Use encrypted cookie sessions

This commit is contained in:
kacper 2026-04-12 22:02:47 -04:00
parent a7b0352d3c
commit d84a885fdb
9 changed files with 131 additions and 27 deletions


@ -17,6 +17,7 @@ class AppTestCase(unittest.TestCase):
os.environ,
{
"APP_BASE_URL": "http://testserver",
"AUTH_SECRET_KEY": "test-auth-secret-key-that-is-long-enough",
"FORGEJO_TOKEN": "",
"FORGEJO_OAUTH_CLIENT_ID": "client-id",
"FORGEJO_OAUTH_CLIENT_SECRET": "client-secret",
@ -172,6 +173,7 @@ class AppTestCase(unittest.TestCase):
self.assertEqual(callback_response.status_code, 303)
self.assertEqual(callback_response.headers["location"], "/discussions/7")
self.assertIn("robot_u_session", callback_response.cookies)
self.assertNotIn("oauth-token", callback_response.cookies["robot_u_session"])
self.assertEqual(fake_client.exchanged_code, "auth-code")
session_response = self.client.get("/api/auth/session")
@ -219,6 +221,28 @@ class AppTestCase(unittest.TestCase):
self.assertEqual(builder.call_args.kwargs["auth_source"], "session")
self.assertEqual(builder.call_args.kwargs["session_user"]["login"], "kacper")
def test_encrypted_session_cookie_survives_new_app_instance(self) -> None:
fake_client = _FakeForgejoClient(user={"login": "kacper"}, access_token="oauth-token")
with patch("app.ForgejoClient", return_value=fake_client):
start_response = self.client.get(
"/api/auth/forgejo/start",
follow_redirects=False,
)
state = parse_qs(urlparse(start_response.headers["location"]).query)["state"][0]
callback_response = self.client.get(
f"/api/auth/forgejo/callback?code=auth-code&state={state}",
follow_redirects=False,
)
fresh_client = TestClient(create_app())
fresh_client.cookies.set("robot_u_session", callback_response.cookies["robot_u_session"])
session_response = fresh_client.get("/api/auth/session")
self.assertEqual(session_response.status_code, 200)
self.assertEqual(session_response.json()["authenticated"], True)
self.assertEqual(session_response.json()["login"], "kacper")
self.assertEqual(session_response.json()["source"], "session")
def test_create_discussion_reply(self) -> None:
fake_client = _FakeForgejoClient(
comment={
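Review bot: The new test_encrypted_session_cookie_survives_new_app_instance proves a cookie minted by one app instance is accepted by a fresh one, but nothing here exercises the negative case — a cookie whose value has been altered, or one minted under a different `AUTH_SECRET_KEY`, must come back unauthenticated from `/api/auth/session`, otherwise the "encrypted session" property is not actually tested. The `assertNotIn("oauth-token", …)` added in the callback test only shows the token is not stored in plaintext, not that the cookie is integrity-checked. I would add a sibling test that reuses the same OAuth start/callback flow, flips one character of `callback_response.cookies["robot_u_session"]` (and, in a second variant, builds the fresh app inside `patch.dict(os.environ, {"AUTH_SECRET_KEY": "a-different-secret-key-that-is-long-enough"})`) and asserts the fresh client is not treated as `kacper`; the last assertion should match whatever the endpoint returns for an anonymous request, which is not visible in this hunk. `AppTestCase` starts outside this hunk.
```python
    def test_tampered_session_cookie_is_rejected(self) -> None:
        # … unchanged: same OAuth start/callback flow as the test above, yielding callback_response …
        cookie = callback_response.cookies["robot_u_session"]
        # Corrupt one character in the middle so both base64 decoding and the
        # authentication tag (whichever fails first) see a modified value.
        mid = len(cookie) // 2
        tampered = cookie[:mid] + ("A" if cookie[mid] != "A" else "B") + cookie[mid + 1 :]
        fresh_client = TestClient(create_app())
        fresh_client.cookies.set("robot_u_session", tampered)
        session_response = fresh_client.get("/api/auth/session")
        # Adjust to the endpoint's anonymous response shape; the point is that
        # the forged cookie must never yield the authenticated user.
        self.assertNotEqual(session_response.json().get("login"), "kacper")
        self.assertFalse(session_response.json().get("authenticated"))
```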