Enhance database initialization and improve command handling

- Added `__all__` declaration in `db/__init__.py` for better module export management. - Simplified command text formatting in `handlers/commands.py` for improved readability. - Refactored error handler function signature in `handlers/errors.py` for better code style. - Introduced comprehensive tests for API duties and Telegram authentication in new test files.
2026-02-17 20:05:49 +03:00
parent 5cfc699c3d
commit 4e6756025d
5 changed files with 23 additions and 5 deletions
--- a/tests/test_app.py
+++ b/tests/test_app.py
@@ -0,0 +1,133 @@
+"""Tests for FastAPI app /api/duties."""
+
+import time
+from unittest.mock import patch
+
+import pytest
+from fastapi.testclient import TestClient
+
+import config
+from api.app import app
+from tests.test_telegram_auth import _make_init_data
+
+
+@pytest.fixture
+def client():
+    return TestClient(app)
+
+
+def test_duties_invalid_date_format(client):
+    r = client.get("/api/duties", params={"from": "2025-01-01", "to": "invalid"})
+    assert r.status_code == 400
+    assert "YYYY-MM-DD" in r.json()["detail"]
+
+
+def test_duties_from_after_to(client):
+    r = client.get("/api/duties", params={"from": "2025-02-01", "to": "2025-01-01"})
+    assert r.status_code == 400
+    assert "from" in r.json()["detail"].lower() or "позже" in r.json()["detail"]
+
+
+@patch("api.app._is_private_client")
+@patch("api.app.config.MINI_APP_SKIP_AUTH", False)
+def test_duties_403_without_init_data_from_public_client(mock_private, client):
+    """Without initData and without private IP / skip-auth, should get 403."""
+    mock_private.return_value = False  # simulate public client
+    r = client.get(
+        "/api/duties",
+        params={"from": "2025-01-01", "to": "2025-01-31"},
+    )
+    assert r.status_code == 403
+
+
+@patch("api.app.config.MINI_APP_SKIP_AUTH", True)
+@patch("api.app._fetch_duties_response")
+def test_duties_200_when_skip_auth(mock_fetch, client):
+    mock_fetch.return_value = []
+    r = client.get(
+        "/api/duties",
+        params={"from": "2025-01-01", "to": "2025-01-31"},
+    )
+    assert r.status_code == 200
+    assert r.json() == []
+    mock_fetch.assert_called_once_with("2025-01-01", "2025-01-31")
+
+
+@patch("api.app.validate_init_data_with_reason")
+def test_duties_403_when_init_data_invalid(mock_validate, client):
+    mock_validate.return_value = (None, "hash_mismatch")
+    r = client.get(
+        "/api/duties",
+        params={"from": "2025-01-01", "to": "2025-01-31"},
+        headers={"X-Telegram-Init-Data": "some=data&hash=abc"},
+    )
+    assert r.status_code == 403
+    detail = r.json()["detail"]
+    assert "авторизации" in detail or "Неверные" in detail or "Неверная" in detail
+
+
+@patch("api.app.validate_init_data_with_reason")
+@patch("api.app.config.can_access_miniapp")
+def test_duties_403_when_username_not_allowed(mock_can_access, mock_validate, client):
+    mock_validate.return_value = ("someuser", "ok")
+    mock_can_access.return_value = False
+    with patch("api.app._fetch_duties_response") as mock_fetch:
+        r = client.get(
+            "/api/duties",
+            params={"from": "2025-01-01", "to": "2025-01-31"},
+            headers={"X-Telegram-Init-Data": "user=xxx&hash=yyy"},
+        )
+    assert r.status_code == 403
+    assert "Доступ запрещён" in r.json()["detail"]
+    mock_fetch.assert_not_called()
+
+
+@patch("api.app.validate_init_data_with_reason")
+@patch("api.app.config.can_access_miniapp")
+def test_duties_200_with_allowed_user(mock_can_access, mock_validate, client):
+    mock_validate.return_value = ("alloweduser", "ok")
+    mock_can_access.return_value = True
+    with patch("api.app._fetch_duties_response") as mock_fetch:
+        mock_fetch.return_value = [
+            {
+                "id": 1,
+                "user_id": 10,
+                "start_at": "2025-01-15T09:00:00",
+                "end_at": "2025-01-15T18:00:00",
+                "full_name": "Иван Иванов",
+            }
+        ]
+        r = client.get(
+            "/api/duties",
+            params={"from": "2025-01-01", "to": "2025-01-31"},
+            headers={"X-Telegram-Init-Data": "user=xxx&hash=yyy"},
+        )
+    assert r.status_code == 200
+    assert len(r.json()) == 1
+    assert r.json()[0]["full_name"] == "Иван Иванов"
+    mock_fetch.assert_called_once_with("2025-01-01", "2025-01-31")
+
+
+def test_duties_e2e_auth_real_validation(client, monkeypatch):
+    """E2E: valid initData + allowlist, no mocks on validate_init_data_with_reason; full auth path."""
+    test_token = "123:ABC"
+    test_username = "e2euser"
+    monkeypatch.setattr(config, "BOT_TOKEN", test_token)
+    monkeypatch.setattr(config, "ALLOWED_USERNAMES", {test_username})
+    monkeypatch.setattr(config, "ADMIN_USERNAMES", set())
+    monkeypatch.setattr(config, "INIT_DATA_MAX_AGE_SECONDS", 0)
+    init_data = _make_init_data(
+        {"id": 1, "username": test_username},
+        test_token,
+        auth_date=int(time.time()),
+    )
+    with patch("api.app._fetch_duties_response") as mock_fetch:
+        mock_fetch.return_value = []
+        r = client.get(
+            "/api/duties",
+            params={"from": "2025-01-01", "to": "2025-01-31"},
+            headers={"X-Telegram-Init-Data": init_data},
+        )
+    assert r.status_code == 200
+    assert r.json() == []
+    mock_fetch.assert_called_once_with("2025-01-01", "2025-01-31")
--- a/tests/test_telegram_auth.py
+++ b/tests/test_telegram_auth.py
@@ -0,0 +1,123 @@
+"""Tests for api.telegram_auth.validate_init_data."""
+
+import hashlib
+import hmac
+import json
+from urllib.parse import quote, unquote
+
+
+from api.telegram_auth import validate_init_data
+
+
+def _make_init_data(
+    user: dict | None,
+    bot_token: str,
+    auth_date: int | None = None,
+) -> str:
+    """Build initData string with valid HMAC for testing."""
+    params = {}
+    if user is not None:
+        params["user"] = quote(json.dumps(user))
+    if auth_date is not None:
+        params["auth_date"] = str(auth_date)
+    pairs = sorted(params.items())
+    data_string = "\n".join(f"{k}={unquote(v)}" for k, v in pairs)
+    secret_key = hmac.new(
+        b"WebAppData",
+        msg=bot_token.encode(),
+        digestmod=hashlib.sha256,
+    ).digest()
+    computed = hmac.new(
+        secret_key,
+        msg=data_string.encode(),
+        digestmod=hashlib.sha256,
+    ).hexdigest()
+    params["hash"] = computed
+    return "&".join(f"{k}={v}" for k, v in sorted(params.items()))
+
+
+def test_valid_payload_returns_username():
+    bot_token = "123:ABC"
+    user = {"id": 123, "username": "testuser", "first_name": "Test"}
+    init_data = _make_init_data(user, bot_token)
+    assert validate_init_data(init_data, bot_token) == "testuser"
+
+
+def test_valid_payload_username_lowercase():
+    bot_token = "123:ABC"
+    user = {"id": 123, "username": "TestUser", "first_name": "Test"}
+    init_data = _make_init_data(user, bot_token)
+    assert validate_init_data(init_data, bot_token) == "testuser"
+
+
+def test_invalid_hash_returns_none():
+    bot_token = "123:ABC"
+    user = {"id": 123, "username": "testuser"}
+    init_data = _make_init_data(user, bot_token)
+    # Tamper with hash
+    init_data = init_data.replace("hash=", "hash=x")
+    assert validate_init_data(init_data, bot_token) is None
+
+
+def test_wrong_bot_token_returns_none():
+    bot_token = "123:ABC"
+    user = {"id": 123, "username": "testuser"}
+    init_data = _make_init_data(user, bot_token)
+    assert validate_init_data(init_data, "other:token") is None
+
+
+def test_missing_user_returns_none():
+    bot_token = "123:ABC"
+    init_data = _make_init_data(None, bot_token)  # no user key
+    assert validate_init_data(init_data, bot_token) is None
+
+
+def test_user_without_username_returns_none():
+    bot_token = "123:ABC"
+    user = {"id": 123, "first_name": "Test"}  # no username
+    init_data = _make_init_data(user, bot_token)
+    assert validate_init_data(init_data, bot_token) is None
+
+
+def test_empty_init_data_returns_none():
+    assert validate_init_data("", "token") is None
+    assert validate_init_data("   ", "token") is None
+
+
+def test_empty_bot_token_returns_none():
+    user = {"id": 1, "username": "u"}
+    init_data = _make_init_data(user, "token")
+    assert validate_init_data(init_data, "") is None
+
+
+def test_auth_date_expiry_rejects_old_init_data():
+    """When max_age_seconds is set, initData older than that is rejected."""
+    import time as t
+
+    bot_token = "123:ABC"
+    user = {"id": 1, "username": "testuser"}
+    # auth_date 100 seconds ago
+    old_ts = int(t.time()) - 100
+    init_data = _make_init_data(user, bot_token, auth_date=old_ts)
+    assert validate_init_data(init_data, bot_token, max_age_seconds=60) is None
+    assert validate_init_data(init_data, bot_token, max_age_seconds=200) == "testuser"
+
+
+def test_auth_date_expiry_accepts_fresh_init_data():
+    """Fresh auth_date within max_age_seconds is accepted."""
+    import time as t
+
+    bot_token = "123:ABC"
+    user = {"id": 1, "username": "testuser"}
+    fresh_ts = int(t.time()) - 10
+    init_data = _make_init_data(user, bot_token, auth_date=fresh_ts)
+    assert validate_init_data(init_data, bot_token, max_age_seconds=60) == "testuser"
+
+
+def test_auth_date_expiry_requires_auth_date_when_max_age_set():
+    """When max_age_seconds is set but auth_date is missing, return None."""
+    bot_token = "123:ABC"
+    user = {"id": 1, "username": "testuser"}
+    init_data = _make_init_data(user, bot_token)  # no auth_date
+    assert validate_init_data(init_data, bot_token, max_age_seconds=86400) is None
+    assert validate_init_data(init_data, bot_token) == "testuser"