-
-
-
diff --git a/frontend/style.css b/frontend/style.css
index e07e53a..487a443 100644
--- a/frontend/style.css
+++ b/frontend/style.css
@@ -28,14 +28,14 @@ html, body {
-webkit-tap-highlight-color: transparent;
overscroll-behavior: none;
user-select: none;
- overflow: hidden;
}
body {
display: flex;
flex-direction: column;
- height: 100vh;
- height: 100dvh;
+ min-height: 100vh;
+ /* Use dynamic viewport height on mobile to account for browser chrome */
+ min-height: 100dvh;
}
/* ===== Private mode banner (decision #1041) ===== */
@@ -59,7 +59,6 @@ body {
justify-content: space-between;
align-items: center;
padding: 16px 20px;
- padding-top: calc(env(safe-area-inset-top, 0px) + 16px);
flex-shrink: 0;
}
@@ -149,8 +148,10 @@ body {
/* ===== SOS button (min 60vmin × 60vmin per UX spec) ===== */
.btn-sos {
- width: min(60vmin, 70vw, 300px);
- height: min(60vmin, 70vw, 300px);
+ width: 60vmin;
+ height: 60vmin;
+ min-width: 180px;
+ min-height: 180px;
border-radius: 50%;
border: none;
background: var(--sos);
@@ -197,44 +198,3 @@ body {
.status[hidden] { display: none; }
.status--error { color: #f87171; }
.status--success { color: #4ade80; }
-
-/* ===== Registration form ===== */
-
-/* Override display:flex so [hidden] works on screen-content divs */
-.screen-content[hidden] { display: none; }
-
-.btn-link {
- background: none;
- border: none;
- color: var(--muted);
- font-size: 14px;
- cursor: pointer;
- padding: 4px 0;
- text-decoration: underline;
- text-underline-offset: 2px;
- -webkit-tap-highlight-color: transparent;
-}
-
-.btn-link:active { color: var(--text); }
-
-.reg-status {
- width: 100%;
- max-width: 320px;
- font-size: 14px;
- text-align: center;
- line-height: 1.5;
- padding: 4px 0;
-}
-
-.reg-status[hidden] { display: none; }
-.reg-status--error { color: #f87171; }
-.reg-status--success { color: #4ade80; }
-
-.block-message {
- color: #f87171;
- font-size: 16px;
- text-align: center;
- line-height: 1.6;
- padding: 20px;
- max-width: 320px;
-}
diff --git a/frontend/sw.js b/frontend/sw.js
index 79d89da..e37d2fa 100644
--- a/frontend/sw.js
+++ b/frontend/sw.js
@@ -1,6 +1,6 @@
'use strict';
-const CACHE_NAME = 'baton-v4';
+const CACHE_NAME = 'baton-v1';
// App shell assets to precache
const APP_SHELL = [
diff --git a/nginx/docker.conf b/nginx/docker.conf
deleted file mode 100644
index 54df415..0000000
--- a/nginx/docker.conf
+++ /dev/null
@@ -1,61 +0,0 @@
-map $request_uri $masked_uri {
- default $request_uri;
- "~^(/bot)[^/]+(/.*)$" "$1[REDACTED]$2";
-}
-
-log_format baton_secure '$remote_addr - $remote_user [$time_local] '
- '"$request_method $masked_uri $server_protocol" '
- '$status $body_bytes_sent '
- '"$http_referer" "$http_user_agent"';
-
-server {
- listen 80;
- server_name _;
-
- access_log /var/log/nginx/baton_access.log baton_secure;
- error_log /var/log/nginx/baton_error.log warn;
-
- add_header X-Content-Type-Options nosniff always;
- add_header X-Frame-Options DENY always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
-
- # API + health + admin → backend
- location /api/ {
- proxy_pass http://backend:8000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 30s;
- proxy_send_timeout 30s;
- proxy_connect_timeout 5s;
- }
-
- location /health {
- proxy_pass http://backend:8000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- location /admin/users {
- proxy_pass http://backend:8000;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 30s;
- }
-
- # Frontend static
- location / {
- root /usr/share/nginx/html;
- try_files $uri /index.html;
- expires 1h;
- add_header Cache-Control "public" always;
- add_header X-Content-Type-Options nosniff always;
- add_header X-Frame-Options DENY always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
- }
-}
diff --git a/tests/conftest.py b/tests/conftest.py
index 7f47b12..727bf75 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -22,7 +22,6 @@ os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
# ── 2. aiosqlite monkey-patch ────────────────────────────────────────────────
import aiosqlite
@@ -70,20 +69,14 @@ def temp_db():
# ── 5. App client factory ────────────────────────────────────────────────────
-def make_app_client(capture_send_requests: list | None = None):
+def make_app_client():
"""
Async context manager that:
1. Assigns a fresh temp-file DB path
2. Mocks Telegram setWebhook, sendMessage, answerCallbackQuery, editMessageText
3. Runs the FastAPI lifespan (startup → test → shutdown)
4. Yields an httpx.AsyncClient wired to the app
-
- Args:
- capture_send_requests: if provided, each sendMessage request body (dict) is
- appended to this list, enabling HTTP-level assertions on chat_id, text, etc.
"""
- import json as _json
-
tg_set_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/setWebhook"
send_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/sendMessage"
get_me_url = f"https://api.telegram.org/bot{config.BOT_TOKEN}/getMe"
@@ -102,18 +95,9 @@ def make_app_client(capture_send_requests: list | None = None):
mock_router.post(tg_set_url).mock(
return_value=httpx.Response(200, json={"ok": True, "result": True})
)
- if capture_send_requests is not None:
- def _capture_send(request: httpx.Request) -> httpx.Response:
- try:
- capture_send_requests.append(_json.loads(request.content))
- except Exception:
- pass
- return httpx.Response(200, json={"ok": True})
- mock_router.post(send_url).mock(side_effect=_capture_send)
- else:
- mock_router.post(send_url).mock(
- return_value=httpx.Response(200, json={"ok": True})
- )
+ mock_router.post(send_url).mock(
+ return_value=httpx.Response(200, json={"ok": True})
+ )
mock_router.post(answer_cb_url).mock(
return_value=httpx.Response(200, json={"ok": True})
)
diff --git a/tests/test_arch_002.py b/tests/test_arch_002.py
index 0b5c681..c979b1d 100644
--- a/tests/test_arch_002.py
+++ b/tests/test_arch_002.py
@@ -119,7 +119,7 @@ async def test_signal_message_contains_registered_username():
@pytest.mark.asyncio
async def test_signal_message_without_geo_contains_bez_geolocatsii():
- """When geo is None, message must contain 'Гео нету'."""
+ """When geo is None, message must contain 'Без геолокации'."""
async with make_app_client() as client:
api_key = await _register(client, _UUID_S3, "Bob")
with patch("backend.telegram.send_message", new_callable=AsyncMock) as mock_send:
@@ -129,7 +129,7 @@ async def test_signal_message_without_geo_contains_bez_geolocatsii():
headers={"Authorization": f"Bearer {api_key}"},
)
text = mock_send.call_args[0][0]
- assert "Гео нету" in text
+ assert "Без геолокации" in text
@pytest.mark.asyncio
@@ -168,17 +168,25 @@ async def test_signal_message_contains_utc_marker():
# ---------------------------------------------------------------------------
-# Criterion 3 — SignalAggregator removed (BATON-BIZ-004: dead code cleanup)
+# Criterion 3 — SignalAggregator preserved with '# v2.0 feature' marker (static)
# ---------------------------------------------------------------------------
-def test_signal_aggregator_class_removed_from_telegram():
- """SignalAggregator must be removed from telegram.py (BATON-BIZ-004)."""
+def test_signal_aggregator_class_preserved_in_telegram():
+ """SignalAggregator class must still exist in telegram.py (ADR-004, reserved for v2)."""
source = (_BACKEND_DIR / "telegram.py").read_text()
- assert "class SignalAggregator" not in source
+ assert "class SignalAggregator" in source
-def test_signal_aggregator_not_referenced_in_telegram():
- """telegram.py must not reference SignalAggregator at all (BATON-BIZ-004)."""
- source = (_BACKEND_DIR / "telegram.py").read_text()
- assert "SignalAggregator" not in source
+def test_signal_aggregator_has_v2_feature_comment():
+ """The line immediately before 'class SignalAggregator' must contain '# v2.0 feature'."""
+ lines = (_BACKEND_DIR / "telegram.py").read_text().splitlines()
+ class_line_idx = next(
+ (i for i, line in enumerate(lines) if "class SignalAggregator" in line), None
+ )
+ assert class_line_idx is not None, "class SignalAggregator not found in telegram.py"
+ assert class_line_idx > 0, "SignalAggregator is on the first line — no preceding comment line"
+ preceding_line = lines[class_line_idx - 1]
+ assert "# v2.0 feature" in preceding_line, (
+ f"Expected '# v2.0 feature' on line before class SignalAggregator, got: {preceding_line!r}"
+ )
diff --git a/tests/test_arch_009.py b/tests/test_arch_009.py
index 01ba1c4..9457374 100644
--- a/tests/test_arch_009.py
+++ b/tests/test_arch_009.py
@@ -222,9 +222,9 @@ def test_html_loads_app_js() -> None:
assert "/app.js" in _html()
-def test_html_has_login_input() -> None:
- """index.html must have login input field for onboarding."""
- assert 'id="login-input"' in _html()
+def test_html_has_name_input() -> None:
+ """index.html must have name input field for onboarding."""
+ assert 'id="name-input"' in _html()
# ---------------------------------------------------------------------------
@@ -316,19 +316,31 @@ def _app_js() -> str:
return (FRONTEND / "app.js").read_text(encoding="utf-8")
-def test_app_posts_to_auth_login() -> None:
- """app.js must send POST to /api/auth/login during login."""
- assert "/api/auth/login" in _app_js()
+def test_app_uses_crypto_random_uuid() -> None:
+ """app.js must generate UUID via crypto.randomUUID()."""
+ assert "crypto.randomUUID()" in _app_js()
-def test_app_posts_to_auth_register() -> None:
- """app.js must send POST to /api/auth/register during registration."""
- assert "/api/auth/register" in _app_js()
+def test_app_posts_to_api_register() -> None:
+ """app.js must send POST to /api/register during onboarding."""
+ assert "/api/register" in _app_js()
-def test_app_stores_auth_token() -> None:
- """app.js must persist JWT token to storage."""
- assert "baton_auth_token" in _app_js()
+def test_app_register_sends_uuid() -> None:
+ """app.js must include uuid in the /api/register request body."""
+ app = _app_js()
+ # The register call must include uuid in the payload
+ register_section = re.search(
+ r"_apiPost\(['\"]\/api\/register['\"].*?\)", app, re.DOTALL
+ )
+ assert register_section, "No _apiPost('/api/register') call found"
+ assert "uuid" in register_section.group(0), \
+ "uuid not included in /api/register call"
+
+
+def test_app_uuid_saved_to_storage() -> None:
+ """app.js must persist UUID to storage (baton_user_id key)."""
+ assert "baton_user_id" in _app_js()
assert "setItem" in _app_js()
@@ -422,14 +434,16 @@ def test_app_posts_to_api_signal() -> None:
assert "/api/signal" in _app_js()
-def test_app_signal_sends_auth_header() -> None:
- """app.js must include Authorization Bearer header in /api/signal request."""
+def test_app_signal_sends_user_id() -> None:
+ """app.js must include user_id (UUID) in the /api/signal request body."""
app = _app_js()
+ # The signal body may be built in a variable before passing to _apiPost
+ # Look for user_id key in the context around /api/signal
signal_area = re.search(
- r"_apiPost\(['\"]\/api\/signal['\"].*Authorization.*Bearer", app, re.DOTALL
+ r"user_id.*?_apiPost\(['\"]\/api\/signal", app, re.DOTALL
)
assert signal_area, \
- "Authorization Bearer header must be set in _apiPost('/api/signal') call"
+ "user_id must be set in the request body before calling _apiPost('/api/signal')"
def test_app_sos_button_click_calls_handle_signal() -> None:
@@ -442,15 +456,15 @@ def test_app_sos_button_click_calls_handle_signal() -> None:
"btn-sos must be connected to _handleSignal"
-def test_app_signal_uses_token_from_storage() -> None:
- """app.js must retrieve auth token from storage before sending signal."""
+def test_app_signal_uses_uuid_from_storage() -> None:
+ """app.js must retrieve UUID from storage (_getOrCreateUserId) before sending signal."""
app = _app_js()
handle_signal = re.search(
r"async function _handleSignal\(\).*?^}", app, re.MULTILINE | re.DOTALL
)
assert handle_signal, "_handleSignal function not found"
- assert "_getAuthToken" in handle_signal.group(0), \
- "_handleSignal must call _getAuthToken() to get JWT token"
+ assert "_getOrCreateUserId" in handle_signal.group(0), \
+ "_handleSignal must call _getOrCreateUserId() to get UUID"
# ---------------------------------------------------------------------------
diff --git a/tests/test_baton_007.py b/tests/test_baton_007.py
index 2be7818..8738d53 100644
--- a/tests/test_baton_007.py
+++ b/tests/test_baton_007.py
@@ -140,7 +140,7 @@ async def test_signal_with_geo_send_message_contains_coordinates():
@pytest.mark.asyncio
async def test_signal_without_geo_send_message_contains_no_geo_label():
- """Criterion 1: when geo is null, Telegram message contains 'Гео нету'."""
+ """Criterion 1: when geo is null, Telegram message contains 'Без геолокации'."""
sent_texts: list[str] = []
async def _capture(text: str) -> None:
@@ -158,8 +158,8 @@ async def test_signal_without_geo_send_message_contains_no_geo_label():
await asyncio.sleep(0)
assert len(sent_texts) == 1
- assert "Гео нету" in sent_texts[0], (
- f"Expected 'Гео нету' in message, got: {sent_texts[0]!r}"
+ assert "Без геолокации" in sent_texts[0], (
+ f"Expected 'Без геолокации' in message, got: {sent_texts[0]!r}"
)
diff --git a/tests/test_baton_008.py b/tests/test_baton_008.py
index cc597a6..0a6a678 100644
--- a/tests/test_baton_008.py
+++ b/tests/test_baton_008.py
@@ -21,7 +21,6 @@ os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
from unittest.mock import AsyncMock, patch
@@ -33,7 +32,7 @@ _WEBHOOK_SECRET = "test-webhook-secret"
_WEBHOOK_HEADERS = {"X-Telegram-Bot-Api-Secret-Token": _WEBHOOK_SECRET}
_VALID_PAYLOAD = {
- "email": "user@tutlot.com",
+ "email": "user@example.com",
"login": "testuser",
"password": "strongpassword123",
}
@@ -68,7 +67,7 @@ async def test_auth_register_fire_and_forget_telegram_error_still_returns_201():
):
resp = await client.post(
"/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "other@tutlot.com", "login": "otheruser"},
+ json={**_VALID_PAYLOAD, "email": "other@example.com", "login": "otheruser"},
)
await asyncio.sleep(0)
@@ -106,7 +105,7 @@ async def test_auth_register_409_on_duplicate_login():
r2 = await client.post(
"/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "different@tutlot.com"},
+ json={**_VALID_PAYLOAD, "email": "different@example.com"},
)
assert r2.status_code == 409, f"Expected 409 on duplicate login, got {r2.status_code}"
@@ -168,23 +167,20 @@ async def test_auth_register_422_short_password():
@pytest.mark.asyncio
async def test_auth_register_sends_notification_to_admin():
- """Registration triggers real HTTP sendMessage to ADMIN_CHAT_ID with correct login/email."""
- from backend import config as _cfg
+ """Registration triggers send_registration_notification with correct data."""
+ calls: list[dict] = []
- captured: list[dict] = []
- async with make_app_client(capture_send_requests=captured) as client:
- resp = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert resp.status_code == 201
- await asyncio.sleep(0)
+ async def _capture(reg_id, login, email, created_at):
+ calls.append({"reg_id": reg_id, "login": login, "email": email})
- admin_chat_id = str(_cfg.ADMIN_CHAT_ID)
- admin_msgs = [r for r in captured if str(r.get("chat_id")) == admin_chat_id]
- assert len(admin_msgs) >= 1, (
- f"Expected sendMessage to ADMIN_CHAT_ID={admin_chat_id!r}, captured: {captured}"
- )
- text = admin_msgs[0].get("text", "")
- assert _VALID_PAYLOAD["login"] in text, f"Expected login in text: {text!r}"
- assert _VALID_PAYLOAD["email"] in text, f"Expected email in text: {text!r}"
+ async with make_app_client() as client:
+ with patch("backend.telegram.send_registration_notification", side_effect=_capture):
+ await client.post("/api/auth/register", json=_VALID_PAYLOAD)
+ await asyncio.sleep(0)
+
+ assert len(calls) == 1, f"Expected 1 notification call, got {len(calls)}"
+ assert calls[0]["login"] == _VALID_PAYLOAD["login"]
+ assert calls[0]["email"] == _VALID_PAYLOAD["email"]
# ---------------------------------------------------------------------------
@@ -365,7 +361,7 @@ async def test_register_without_push_subscription():
with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
resp = await client.post(
"/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "nopush@tutlot.com", "login": "nopushuser"},
+ json={**_VALID_PAYLOAD, "email": "nopush@example.com", "login": "nopushuser"},
)
assert resp.status_code == 201
assert resp.json()["status"] == "pending"
@@ -424,7 +420,7 @@ async def test_webhook_callback_approve_edits_message():
with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
reg_resp = await client.post(
"/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "edit@tutlot.com", "login": "edituser"},
+ json={**_VALID_PAYLOAD, "email": "edit@example.com", "login": "edituser"},
)
assert reg_resp.status_code == 201
@@ -469,7 +465,7 @@ async def test_webhook_callback_answer_sent():
with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
reg_resp = await client.post(
"/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "answer@tutlot.com", "login": "answeruser"},
+ json={**_VALID_PAYLOAD, "email": "answer@example.com", "login": "answeruser"},
)
assert reg_resp.status_code == 201
@@ -562,7 +558,7 @@ async def test_password_hash_stored_in_pbkdf2_format():
with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
await client.post(
"/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "pbkdf2@tutlot.com", "login": "pbkdf2user"},
+ json={**_VALID_PAYLOAD, "email": "pbkdf2@example.com", "login": "pbkdf2user"},
)
async with aiosqlite.connect(_cfg.DB_PATH) as conn:
@@ -583,306 +579,3 @@ async def test_password_hash_stored_in_pbkdf2_format():
assert len(dk_hex) == 64, f"Expected 64-char dk hex (SHA-256), got {len(dk_hex)}"
int(salt_hex, 16) # raises ValueError if not valid hex
int(dk_hex, 16)
-
-
-# ---------------------------------------------------------------------------
-# 15. State machine — повторное нажатие approve на уже approved
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_double_approve_does_not_send_push():
- """Second approve on already-approved registration must NOT fire push."""
- push_sub = {
- "endpoint": "https://fcm.googleapis.com/fcm/send/test2",
- "keys": {"p256dh": "BQDEF", "auth": "abc"},
- }
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "double@tutlot.com", "login": "doubleuser", "push_subscription": push_sub},
- )
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- cb_payload = {
- "callback_query": {
- "id": "cq_d1",
- "data": f"approve:{reg_id}",
- "message": {"message_id": 60, "chat": {"id": 5694335584}},
- }
- }
-
- # First approve — should succeed
- await client.post("/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- # Second approve — push must NOT be fired
- push_calls: list = []
-
- async def _capture_push(sub_json, title, body):
- push_calls.append(sub_json)
-
- cb_payload2 = {**cb_payload, "callback_query": {**cb_payload["callback_query"], "id": "cq_d2"}}
- with patch("backend.push.send_push", side_effect=_capture_push):
- await client.post("/api/webhook/telegram", json=cb_payload2, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- assert len(push_calls) == 0, f"Second approve must not fire push, got {len(push_calls)} calls"
-
- # Also verify status is still 'approved'
- from backend import db as _db
- # Can't check here as client context is closed; DB assertion was covered by state machine logic
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_double_approve_status_stays_approved():
- """Status remains 'approved' after a second approve callback."""
- from backend import db as _db
-
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "stay@tutlot.com", "login": "stayuser"},
- )
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- cb = {
- "callback_query": {
- "id": "cq_s1",
- "data": f"approve:{reg_id}",
- "message": {"message_id": 70, "chat": {"id": 5694335584}},
- }
- }
- await client.post("/api/webhook/telegram", json=cb, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- cb2 = {**cb, "callback_query": {**cb["callback_query"], "id": "cq_s2"}}
- await client.post("/api/webhook/telegram", json=cb2, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- reg = await _db.get_registration(reg_id)
- assert reg["status"] == "approved", f"Expected 'approved', got {reg['status']!r}"
-
-
-# ---------------------------------------------------------------------------
-# 16. State machine — approve после reject
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_approve_after_reject_status_stays_rejected():
- """Approve after reject must NOT change status — remains 'rejected'."""
- from backend import db as _db
-
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- reg_resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "artest@tutlot.com", "login": "artestuser"},
- )
- assert reg_resp.status_code == 201
-
- from backend import config as _cfg
- import aiosqlite
- async with aiosqlite.connect(_cfg.DB_PATH) as conn:
- conn.row_factory = aiosqlite.Row
- async with conn.execute("SELECT id FROM registrations LIMIT 1") as cur:
- row = await cur.fetchone()
- reg_id = row["id"] if row else None
- assert reg_id is not None
-
- # First: reject
- rej_cb = {
- "callback_query": {
- "id": "cq_ar1",
- "data": f"reject:{reg_id}",
- "message": {"message_id": 80, "chat": {"id": 5694335584}},
- }
- }
- await client.post("/api/webhook/telegram", json=rej_cb, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- # Then: approve — must be ignored
- push_calls: list = []
-
- async def _capture_push(sub_json, title, body):
- push_calls.append(sub_json)
-
- app_cb = {
- "callback_query": {
- "id": "cq_ar2",
- "data": f"approve:{reg_id}",
- "message": {"message_id": 81, "chat": {"id": 5694335584}},
- }
- }
- with patch("backend.push.send_push", side_effect=_capture_push):
- await client.post("/api/webhook/telegram", json=app_cb, headers=_WEBHOOK_HEADERS)
- await asyncio.sleep(0)
-
- reg = await _db.get_registration(reg_id)
- assert reg["status"] == "rejected", f"Expected 'rejected', got {reg['status']!r}"
-
- assert len(push_calls) == 0, f"Approve after reject must not fire push, got {len(push_calls)}"
-
-
-# ---------------------------------------------------------------------------
-# 17. Rate limiting — 4th request returns 429
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_rate_limit_fourth_request_returns_429():
- """4th registration request from same IP within the window returns 429."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- for i in range(3):
- r = await client.post(
- "/api/auth/register",
- json={
- "email": f"ratetest{i}@tutlot.com",
- "login": f"ratetest{i}",
- "password": "strongpassword123",
- },
- )
- assert r.status_code == 201, f"Request {i+1} should succeed, got {r.status_code}"
-
- # 4th request — must be rate-limited
- r4 = await client.post(
- "/api/auth/register",
- json={
- "email": "ratetest4@tutlot.com",
- "login": "ratetest4",
- "password": "strongpassword123",
- },
- )
-
- assert r4.status_code == 429, f"Expected 429 on 4th request, got {r4.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 18. VAPID public key endpoint /api/push/public-key
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_vapid_public_key_new_endpoint_returns_200():
- """GET /api/push/public-key returns 200 with vapid_public_key field."""
- async with make_app_client() as client:
- resp = await client.get("/api/push/public-key")
-
- assert resp.status_code == 200, f"Expected 200, got {resp.status_code}: {resp.text}"
- body = resp.json()
- assert "vapid_public_key" in body, f"Expected 'vapid_public_key' in response, got {body}"
-
-
-# ---------------------------------------------------------------------------
-# 19. Password max length — 129 chars → 422
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_422_password_too_long():
- """Password of 129 characters returns 422."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "password": "a" * 129},
- )
- assert resp.status_code == 422, f"Expected 422 on 129-char password, got {resp.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 20. Login max length — 31 chars → 422
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_422_login_too_long():
- """Login of 31 characters returns 422."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "login": "a" * 31},
- )
- assert resp.status_code == 422, f"Expected 422 on 31-char login, got {resp.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 21. Empty body — POST /api/auth/register with {} → 422
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_auth_register_422_empty_body():
- """Empty JSON body returns 422."""
- async with make_app_client() as client:
- resp = await client.post("/api/auth/register", json={})
- assert resp.status_code == 422, f"Expected 422 on empty body, got {resp.status_code}"
-
-
-# ---------------------------------------------------------------------------
-# 22. Malformed callback_data — no colon → ok:True without crash
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_malformed_data_no_colon_returns_ok():
- """callback_query with data='garbage' (no colon) returns ok:True gracefully."""
- async with make_app_client() as client:
- cb_payload = {
- "callback_query": {
- "id": "cq_mal1",
- "data": "garbage",
- "message": {"message_id": 90, "chat": {"id": 5694335584}},
- }
- }
- resp = await client.post(
- "/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS
- )
-
- assert resp.status_code == 200, f"Expected 200, got {resp.status_code}"
- assert resp.json() == {"ok": True}, f"Expected ok:True, got {resp.json()}"
-
-
-# ---------------------------------------------------------------------------
-# 23. Non-numeric reg_id — data='approve:abc' → ok:True without crash
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_webhook_callback_non_numeric_reg_id_returns_ok():
- """callback_query with data='approve:abc' (non-numeric reg_id) returns ok:True."""
- async with make_app_client() as client:
- cb_payload = {
- "callback_query": {
- "id": "cq_nan1",
- "data": "approve:abc",
- "message": {"message_id": 91, "chat": {"id": 5694335584}},
- }
- }
- resp = await client.post(
- "/api/webhook/telegram", json=cb_payload, headers=_WEBHOOK_HEADERS
- )
-
- assert resp.status_code == 200, f"Expected 200, got {resp.status_code}"
- assert resp.json() == {"ok": True}, f"Expected ok:True, got {resp.json()}"
diff --git a/tests/test_baton_008_frontend.py b/tests/test_baton_008_frontend.py
deleted file mode 100644
index 5b8eeb2..0000000
--- a/tests/test_baton_008_frontend.py
+++ /dev/null
@@ -1,439 +0,0 @@
-"""
-Tests for BATON-008: Frontend registration module.
-
-Acceptance criteria:
-1. index.html — форма регистрации с полями email, login, password присутствует
-2. index.html — НЕТ захардкоженных VAPID-ключей в HTML-атрибутах (decision #1333)
-3. app.js — вызов /api/push/public-key (не старый /api/vapid-public-key) (decision #1331)
-4. app.js — guard для PushManager (decision #1332)
-5. app.js — обработчик для кнопки регистрации (#btn-register → _handleSignUp)
-6. app.js — переключение между view-login и view-register
-7. app.js — показ ошибок пользователю (_setRegStatus)
-8. GET /api/push/public-key → 200 с vapid_public_key (API контракт)
-9. POST /api/auth/register с валидными данными → 201 (API контракт)
-10. POST /api/auth/register с дублирующим email → 409
-11. POST /api/auth/register с дублирующим login → 409
-12. POST /api/auth/register с невалидным email → 422
-"""
-from __future__ import annotations
-
-import re
-from pathlib import Path
-from unittest.mock import AsyncMock, patch
-
-import pytest
-
-PROJECT_ROOT = Path(__file__).parent.parent
-INDEX_HTML = PROJECT_ROOT / "frontend" / "index.html"
-APP_JS = PROJECT_ROOT / "frontend" / "app.js"
-
-from tests.conftest import make_app_client
-
-_VALID_PAYLOAD = {
- "email": "frontend_test@tutlot.com",
- "login": "frontenduser",
- "password": "strongpassword123",
-}
-
-
-# ---------------------------------------------------------------------------
-# HTML static analysis — Criterion 1: поля формы регистрации
-# ---------------------------------------------------------------------------
-
-
-def test_index_html_has_email_field() -> None:
- """index.html должен содержать поле email для регистрации (id=reg-email)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="reg-email"' in content, (
- "index.html не содержит поле с id='reg-email'"
- )
-
-
-def test_index_html_has_login_field() -> None:
- """index.html должен содержать поле логина для регистрации (id=reg-login)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="reg-login"' in content, (
- "index.html не содержит поле с id='reg-login'"
- )
-
-
-def test_index_html_has_password_field() -> None:
- """index.html должен содержать поле пароля для регистрации (id=reg-password)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="reg-password"' in content, (
- "index.html не содержит поле с id='reg-password'"
- )
-
-
-def test_index_html_email_field_has_correct_type() -> None:
- """Поле email регистрации должно иметь type='email'."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- # Ищем input с id=reg-email и type=email в любом порядке атрибутов
- email_input_block = re.search(
- r'
]*id="reg-email"[^>]*>', content, re.DOTALL
- )
- assert email_input_block is not None, "Не найден input с id='reg-email'"
- assert 'type="email"' in email_input_block.group(0), (
- "Поле reg-email не имеет type='email'"
- )
-
-
-def test_index_html_password_field_has_correct_type() -> None:
- """Поле пароля регистрации должно иметь type='password'."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- password_input_block = re.search(
- r']*id="reg-password"[^>]*>', content, re.DOTALL
- )
- assert password_input_block is not None, "Не найден input с id='reg-password'"
- assert 'type="password"' in password_input_block.group(0), (
- "Поле reg-password не имеет type='password'"
- )
-
-
-def test_index_html_has_register_button() -> None:
- """index.html должен содержать кнопку регистрации (id=btn-register)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="btn-register"' in content, (
- "index.html не содержит кнопку с id='btn-register'"
- )
-
-
-def test_index_html_has_switch_to_register_button() -> None:
- """index.html должен содержать кнопку переключения на форму регистрации (id=btn-switch-to-register)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="btn-switch-to-register"' in content, (
- "index.html не содержит кнопку с id='btn-switch-to-register'"
- )
-
-
-def test_index_html_has_view_register_div() -> None:
- """index.html должен содержать блок view-register для формы регистрации."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="view-register"' in content, (
- "index.html не содержит блок с id='view-register'"
- )
-
-
-def test_index_html_has_view_login_div() -> None:
- """index.html должен содержать блок view-login для онбординга."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="view-login"' in content, (
- "index.html не содержит блок с id='view-login'"
- )
-
-
-def test_index_html_has_reg_status_element() -> None:
- """index.html должен содержать элемент статуса регистрации (id=reg-status)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert 'id="reg-status"' in content, (
- "index.html не содержит элемент с id='reg-status'"
- )
-
-
-# ---------------------------------------------------------------------------
-# HTML static analysis — Criterion 2: НЕТ захардкоженного VAPID в HTML (decision #1333)
-# ---------------------------------------------------------------------------
-
-
-def test_index_html_no_hardcoded_vapid_key_in_meta() -> None:
- """index.html НЕ должен содержать VAPID-ключ захардкоженным в meta-теге (decision #1333)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- # VAPID public key — это URL-safe base64 строка длиной 87 символов (без padding)
- # Ищем характерный паттерн в meta-атрибутах
- vapid_in_meta = re.search(
- r']+content\s*=\s*["\'][A-Za-z0-9_\-]{60,}["\'][^>]*>',
- content,
- )
- assert vapid_in_meta is None, (
- f"Найден meta-тег с длинной строкой (возможный VAPID-ключ): "
- f"{vapid_in_meta.group(0) if vapid_in_meta else ''}"
- )
-
-
-def test_index_html_no_vapid_key_attribute_pattern() -> None:
- """index.html НЕ должен содержать data-vapid-key или аналогичные атрибуты."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert "vapid" not in content.lower(), (
- "index.html содержит упоминание 'vapid' — VAPID ключ должен читаться через API, "
- "а не быть захардкожен в HTML (decision #1333)"
- )
-
-
-# ---------------------------------------------------------------------------
-# app.js static analysis — Criterion 3: /api/push/public-key endpoint (decision #1331)
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_uses_new_vapid_endpoint() -> None:
- """app.js должен обращаться к /api/push/public-key (decision #1331)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "/api/push/public-key" in content, (
- "app.js не содержит endpoint '/api/push/public-key'"
- )
-
-
-def test_app_js_does_not_use_old_vapid_endpoint() -> None:
- """app.js НЕ должен использовать устаревший /api/vapid-public-key (decision #1331)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "/api/vapid-public-key" not in content, (
- "app.js содержит устаревший endpoint '/api/vapid-public-key' — "
- "нарушение decision #1331, должен использоваться '/api/push/public-key'"
- )
-
-
-# ---------------------------------------------------------------------------
-# app.js static analysis — Criterion 4: PushManager guard (decision #1332)
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_has_push_manager_guard_in_registration_flow() -> None:
- """app.js должен содержать guard 'PushManager' in window (decision #1332)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "'PushManager' in window" in content, (
- "app.js не содержит guard \"'PushManager' in window\" — "
- "нарушение decision #1332"
- )
-
-
-def test_app_js_push_manager_guard_combined_with_service_worker_check() -> None:
- """Guard PushManager должен сочетаться с проверкой serviceWorker."""
- content = APP_JS.read_text(encoding="utf-8")
- # Ищем паттерн совместной проверки serviceWorker + PushManager
- assert re.search(
- r"serviceWorker.*PushManager|PushManager.*serviceWorker",
- content,
- re.DOTALL,
- ), (
- "app.js не содержит совместной проверки 'serviceWorker' и 'PushManager' — "
- "guard неполный (decision #1332)"
- )
-
-
-# ---------------------------------------------------------------------------
-# app.js static analysis — Criterion 5: обработчик кнопки регистрации
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_has_handle_sign_up_function() -> None:
- """app.js должен содержать функцию _handleSignUp."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "_handleSignUp" in content, (
- "app.js не содержит функцию '_handleSignUp'"
- )
-
-
-def test_app_js_registers_click_handler_for_btn_register() -> None:
- """app.js должен добавлять click-обработчик на btn-register → _handleSignUp."""
- content = APP_JS.read_text(encoding="utf-8")
- # Ищем addEventListener на элементе btn-register с вызовом _handleSignUp
- assert re.search(
- r'btn-register.*addEventListener|addEventListener.*btn-register',
- content,
- re.DOTALL,
- ), (
- "app.js не содержит addEventListener для кнопки 'btn-register'"
- )
- # Проверяем что именно _handleSignUp привязан к кнопке
- assert re.search(
- r'btn[Rr]egister.*_handleSignUp|_handleSignUp.*btn[Rr]egister',
- content,
- re.DOTALL,
- ), (
- "app.js не связывает кнопку 'btn-register' с функцией '_handleSignUp'"
- )
-
-
-# ---------------------------------------------------------------------------
-# app.js static analysis — Criterion 6: переключение view-login / view-register
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_has_show_view_function() -> None:
- """app.js должен содержать функцию _showView для переключения видов."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "_showView" in content, (
- "app.js не содержит функцию '_showView'"
- )
-
-
-def test_app_js_show_view_handles_view_login() -> None:
- """_showView в app.js должна обрабатывать view-login."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "view-login" in content, (
- "app.js не содержит id 'view-login' — нет переключения на вид логина"
- )
-
-
-def test_app_js_show_view_handles_view_register() -> None:
- """_showView в app.js должна обрабатывать view-register."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "view-register" in content, (
- "app.js не содержит id 'view-register' — нет переключения на вид регистрации"
- )
-
-
-def test_app_js_has_btn_switch_to_register_handler() -> None:
- """app.js должен содержать обработчик для btn-switch-to-register."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "btn-switch-to-register" in content, (
- "app.js не содержит ссылку на 'btn-switch-to-register'"
- )
-
-
-def test_app_js_has_btn_switch_to_login_handler() -> None:
- """app.js должен содержать обработчик для btn-switch-to-login (назад)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "btn-switch-to-login" in content, (
- "app.js не содержит ссылку на 'btn-switch-to-login'"
- )
-
-
-# ---------------------------------------------------------------------------
-# app.js static analysis — Criterion 7: обработка ошибок / показ сообщения пользователю
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_has_set_reg_status_function() -> None:
- """app.js должен содержать _setRegStatus для показа статуса в форме регистрации."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "_setRegStatus" in content, (
- "app.js не содержит функцию '_setRegStatus'"
- )
-
-
-def test_app_js_handle_sign_up_shows_error_on_empty_fields() -> None:
- """_handleSignUp должна вызывать _setRegStatus с ошибкой при пустых полях."""
- content = APP_JS.read_text(encoding="utf-8")
- # Проверяем наличие валидации пустых полей внутри _handleSignUp-подобного блока
- assert re.search(
- r"_setRegStatus\s*\([^)]*error",
- content,
- ), (
- "app.js не содержит вызов _setRegStatus с классом 'error' "
- "— ошибки не отображаются пользователю"
- )
-
-
-def test_app_js_handle_sign_up_shows_success_on_ok() -> None:
- """_handleSignUp должна вызывать _setRegStatus с success при успешной регистрации."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(
- r"_setRegStatus\s*\([^)]*success",
- content,
- ), (
- "app.js не содержит вызов _setRegStatus с классом 'success' "
- "— пользователь не уведомляется об успехе регистрации"
- )
-
-
-def test_app_js_clears_password_after_successful_signup() -> None:
- """_handleSignUp должна очищать поле пароля после успешной отправки."""
- content = APP_JS.read_text(encoding="utf-8")
- # Ищем сброс значения пароля
- assert re.search(
- r"passwordInput\.value\s*=\s*['\"][\s]*['\"]",
- content,
- ), (
- "app.js не очищает поле пароля после успешной регистрации — "
- "пароль остаётся в DOM (security concern)"
- )
-
-
-def test_app_js_uses_api_auth_register_endpoint() -> None:
- """app.js должен отправлять форму на /api/auth/register."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "/api/auth/register" in content, (
- "app.js не содержит endpoint '/api/auth/register'"
- )
-
-
-# ---------------------------------------------------------------------------
-# Integration tests — API контракты (Criteria 8–12)
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_vapid_public_key_endpoint_returns_200_with_key():
- """GET /api/push/public-key → 200 с полем vapid_public_key."""
- async with make_app_client() as client:
- resp = await client.get("/api/push/public-key")
-
- assert resp.status_code == 200, (
- f"GET /api/push/public-key вернул {resp.status_code}, ожидался 200"
- )
- body = resp.json()
- assert "vapid_public_key" in body, (
- f"Ответ /api/push/public-key не содержит 'vapid_public_key': {body}"
- )
- assert isinstance(body["vapid_public_key"], str), (
- "vapid_public_key должен быть строкой"
- )
-
-
-@pytest.mark.asyncio
-async def test_register_valid_payload_returns_201_pending():
- """POST /api/auth/register с валидными данными → 201 status=pending."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- resp = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
-
- assert resp.status_code == 201, (
- f"POST /api/auth/register вернул {resp.status_code}: {resp.text}"
- )
- body = resp.json()
- assert body.get("status") == "pending", (
- f"Ожидался status='pending', получено: {body}"
- )
- assert "message" in body, (
- f"Ответ не содержит поле 'message': {body}"
- )
-
-
-@pytest.mark.asyncio
-async def test_register_duplicate_email_returns_409():
- """POST /api/auth/register с дублирующим email → 409."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- r1 = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert r1.status_code == 201, f"Первая регистрация не прошла: {r1.text}"
-
- r2 = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "login": "anotherlogin"},
- )
-
- assert r2.status_code == 409, (
- f"Дублирующий email должен вернуть 409, получено {r2.status_code}"
- )
-
-
-@pytest.mark.asyncio
-async def test_register_duplicate_login_returns_409():
- """POST /api/auth/register с дублирующим login → 409."""
- async with make_app_client() as client:
- with patch("backend.telegram.send_registration_notification", new_callable=AsyncMock):
- r1 = await client.post("/api/auth/register", json=_VALID_PAYLOAD)
- assert r1.status_code == 201, f"Первая регистрация не прошла: {r1.text}"
-
- r2 = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "another@tutlot.com"},
- )
-
- assert r2.status_code == 409, (
- f"Дублирующий login должен вернуть 409, получено {r2.status_code}"
- )
-
-
-@pytest.mark.asyncio
-async def test_register_invalid_email_returns_422():
- """POST /api/auth/register с невалидным email → 422."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/register",
- json={**_VALID_PAYLOAD, "email": "not-an-email"},
- )
-
- assert resp.status_code == 422, (
- f"Невалидный email должен вернуть 422, получено {resp.status_code}"
- )
diff --git a/tests/test_biz_001.py b/tests/test_biz_001.py
deleted file mode 100644
index b48d176..0000000
--- a/tests/test_biz_001.py
+++ /dev/null
@@ -1,338 +0,0 @@
-"""
-Tests for BATON-BIZ-001: Login mechanism for approved users (dual-layer: AST + httpx functional).
-
-Acceptance criteria:
-1. Успешный login по login-полю → 200 + token
-2. Успешный login по email-полю → 200 + token
-3. Неверный пароль → 401 (без раскрытия причины)
-4. Статус pending → 403 с читаемым сообщением
-5. Статус rejected → 403 с читаемым сообщением
-6. Rate limit — 6-й запрос подряд → 429
-7. Guard middleware возвращает 401 без токена
-8. Guard middleware пропускает валидный токен
-
-Additional: error message uniformity, PBKDF2 verification.
-"""
-from __future__ import annotations
-
-import os
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
-
-import pytest
-from fastapi import HTTPException
-from fastapi.security import HTTPAuthorizationCredentials
-
-from backend import db
-from backend.middleware import create_auth_token, verify_auth_token
-from tests.conftest import make_app_client
-
-
-# ---------------------------------------------------------------------------
-# Helpers
-# ---------------------------------------------------------------------------
-
-async def _register_auth(client, email: str, login: str, password: str) -> int:
- """Register via /api/auth/register, return registration id."""
- resp = await client.post(
- "/api/auth/register",
- json={"email": email, "login": login, "password": password},
- )
- assert resp.status_code == 201, f"auth/register failed: {resp.text}"
- reg = await db.get_registration_by_login_or_email(login)
- assert reg is not None
- return reg["id"]
-
-
-async def _approve(reg_id: int) -> None:
- await db.update_registration_status(reg_id, "approved")
-
-
-async def _reject(reg_id: int) -> None:
- await db.update_registration_status(reg_id, "rejected")
-
-
-# ---------------------------------------------------------------------------
-# Criterion 1 — Успешный login по login-полю
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_login_by_login_field_returns_200_with_token():
- """Approved user can login using their login field → 200 + token."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "alice@tutlot.com", "alice", "password123")
- await _approve(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "alice", "password": "password123"},
- )
- assert resp.status_code == 200
- data = resp.json()
- assert "token" in data
- assert data["login"] == "alice"
-
-
-@pytest.mark.asyncio
-async def test_login_by_login_field_token_is_non_empty_string():
- """Token returned for approved login user is a non-empty string."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "alice2@tutlot.com", "alice2", "password123")
- await _approve(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "alice2", "password": "password123"},
- )
- assert isinstance(resp.json()["token"], str)
- assert len(resp.json()["token"]) > 0
-
-
-# ---------------------------------------------------------------------------
-# Criterion 2 — Успешный login по email-полю
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_login_by_email_field_returns_200_with_token():
- """Approved user can login using their email field → 200 + token."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "bob@tutlot.com", "bobuser", "securepass1")
- await _approve(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "bob@tutlot.com", "password": "securepass1"},
- )
- assert resp.status_code == 200
- data = resp.json()
- assert "token" in data
- assert data["login"] == "bobuser"
-
-
-@pytest.mark.asyncio
-async def test_login_by_email_field_token_login_matches_registration():
- """Token response login field matches the login set during registration."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "bob2@tutlot.com", "bob2user", "securepass1")
- await _approve(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "bob2@tutlot.com", "password": "securepass1"},
- )
- assert resp.json()["login"] == "bob2user"
-
-
-# ---------------------------------------------------------------------------
-# Criterion 3 — Неверный пароль → 401 без раскрытия причины
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_wrong_password_returns_401():
- """Wrong password returns 401 with generic message (no detail about which field failed)."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "carol@tutlot.com", "carol", "correctpass1")
- await _approve(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "carol", "password": "wrongpassword"},
- )
- assert resp.status_code == 401
- assert "Неверный логин или пароль" in resp.json()["detail"]
-
-
-@pytest.mark.asyncio
-async def test_nonexistent_user_returns_401_same_message_as_wrong_password():
- """Non-existent login returns same 401 message as wrong password (prevents user enumeration)."""
- async with make_app_client() as client:
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "doesnotexist", "password": "anypassword"},
- )
- assert resp.status_code == 401
- assert "Неверный логин или пароль" in resp.json()["detail"]
-
-
-# ---------------------------------------------------------------------------
-# Criterion 4 — Статус pending → 403 с читаемым сообщением
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_pending_user_login_returns_403():
- """User with pending status gets 403."""
- async with make_app_client() as client:
- await _register_auth(client, "dave@tutlot.com", "dave", "password123")
- # Status is 'pending' by default — no approval step
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "dave", "password": "password123"},
- )
- assert resp.status_code == 403
-
-
-@pytest.mark.asyncio
-async def test_pending_user_login_403_message_is_human_readable():
- """403 message for pending user contains readable Russian text about the waiting status."""
- async with make_app_client() as client:
- await _register_auth(client, "dave2@tutlot.com", "dave2", "password123")
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "dave2", "password": "password123"},
- )
- assert "ожидает" in resp.json()["detail"]
-
-
-# ---------------------------------------------------------------------------
-# Criterion 5 — Статус rejected → 403 с читаемым сообщением
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_rejected_user_login_returns_403():
- """User with rejected status gets 403."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "eve@tutlot.com", "evegirl", "password123")
- await _reject(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "evegirl", "password": "password123"},
- )
- assert resp.status_code == 403
-
-
-@pytest.mark.asyncio
-async def test_rejected_user_login_403_message_is_human_readable():
- """403 message for rejected user contains readable Russian text about rejection."""
- async with make_app_client() as client:
- reg_id = await _register_auth(client, "eve2@tutlot.com", "eve2girl", "password123")
- await _reject(reg_id)
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "eve2girl", "password": "password123"},
- )
- assert "отклонена" in resp.json()["detail"]
-
-
-# ---------------------------------------------------------------------------
-# Criterion 6 — Rate limit: 6-й запрос подряд → 429
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_rate_limit_triggers_on_sixth_login_attempt():
- """Login rate limit (5 per window) triggers 429 exactly on the 6th request."""
- async with make_app_client() as client:
- statuses = []
- for _ in range(6):
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "nouser_rl", "password": "nopass"},
- headers={"X-Real-IP": "10.99.99.1"},
- )
- statuses.append(resp.status_code)
- # First 5 attempts pass rate limit (user not found → 401)
- assert all(s == 401 for s in statuses[:5]), (
- f"Первые 5 попыток должны быть 401, получили: {statuses[:5]}"
- )
- # 6th attempt hits rate limit
- assert statuses[5] == 429, (
- f"6-я попытка должна быть 429, получили: {statuses[5]}"
- )
-
-
-@pytest.mark.asyncio
-async def test_rate_limit_fifth_attempt_still_passes():
- """5th login attempt is still allowed (rate limit triggers only on 6th)."""
- async with make_app_client() as client:
- for i in range(4):
- await client.post(
- "/api/auth/login",
- json={"login_or_email": "nouser_rl2", "password": "nopass"},
- headers={"X-Real-IP": "10.99.99.2"},
- )
- resp = await client.post(
- "/api/auth/login",
- json={"login_or_email": "nouser_rl2", "password": "nopass"},
- headers={"X-Real-IP": "10.99.99.2"},
- )
- assert resp.status_code == 401, (
- f"5-я попытка должна пройти rate limit и вернуть 401, получили: {resp.status_code}"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 7 — Guard middleware: 401 без токена
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_verify_auth_token_raises_401_when_credentials_is_none():
- """verify_auth_token raises HTTPException 401 when no credentials provided."""
- with pytest.raises(HTTPException) as exc_info:
- await verify_auth_token(credentials=None)
- assert exc_info.value.status_code == 401
-
-
-@pytest.mark.asyncio
-async def test_verify_auth_token_raises_401_for_malformed_token():
- """verify_auth_token raises HTTPException 401 for a malformed/invalid token."""
- creds = HTTPAuthorizationCredentials(scheme="Bearer", credentials="not.a.valid.jwt")
- with pytest.raises(HTTPException) as exc_info:
- await verify_auth_token(credentials=creds)
- assert exc_info.value.status_code == 401
-
-
-# ---------------------------------------------------------------------------
-# Criterion 8 — Guard middleware: валидный токен пропускается
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_verify_auth_token_returns_payload_for_valid_token():
- """verify_auth_token returns decoded JWT payload for a valid signed token."""
- token = create_auth_token(reg_id=42, login="testuser")
- creds = HTTPAuthorizationCredentials(scheme="Bearer", credentials=token)
- payload = await verify_auth_token(credentials=creds)
- assert payload["sub"] == "42"
- assert payload["login"] == "testuser"
-
-
-@pytest.mark.asyncio
-async def test_verify_auth_token_payload_contains_expected_fields():
- """Payload returned by verify_auth_token contains sub, login, iat, exp fields."""
- token = create_auth_token(reg_id=7, login="inspector")
- creds = HTTPAuthorizationCredentials(scheme="Bearer", credentials=token)
- payload = await verify_auth_token(credentials=creds)
- for field in ("sub", "login", "iat", "exp"):
- assert field in payload, f"Поле '{field}' отсутствует в payload"
-
-
-# ---------------------------------------------------------------------------
-# Additional: PBKDF2 correctness — verify_password timing-safe
-# ---------------------------------------------------------------------------
-
-
-def test_hash_and_verify_password_returns_true_for_correct_password():
- """_hash_password + _verify_password: correct password returns True."""
- from backend.main import _hash_password, _verify_password
- stored = _hash_password("mysecretpass")
- assert _verify_password("mysecretpass", stored) is True
-
-
-def test_hash_and_verify_password_returns_false_for_wrong_password():
- """_hash_password + _verify_password: wrong password returns False."""
- from backend.main import _hash_password, _verify_password
- stored = _hash_password("mysecretpass")
- assert _verify_password("wrongpassword", stored) is False
-
-
-def test_verify_password_returns_false_for_malformed_hash():
- """_verify_password returns False (not exception) for a malformed hash string."""
- from backend.main import _verify_password
- assert _verify_password("anypassword", "not-a-valid-hash") is False
diff --git a/tests/test_biz_002.py b/tests/test_biz_002.py
deleted file mode 100644
index 0136df7..0000000
--- a/tests/test_biz_002.py
+++ /dev/null
@@ -1,203 +0,0 @@
-"""
-Tests for BATON-BIZ-002: Убрать hardcoded VAPID key из meta-тега, читать с /api/push/public-key
-
-Acceptance criteria:
-1. Meta-тег vapid-public-key полностью отсутствует в frontend/index.html (decision #1333).
-2. app.js использует canonical URL /api/push/public-key для получения VAPID ключа.
-3. Graceful fallback: endpoint недоступен → функция возвращает null, не бросает исключение.
-4. Graceful fallback: ключ пустой → _initPushSubscription не выполняется (guard на null).
-5. GET /api/push/public-key возвращает HTTP 200 с полем vapid_public_key.
-6. GET /api/push/public-key возвращает правильное значение из конфига.
-"""
-from __future__ import annotations
-
-import os
-import re
-from pathlib import Path
-from unittest.mock import patch
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
-
-import pytest
-
-from tests.conftest import make_app_client
-
-PROJECT_ROOT = Path(__file__).parent.parent
-INDEX_HTML = PROJECT_ROOT / "frontend" / "index.html"
-APP_JS = PROJECT_ROOT / "frontend" / "app.js"
-
-_TEST_VAPID_KEY = "BFakeVapidPublicKeyForBiz002TestingBase64UrlEncoded"
-
-
-# ---------------------------------------------------------------------------
-# Criterion 1 — AST: meta-тег vapid-public-key полностью отсутствует
-# ---------------------------------------------------------------------------
-
-
-def test_index_html_has_no_meta_tag_named_vapid_public_key() -> None:
- """index.html не должен содержать вообще (decision #1333)."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- match = re.search(
- r']+name\s*=\s*["\']vapid-public-key["\']',
- content,
- re.IGNORECASE,
- )
- assert match is None, (
- f"index.html содержит удалённый тег : {match.group(0)!r}"
- )
-
-
-def test_index_html_has_no_vapid_meta_tag_with_empty_or_any_content() -> None:
- """index.html не должен содержать ни пустой, ни непустой VAPID ключ в meta content."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- match = re.search(
- r']*(?:vapid|application-server-key)[^>]*content\s*=',
- content,
- re.IGNORECASE,
- )
- assert match is None, (
- f"index.html содержит -тег с VAPID-связанным атрибутом content: {match.group(0)!r}"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 2 — AST: app.js использует canonical /api/push/public-key
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_fetch_vapid_uses_canonical_push_public_key_url() -> None:
- """_fetchVapidPublicKey в app.js должна использовать /api/push/public-key (canonical URL)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "/api/push/public-key" in content, (
- "app.js не содержит canonical URL '/api/push/public-key' — "
- "ключ не читается через правильный endpoint"
- )
-
-
-def test_app_js_fetch_vapid_returns_vapid_public_key_field() -> None:
- """_fetchVapidPublicKey должна читать поле vapid_public_key из JSON-ответа."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(r"data\.vapid_public_key", content), (
- "app.js не читает поле 'data.vapid_public_key' из ответа API"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 3 — AST: graceful fallback когда endpoint недоступен
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_fetch_vapid_returns_null_on_http_error() -> None:
- """_fetchVapidPublicKey должна возвращать null при res.ok === false (HTTP-ошибка)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(r"if\s*\(\s*!\s*res\.ok\s*\)", content), (
- "app.js не содержит проверку 'if (!res.ok)' — "
- "HTTP-ошибки не обрабатываются gracefully в _fetchVapidPublicKey"
- )
-
-
-def test_app_js_fetch_vapid_catches_network_errors() -> None:
- """_fetchVapidPublicKey должна оборачивать fetch в try/catch и возвращать null при сетевой ошибке."""
- content = APP_JS.read_text(encoding="utf-8")
- # Проверяем паттерн try { fetch ... } catch (err) { return null; } внутри функции
- func_match = re.search(
- r"async function _fetchVapidPublicKey\(\).*?(?=^(?:async )?function |\Z)",
- content,
- re.DOTALL | re.MULTILINE,
- )
- assert func_match, "Функция _fetchVapidPublicKey не найдена в app.js"
- func_body = func_match.group(0)
- assert "catch" in func_body, (
- "app.js: _fetchVapidPublicKey не содержит блок catch — "
- "сетевые ошибки при fetch не обрабатываются"
- )
- assert re.search(r"return\s+null", func_body), (
- "app.js: _fetchVapidPublicKey не возвращает null при ошибке — "
- "upstream код получит исключение вместо null"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 4 — AST: graceful fallback когда ключ пустой (decision #1332)
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_fetch_vapid_returns_null_on_empty_key() -> None:
- """_fetchVapidPublicKey должна возвращать null когда vapid_public_key пустой."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(r"data\.vapid_public_key\s*\|\|\s*null", content), (
- "app.js не содержит 'data.vapid_public_key || null' — "
- "пустой ключ не преобразуется в null"
- )
-
-
-def test_app_js_init_push_subscription_guard_skips_on_null_key() -> None:
- """_initPushSubscription должна ранним возвратом пропускать подписку при null ключе (decision #1332)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(r"if\s*\(\s*!\s*vapidPublicKey\s*\)", content), (
- "app.js: _initPushSubscription не содержит guard 'if (!vapidPublicKey)' — "
- "подписка может быть создана без ключа"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 5 — HTTP: GET /api/push/public-key → 200 + vapid_public_key
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_push_public_key_endpoint_returns_200() -> None:
- """GET /api/push/public-key должен вернуть HTTP 200."""
- async with make_app_client() as client:
- response = await client.get("/api/push/public-key")
- assert response.status_code == 200, (
- f"GET /api/push/public-key вернул {response.status_code}, ожидался 200"
- )
-
-
-@pytest.mark.asyncio
-async def test_push_public_key_endpoint_returns_json_with_vapid_field() -> None:
- """GET /api/push/public-key должен вернуть JSON с полем vapid_public_key."""
- async with make_app_client() as client:
- response = await client.get("/api/push/public-key")
- data = response.json()
- assert "vapid_public_key" in data, (
- f"Ответ /api/push/public-key не содержит поле 'vapid_public_key': {data!r}"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 6 — HTTP: возвращает правильное значение из конфига
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_push_public_key_endpoint_returns_configured_value() -> None:
- """GET /api/push/public-key возвращает значение из VAPID_PUBLIC_KEY конфига."""
- with patch("backend.config.VAPID_PUBLIC_KEY", _TEST_VAPID_KEY):
- async with make_app_client() as client:
- response = await client.get("/api/push/public-key")
- data = response.json()
- assert data.get("vapid_public_key") == _TEST_VAPID_KEY, (
- f"vapid_public_key должен быть '{_TEST_VAPID_KEY}', "
- f"получили: {data.get('vapid_public_key')!r}"
- )
-
-
-@pytest.mark.asyncio
-async def test_push_public_key_endpoint_returns_empty_string_when_not_configured() -> None:
- """GET /api/push/public-key возвращает пустую строку (не ошибку) если ключ не настроен."""
- with patch("backend.config.VAPID_PUBLIC_KEY", ""):
- async with make_app_client() as client:
- response = await client.get("/api/push/public-key")
- assert response.status_code == 200, (
- f"Endpoint вернул {response.status_code} при пустом ключе, ожидался 200"
- )
- data = response.json()
- assert "vapid_public_key" in data, "Поле vapid_public_key отсутствует при пустом конфиге"
diff --git a/tests/test_biz_004.py b/tests/test_biz_004.py
deleted file mode 100644
index 228f2ac..0000000
--- a/tests/test_biz_004.py
+++ /dev/null
@@ -1,96 +0,0 @@
-"""
-BATON-BIZ-004: Verify removal of dead code from backend/telegram.py.
-
-Acceptance criteria:
-1. telegram.py does NOT contain duplicate logging setLevel calls for httpx/httpcore.
-2. telegram.py does NOT contain the SignalAggregator class.
-3. httpx/httpcore logging suppression is still configured in main.py (globally).
-4. SignalAggregator is NOT importable from backend.telegram.
-"""
-from __future__ import annotations
-
-import ast
-import importlib
-import inspect
-import logging
-import os
-from pathlib import Path
-
-
-# ---------------------------------------------------------------------------
-# Helpers
-# ---------------------------------------------------------------------------
-
-_BACKEND_DIR = Path(__file__).parent.parent / "backend"
-_TELEGRAM_SRC = (_BACKEND_DIR / "telegram.py").read_text(encoding="utf-8")
-_MAIN_SRC = (_BACKEND_DIR / "main.py").read_text(encoding="utf-8")
-
-
-# ---------------------------------------------------------------------------
-# Criteria 1 — no setLevel for httpx/httpcore in telegram.py
-# ---------------------------------------------------------------------------
-
-def test_telegram_has_no_httpx_setlevel():
- """telegram.py must not set log level for 'httpx'."""
- assert 'getLogger("httpx").setLevel' not in _TELEGRAM_SRC
- assert "getLogger('httpx').setLevel" not in _TELEGRAM_SRC
-
-
-def test_telegram_has_no_httpcore_setlevel():
- """telegram.py must not set log level for 'httpcore'."""
- assert 'getLogger("httpcore").setLevel' not in _TELEGRAM_SRC
- assert "getLogger('httpcore').setLevel" not in _TELEGRAM_SRC
-
-
-# ---------------------------------------------------------------------------
-# Criteria 2 — SignalAggregator absent from telegram.py source
-# ---------------------------------------------------------------------------
-
-def test_telegram_source_has_no_signal_aggregator_class():
- """telegram.py source text must not contain the class definition."""
- assert "class SignalAggregator" not in _TELEGRAM_SRC
-
-
-def test_telegram_source_has_no_signal_aggregator_reference():
- """telegram.py source text must not reference SignalAggregator at all."""
- assert "SignalAggregator" not in _TELEGRAM_SRC
-
-
-# ---------------------------------------------------------------------------
-# Criteria 3 — httpx/httpcore suppression still lives in main.py
-# ---------------------------------------------------------------------------
-
-def test_main_suppresses_httpx_logging():
- """main.py must call getLogger('httpx').setLevel to suppress noise."""
- assert (
- 'getLogger("httpx").setLevel' in _MAIN_SRC
- or "getLogger('httpx').setLevel" in _MAIN_SRC
- )
-
-
-def test_main_suppresses_httpcore_logging():
- """main.py must call getLogger('httpcore').setLevel to suppress noise."""
- assert (
- 'getLogger("httpcore").setLevel' in _MAIN_SRC
- or "getLogger('httpcore').setLevel" in _MAIN_SRC
- )
-
-
-# ---------------------------------------------------------------------------
-# Criteria 4 — SignalAggregator not importable from backend.telegram
-# ---------------------------------------------------------------------------
-
-def test_signal_aggregator_not_importable_from_telegram():
- """Importing SignalAggregator from backend.telegram must raise ImportError."""
- import importlib
- import sys
-
- # Force a fresh import so changes to the module are reflected
- mod_name = "backend.telegram"
- if mod_name in sys.modules:
- del sys.modules[mod_name]
-
- import backend.telegram as tg_mod # noqa: F401
- assert not hasattr(tg_mod, "SignalAggregator"), (
- "SignalAggregator should not be an attribute of backend.telegram"
- )
diff --git a/tests/test_fix_007.py b/tests/test_fix_007.py
deleted file mode 100644
index 3779fe0..0000000
--- a/tests/test_fix_007.py
+++ /dev/null
@@ -1,155 +0,0 @@
-"""
-Tests for BATON-FIX-007: CORS OPTIONS preflight verification.
-
-Acceptance criteria:
-1. OPTIONS preflight to /api/signal returns 200.
-2. Preflight response includes Access-Control-Allow-Methods containing GET.
-3. Preflight response includes Access-Control-Allow-Origin matching the configured origin.
-4. Preflight response includes Access-Control-Allow-Headers with Authorization.
-5. allow_methods in CORSMiddleware configuration explicitly contains GET.
-"""
-from __future__ import annotations
-
-import ast
-from pathlib import Path
-
-import pytest
-
-from tests.conftest import make_app_client
-
-_FRONTEND_ORIGIN = "http://localhost:3000"
-_BACKEND_DIR = Path(__file__).parent.parent / "backend"
-
-# ---------------------------------------------------------------------------
-# Static check — CORSMiddleware config contains GET in allow_methods
-# ---------------------------------------------------------------------------
-
-
-def test_main_py_cors_allow_methods_contains_get() -> None:
- """allow_methods в CORSMiddleware должен содержать 'GET'."""
- source = (_BACKEND_DIR / "main.py").read_text(encoding="utf-8")
- tree = ast.parse(source, filename="main.py")
-
- for node in ast.walk(tree):
- if isinstance(node, ast.Call):
- func = node.func
- if isinstance(func, ast.Name) and func.id == "add_middleware":
- continue
- if not (
- isinstance(func, ast.Attribute) and func.attr == "add_middleware"
- ):
- continue
- for kw in node.keywords:
- if kw.arg == "allow_methods":
- if isinstance(kw.value, ast.List):
- methods = [
- elt.value
- for elt in kw.value.elts
- if isinstance(elt, ast.Constant) and isinstance(elt.value, str)
- ]
- assert "GET" in methods, (
- f"allow_methods в CORSMiddleware не содержит 'GET': {methods}"
- )
- return
-
- pytest.fail("add_middleware с CORSMiddleware и allow_methods не найден в main.py")
-
-
-def test_main_py_cors_allow_methods_contains_post() -> None:
- """allow_methods в CORSMiddleware должен содержать 'POST' (регрессия)."""
- source = (_BACKEND_DIR / "main.py").read_text(encoding="utf-8")
- assert '"POST"' in source or "'POST'" in source, (
- "allow_methods в CORSMiddleware не содержит 'POST'"
- )
-
-
-# ---------------------------------------------------------------------------
-# Functional — OPTIONS preflight request
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_options_preflight_signal_returns_200() -> None:
- """OPTIONS preflight к /api/signal должен возвращать 200."""
- async with make_app_client() as client:
- resp = await client.options(
- "/api/signal",
- headers={
- "Origin": _FRONTEND_ORIGIN,
- "Access-Control-Request-Method": "POST",
- "Access-Control-Request-Headers": "Content-Type, Authorization",
- },
- )
- assert resp.status_code == 200, (
- f"Preflight OPTIONS /api/signal вернул {resp.status_code}, ожидался 200"
- )
-
-
-@pytest.mark.asyncio
-async def test_options_preflight_allow_origin_header() -> None:
- """OPTIONS preflight должен вернуть Access-Control-Allow-Origin."""
- async with make_app_client() as client:
- resp = await client.options(
- "/api/signal",
- headers={
- "Origin": _FRONTEND_ORIGIN,
- "Access-Control-Request-Method": "POST",
- "Access-Control-Request-Headers": "Content-Type, Authorization",
- },
- )
- acao = resp.headers.get("access-control-allow-origin", "")
- assert acao == _FRONTEND_ORIGIN, (
- f"Ожидался Access-Control-Allow-Origin: {_FRONTEND_ORIGIN!r}, получен: {acao!r}"
- )
-
-
-@pytest.mark.asyncio
-async def test_options_preflight_allow_methods_contains_get() -> None:
- """OPTIONS preflight должен вернуть Access-Control-Allow-Methods, включающий GET."""
- async with make_app_client() as client:
- resp = await client.options(
- "/api/signal",
- headers={
- "Origin": _FRONTEND_ORIGIN,
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": "Authorization",
- },
- )
- acam = resp.headers.get("access-control-allow-methods", "")
- assert "GET" in acam, (
- f"Access-Control-Allow-Methods не содержит GET: {acam!r}\n"
- "Decision #1268: allow_methods=['POST'] — GET отсутствует"
- )
-
-
-@pytest.mark.asyncio
-async def test_options_preflight_allow_headers_contains_authorization() -> None:
- """OPTIONS preflight должен вернуть Access-Control-Allow-Headers, включающий Authorization."""
- async with make_app_client() as client:
- resp = await client.options(
- "/api/signal",
- headers={
- "Origin": _FRONTEND_ORIGIN,
- "Access-Control-Request-Method": "POST",
- "Access-Control-Request-Headers": "Authorization",
- },
- )
- acah = resp.headers.get("access-control-allow-headers", "")
- assert "authorization" in acah.lower(), (
- f"Access-Control-Allow-Headers не содержит Authorization: {acah!r}"
- )
-
-
-@pytest.mark.asyncio
-async def test_get_health_cors_header_present() -> None:
- """GET /health с Origin должен вернуть Access-Control-Allow-Origin (simple request)."""
- async with make_app_client() as client:
- resp = await client.get(
- "/health",
- headers={"Origin": _FRONTEND_ORIGIN},
- )
- assert resp.status_code == 200
- acao = resp.headers.get("access-control-allow-origin", "")
- assert acao == _FRONTEND_ORIGIN, (
- f"GET /health: ожидался CORS-заголовок {_FRONTEND_ORIGIN!r}, получен: {acao!r}"
- )
diff --git a/tests/test_fix_012.py b/tests/test_fix_012.py
deleted file mode 100644
index 324091a..0000000
--- a/tests/test_fix_012.py
+++ /dev/null
@@ -1,172 +0,0 @@
-"""
-Tests for BATON-FIX-012: UUID v4 validation regression guard.
-
-BATON-SEC-005 added UUID v4 pattern validation to RegisterRequest.uuid and
-SignalRequest.user_id. Tests in test_db.py / test_baton_005.py / test_telegram.py
-previously used placeholder strings ('uuid-001', 'create-uuid-001', 'agg-uuid-001')
-that are not valid UUID v4 — causing 25 regressions.
-
-This file locks down the behaviour so the same mistake cannot recur silently:
- - Old-style placeholder strings are rejected by Pydantic
- - All UUID constants used across the fixed test files are valid UUID v4
- - RegisterRequest and SignalRequest accept exactly-valid v4 UUIDs
- - They reject strings that violate version (bit 3 of field-3 must be 4) or
- variant (top bits of field-4 must be 10xx) requirements
-"""
-from __future__ import annotations
-
-import os
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-
-import pytest
-from pydantic import ValidationError
-
-from backend.models import RegisterRequest, SignalRequest
-
-# ---------------------------------------------------------------------------
-# UUID constants from fixed test files — all must be valid UUID v4
-# ---------------------------------------------------------------------------
-
-# test_db.py constants (_UUID_DB_1 .. _UUID_DB_6)
-_DB_UUIDS = [
- "d0000001-0000-4000-8000-000000000001",
- "d0000002-0000-4000-8000-000000000002",
- "d0000003-0000-4000-8000-000000000003",
- "d0000004-0000-4000-8000-000000000004",
- "d0000005-0000-4000-8000-000000000005",
- "d0000006-0000-4000-8000-000000000006",
-]
-
-# test_baton_005.py constants (_UUID_ADM_*)
-_ADM_UUIDS = [
- "e0000000-0000-4000-8000-000000000000",
- "e0000001-0000-4000-8000-000000000001",
- "e0000002-0000-4000-8000-000000000002",
- "e0000003-0000-4000-8000-000000000003",
- "e0000004-0000-4000-8000-000000000004",
- "e0000005-0000-4000-8000-000000000005",
- "e0000006-0000-4000-8000-000000000006",
- "e0000007-0000-4000-8000-000000000007",
- "e0000008-0000-4000-8000-000000000008",
- "e0000009-0000-4000-8000-000000000009",
- "e000000a-0000-4000-8000-000000000010",
-]
-
-# test_telegram.py constants (aggregator UUIDs)
-_AGG_UUIDS = [
- "a9900001-0000-4000-8000-000000000001",
- "a9900099-0000-4000-8000-000000000099",
-] + [f"a990000{i}-0000-4000-8000-00000000000{i}" for i in range(5)]
-
-
-# ---------------------------------------------------------------------------
-# Old-style placeholder UUIDs (pre-fix) must be rejected
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.parametrize("bad_uuid", [
- "uuid-001",
- "uuid-002",
- "uuid-003",
- "uuid-004",
- "uuid-005",
- "uuid-006",
- "create-uuid-001",
- "create-uuid-002",
- "create-uuid-003",
- "pass-uuid-001",
- "pass-uuid-002",
- "block-uuid-001",
- "unblock-uuid-001",
- "delete-uuid-001",
- "delete-uuid-002",
- "regress-admin-uuid-001",
- "unauth-uuid-001",
- "agg-uuid-001",
- "agg-uuid-clr",
-])
-def test_register_request_rejects_old_placeholder_uuid(bad_uuid: str) -> None:
- """RegisterRequest.uuid must reject all pre-BATON-SEC-005 placeholder strings."""
- with pytest.raises(ValidationError):
- RegisterRequest(uuid=bad_uuid, name="Test")
-
-
-@pytest.mark.parametrize("bad_uuid", [
- "uuid-001",
- "agg-uuid-001",
- "create-uuid-001",
-])
-def test_signal_request_accepts_any_user_id_string(bad_uuid: str) -> None:
- """SignalRequest.user_id is optional (no pattern) — validation is at endpoint level."""
- req = SignalRequest(user_id=bad_uuid, timestamp=1700000000000)
- assert req.user_id == bad_uuid
-
-
-# ---------------------------------------------------------------------------
-# All UUID constants from the fixed test files are valid UUID v4
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.parametrize("valid_uuid", _DB_UUIDS)
-def test_register_request_accepts_db_uuid_constants(valid_uuid: str) -> None:
- """RegisterRequest accepts all _UUID_DB_* constants from test_db.py."""
- req = RegisterRequest(uuid=valid_uuid, name="Test")
- assert req.uuid == valid_uuid
-
-
-@pytest.mark.parametrize("valid_uuid", _ADM_UUIDS)
-def test_register_request_accepts_adm_uuid_constants(valid_uuid: str) -> None:
- """RegisterRequest accepts all _UUID_ADM_* constants from test_baton_005.py."""
- req = RegisterRequest(uuid=valid_uuid, name="Test")
- assert req.uuid == valid_uuid
-
-
-@pytest.mark.parametrize("valid_uuid", _AGG_UUIDS)
-def test_signal_request_accepts_agg_uuid_constants(valid_uuid: str) -> None:
- """SignalRequest accepts all aggregator UUID constants from test_telegram.py."""
- req = SignalRequest(user_id=valid_uuid, timestamp=1700000000000)
- assert req.user_id == valid_uuid
-
-
-# ---------------------------------------------------------------------------
-# UUID v4 structural requirements — version digit and variant bits
-# ---------------------------------------------------------------------------
-
-
-def test_register_request_rejects_uuid_v1_version_digit() -> None:
- """UUID with version digit = 1 (not 4) must be rejected by RegisterRequest."""
- with pytest.raises(ValidationError):
- # third group starts with '1' — version 1, not v4
- RegisterRequest(uuid="550e8400-e29b-11d4-a716-446655440000", name="Test")
-
-
-def test_register_request_rejects_uuid_v3_version_digit() -> None:
- """UUID with version digit = 3 must be rejected."""
- with pytest.raises(ValidationError):
- RegisterRequest(uuid="550e8400-e29b-31d4-a716-446655440000", name="Test")
-
-
-def test_signal_request_accepts_any_variant_bits() -> None:
- """SignalRequest.user_id is now optional and unvalidated (JWT auth doesn't use it)."""
- req = SignalRequest(user_id="550e8400-e29b-41d4-0716-446655440000", timestamp=1700000000000)
- assert req.user_id is not None
-
-
-def test_signal_request_without_user_id() -> None:
- """SignalRequest works without user_id (JWT auth mode)."""
- req = SignalRequest(timestamp=1700000000000)
- assert req.user_id is None
-
-
-def test_register_request_accepts_all_valid_v4_variants() -> None:
- """RegisterRequest accepts UUIDs with variant nibbles 8, 9, a, b."""
- for variant in ("8", "9", "a", "b"):
- uuid = f"550e8400-e29b-41d4-{variant}716-446655440000"
- req = RegisterRequest(uuid=uuid, name="Test")
- assert req.uuid == uuid
diff --git a/tests/test_fix_013.py b/tests/test_fix_013.py
deleted file mode 100644
index 5445895..0000000
--- a/tests/test_fix_013.py
+++ /dev/null
@@ -1,194 +0,0 @@
-"""
-Tests for BATON-FIX-013: CORS allow_methods — добавить GET для /health эндпоинтов.
-
-Acceptance criteria:
-1. CORSMiddleware в main.py содержит "GET" в allow_methods.
-2. OPTIONS preflight /health с Origin и Access-Control-Request-Method: GET
- возвращает 200/204 и содержит GET в Access-Control-Allow-Methods.
-3. OPTIONS preflight /api/health — аналогично.
-4. GET /health возвращает 200 (regression guard vs. allow_methods=['POST'] only).
-"""
-from __future__ import annotations
-
-import os
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
-
-import pytest
-
-from tests.conftest import make_app_client
-
-_ORIGIN = "http://localhost:3000"
-# allow_headers = ["Content-Type", "Authorization"] — X-Custom-Header не разрешён,
-# поэтому preflight с X-Custom-Header вернёт 400. Используем Content-Type.
-_PREFLIGHT_HEADER = "Content-Type"
-
-
-# ---------------------------------------------------------------------------
-# Criterion 1 — Static: CORSMiddleware.allow_methods must contain "GET"
-# ---------------------------------------------------------------------------
-
-
-def test_cors_middleware_allow_methods_contains_get() -> None:
- """app.user_middleware CORSMiddleware должен содержать 'GET' в allow_methods."""
- from fastapi.middleware.cors import CORSMiddleware
-
- from backend.main import app
-
- cors_mw = next(
- (m for m in app.user_middleware if m.cls is CORSMiddleware), None
- )
- assert cors_mw is not None, "CORSMiddleware не найден в app.user_middleware"
- allow_methods = cors_mw.kwargs.get("allow_methods", [])
- assert "GET" in allow_methods, (
- f"CORSMiddleware.allow_methods={allow_methods!r} не содержит 'GET'"
- )
-
-
-def test_cors_middleware_allow_methods_contains_head() -> None:
- """allow_methods должен содержать 'HEAD' для корректной работы preflight."""
- from fastapi.middleware.cors import CORSMiddleware
-
- from backend.main import app
-
- cors_mw = next(
- (m for m in app.user_middleware if m.cls is CORSMiddleware), None
- )
- assert cors_mw is not None
- allow_methods = cors_mw.kwargs.get("allow_methods", [])
- assert "HEAD" in allow_methods, (
- f"CORSMiddleware.allow_methods={allow_methods!r} не содержит 'HEAD'"
- )
-
-
-def test_cors_middleware_allow_methods_contains_options() -> None:
- """allow_methods должен содержать 'OPTIONS' для корректной обработки preflight."""
- from fastapi.middleware.cors import CORSMiddleware
-
- from backend.main import app
-
- cors_mw = next(
- (m for m in app.user_middleware if m.cls is CORSMiddleware), None
- )
- assert cors_mw is not None
- allow_methods = cors_mw.kwargs.get("allow_methods", [])
- assert "OPTIONS" in allow_methods, (
- f"CORSMiddleware.allow_methods={allow_methods!r} не содержит 'OPTIONS'"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 2 — Preflight OPTIONS /health includes GET in Allow-Methods
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_health_preflight_options_returns_success_status() -> None:
- """OPTIONS preflight /health должен вернуть 200 или 204."""
- async with make_app_client() as client:
- response = await client.options(
- "/health",
- headers={
- "Origin": _ORIGIN,
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
- },
- )
- assert response.status_code in (200, 204), (
- f"OPTIONS /health вернул {response.status_code}, ожидался 200 или 204"
- )
-
-
-@pytest.mark.asyncio
-async def test_health_preflight_options_allow_methods_contains_get() -> None:
- """OPTIONS preflight /health: Access-Control-Allow-Methods должен содержать GET."""
- async with make_app_client() as client:
- response = await client.options(
- "/health",
- headers={
- "Origin": _ORIGIN,
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
- },
- )
- allow_methods_header = response.headers.get("access-control-allow-methods", "")
- assert "GET" in allow_methods_header, (
- f"Access-Control-Allow-Methods={allow_methods_header!r} не содержит 'GET'"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 3 — Preflight OPTIONS /api/health includes GET in Allow-Methods
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_api_health_preflight_options_returns_success_status() -> None:
- """OPTIONS preflight /api/health должен вернуть 200 или 204."""
- async with make_app_client() as client:
- response = await client.options(
- "/api/health",
- headers={
- "Origin": _ORIGIN,
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
- },
- )
- assert response.status_code in (200, 204), (
- f"OPTIONS /api/health вернул {response.status_code}, ожидался 200 или 204"
- )
-
-
-@pytest.mark.asyncio
-async def test_api_health_preflight_options_allow_methods_contains_get() -> None:
- """OPTIONS preflight /api/health: Access-Control-Allow-Methods должен содержать GET."""
- async with make_app_client() as client:
- response = await client.options(
- "/api/health",
- headers={
- "Origin": _ORIGIN,
- "Access-Control-Request-Method": "GET",
- "Access-Control-Request-Headers": _PREFLIGHT_HEADER,
- },
- )
- allow_methods_header = response.headers.get("access-control-allow-methods", "")
- assert "GET" in allow_methods_header, (
- f"Access-Control-Allow-Methods={allow_methods_header!r} не содержит 'GET'"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 4 — GET /health returns 200 (regression guard)
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_health_get_returns_200_regression_guard() -> None:
- """GET /health должен вернуть 200 — regression guard против allow_methods=['POST'] only."""
- async with make_app_client() as client:
- response = await client.get(
- "/health",
- headers={"Origin": _ORIGIN},
- )
- assert response.status_code == 200, (
- f"GET /health вернул {response.status_code}, ожидался 200"
- )
-
-
-@pytest.mark.asyncio
-async def test_api_health_get_returns_200_regression_guard() -> None:
- """GET /api/health должен вернуть 200 — regression guard против allow_methods=['POST'] only."""
- async with make_app_client() as client:
- response = await client.get(
- "/api/health",
- headers={"Origin": _ORIGIN},
- )
- assert response.status_code == 200, (
- f"GET /api/health вернул {response.status_code}, ожидался 200"
- )
diff --git a/tests/test_fix_016.py b/tests/test_fix_016.py
deleted file mode 100644
index e4748ba..0000000
--- a/tests/test_fix_016.py
+++ /dev/null
@@ -1,163 +0,0 @@
-"""
-Tests for BATON-FIX-016: VAPID public key — убедиться, что ключ не вшит
-как пустая строка в frontend-коде и читается через API.
-
-Acceptance criteria:
-1. В frontend-коде нет хардкода пустой строки в качестве VAPID key в -теге.
-2. frontend читает ключ через API /api/vapid-public-key (_fetchVapidPublicKey).
-3. GET /api/vapid-public-key возвращает HTTP 200.
-4. GET /api/vapid-public-key возвращает JSON с полем vapid_public_key.
-5. При наличии конфигурации VAPID_PUBLIC_KEY — ответ содержит непустое значение.
-"""
-from __future__ import annotations
-
-import os
-import re
-from pathlib import Path
-from unittest.mock import patch
-
-os.environ.setdefault("BOT_TOKEN", "test-bot-token")
-os.environ.setdefault("CHAT_ID", "-1001234567890")
-os.environ.setdefault("WEBHOOK_SECRET", "test-webhook-secret")
-os.environ.setdefault("WEBHOOK_URL", "https://example.com/api/webhook/telegram")
-os.environ.setdefault("FRONTEND_ORIGIN", "http://localhost:3000")
-os.environ.setdefault("ADMIN_TOKEN", "test-admin-token")
-os.environ.setdefault("ADMIN_CHAT_ID", "5694335584")
-
-import pytest
-
-from tests.conftest import make_app_client
-
-PROJECT_ROOT = Path(__file__).parent.parent
-FRONTEND_DIR = PROJECT_ROOT / "frontend"
-INDEX_HTML = FRONTEND_DIR / "index.html"
-APP_JS = FRONTEND_DIR / "app.js"
-
-_TEST_VAPID_PUBLIC_KEY = "BFakeVapidPublicKeyForTestingPurposesOnlyBase64UrlEncoded"
-
-
-# ---------------------------------------------------------------------------
-# Criterion 1 — AST: no hardcoded empty VAPID key in tag (index.html)
-# ---------------------------------------------------------------------------
-
-
-def test_index_html_has_no_vapid_meta_tag_with_empty_content() -> None:
- """index.html не должен содержать -тег с application-server-key и пустым content."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- match = re.search(
- r']*(?:application-server-key|vapid)[^>]*content\s*=\s*["\']["\']',
- content,
- re.IGNORECASE,
- )
- assert match is None, (
- f"index.html содержит -тег с пустым VAPID ключом: {match.group(0)!r}"
- )
-
-
-def test_index_html_has_no_hardcoded_application_server_key_attribute() -> None:
- """index.html не должен содержать атрибут application-server-key вообще."""
- content = INDEX_HTML.read_text(encoding="utf-8")
- assert "application-server-key" not in content.lower(), (
- "index.html содержит атрибут 'application-server-key' — "
- "VAPID ключ не должен быть вшит в HTML"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 2 — AST: frontend reads key through API (app.js)
-# ---------------------------------------------------------------------------
-
-
-def test_app_js_contains_fetch_vapid_public_key_function() -> None:
- """app.js должен содержать функцию _fetchVapidPublicKey."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "_fetchVapidPublicKey" in content, (
- "app.js не содержит функцию _fetchVapidPublicKey — "
- "чтение VAPID ключа через API не реализовано"
- )
-
-
-def test_app_js_fetch_vapid_calls_api_endpoint() -> None:
- """_fetchVapidPublicKey в app.js должна обращаться к /api/push/public-key (canonical URL)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert "/api/push/public-key" in content, (
- "app.js не содержит URL '/api/push/public-key' — VAPID ключ не читается через API"
- )
-
-
-def test_app_js_init_push_subscription_has_null_guard() -> None:
- """_initPushSubscription в app.js должна содержать guard против null ключа."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(r"if\s*\(\s*!\s*vapidPublicKey\s*\)", content), (
- "app.js: _initPushSubscription не содержит guard 'if (!vapidPublicKey)' — "
- "подписка может быть создана без ключа"
- )
-
-
-def test_app_js_init_chains_fetch_vapid_then_init_subscription() -> None:
- """_init() в app.js должна вызывать _fetchVapidPublicKey().then(_initPushSubscription)."""
- content = APP_JS.read_text(encoding="utf-8")
- assert re.search(
- r"_fetchVapidPublicKey\(\)\s*\.\s*then\s*\(\s*_initPushSubscription\s*\)",
- content,
- ), (
- "app.js: _init() не содержит цепочку _fetchVapidPublicKey().then(_initPushSubscription)"
- )
-
-
-def test_app_js_has_no_empty_string_hardcoded_as_application_server_key() -> None:
- """app.js не должен содержать хардкода пустой строки для applicationServerKey."""
- content = APP_JS.read_text(encoding="utf-8")
- match = re.search(r"applicationServerKey\s*[=:]\s*[\"']{2}", content)
- assert match is None, (
- f"app.js содержит хардкод пустой строки для applicationServerKey: {match.group(0)!r}"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 3 — HTTP: GET /api/vapid-public-key returns 200
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_vapid_public_key_endpoint_returns_200() -> None:
- """GET /api/vapid-public-key должен вернуть HTTP 200."""
- async with make_app_client() as client:
- response = await client.get("/api/vapid-public-key")
- assert response.status_code == 200, (
- f"GET /api/vapid-public-key вернул {response.status_code}, ожидался 200"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 4 — HTTP: response JSON contains vapid_public_key field
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_vapid_public_key_endpoint_returns_json_with_field() -> None:
- """GET /api/vapid-public-key должен вернуть JSON с полем vapid_public_key."""
- async with make_app_client() as client:
- response = await client.get("/api/vapid-public-key")
- data = response.json()
- assert "vapid_public_key" in data, (
- f"Ответ /api/vapid-public-key не содержит поле 'vapid_public_key': {data!r}"
- )
-
-
-# ---------------------------------------------------------------------------
-# Criterion 5 — HTTP: non-empty vapid_public_key when env var is configured
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_vapid_public_key_endpoint_returns_configured_value() -> None:
- """GET /api/vapid-public-key возвращает непустой ключ, когда VAPID_PUBLIC_KEY задан."""
- with patch("backend.config.VAPID_PUBLIC_KEY", _TEST_VAPID_PUBLIC_KEY):
- async with make_app_client() as client:
- response = await client.get("/api/vapid-public-key")
- data = response.json()
- assert data.get("vapid_public_key") == _TEST_VAPID_PUBLIC_KEY, (
- f"vapid_public_key должен быть '{_TEST_VAPID_PUBLIC_KEY}', "
- f"получили: {data.get('vapid_public_key')!r}"
- )
diff --git a/tests/test_models.py b/tests/test_models.py
index cf9641a..0e55586 100644
--- a/tests/test_models.py
+++ b/tests/test_models.py
@@ -123,16 +123,14 @@ def test_signal_request_no_geo():
assert req.geo is None
-def test_signal_request_without_user_id():
- """user_id is optional (JWT auth sends signals without it)."""
- req = SignalRequest(timestamp=1742478000000)
- assert req.user_id is None
+def test_signal_request_missing_user_id():
+ with pytest.raises(ValidationError):
+ SignalRequest(timestamp=1742478000000) # type: ignore[call-arg]
def test_signal_request_empty_user_id():
- """Empty string user_id is accepted (treated as None at endpoint level)."""
- req = SignalRequest(user_id="", timestamp=1742478000000)
- assert req.user_id == ""
+ with pytest.raises(ValidationError):
+ SignalRequest(user_id="", timestamp=1742478000000)
def test_signal_request_timestamp_zero():
diff --git a/tests/test_signal.py b/tests/test_signal.py
index ca9d547..1ed0fc2 100644
--- a/tests/test_signal.py
+++ b/tests/test_signal.py
@@ -78,14 +78,14 @@ async def test_signal_without_geo_success():
@pytest.mark.asyncio
-async def test_signal_missing_auth_returns_401():
- """Missing Authorization header must return 401."""
+async def test_signal_missing_user_id_returns_422():
+ """Missing user_id field must return 422."""
async with make_app_client() as client:
resp = await client.post(
"/api/signal",
json={"timestamp": 1742478000000},
)
- assert resp.status_code == 401
+ assert resp.status_code == 422
@pytest.mark.asyncio
diff --git a/tests/test_telegram.py b/tests/test_telegram.py
index bd46f51..e1467a0 100644
--- a/tests/test_telegram.py
+++ b/tests/test_telegram.py
@@ -1,5 +1,5 @@
"""
-Tests for backend/telegram.py: send_message, set_webhook, validate_bot_token.
+Tests for backend/telegram.py: send_message, set_webhook, SignalAggregator.
NOTE: respx routes must be registered INSIDE the 'with mock:' block to be
intercepted properly. Registering them before entering the context does not
@@ -25,6 +25,8 @@ def _safe_aiosqlite_await(self):
aiosqlite.core.Connection.__await__ = _safe_aiosqlite_await # type: ignore[method-assign]
import json
+import os as _os
+import tempfile
from unittest.mock import AsyncMock, patch
import httpx
@@ -32,7 +34,7 @@ import pytest
import respx
from backend import config
-from backend.telegram import send_message, set_webhook, validate_bot_token
+from backend.telegram import SignalAggregator, send_message, set_webhook, validate_bot_token
SEND_URL = f"https://api.telegram.org/bot{config.BOT_TOKEN}/sendMessage"
@@ -184,6 +186,127 @@ async def test_set_webhook_raises_on_non_200():
await set_webhook(url="https://example.com/webhook", secret="s")
+# ---------------------------------------------------------------------------
+# SignalAggregator helpers
+# ---------------------------------------------------------------------------
+
+async def _init_db_with_tmp() -> str:
+ """Init a temp-file DB and return its path."""
+ from backend import config as _cfg, db as _db
+ path = tempfile.mktemp(suffix=".db")
+ _cfg.DB_PATH = path
+ await _db.init_db()
+ return path
+
+
+def _cleanup(path: str) -> None:
+ for ext in ("", "-wal", "-shm"):
+ try:
+ _os.unlink(path + ext)
+ except FileNotFoundError:
+ pass
+
+
+# ---------------------------------------------------------------------------
+# SignalAggregator tests
+# ---------------------------------------------------------------------------
+
+@pytest.mark.asyncio
+async def test_aggregator_single_signal_calls_send_message():
+ """Flushing an aggregator with one signal calls send_message once."""
+ path = await _init_db_with_tmp()
+ try:
+ agg = SignalAggregator(interval=9999)
+ await agg.add_signal(
+ user_uuid="a9900001-0000-4000-8000-000000000001",
+ user_name="Alice",
+ timestamp=1742478000000,
+ geo={"lat": 55.0, "lon": 37.0, "accuracy": 10.0},
+ signal_id=1,
+ )
+
+ with respx.mock(assert_all_called=False) as mock:
+ send_route = mock.post(SEND_URL).mock(
+ return_value=httpx.Response(200, json={"ok": True})
+ )
+ with patch("backend.telegram.db.save_telegram_batch", new_callable=AsyncMock):
+ with patch("backend.telegram.asyncio.sleep", new_callable=AsyncMock):
+ await agg.flush()
+
+ assert send_route.call_count == 1
+ finally:
+ _cleanup(path)
+
+
+@pytest.mark.asyncio
+async def test_aggregator_multiple_signals_one_message():
+ """5 signals flushed at once produce exactly one send_message call."""
+ path = await _init_db_with_tmp()
+ try:
+ agg = SignalAggregator(interval=9999)
+ for i in range(5):
+ await agg.add_signal(
+ user_uuid=f"a990000{i}-0000-4000-8000-00000000000{i}",
+ user_name=f"User{i}",
+ timestamp=1742478000000 + i * 1000,
+ geo=None,
+ signal_id=i + 1,
+ )
+
+ with respx.mock(assert_all_called=False) as mock:
+ send_route = mock.post(SEND_URL).mock(
+ return_value=httpx.Response(200, json={"ok": True})
+ )
+ with patch("backend.telegram.db.save_telegram_batch", new_callable=AsyncMock):
+ with patch("backend.telegram.asyncio.sleep", new_callable=AsyncMock):
+ await agg.flush()
+
+ assert send_route.call_count == 1
+ finally:
+ _cleanup(path)
+
+
+@pytest.mark.asyncio
+async def test_aggregator_empty_buffer_no_send():
+ """Flushing an empty aggregator must NOT call send_message."""
+ agg = SignalAggregator(interval=9999)
+
+ # No routes registered — if a POST is made it will raise AllMockedAssertionError
+ with respx.mock(assert_all_called=False) as mock:
+ send_route = mock.post(SEND_URL).mock(
+ return_value=httpx.Response(200, json={"ok": True})
+ )
+ await agg.flush()
+
+ assert send_route.call_count == 0
+
+
+@pytest.mark.asyncio
+async def test_aggregator_buffer_cleared_after_flush():
+ """After flush, the aggregator buffer is empty."""
+ path = await _init_db_with_tmp()
+ try:
+ agg = SignalAggregator(interval=9999)
+ await agg.add_signal(
+ user_uuid="a9900099-0000-4000-8000-000000000099",
+ user_name="Test",
+ timestamp=1742478000000,
+ geo=None,
+ signal_id=99,
+ )
+ assert len(agg._buffer) == 1
+
+ with respx.mock(assert_all_called=False) as mock:
+ mock.post(SEND_URL).mock(return_value=httpx.Response(200, json={"ok": True}))
+ with patch("backend.telegram.db.save_telegram_batch", new_callable=AsyncMock):
+ with patch("backend.telegram.asyncio.sleep", new_callable=AsyncMock):
+ await agg.flush()
+
+ assert len(agg._buffer) == 0
+ finally:
+ _cleanup(path)
+
+
# ---------------------------------------------------------------------------
# BATON-007: 400 "chat not found" handling
# ---------------------------------------------------------------------------
@@ -248,3 +371,33 @@ async def test_send_message_all_5xx_retries_exhausted_does_not_raise():
# Must not raise — message is dropped, service stays alive
await send_message("test all retries exhausted")
+
+@pytest.mark.asyncio
+async def test_aggregator_unknown_user_shows_uuid_prefix():
+ """If user_name is None, the message shows first 8 chars of uuid."""
+ path = await _init_db_with_tmp()
+ try:
+ agg = SignalAggregator(interval=9999)
+ test_uuid = "abcdef1234567890"
+ await agg.add_signal(
+ user_uuid=test_uuid,
+ user_name=None,
+ timestamp=1742478000000,
+ geo=None,
+ signal_id=1,
+ )
+
+ sent_texts: list[str] = []
+
+ async def _fake_send(text: str) -> None:
+ sent_texts.append(text)
+
+ with patch("backend.telegram.send_message", side_effect=_fake_send):
+ with patch("backend.telegram.db.save_telegram_batch", new_callable=AsyncMock):
+ with patch("backend.telegram.asyncio.sleep", new_callable=AsyncMock):
+ await agg.flush()
+
+ assert len(sent_texts) == 1
+ assert test_uuid[:8] in sent_texts[0]
+ finally:
+ _cleanup(path)