
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_fetch_vapid_uses_canonical_push_public_key_url() -> None:
- """_fetchVapidPublicKey в app.js должна использовать /api/push/public-key (canonical URL)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "/api/push/public-key" in content, (
- "app.js не содержит canonical URL '/api/push/public-key' — "
- "ключ не читается через правильный endpoint"
- )
-
-
-def test_app_js_fetch_vapid_returns_vapid_public_key_field() -> None:
- """_fetchVapidPublicKey должна читать поле vapid_public_key из JSON-ответа."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(r"data\.vapid_public_key", content), (
- "app.js не читает поле 'data.vapid_public_key' из ответа API"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 3 — AST: graceful fallback когда endpoint недоступен
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_fetch_vapid_returns_null_on_http_error() -> None:
- """_fetchVapidPublicKey должна возвращать null при res.ok === false (HTTP-ошибка)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(r"if\s*\(\s*!\s*res\.ok\s*\)", content), (
- "app.js не содержит проверку 'if (!res.ok)' — "
- "HTTP-ошибки не обрабатываются gracefully в _fetchVapidPublicKey"
- )
-
-
-def test_app_js_fetch_vapid_catches_network_errors() -> None:
- """_fetchVapidPublicKey должна оборачивать fetch в try/catch и возвращать null при сетевой ошибке."""
- content = APP_JS.read_text(encoding="utf-8")
- # Проверяем паттерн try { fetch ... } catch (err) { return null; } внутри функции
- func_match = re.search(
- r"async function _fetchVapidPublicKey\(\).*?(?=^(?:async )?function |\Z)",
- content,
- re.DOTALL | re.MULTILINE,
- )
- assert func_match, "Функция _fetchVapidPublicKey не найдена в app.js"
- func_body = func_match.group(0)
- assert "catch" in func_body, (
- "app.js: _fetchVapidPublicKey не содержит блок catch — "
- "сетевые ошибки при fetch не обрабатываются"
- )
- assert re.search(r"return\s+null", func_body), (
- "app.js: _fetchVapidPublicKey не возвращает null при ошибке — "
- "upstream код получит исключение вместо null"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 4 — AST: graceful fallback когда ключ пустой (decision #1332)
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_fetch_vapid_returns_null_on_empty_key() -> None:
- """_fetchVapidPublicKey должна возвращать null когда vapid_public_key пустой."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(r"data\.vapid_public_key\s*\|\|\s*null", content), (
- "app.js не содержит 'data.vapid_public_key || null' — "
- "пустой ключ не преобразуется в null"
- )
-
-
-def test_app_js_init_push_subscription_guard_skips_on_null_key() -> None:
- """_initPushSubscription должна ранним возвратом пропускать подписку при null ключе (decision #1332)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(r"if\s*\(\s*!\s*vapidPublicKey\s*\)", content), (
- "app.js: _initPushSubscription не содержит guard 'if (!vapidPublicKey)' — "
- "подписка может быть создана без ключа"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 5 — HTTP: GET /api/push/public-key → 200 + vapid_public_key
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_push_public_key_endpoint_returns_200() -> None:
- """GET /api/push/public-key должен вернуть HTTP 200."""
- async with make_app_client() as client:
- response = await client.get("/api/push/public-key")
- assert response.status_code == 200, (
- f"GET /api/push/public-key вернул {response.status_code}, ожидался 200"
- )
-
-
-@pytest.mark.asyncio
-async def test_push_public_key_endpoint_returns_json_with_vapid_field() -> None:
- """GET /api/push/public-key должен вернуть JSON с полем vapid_public_key."""
- async with make_app_client() as client:
- response = await client.get("/api/push/public-key")
- data = response.json()
- assert "vapid_public_key" in data, (
- f"Ответ /api/push/public-key не содержит поле 'vapid_public_key': {data!r}"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 6 — HTTP: возвращает правильное значение из конфига
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_push_public_key_endpoint_returns_configured_value() -> None:
- """GET /api/push/public-key возвращает значение из VAPID_PUBLIC_KEY конфига."""
- with patch("backend.config.VAPID_PUBLIC_KEY", _TEST_VAPID_KEY):
- async with make_app_client() as client:
- response = await client.get("/api/push/public-key")
- data = response.json()
- assert data.get("vapid_public_key") == _TEST_VAPID_KEY, (
- f"vapid_public_key должен быть '{_TEST_VAPID_KEY}', "
- f"получили: {data.get('vapid_public_key')!r}"
- )
-
-
-@pytest.mark.asyncio
-async def test_push_public_key_endpoint_returns_empty_string_when_not_configured() -> None:
- """GET /api/push/public-key возвращает пустую строку (не ошибку) если ключ не настроен."""
- with patch("backend.config.VAPID_PUBLIC_KEY", ""):
- async with make_app_client() as client:
- response = await client.get("/api/push/public-key")
- assert response.status_code == 200, (
- f"Endpoint вернул {response.status_code} при пустом ключе, ожидался 200"
- )
- data = response.json()
- assert "vapid_public_key" in data, "Поле vapid_public_key отсутствует при пустом конфиге"
diff --git a/tests/test_biz_004.py b/tests/test_biz_004.py
deleted file mode 100644
index 228f2ac..0000000
--- a/tests/test_biz_004.py
+++ /dev/null
@@ -1,96 +0,0 @@
-"""
-BATON-BIZ-004: Verify removal of dead code from backend/telegram.py.
-
-Acceptance criteria:
-1. telegram.py does NOT contain duplicate logging setLevel calls for httpx/httpcore.
-2. telegram.py does NOT contain the SignalAggregator class.
-3. httpx/httpcore logging suppression is still configured in main.py (globally).
-4. SignalAggregator is NOT importable from backend.telegram.
-"""
-from __future__ import annotations
-
-import ast
-import importlib
-import inspect
-import logging
-import os
-from pathlib import Path
-
-
-# ---------------------------------------------------------------------------
-# Helpers
-# ---------------------------------------------------------------------------
-
-_BACKEND_DIR = Path(__file__).parent.parent / "backend"
-_TELEGRAM_SRC = (_BACKEND_DIR / "telegram.py").read_text(encoding="utf-8")
-_MAIN_SRC = (_BACKEND_DIR / "main.py").read_text(encoding="utf-8")
-
-
-# ---------------------------------------------------------------------------
-# Criteria 1 — no setLevel for httpx/httpcore in telegram.py
-# ---------------------------------------------------------------------------
-
-def test_telegram_has_no_httpx_setlevel():
- """telegram.py must not set log level for 'httpx'."""
- assert 'getLogger("httpx").setLevel' not in _TELEGRAM_SRC
- assert "getLogger('httpx').setLevel" not in _TELEGRAM_SRC
-
-
-def test_telegram_has_no_httpcore_setlevel():
- """telegram.py must not set log level for 'httpcore'."""
- assert 'getLogger("httpcore").setLevel' not in _TELEGRAM_SRC
- assert "getLogger('httpcore').setLevel" not in _TELEGRAM_SRC
-
-
-# ---------------------------------------------------------------------------
-# Criteria 2 — SignalAggregator absent from telegram.py source
-# ---------------------------------------------------------------------------
-
-def test_telegram_source_has_no_signal_aggregator_class():
- """telegram.py source text must not contain the class definition."""
- assert "class SignalAggregator" not in _TELEGRAM_SRC
-
-
-def test_telegram_source_has_no_signal_aggregator_reference():
- """telegram.py source text must not reference SignalAggregator at all."""
- assert "SignalAggregator" not in _TELEGRAM_SRC
-
-
-# ---------------------------------------------------------------------------
-# Criteria 3 — httpx/httpcore suppression still lives in main.py
-# ---------------------------------------------------------------------------
-
-def test_main_suppresses_httpx_logging():
- """main.py must call getLogger('httpx').setLevel to suppress noise."""
- assert (
- 'getLogger("httpx").setLevel' in _MAIN_SRC
- or "getLogger('httpx').setLevel" in _MAIN_SRC
- )
-
-
-def test_main_suppresses_httpcore_logging():
- """main.py must call getLogger('httpcore').setLevel to suppress noise."""
- assert (
- 'getLogger("httpcore").setLevel' in _MAIN_SRC
- or "getLogger('httpcore').setLevel" in _MAIN_SRC
- )
-
-
-# ---------------------------------------------------------------------------
-# Criteria 4 — SignalAggregator not importable from backend.telegram
-# ---------------------------------------------------------------------------
-
-def test_signal_aggregator_not_importable_from_telegram():
- """Importing SignalAggregator from backend.telegram must raise ImportError."""
- import importlib
- import sys
-
- # Force a fresh import so changes to the module are reflected
- mod_name = "backend.telegram"
- if mod_name in sys.modules:
- del sys.modules[mod_name]
-
- import backend.telegram as tg_mod # noqa: F401
- assert not hasattr(tg_mod, "SignalAggregator"), (
- "SignalAggregator should not be an attribute of backend.telegram"
- )
diff --git a/tests/test_db.py b/tests/test_db.py
index 93e87a1..e823fc4 100644
--- a/tests/test_db.py
+++ b/tests/test_db.py
@@ -29,14 +29,6 @@ import pytest
from backend import config, db
-# Valid UUID v4 constants — db-layer tests bypass Pydantic but use canonical UUIDs
-_UUID_DB_1 = "d0000001-0000-4000-8000-000000000001"
-_UUID_DB_2 = "d0000002-0000-4000-8000-000000000002"
-_UUID_DB_3 = "d0000003-0000-4000-8000-000000000003"
-_UUID_DB_4 = "d0000004-0000-4000-8000-000000000004"
-_UUID_DB_5 = "d0000005-0000-4000-8000-000000000005"
-_UUID_DB_6 = "d0000006-0000-4000-8000-000000000006"
-
def _tmpdb():
"""Return a fresh temp-file path and set config.DB_PATH."""
@@ -136,10 +128,10 @@ async def test_register_user_returns_id():
path = _tmpdb()
try:
await db.init_db()
- result = await db.register_user(uuid=_UUID_DB_1, name="Alice")
+ result = await db.register_user(uuid="uuid-001", name="Alice")
assert isinstance(result["user_id"], int)
assert result["user_id"] > 0
- assert result["uuid"] == _UUID_DB_1
+ assert result["uuid"] == "uuid-001"
finally:
_cleanup(path)
@@ -150,8 +142,8 @@ async def test_register_user_idempotent():
path = _tmpdb()
try:
await db.init_db()
- r1 = await db.register_user(uuid=_UUID_DB_2, name="Bob")
- r2 = await db.register_user(uuid=_UUID_DB_2, name="Bob")
+ r1 = await db.register_user(uuid="uuid-002", name="Bob")
+ r2 = await db.register_user(uuid="uuid-002", name="Bob")
assert r1["user_id"] == r2["user_id"]
finally:
_cleanup(path)
@@ -167,8 +159,8 @@ async def test_get_user_name_returns_name():
path = _tmpdb()
try:
await db.init_db()
- await db.register_user(uuid=_UUID_DB_3, name="Charlie")
- name = await db.get_user_name(_UUID_DB_3)
+ await db.register_user(uuid="uuid-003", name="Charlie")
+ name = await db.get_user_name("uuid-003")
assert name == "Charlie"
finally:
_cleanup(path)
@@ -196,9 +188,9 @@ async def test_save_signal_returns_id():
path = _tmpdb()
try:
await db.init_db()
- await db.register_user(uuid=_UUID_DB_4, name="Dana")
+ await db.register_user(uuid="uuid-004", name="Dana")
signal_id = await db.save_signal(
- user_uuid=_UUID_DB_4,
+ user_uuid="uuid-004",
timestamp=1742478000000,
lat=55.7558,
lon=37.6173,
@@ -216,9 +208,9 @@ async def test_save_signal_without_geo():
path = _tmpdb()
try:
await db.init_db()
- await db.register_user(uuid=_UUID_DB_5, name="Eve")
+ await db.register_user(uuid="uuid-005", name="Eve")
signal_id = await db.save_signal(
- user_uuid=_UUID_DB_5,
+ user_uuid="uuid-005",
timestamp=1742478000000,
lat=None,
lon=None,
@@ -247,9 +239,9 @@ async def test_save_signal_increments_id():
path = _tmpdb()
try:
await db.init_db()
- await db.register_user(uuid=_UUID_DB_6, name="Frank")
- id1 = await db.save_signal(_UUID_DB_6, 1742478000001, None, None, None)
- id2 = await db.save_signal(_UUID_DB_6, 1742478000002, None, None, None)
+ await db.register_user(uuid="uuid-006", name="Frank")
+ id1 = await db.save_signal("uuid-006", 1742478000001, None, None, None)
+ id2 = await db.save_signal("uuid-006", 1742478000002, None, None, None)
assert id2 > id1
finally:
_cleanup(path)
diff --git a/tests/test_fix_005.py b/tests/test_fix_005.py
deleted file mode 100644
index 4a0c25f..0000000
--- a/tests/test_fix_005.py
+++ /dev/null
@@ -1,172 +0,0 @@
-"""
-Tests for BATON-FIX-005: BOT_TOKEN leak prevention in logs.
-
-Acceptance criteria covered by unit tests:
- AC#4 — no places in source code where token is logged in plain text:
- - _mask_token() returns masked representation (***XXXX format)
- - validate_bot_token() exception handler does not log raw BOT_TOKEN
- - validate_bot_token() exception handler logs type(exc).__name__ + masked token
- - httpcore logger level >= WARNING (prevents URL leak via transport layer)
-
-AC#1, AC#2, AC#3 (journalctl, webhook, service health) require live production
-verification and are outside unit test scope.
-"""
-from __future__ import annotations
-
-import logging
-import os
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-
-import httpx
-import pytest
-import respx
-
-from backend import config
-from backend.telegram import _mask_token, validate_bot_token
-
-GET_ME_URL = f"https://api.telegram.org/bot{config.BOT_TOKEN}/getMe"
-
-
-# ---------------------------------------------------------------------------
-# _mask_token helper
-# ---------------------------------------------------------------------------
-
-
-def test_mask_token_shows_last_4_chars():
- """_mask_token returns '***XXXX' where XXXX is the last 4 chars of the token."""
- token = "123456789:ABCDEFsomeLongTokenXYZW"
- result = _mask_token(token)
- assert result == f"***{token[-4:]}", f"Expected ***{token[-4:]}, got {result!r}"
-
-
-def test_mask_token_hides_most_of_token():
- """_mask_token must NOT expose the full token — only last 4 chars."""
- token = "123456789:ABCDEFsomeLongTokenXYZW"
- result = _mask_token(token)
- assert token[:-4] not in result, f"Masked token exposes too much: {result!r}"
-
-
-def test_mask_token_short_token_returns_redacted():
- """_mask_token returns '***REDACTED***' for tokens shorter than 4 chars."""
- assert _mask_token("abc") == "***REDACTED***"
-
-
-def test_mask_token_empty_string_returns_redacted():
- """_mask_token on empty string returns '***REDACTED***'."""
- assert _mask_token("") == "***REDACTED***"
-
-
-def test_mask_token_exactly_4_chars_is_not_redacted():
- """_mask_token with exactly 4 chars returns '***XXXX' (not redacted)."""
- result = _mask_token("1234")
- assert result == "***1234", f"Expected ***1234, got {result!r}"
-
-
-# ---------------------------------------------------------------------------
-# httpcore logger suppression (new in FIX-005; httpx covered in test_fix_011)
-# ---------------------------------------------------------------------------
-
-
-def test_httpcore_logger_level_is_warning_or_higher():
- """logging.getLogger('httpcore').level must be WARNING or higher after app import."""
- import backend.main # noqa: F401 — ensures telegram.py module-level setLevel is called
-
- httpcore_logger = logging.getLogger("httpcore")
- assert httpcore_logger.level >= logging.WARNING, (
- f"httpcore logger level must be >= WARNING (30), got {httpcore_logger.level}. "
- "httpcore logs transport-level requests including URLs with BOT_TOKEN."
- )
-
-
-def test_httpcore_logger_info_not_enabled():
- """httpcore logger must not propagate INFO-level messages (would leak BOT_TOKEN URL)."""
- import backend.main # noqa: F401
-
- httpcore_logger = logging.getLogger("httpcore")
- assert not httpcore_logger.isEnabledFor(logging.INFO), (
- "httpcore logger must not process INFO messages — could leak BOT_TOKEN via URL"
- )
-
-
-# ---------------------------------------------------------------------------
-# validate_bot_token() exception handler — AC#4: no raw token in error logs
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_validate_bot_token_network_error_does_not_log_raw_token(caplog):
- """validate_bot_token() on ConnectError must NOT log the raw BOT_TOKEN.
-
- AC#4: The exception handler logs type(exc).__name__ + _mask_token() instead
- of raw exc, which embeds the Telegram API URL containing the token.
- """
- with respx.mock(assert_all_called=False) as mock:
- mock.get(GET_ME_URL).mock(side_effect=httpx.ConnectError("connection refused"))
- with caplog.at_level(logging.ERROR, logger="backend.telegram"):
- result = await validate_bot_token()
-
- assert result is False
-
- raw_token = config.BOT_TOKEN
- for record in caplog.records:
- assert raw_token not in record.message, (
- f"AC#4: Raw BOT_TOKEN leaked in log message: {record.message!r}"
- )
-
-
-@pytest.mark.asyncio
-async def test_validate_bot_token_network_error_logs_exception_type_name(caplog):
- """validate_bot_token() on ConnectError logs the exception type name, not repr(exc).
-
- The fixed handler: logger.error('...%s...', type(exc).__name__, ...) — not str(exc).
- """
- with respx.mock(assert_all_called=False) as mock:
- mock.get(GET_ME_URL).mock(side_effect=httpx.ConnectError("connection refused"))
- with caplog.at_level(logging.ERROR, logger="backend.telegram"):
- await validate_bot_token()
-
- error_messages = [r.message for r in caplog.records if r.levelno >= logging.ERROR]
- assert error_messages, "Expected at least one ERROR log on network failure"
- assert any("ConnectError" in msg for msg in error_messages), (
- f"Expected 'ConnectError' (type name) in error log, got: {error_messages}"
- )
-
-
-@pytest.mark.asyncio
-async def test_validate_bot_token_network_error_logs_masked_token(caplog):
- """validate_bot_token() on network error logs masked token (***XXXX), not raw token."""
- with respx.mock(assert_all_called=False) as mock:
- mock.get(GET_ME_URL).mock(side_effect=httpx.ConnectError("connection refused"))
- with caplog.at_level(logging.ERROR, logger="backend.telegram"):
- await validate_bot_token()
-
- token = config.BOT_TOKEN # "test-bot-token"
- masked = f"***{token[-4:]}" # "***oken"
- error_messages = [r.message for r in caplog.records if r.levelno >= logging.ERROR]
- assert any(masked in msg for msg in error_messages), (
- f"Expected masked token '{masked}' in error log. Got: {error_messages}"
- )
-
-
-@pytest.mark.asyncio
-async def test_validate_bot_token_network_error_no_api_url_in_logs(caplog):
- """validate_bot_token() on network error must not log the Telegram API URL.
-
- httpx embeds the request URL (including the token) into exception repr/str.
- The fixed handler avoids logging exc directly to prevent this leak.
- """
- with respx.mock(assert_all_called=False) as mock:
- mock.get(GET_ME_URL).mock(side_effect=httpx.ConnectError("connection refused"))
- with caplog.at_level(logging.ERROR, logger="backend.telegram"):
- await validate_bot_token()
-
- for record in caplog.records:
- assert "api.telegram.org" not in record.message, (
- f"AC#4: Telegram API URL (containing token) leaked in log: {record.message!r}"
- )
diff --git a/tests/test_fix_007.py b/tests/test_fix_007.py
deleted file mode 100644
index 3779fe0..0000000
--- a/tests/test_fix_007.py
+++ /dev/null
@@ -1,155 +0,0 @@
-"""
-Tests for BATON-FIX-007: CORS OPTIONS preflight verification.
-
-Acceptance criteria:
-1. OPTIONS preflight to /api/signal returns 200.
-2. Preflight response includes Access-Control-Allow-Methods containing GET.
-3. Preflight response includes Access-Control-Allow-Origin matching the configured origin.
-4. Preflight response includes Access-Control-Allow-Headers with Authorization.
-5. allow_methods in CORSMiddleware configuration explicitly contains GET.
-"""
-from __future__ import annotations
-
-import ast
-from pathlib import Path
-
-import pytest
-
-from tests.conftest import make_app_client
-
-_FRONTEND_ORIGIN = "http://localhost:3000"
-_BACKEND_DIR = Path(__file__).parent.parent / "backend"
-
-# ---------------------------------------------------------------------------
-# Static check — CORSMiddleware config contains GET in allow_methods
-# ---------------------------------------------------------------------------
-
-
-def test_main_py_cors_allow_methods_contains_get() -> None:
- """allow_methods в CORSMiddleware должен содержать 'GET'."""
- source = (_BACKEND_DIR / "main.py").read_text(encoding="utf-8")
- tree = ast.parse(source, filename="main.py")
-
- for node in ast.walk(tree):
- if isinstance(node, ast.Call):
- func = node.func
- if isinstance(func, ast.Name) and func.id == "add_middleware":
- continue
- if not (
- isinstance(func, ast.Attribute) and func.attr == "add_middleware"
- ):
- continue
- for kw in node.keywords:
- if kw.arg == "allow_methods":
- if isinstance(kw.value, ast.List):
- methods = [
- elt.value
- for elt in kw.value.elts
- if isinstance(elt, ast.Constant) and isinstance(elt.value, str)
- ]
- assert "GET" in methods, (
- f"allow_methods в CORSMiddleware не содержит 'GET': {methods}"
- )
- return
-
- pytest.fail("add_middleware с CORSMiddleware и allow_methods не найден в main.py")
-
-
-def test_main_py_cors_allow_methods_contains_post() -> None:
- """allow_methods в CORSMiddleware должен содержать 'POST' (регрессия)."""
- source = (_BACKEND_DIR / "main.py").read_text(encoding="utf-8")
- assert '"POST"' in source or "'POST'" in source, (
- "allow_methods в CORSMiddleware не содержит 'POST'"
- )
-
-
-# ---------------------------------------------------------------------------
-# Functional — OPTIONS preflight request
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_options_preflight_signal_returns_200() -> None:
- """OPTIONS preflight к /api/signal должен возвращать 200."""
- async with make_app_client() as client:
- resp = await client.options(
- "/api/signal",
- headers={
- "Origin": _FRONTEND_ORIGIN,
- "Access-Control-Request-Method": "POST",
- "Access-Control-Request-Headers": "Content-Type, Authorization",
- },
- )
- assert resp.status_code == 200, (
- f"Preflight OPTIONS /api/signal вернул {resp.status_code}, ожидался 200"
- )
-
-
-@pytest.mark.asyncio
-async def test_options_preflight_allow_origin_header() -> None:
- """OPTIONS preflight должен вернуть Access-Control-Allow-Origin."""
- async with make_app_client() as client:
- resp = await client.options(
- "/api/signal",
- headers={
- "Origin": _FRONTEND_ORIGIN,
- "Access-Control-Request-Method": "POST",
- "Access-Control-Request-Headers": "Content-Type, Authorization",
- },
- )
- acao = resp.headers.get("access-control-allow-origin", "")
- assert acao == _FRONTEND_ORIGIN, (
- f"Ожидался Access-Control-Allow-Origin: {_FRONTEND_ORIGIN!r}, получен: {acao!r}"
- )
-
-
-@pytest.mark.asyncio
-async def test_options_preflight_allow_methods_contains_get() -> None:
- """OPTIONS preflight должен вернуть Access-Control-Allow-Methods, включающий GET."""
- async with make_app_client() as client:
- resp = await client.options(
- "/api/signal",
- headers={
- "Origin": _FRONTEND_ORIGIN,
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": "Authorization",
- },
- )
- acam = resp.headers.get("access-control-allow-methods", "")
- assert "GET" in acam, (
- f"Access-Control-Allow-Methods не содержит GET: {acam!r}\n"
- "Decision #1268: allow_methods=['POST'] — GET отсутствует"
- )
-
-
-@pytest.mark.asyncio
-async def test_options_preflight_allow_headers_contains_authorization() -> None:
- """OPTIONS preflight должен вернуть Access-Control-Allow-Headers, включающий Authorization."""
- async with make_app_client() as client:
- resp = await client.options(
- "/api/signal",
- headers={
- "Origin": _FRONTEND_ORIGIN,
- "Access-Control-Request-Method": "POST",
- "Access-Control-Request-Headers": "Authorization",
- },
- )
- acah = resp.headers.get("access-control-allow-headers", "")
- assert "authorization" in acah.lower(), (
- f"Access-Control-Allow-Headers не содержит Authorization: {acah!r}"
- )
-
-
-@pytest.mark.asyncio
-async def test_get_health_cors_header_present() -> None:
- """GET /health с Origin должен вернуть Access-Control-Allow-Origin (simple request)."""
- async with make_app_client() as client:
- resp = await client.get(
- "/health",
- headers={"Origin": _FRONTEND_ORIGIN},
- )
- assert resp.status_code == 200
- acao = resp.headers.get("access-control-allow-origin", "")
- assert acao == _FRONTEND_ORIGIN, (
- f"GET /health: ожидался CORS-заголовок {_FRONTEND_ORIGIN!r}, получен: {acao!r}"
- )
diff --git a/tests/test_fix_009.py b/tests/test_fix_009.py
deleted file mode 100644
index 399e4aa..0000000
--- a/tests/test_fix_009.py
+++ /dev/null
@@ -1,229 +0,0 @@
-"""
-Tests for BATON-FIX-009: Live delivery verification — automated regression guards.
-
-Acceptance criteria mapped to unit tests:
- AC#3 — BOT_TOKEN validates on startup via validate_bot_token() (getMe call)
- AC#4 — CHAT_ID is negative (regression guard for decision #1212)
- AC#1 — POST /api/signal returns 200 with valid auth
-
-Physical production checks (AC#2 Telegram group message, AC#5 systemd status)
-are outside unit test scope and require live production verification.
-"""
-from __future__ import annotations
-
-import logging
-import os
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-
-import json
-from unittest.mock import AsyncMock, patch
-
-import httpx
-import pytest
-import respx
-
-from tests.conftest import make_app_client, temp_db
-
-
-# ---------------------------------------------------------------------------
-# AC#3 — validate_bot_token called at startup (decision #1211)
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_validate_bot_token_called_once_during_startup():
- """AC#3: validate_bot_token() must be called exactly once during app startup.
-
- Maps to production check: curl getMe must be executed to detect invalid token
- before the service starts accepting signals (decision #1211).
- """
- from backend.main import app
-
- with temp_db():
- with patch("backend.telegram.validate_bot_token", new_callable=AsyncMock) as mock_validate:
- mock_validate.return_value = True
- with patch("backend.telegram.set_webhook", new_callable=AsyncMock):
- async with app.router.lifespan_context(app):
- pass
-
- assert mock_validate.call_count == 1, (
- f"Expected validate_bot_token to be called exactly once at startup, "
- f"got {mock_validate.call_count}"
- )
-
-
-@pytest.mark.asyncio
-async def test_invalid_bot_token_logs_critical_error_on_startup(caplog):
- """AC#3: When BOT_TOKEN is invalid (validate_bot_token returns False),
- a CRITICAL/ERROR is logged but lifespan continues — service must not crash.
-
- Maps to: 'Check BOT_TOKEN valid via getMe — status OK/FAIL' (decision #1211).
- """
- from backend.main import app
-
- with temp_db():
- with patch("backend.telegram.validate_bot_token", new_callable=AsyncMock) as mock_validate:
- mock_validate.return_value = False
- with patch("backend.telegram.set_webhook", new_callable=AsyncMock):
- with caplog.at_level(logging.ERROR, logger="backend.main"):
- async with app.router.lifespan_context(app):
- pass # lifespan must complete without raising
-
- critical_msgs = [r.message for r in caplog.records if r.levelno >= logging.ERROR]
- assert len(critical_msgs) >= 1, (
- "Expected at least one ERROR/CRITICAL log when BOT_TOKEN is invalid. "
- "Operator must be alerted on startup if Telegram delivery is broken."
- )
- assert any("BOT_TOKEN" in m for m in critical_msgs), (
- f"Expected log mentioning 'BOT_TOKEN', got: {critical_msgs}"
- )
-
-
-@pytest.mark.asyncio
-async def test_invalid_bot_token_lifespan_does_not_raise():
- """AC#3: Invalid BOT_TOKEN must not crash the service — lifespan completes normally."""
- from backend.main import app
-
- with temp_db():
- with patch("backend.telegram.validate_bot_token", new_callable=AsyncMock) as mock_validate:
- mock_validate.return_value = False
- with patch("backend.telegram.set_webhook", new_callable=AsyncMock):
- # Must not raise — service stays alive even with broken Telegram token
- async with app.router.lifespan_context(app):
- pass
-
-
-# ---------------------------------------------------------------------------
-# AC#4 — CHAT_ID is negative (decision #1212 regression guard)
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_send_message_chat_id_in_request_is_negative():
- """AC#4: The chat_id sent to Telegram API must be negative (group ID).
-
- Root cause of BATON-007: CHAT_ID=5190015988 (positive) was set in .env
- instead of -5190015988 (negative). Negative ID = Telegram group/supergroup.
- Decision #1212: CHAT_ID=-5190015988 отрицательный.
- """
- from backend import config
- from backend.telegram import send_message
-
- send_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/sendMessage"
-
- with respx.mock(assert_all_called=False) as mock:
- route = mock.post(send_url).mock(
- return_value=httpx.Response(200, json={"ok": True})
- )
- await send_message("AC#4 regression guard")
-
- assert route.called
- body = json.loads(route.calls[0].request.content)
- chat_id = body["chat_id"]
- assert str(chat_id).startswith("-"), (
- f"Regression #1212: chat_id must be negative (group ID), got {chat_id!r}. "
- "Positive chat_id is a user ID — messages go to private DM, not the group."
- )
-
-
-# ---------------------------------------------------------------------------
-# AC#1 — POST /api/signal returns 200 (decision #1211)
-# ---------------------------------------------------------------------------
-
-
-_UUID_FIX009 = "f0090001-0000-4000-8000-000000000001"
-
-
-@pytest.mark.asyncio
-async def test_signal_endpoint_returns_200_with_valid_auth():
- """AC#1: POST /api/signal with valid Bearer token must return HTTP 200.
-
- Maps to production check: 'SSH на сервер, отправить POST /api/signal,
- зафиксировать raw ответ API' (decision #1211).
- """
- async with make_app_client() as client:
- reg = await client.post(
- "/api/register",
- json={"uuid": _UUID_FIX009, "name": "Fix009User"},
- )
- assert reg.status_code == 200, f"Registration failed: {reg.text}"
- api_key = reg.json()["api_key"]
-
- resp = await client.post(
- "/api/signal",
- json={"user_id": _UUID_FIX009, "timestamp": 1742478000000},
- headers={"Authorization": f"Bearer {api_key}"},
- )
-
- assert resp.status_code == 200, (
- f"Expected /api/signal to return 200, got {resp.status_code}: {resp.text}"
- )
- body = resp.json()
- assert body.get("status") == "ok", f"Expected status='ok', got: {body}"
- assert "signal_id" in body, f"Expected signal_id in response, got: {body}"
-
-
-@pytest.mark.asyncio
-async def test_signal_endpoint_returns_200_even_when_telegram_returns_400(caplog):
- """AC#1 + decision #1230: POST /api/signal must return 200 even if Telegram returns 400.
-
- Decision #1230: 'Если Telegram возвращает 400 — зафиксировать и сообщить'.
- The HTTP 400 from Telegram must be logged as ERROR (captured/reported),
- but /api/signal must still return 200 — signal was saved to DB.
- """
- from backend import config
- from backend.main import app
-
- send_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/sendMessage"
- set_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/setWebhook"
- get_me_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/getMe"
-
- _UUID_400 = "f0090002-0000-4000-8000-000000000002"
-
- with temp_db():
- with respx.mock(assert_all_called=False) as mock_tg:
- mock_tg.get(get_me_url).mock(
- return_value=httpx.Response(200, json={"ok": True, "result": {"username": "testbot"}})
- )
- mock_tg.post(set_url).mock(
- return_value=httpx.Response(200, json={"ok": True, "result": True})
- )
- mock_tg.post(send_url).mock(
- return_value=httpx.Response(
- 400,
- json={"ok": False, "error_code": 400, "description": "Bad Request: chat not found"},
- )
- )
-
- async with app.router.lifespan_context(app):
- import asyncio
- from httpx import AsyncClient, ASGITransport
-
- transport = ASGITransport(app=app)
- async with AsyncClient(transport=transport, base_url="http://testserver") as client:
- reg = await client.post("/api/register", json={"uuid": _UUID_400, "name": "TgErrUser"})
- assert reg.status_code == 200
- api_key = reg.json()["api_key"]
-
- with caplog.at_level(logging.ERROR, logger="backend.telegram"):
- resp = await client.post(
- "/api/signal",
- json={"user_id": _UUID_400, "timestamp": 1742478000000},
- headers={"Authorization": f"Bearer {api_key}"},
- )
- await asyncio.sleep(0)
-
- assert resp.status_code == 200, (
- f"Decision #1230: /api/signal must return 200 even on Telegram 400, "
- f"got {resp.status_code}"
- )
- assert any("400" in r.message for r in caplog.records), (
- "Decision #1230: Telegram 400 error must be logged (captured and reported). "
- "Got logs: " + str([r.message for r in caplog.records])
- )
diff --git a/tests/test_fix_011.py b/tests/test_fix_011.py
deleted file mode 100644
index f4a3019..0000000
--- a/tests/test_fix_011.py
+++ /dev/null
@@ -1,116 +0,0 @@
-"""
-BATON-FIX-011: Проверяет, что BOT_TOKEN не попадает в httpx-логи.
-
-1. logging.getLogger('httpx').level >= logging.WARNING после импорта приложения.
-2. Дочерние логгеры httpx._client и httpx._async_client также не пишут INFO.
-3. При вызове send_message ни одна запись httpx-логгера с уровнем INFO
- не содержит 'bot' или токен-подобный паттерн /bot[0-9]+:/.
-"""
-from __future__ import annotations
-
-import logging
-import re
-
-import httpx
-import pytest
-import respx
-from unittest.mock import patch, AsyncMock
-
-# conftest.py уже устанавливает BOT_TOKEN=test-bot-token до этого импорта
-from backend import config
-from backend.telegram import send_message
-
-SEND_URL = f"https://api.telegram.org/bot{config.BOT_TOKEN}/sendMessage"
-BOT_TOKEN_PATTERN = re.compile(r"bot[0-9]+:")
-
-
-# ---------------------------------------------------------------------------
-# Уровень логгера httpx
-# ---------------------------------------------------------------------------
-
-def test_httpx_logger_level_is_warning_or_higher():
- """logging.getLogger('httpx').level должен быть WARNING (30) или выше после импорта приложения."""
- # Импортируем main, чтобы гарантировать, что setLevel уже вызван
- import backend.main # noqa: F401
-
- httpx_logger = logging.getLogger("httpx")
- assert httpx_logger.level >= logging.WARNING, (
- f"Ожидался уровень >= WARNING (30), получен {httpx_logger.level}"
- )
-
-
-def test_httpx_logger_info_not_enabled():
- """logging.getLogger('httpx').isEnabledFor(INFO) должен возвращать False."""
- import backend.main # noqa: F401
-
- httpx_logger = logging.getLogger("httpx")
- assert not httpx_logger.isEnabledFor(logging.INFO), (
- "httpx-логгер не должен обрабатывать INFO-сообщения"
- )
-
-
-def test_httpx_client_logger_info_not_enabled():
- """Дочерний логгер httpx._client не должен обрабатывать INFO."""
- import backend.main # noqa: F401
-
- child_logger = logging.getLogger("httpx._client")
- assert not child_logger.isEnabledFor(logging.INFO), (
- "httpx._client не должен обрабатывать INFO-сообщения"
- )
-
-
-def test_httpx_async_client_logger_info_not_enabled():
- """Дочерний логгер httpx._async_client не должен обрабатывать INFO."""
- import backend.main # noqa: F401
-
- child_logger = logging.getLogger("httpx._async_client")
- assert not child_logger.isEnabledFor(logging.INFO), (
- "httpx._async_client не должен обрабатывать INFO-сообщения"
- )
-
-
-# ---------------------------------------------------------------------------
-# BOT_TOKEN не появляется в httpx INFO-логах при send_message
-# ---------------------------------------------------------------------------
-
-@pytest.mark.asyncio
-async def test_send_message_no_httpx_records_at_warning_level(caplog):
- """При вызове send_message httpx не выдаёт записей уровня WARNING и ниже с токеном.
-
- Проверяет фактическое состояние логгера в продакшне (WARNING): INFO-сообщения
- с URL (включая BOT_TOKEN) не должны проходить через httpx-логгер.
- """
- import backend.main # noqa: F401 — убеждаемся, что setLevel вызван
-
- with respx.mock(assert_all_called=False) as mock:
- mock.post(SEND_URL).mock(return_value=httpx.Response(200, json={"ok": True}))
-
- # Захватываем логи при реальном уровне WARNING — INFO-сообщения не должны проходить
- with caplog.at_level(logging.WARNING, logger="httpx"):
- await send_message("test message for token leak check")
-
- bot_token = config.BOT_TOKEN
- httpx_records = [r for r in caplog.records if r.name.startswith("httpx")]
- for record in httpx_records:
- assert bot_token not in record.message, (
- f"BOT_TOKEN найден в httpx-логе (уровень {record.levelname}): {record.message!r}"
- )
-
-
-@pytest.mark.asyncio
-async def test_send_message_no_token_pattern_in_httpx_info_logs(caplog):
- """При вызове send_message httpx INFO-логи не содержат паттерн /bot[0-9]+:/."""
- with respx.mock(assert_all_called=False) as mock:
- mock.post(SEND_URL).mock(return_value=httpx.Response(200, json={"ok": True}))
-
- with caplog.at_level(logging.INFO, logger="httpx"):
- await send_message("check token pattern")
-
- info_records = [
- r for r in caplog.records
- if r.name.startswith("httpx") and r.levelno <= logging.INFO
- ]
- for record in info_records:
- assert not BOT_TOKEN_PATTERN.search(record.message), (
- f"Паттерн bot[0-9]+: найден в httpx INFO-логе: {record.message!r}"
- )
diff --git a/tests/test_fix_012.py b/tests/test_fix_012.py
deleted file mode 100644
index 324091a..0000000
--- a/tests/test_fix_012.py
+++ /dev/null
@@ -1,172 +0,0 @@
-"""
-Tests for BATON-FIX-012: UUID v4 validation regression guard.
-
-BATON-SEC-005 added UUID v4 pattern validation to RegisterRequest.uuid and
-SignalRequest.user_id. Tests in test_db.py / test_baton_005.py / test_telegram.py
-previously used placeholder strings ('uuid-001', 'create-uuid-001', 'agg-uuid-001')
-that are not valid UUID v4 — causing 25 regressions.
-
-This file locks down the behaviour so the same mistake cannot recur silently:
- - Old-style placeholder strings are rejected by Pydantic
- - All UUID constants used across the fixed test files are valid UUID v4
- - RegisterRequest and SignalRequest accept exactly-valid v4 UUIDs
- - They reject strings that violate version (bit 3 of field-3 must be 4) or
- variant (top bits of field-4 must be 10xx) requirements
-"""
-from __future__ import annotations
-
-import os
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-
-import pytest
-from pydantic import ValidationError
-
-from backend.models import RegisterRequest, SignalRequest
-
-# ---------------------------------------------------------------------------
-# UUID constants from fixed test files — all must be valid UUID v4
-# ---------------------------------------------------------------------------
-
-# test_db.py constants (_UUID_DB_1 .. _UUID_DB_6)
-_DB_UUIDS = [
- "d0000001-0000-4000-8000-000000000001",
- "d0000002-0000-4000-8000-000000000002",
- "d0000003-0000-4000-8000-000000000003",
- "d0000004-0000-4000-8000-000000000004",
- "d0000005-0000-4000-8000-000000000005",
- "d0000006-0000-4000-8000-000000000006",
-]
-
-# test_baton_005.py constants (_UUID_ADM_*)
-_ADM_UUIDS = [
- "e0000000-0000-4000-8000-000000000000",
- "e0000001-0000-4000-8000-000000000001",
- "e0000002-0000-4000-8000-000000000002",
- "e0000003-0000-4000-8000-000000000003",
- "e0000004-0000-4000-8000-000000000004",
- "e0000005-0000-4000-8000-000000000005",
- "e0000006-0000-4000-8000-000000000006",
- "e0000007-0000-4000-8000-000000000007",
- "e0000008-0000-4000-8000-000000000008",
- "e0000009-0000-4000-8000-000000000009",
- "e000000a-0000-4000-8000-000000000010",
-]
-
-# test_telegram.py constants (aggregator UUIDs)
-_AGG_UUIDS = [
- "a9900001-0000-4000-8000-000000000001",
- "a9900099-0000-4000-8000-000000000099",
-] + [f"a990000{i}-0000-4000-8000-00000000000{i}" for i in range(5)]
-
-
-# ---------------------------------------------------------------------------
-# Old-style placeholder UUIDs (pre-fix) must be rejected
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.parametrize("bad_uuid", [
- "uuid-001",
- "uuid-002",
- "uuid-003",
- "uuid-004",
- "uuid-005",
- "uuid-006",
- "create-uuid-001",
- "create-uuid-002",
- "create-uuid-003",
- "pass-uuid-001",
- "pass-uuid-002",
- "block-uuid-001",
- "unblock-uuid-001",
- "delete-uuid-001",
- "delete-uuid-002",
- "regress-admin-uuid-001",
- "unauth-uuid-001",
- "agg-uuid-001",
- "agg-uuid-clr",
-])
-def test_register_request_rejects_old_placeholder_uuid(bad_uuid: str) -> None:
- """RegisterRequest.uuid must reject all pre-BATON-SEC-005 placeholder strings."""
- with pytest.raises(ValidationError):
- RegisterRequest(uuid=bad_uuid, name="Test")
-
-
-@pytest.mark.parametrize("bad_uuid", [
- "uuid-001",
- "agg-uuid-001",
- "create-uuid-001",
-])
-def test_signal_request_accepts_any_user_id_string(bad_uuid: str) -> None:
- """SignalRequest.user_id is optional (no pattern) — validation is at endpoint level."""
- req = SignalRequest(user_id=bad_uuid, timestamp=1700000000000)
- assert req.user_id == bad_uuid
-
-
-# ---------------------------------------------------------------------------
-# All UUID constants from the fixed test files are valid UUID v4
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.parametrize("valid_uuid", _DB_UUIDS)
-def test_register_request_accepts_db_uuid_constants(valid_uuid: str) -> None:
- """RegisterRequest accepts all _UUID_DB_* constants from test_db.py."""
- req = RegisterRequest(uuid=valid_uuid, name="Test")
- assert req.uuid == valid_uuid
-
-
-@pytest.mark.parametrize("valid_uuid", _ADM_UUIDS)
-def test_register_request_accepts_adm_uuid_constants(valid_uuid: str) -> None:
- """RegisterRequest accepts all _UUID_ADM_* constants from test_baton_005.py."""
- req = RegisterRequest(uuid=valid_uuid, name="Test")
- assert req.uuid == valid_uuid
-
-
-@pytest.mark.parametrize("valid_uuid", _AGG_UUIDS)
-def test_signal_request_accepts_agg_uuid_constants(valid_uuid: str) -> None:
- """SignalRequest accepts all aggregator UUID constants from test_telegram.py."""
- req = SignalRequest(user_id=valid_uuid, timestamp=1700000000000)
- assert req.user_id == valid_uuid
-
-
-# ---------------------------------------------------------------------------
-# UUID v4 structural requirements — version digit and variant bits
-# ---------------------------------------------------------------------------
-
-
-def test_register_request_rejects_uuid_v1_version_digit() -> None:
- """UUID with version digit = 1 (not 4) must be rejected by RegisterRequest."""
- with pytest.raises(ValidationError):
- # third group starts with '1' — version 1, not v4
- RegisterRequest(uuid="550e8400-e29b-11d4-a716-446655440000", name="Test")
-
-
-def test_register_request_rejects_uuid_v3_version_digit() -> None:
- """UUID with version digit = 3 must be rejected."""
- with pytest.raises(ValidationError):
- RegisterRequest(uuid="550e8400-e29b-31d4-a716-446655440000", name="Test")
-
-
-def test_signal_request_accepts_any_variant_bits() -> None:
- """SignalRequest.user_id is now optional and unvalidated (JWT auth doesn't use it)."""
- req = SignalRequest(user_id="550e8400-e29b-41d4-0716-446655440000", timestamp=1700000000000)
- assert req.user_id is not None
-
-
-def test_signal_request_without_user_id() -> None:
- """SignalRequest works without user_id (JWT auth mode)."""
- req = SignalRequest(timestamp=1700000000000)
- assert req.user_id is None
-
-
-def test_register_request_accepts_all_valid_v4_variants() -> None:
- """RegisterRequest accepts UUIDs with variant nibbles 8, 9, a, b."""
- for variant in ("8", "9", "a", "b"):
- uuid = f"550e8400-e29b-41d4-{variant}716-446655440000"
- req = RegisterRequest(uuid=uuid, name="Test")
- assert req.uuid == uuid
diff --git a/tests/test_fix_013.py b/tests/test_fix_013.py
deleted file mode 100644
index 5445895..0000000
--- a/tests/test_fix_013.py
+++ /dev/null
@@ -1,194 +0,0 @@
-"""
-Tests for BATON-FIX-013: CORS allow_methods — добавить GET для /health эндпоинтов.
-
-Acceptance criteria:
-1. CORSMiddleware в main.py содержит "GET" в allow_methods.
-2. OPTIONS preflight /health с Origin и Access-Control-Request-Method: GET
- возвращает 200/204 и содержит GET в Access-Control-Allow-Methods.
-3. OPTIONS preflight /api/health — аналогично.
-4. GET /health возвращает 200 (regression guard vs. allow_methods=['POST'] only).
-"""
-from __future__ import annotations
-
-import os
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
-
-import pytest
-
-from tests.conftest import make_app_client
-
-_ORIGIN = "http://localhost:3000"
-# allow_headers = ["Content-Type", "Authorization"] — X-Custom-Header не разрешён,
-# поэтому preflight с X-Custom-Header вернёт 400. Используем Content-Type.
-_PREFLIGHT_HEADER = "Content-Type"
-
-
-# ---------------------------------------------------------------------------
-# Criterion 1 — Static: CORSMiddleware.allow_methods must contain "GET"
-# ---------------------------------------------------------------------------
-
-
-def test_cors_middleware_allow_methods_contains_get() -> None:
- """app.user_middleware CORSMiddleware должен содержать 'GET' в allow_methods."""
- from fastapi.middleware.cors import CORSMiddleware
-
- from backend.main import app
-
- cors_mw = next(
- (m for m in app.user_middleware if m.cls is CORSMiddleware), None
- )
- assert cors_mw is not None, "CORSMiddleware не найден в app.user_middleware"
- allow_methods = cors_mw.kwargs.get("allow_methods", [])
- assert "GET" in allow_methods, (
- f"CORSMiddleware.allow_methods={allow_methods!r} не содержит 'GET'"
- )
-
-
-def test_cors_middleware_allow_methods_contains_head() -> None:
- """allow_methods должен содержать 'HEAD' для корректной работы preflight."""
- from fastapi.middleware.cors import CORSMiddleware
-
- from backend.main import app
-
- cors_mw = next(
- (m for m in app.user_middleware if m.cls is CORSMiddleware), None
- )
- assert cors_mw is not None
- allow_methods = cors_mw.kwargs.get("allow_methods", [])
- assert "HEAD" in allow_methods, (
- f"CORSMiddleware.allow_methods={allow_methods!r} не содержит 'HEAD'"
- )
-
-
-def test_cors_middleware_allow_methods_contains_options() -> None:
- """allow_methods должен содержать 'OPTIONS' для корректной обработки preflight."""
- from fastapi.middleware.cors import CORSMiddleware
-
- from backend.main import app
-
- cors_mw = next(
- (m for m in app.user_middleware if m.cls is CORSMiddleware), None
- )
- assert cors_mw is not None
- allow_methods = cors_mw.kwargs.get("allow_methods", [])
- assert "OPTIONS" in allow_methods, (
- f"CORSMiddleware.allow_methods={allow_methods!r} не содержит 'OPTIONS'"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 2 — Preflight OPTIONS /health includes GET in Allow-Methods
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_health_preflight_options_returns_success_status() -> None:
- """OPTIONS preflight /health должен вернуть 200 или 204."""
- async with make_app_client() as client:
- response = await client.options(
- "/health",
- headers={
- "Origin": _ORIGIN,
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
- },
- )
- assert response.status_code in (200, 204), (
- f"OPTIONS /health вернул {response.status_code}, ожидался 200 или 204"
- )
-
-
-@pytest.mark.asyncio
-async def test_health_preflight_options_allow_methods_contains_get() -> None:
- """OPTIONS preflight /health: Access-Control-Allow-Methods должен содержать GET."""
- async with make_app_client() as client:
- response = await client.options(
- "/health",
- headers={
- "Origin": _ORIGIN,
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
- },
- )
- allow_methods_header = response.headers.get("access-control-allow-methods", "")
- assert "GET" in allow_methods_header, (
- f"Access-Control-Allow-Methods={allow_methods_header!r} не содержит 'GET'"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 3 — Preflight OPTIONS /api/health includes GET in Allow-Methods
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_api_health_preflight_options_returns_success_status() -> None:
- """OPTIONS preflight /api/health должен вернуть 200 или 204."""
- async with make_app_client() as client:
- response = await client.options(
- "/api/health",
- headers={
- "Origin": _ORIGIN,
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
- },
- )
- assert response.status_code in (200, 204), (
- f"OPTIONS /api/health вернул {response.status_code}, ожидался 200 или 204"
- )
-
-
-@pytest.mark.asyncio
-async def test_api_health_preflight_options_allow_methods_contains_get() -> None:
- """OPTIONS preflight /api/health: Access-Control-Allow-Methods должен содержать GET."""
- async with make_app_client() as client:
- response = await client.options(
- "/api/health",
- headers={
- "Origin": _ORIGIN,
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
- },
- )
- allow_methods_header = response.headers.get("access-control-allow-methods", "")
- assert "GET" in allow_methods_header, (
- f"Access-Control-Allow-Methods={allow_methods_header!r} не содержит 'GET'"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 4 — GET /health returns 200 (regression guard)
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_health_get_returns_200_regression_guard() -> None:
- """GET /health должен вернуть 200 — regression guard против allow_methods=['POST'] only."""
- async with make_app_client() as client:
- response = await client.get(
- "/health",
- headers={"Origin": _ORIGIN},
- )
- assert response.status_code == 200, (
- f"GET /health вернул {response.status_code}, ожидался 200"
- )
-
-
-@pytest.mark.asyncio
-async def test_api_health_get_returns_200_regression_guard() -> None:
- """GET /api/health должен вернуть 200 — regression guard против allow_methods=['POST'] only."""
- async with make_app_client() as client:
- response = await client.get(
- "/api/health",
- headers={"Origin": _ORIGIN},
- )
- assert response.status_code == 200, (
- f"GET /api/health вернул {response.status_code}, ожидался 200"
- )
diff --git a/tests/test_fix_016.py b/tests/test_fix_016.py
deleted file mode 100644
index e4748ba..0000000
--- a/tests/test_fix_016.py
+++ /dev/null
@@ -1,163 +0,0 @@
-"""
-Tests for BATON-FIX-016: VAPID public key — убедиться, что ключ не вшит
-как пустая строка в frontend-коде и читается через API.
-
-Acceptance criteria:
-1. В frontend-коде нет хардкода пустой строки в качестве VAPID key в -теге.
-2. frontend читает ключ через API /api/vapid-public-key (_fetchVapidPublicKey).
-3. GET /api/vapid-public-key возвращает HTTP 200.
-4. GET /api/vapid-public-key возвращает JSON с полем vapid_public_key.
-5. При наличии конфигурации VAPID_PUBLIC_KEY — ответ содержит непустое значение.
-"""
-from __future__ import annotations
-
-import os
-import re
-from pathlib import Path
-from unittest.mock import patch
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
-
-import pytest
-
-from tests.conftest import make_app_client
-
-PROJECT_ROOT = Path(__file__).parent.parent
-FRONTEND_DIR = PROJECT_ROOT / "frontend"
-INDEX_HTML = FRONTEND_DIR / "index.html"
-APP_JS = FRONTEND_DIR / "app.js"
-
-_TEST_VAPID_PUBLIC_KEY = "BFakeVapidPublicKeyForTestingPurposesOnlyBase64UrlEncoded"
-
-
-# ---------------------------------------------------------------------------
-# Criterion 1 — AST: no hardcoded empty VAPID key in tag (index.html)
-# ---------------------------------------------------------------------------
-
-
-def test_index_html_has_no_vapid_meta_tag_with_empty_content() -> None:
- """index.html не должен содержать -тег с application-server-key и пустым content."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- match = re.search(
- r']*(?:application-server-key|vapid)[^>]*content\s*=\s*["\']["\']',
- content,
- re.IGNORECASE,
- )
- assert match is None, (
- f"index.html содержит -тег с пустым VAPID ключом: {match.group(0)!r}"
- )
-
-
-def test_index_html_has_no_hardcoded_application_server_key_attribute() -> None:
- """index.html не должен содержать атрибут application-server-key вообще."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert "application-server-key" not in content.lower(), (
- "index.html содержит атрибут 'application-server-key' — "
- "VAPID ключ не должен быть вшит в HTML"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 2 — AST: frontend reads key through API (app.js)
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_contains_fetch_vapid_public_key_function() -> None:
- """app.js должен содержать функцию _fetchVapidPublicKey."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "_fetchVapidPublicKey" in content, (
- "app.js не содержит функцию _fetchVapidPublicKey — "
- "чтение VAPID ключа через API не реализовано"
- )
-
-
-def test_app_js_fetch_vapid_calls_api_endpoint() -> None:
- """_fetchVapidPublicKey в app.js должна обращаться к /api/push/public-key (canonical URL)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "/api/push/public-key" in content, (
- "app.js не содержит URL '/api/push/public-key' — VAPID ключ не читается через API"
- )
-
-
-def test_app_js_init_push_subscription_has_null_guard() -> None:
- """_initPushSubscription в app.js должна содержать guard против null ключа."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(r"if\s*\(\s*!\s*vapidPublicKey\s*\)", content), (
- "app.js: _initPushSubscription не содержит guard 'if (!vapidPublicKey)' — "
- "подписка может быть создана без ключа"
- )
-
-
-def test_app_js_init_chains_fetch_vapid_then_init_subscription() -> None:
- """_init() в app.js должна вызывать _fetchVapidPublicKey().then(_initPushSubscription)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(
- r"_fetchVapidPublicKey\(\)\s*\.\s*then\s*\(\s*_initPushSubscription\s*\)",
- content,
- ), (
- "app.js: _init() не содержит цепочку _fetchVapidPublicKey().then(_initPushSubscription)"
- )
-
-
-def test_app_js_has_no_empty_string_hardcoded_as_application_server_key() -> None:
- """app.js не должен содержать хардкода пустой строки для applicationServerKey."""
- content = APP_JS.read_text(encoding="utf-8")
- match = re.search(r"applicationServerKey\s*[=:]\s*[\"']{2}", content)
- assert match is None, (
- f"app.js содержит хардкод пустой строки для applicationServerKey: {match.group(0)!r}"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 3 — HTTP: GET /api/vapid-public-key returns 200
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_vapid_public_key_endpoint_returns_200() -> None:
- """GET /api/vapid-public-key должен вернуть HTTP 200."""
- async with make_app_client() as client:
- response = await client.get("/api/vapid-public-key")
- assert response.status_code == 200, (
- f"GET /api/vapid-public-key вернул {response.status_code}, ожидался 200"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 4 — HTTP: response JSON contains vapid_public_key field
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_vapid_public_key_endpoint_returns_json_with_field() -> None:
- """GET /api/vapid-public-key должен вернуть JSON с полем vapid_public_key."""
- async with make_app_client() as client:
- response = await client.get("/api/vapid-public-key")
- data = response.json()
- assert "vapid_public_key" in data, (
- f"Ответ /api/vapid-public-key не содержит поле 'vapid_public_key': {data!r}"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 5 — HTTP: non-empty vapid_public_key when env var is configured
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_vapid_public_key_endpoint_returns_configured_value() -> None:
- """GET /api/vapid-public-key возвращает непустой ключ, когда VAPID_PUBLIC_KEY задан."""
- with patch("backend.config.VAPID_PUBLIC_KEY", _TEST_VAPID_PUBLIC_KEY):
- async with make_app_client() as client:
- response = await client.get("/api/vapid-public-key")
- data = response.json()
- assert data.get("vapid_public_key") == _TEST_VAPID_PUBLIC_KEY, (
- f"vapid_public_key должен быть '{_TEST_VAPID_PUBLIC_KEY}', "
- f"получили: {data.get('vapid_public_key')!r}"
- )
diff --git a/tests/test_models.py b/tests/test_models.py
index cf9641a..0e55586 100644
--- a/tests/test_models.py
+++ b/tests/test_models.py
@@ -123,16 +123,14 @@ def test_signal_request_no_geo():
assert req.geo is None
-def test_signal_request_without_user_id():
- """user_id is optional (JWT auth sends signals without it)."""
- req = SignalRequest(timestamp=1742478000000)
- assert req.user_id is None
+def test_signal_request_missing_user_id():
+ with pytest.raises(ValidationError):
+ SignalRequest(timestamp=1742478000000) # type: ignore[call-arg]
def test_signal_request_empty_user_id():
- """Empty string user_id is accepted (treated as None at endpoint level)."""
- req = SignalRequest(user_id="", timestamp=1742478000000)
- assert req.user_id == ""
+ with pytest.raises(ValidationError):
+ SignalRequest(user_id="", timestamp=1742478000000)
def test_signal_request_timestamp_zero():
diff --git a/tests/test_signal.py b/tests/test_signal.py
index ca9d547..1ed0fc2 100644
--- a/tests/test_signal.py
+++ b/tests/test_signal.py
@@ -78,14 +78,14 @@ async def test_signal_without_geo_success():
@pytest.mark.asyncio
-async def test_signal_missing_auth_returns_401():
- """Missing Authorization header must return 401."""
+async def test_signal_missing_user_id_returns_422():
+ """Missing user_id field must return 422."""
async with make_app_client() as client:
resp = await client.post(
"/api/signal",
json={"timestamp": 1742478000000},
)
- assert resp.status_code == 401
+ assert resp.status_code == 422
@pytest.mark.asyncio
diff --git a/tests/test_telegram.py b/tests/test_telegram.py
index bd46f51..c55a6a0 100644
--- a/tests/test_telegram.py
+++ b/tests/test_telegram.py
@@ -1,5 +1,5 @@
"""
-Tests for backend/telegram.py: send_message, set_webhook, validate_bot_token.
+Tests for backend/telegram.py: send_message, set_webhook, SignalAggregator.
NOTE: respx routes must be registered INSIDE the 'with mock:' block to be
intercepted properly. Registering them before entering the context does not
@@ -25,6 +25,8 @@ def _safe_aiosqlite_await(self):
aiosqlite.core.Connection.__await__ = _safe_aiosqlite_await # type: ignore[method-assign]
import json
+import os as _os
+import tempfile
from unittest.mock import AsyncMock, patch
import httpx
@@ -32,7 +34,7 @@ import pytest
import respx
from backend import config
-from backend.telegram import send_message, set_webhook, validate_bot_token
+from backend.telegram import SignalAggregator, send_message, set_webhook, validate_bot_token
SEND_URL = f"https://api.telegram.org/bot{config.BOT_TOKEN}/sendMessage"
@@ -184,6 +186,127 @@ async def test_set_webhook_raises_on_non_200():
await set_webhook(url="https://example.com/webhook", secret="s")
+# ---------------------------------------------------------------------------
+# SignalAggregator helpers
+# ---------------------------------------------------------------------------
+
+async def _init_db_with_tmp() -> str:
+ """Init a temp-file DB and return its path."""
+ from backend import config as _cfg, db as _db
+ path = tempfile.mktemp(suffix=".db")
+ _cfg.DB_PATH = path
+ await _db.init_db()
+ return path
+
+
+def _cleanup(path: str) -> None:
+ for ext in ("", "-wal", "-shm"):
+ try:
+ _os.unlink(path + ext)
+ except FileNotFoundError:
+ pass
+
+
+# ---------------------------------------------------------------------------
+# SignalAggregator tests
+# ---------------------------------------------------------------------------
+
+@pytest.mark.asyncio
+async def test_aggregator_single_signal_calls_send_message():
+ """Flushing an aggregator with one signal calls send_message once."""
+ path = await _init_db_with_tmp()
+ try:
+ agg = SignalAggregator(interval=9999)
+ await agg.add_signal(
+ user_uuid="agg-uuid-001",
+ user_name="Alice",
+ timestamp=1742478000000,
+ geo={"lat": 55.0, "lon": 37.0, "accuracy": 10.0},
+ signal_id=1,
+ )
+
+ with respx.mock(assert_all_called=False) as mock:
+ send_route = mock.post(SEND_URL).mock(
+ return_value=httpx.Response(200, json={"ok": True})
+ )
+ with patch("backend.telegram.db.save_telegram_batch", new_callable=AsyncMock):
+ with patch("backend.telegram.asyncio.sleep", new_callable=AsyncMock):
+ await agg.flush()
+
+ assert send_route.call_count == 1
+ finally:
+ _cleanup(path)
+
+
+@pytest.mark.asyncio
+async def test_aggregator_multiple_signals_one_message():
+ """5 signals flushed at once produce exactly one send_message call."""
+ path = await _init_db_with_tmp()
+ try:
+ agg = SignalAggregator(interval=9999)
+ for i in range(5):
+ await agg.add_signal(
+ user_uuid=f"agg-uuid-{i:03d}",
+ user_name=f"User{i}",
+ timestamp=1742478000000 + i * 1000,
+ geo=None,
+ signal_id=i + 1,
+ )
+
+ with respx.mock(assert_all_called=False) as mock:
+ send_route = mock.post(SEND_URL).mock(
+ return_value=httpx.Response(200, json={"ok": True})
+ )
+ with patch("backend.telegram.db.save_telegram_batch", new_callable=AsyncMock):
+ with patch("backend.telegram.asyncio.sleep", new_callable=AsyncMock):
+ await agg.flush()
+
+ assert send_route.call_count == 1
+ finally:
+ _cleanup(path)
+
+
+@pytest.mark.asyncio
+async def test_aggregator_empty_buffer_no_send():
+ """Flushing an empty aggregator must NOT call send_message."""
+ agg = SignalAggregator(interval=9999)
+
+ # No routes registered — if a POST is made it will raise AllMockedAssertionError
+ with respx.mock(assert_all_called=False) as mock:
+ send_route = mock.post(SEND_URL).mock(
+ return_value=httpx.Response(200, json={"ok": True})
+ )
+ await agg.flush()
+
+ assert send_route.call_count == 0
+
+
+@pytest.mark.asyncio
+async def test_aggregator_buffer_cleared_after_flush():
+ """After flush, the aggregator buffer is empty."""
+ path = await _init_db_with_tmp()
+ try:
+ agg = SignalAggregator(interval=9999)
+ await agg.add_signal(
+ user_uuid="agg-uuid-clr",
+ user_name="Test",
+ timestamp=1742478000000,
+ geo=None,
+ signal_id=99,
+ )
+ assert len(agg._buffer) == 1
+
+ with respx.mock(assert_all_called=False) as mock:
+ mock.post(SEND_URL).mock(return_value=httpx.Response(200, json={"ok": True}))
+ with patch("backend.telegram.db.save_telegram_batch", new_callable=AsyncMock):
+ with patch("backend.telegram.asyncio.sleep", new_callable=AsyncMock):
+ await agg.flush()
+
+ assert len(agg._buffer) == 0
+ finally:
+ _cleanup(path)
+
+
# ---------------------------------------------------------------------------
# BATON-007: 400 "chat not found" handling
# ---------------------------------------------------------------------------
@@ -248,3 +371,33 @@ async def test_send_message_all_5xx_retries_exhausted_does_not_raise():
# Must not raise — message is dropped, service stays alive
await send_message("test all retries exhausted")
+
+@pytest.mark.asyncio
+async def test_aggregator_unknown_user_shows_uuid_prefix():
+ """If user_name is None, the message shows first 8 chars of uuid."""
+ path = await _init_db_with_tmp()
+ try:
+ agg = SignalAggregator(interval=9999)
+ test_uuid = "abcdef1234567890"
+ await agg.add_signal(
+ user_uuid=test_uuid,
+ user_name=None,
+ timestamp=1742478000000,
+ geo=None,
+ signal_id=1,
+ )
+
+ sent_texts: list[str] = []
+
+ async def _fake_send(text: str) -> None:
+ sent_texts.append(text)
+
+ with patch("backend.telegram.send_message", side_effect=_fake_send):
+ with patch("backend.telegram.db.save_telegram_batch", new_callable=AsyncMock):
+ with patch("backend.telegram.asyncio.sleep", new_callable=AsyncMock):
+ await agg.flush()
+
+ assert len(sent_texts) == 1
+ assert test_uuid[:8] in sent_texts[0]
+ finally:
+ _cleanup(path)