Arnike/duty-teller
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 14 Wiki Activity

Implement phone number normalization and access control for Telegram users

Browse Source 
- Added functionality to normalize phone numbers for comparison, ensuring only digits are stored and checked.
- Updated configuration to include optional phone number allowlists for users and admins in the environment settings.
- Enhanced authentication logic to allow access based on normalized phone numbers, in addition to usernames.
- Introduced new helper functions for parsing and validating phone numbers, improving code organization and maintainability.
- Added unit tests to validate phone normalization and access control based on phone numbers.
This commit is contained in:
Nikolay Tatarinov
2026-02-18 16:11:44 +03:00
parent d0d22c150a
commit 59ba2a9ca4
10 changed files with 344 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
tests/test_app.py
View File

@@ -55,8 +55,9 @@ def test_duties_200_when_skip_auth(mock_fetch, client):
@patch("duty_teller.api.dependencies.validate_init_data_with_reason")
@patch("duty_teller.api.dependencies.config.MINI_APP_SKIP_AUTH", False)
def test_duties_403_when_init_data_invalid(mock_validate, client):
mock_validate.return_value = (None, "hash_mismatch", "en")
mock_validate.return_value = (None, None, "hash_mismatch", "en")
r = client.get(
"/api/duties",
params={"from": "2025-01-01", "to": "2025-01-31"},
@@ -72,11 +73,16 @@ def test_duties_403_when_init_data_invalid(mock_validate, client):
)
@patch("duty_teller.api.dependencies.get_user_by_telegram_id")
@patch("duty_teller.api.dependencies.validate_init_data_with_reason")
@patch("duty_teller.api.dependencies.config.can_access_miniapp")
def test_duties_403_when_username_not_allowed(mock_can_access, mock_validate, client):
mock_validate.return_value = ("someuser", "ok", "en")
@patch("duty_teller.api.dependencies.config.MINI_APP_SKIP_AUTH", False)
def test_duties_403_when_username_not_allowed(
mock_can_access, mock_validate, mock_get_user, client
):
mock_validate.return_value = (123, "someuser", "ok", "en")
mock_can_access.return_value = False
mock_get_user.return_value = None # no user in DB or no phone path
with patch("duty_teller.api.app.fetch_duties_response") as mock_fetch:
r = client.get(
"/api/duties",
@@ -90,10 +96,87 @@ def test_duties_403_when_username_not_allowed(mock_can_access, mock_validate, cl
mock_fetch.assert_not_called()
@patch("duty_teller.api.dependencies.config.can_access_miniapp_by_phone")
@patch("duty_teller.api.dependencies.get_user_by_telegram_id")
@patch("duty_teller.api.dependencies.validate_init_data_with_reason")
@patch("duty_teller.api.dependencies.config.can_access_miniapp")
@patch("duty_teller.api.dependencies.config.MINI_APP_SKIP_AUTH", False)
def test_duties_403_when_no_username_and_phone_not_in_allowlist(
mock_can_access, mock_validate, mock_get_user, mock_can_access_phone, client
):
"""No username in initData and user's phone not in ALLOWED_PHONES -> 403."""
from types import SimpleNamespace
mock_validate.return_value = (456, None, "ok", "en")
mock_can_access.return_value = False
mock_get_user.return_value = SimpleNamespace(phone="+79001111111", full_name="User")
mock_can_access_phone.return_value = False
with patch("duty_teller.api.app.fetch_duties_response") as mock_fetch:
r = client.get(
"/api/duties",
params={"from": "2025-01-01", "to": "2025-01-31"},
headers={"X-Telegram-Init-Data": "user=xxx&hash=yyy"},
)
assert r.status_code == 403
mock_fetch.assert_not_called()
@patch("duty_teller.api.dependencies.config.can_access_miniapp_by_phone")
@patch("duty_teller.api.dependencies.get_user_by_telegram_id")
@patch("duty_teller.api.dependencies.validate_init_data_with_reason")
@patch("duty_teller.api.dependencies.config.can_access_miniapp")
@patch("duty_teller.api.dependencies.config.MINI_APP_SKIP_AUTH", False)
def test_duties_200_when_no_username_but_phone_in_allowlist(
mock_can_access, mock_validate, mock_get_user, mock_can_access_phone, client
):
"""No username in initData but user's phone in ALLOWED_PHONES -> 200."""
from types import SimpleNamespace
mock_validate.return_value = (789, None, "ok", "en")
mock_can_access.return_value = False
mock_get_user.return_value = SimpleNamespace(
phone="+7 900 123-45-67", full_name="Иван"
)
mock_can_access_phone.return_value = True
with patch("duty_teller.api.app.fetch_duties_response") as mock_fetch:
mock_fetch.return_value = []
r = client.get(
"/api/duties",
params={"from": "2025-01-01", "to": "2025-01-31"},
headers={"X-Telegram-Init-Data": "user=xxx&hash=yyy"},
)
assert r.status_code == 200
assert r.json() == []
mock_fetch.assert_called_once_with(ANY, "2025-01-01", "2025-01-31")
@patch("duty_teller.api.dependencies.validate_init_data_with_reason")
@patch("duty_teller.api.dependencies.config.can_access_miniapp")
@patch("duty_teller.api.dependencies.config.MINI_APP_SKIP_AUTH", True)
def test_duties_200_with_valid_init_data_and_skip_auth_not_in_allowlist(
mock_can_access, mock_validate, client
):
"""With MINI_APP_SKIP_AUTH=True, valid initData grants access without allowlist check."""
mock_validate.return_value = ("outsider_user", "ok", "en")
mock_can_access.return_value = False
with patch("duty_teller.api.app.fetch_duties_response") as mock_fetch:
mock_fetch.return_value = []
r = client.get(
"/api/duties",
params={"from": "2025-01-01", "to": "2025-01-31"},
headers={"X-Telegram-Init-Data": "user=xxx&hash=yyy"},
)
assert r.status_code == 200
assert r.json() == []
mock_fetch.assert_called_once_with(ANY, "2025-01-01", "2025-01-31")
mock_can_access.assert_not_called()
mock_validate.assert_not_called()
@patch("duty_teller.api.dependencies.validate_init_data_with_reason")
@patch("duty_teller.api.dependencies.config.can_access_miniapp")
def test_duties_200_with_allowed_user(mock_can_access, mock_validate, client):
mock_validate.return_value = ("alloweduser", "ok", "en")
mock_validate.return_value = (1, "alloweduser", "ok", "en")
mock_can_access.return_value = True
with patch("duty_teller.api.app.fetch_duties_response") as mock_fetch:
mock_fetch.return_value = [