docs: update environment configuration and API documentation
All checks were successful
CI / lint-and-test (push) Successful in 24s
All checks were successful
CI / lint-and-test (push) Successful in 24s
- Revised the `.env.example` file to clarify the purpose of the `MINI_APP_SKIP_AUTH` variable, emphasizing its insecure nature and restriction to development use only. - Updated the `README.md` to reflect changes in API authentication requirements, specifying that unauthenticated access to `/api/duties` and `/api/calendar-events` is only allowed with `MINI_APP_SKIP_AUTH=1`. - Enhanced `configuration.md` to detail the implications of using `MINI_APP_SKIP_AUTH` for API access without Telegram initData. - Removed the `_is_private_client` function and its associated tests, streamlining the codebase and focusing on the current authentication model. - Added logging in `run.py` to warn when `MINI_APP_SKIP_AUTH` is enabled, highlighting the security risks.
This commit is contained in:
@@ -71,29 +71,3 @@ class TestValidateDutyDates:
|
||||
assert exc_info.value.status_code == 400
|
||||
assert exc_info.value.detail == "From after to message"
|
||||
mock_t.assert_called_with("ru", "dates.from_after_to")
|
||||
|
||||
|
||||
class TestIsPrivateClient:
|
||||
"""Tests for _is_private_client."""
|
||||
|
||||
def test_loopback_true(self):
|
||||
assert deps._is_private_client("127.0.0.1") is True
|
||||
assert deps._is_private_client("::1") is True
|
||||
|
||||
def test_rfc1918_private_true(self):
|
||||
assert deps._is_private_client("10.0.0.1") is True
|
||||
assert deps._is_private_client("192.168.1.1") is True
|
||||
assert deps._is_private_client("172.16.0.1") is True
|
||||
assert deps._is_private_client("172.31.255.255") is True
|
||||
|
||||
def test_public_ip_false(self):
|
||||
assert deps._is_private_client("8.8.8.8") is False
|
||||
|
||||
def test_non_ip_false(self):
|
||||
assert deps._is_private_client("example.com") is False
|
||||
assert deps._is_private_client("") is False
|
||||
assert deps._is_private_client(None) is False
|
||||
|
||||
def test_172_non_private_octet_false(self):
|
||||
assert deps._is_private_client("172.15.0.1") is False
|
||||
assert deps._is_private_client("172.32.0.1") is False
|
||||
|
||||
@@ -37,10 +37,9 @@ def test_duties_from_after_to(client):
|
||||
assert "from" in detail or "to" in detail or "after" in detail or "позже" in detail
|
||||
|
||||
|
||||
@patch("duty_teller.api.dependencies._is_private_client")
|
||||
@patch("duty_teller.api.dependencies.config.MINI_APP_SKIP_AUTH", False)
|
||||
def test_duties_403_without_init_data_from_public_client(mock_private, client):
|
||||
mock_private.return_value = False
|
||||
def test_duties_403_without_init_data(client):
|
||||
"""Without X-Telegram-Init-Data and without MINI_APP_SKIP_AUTH → 403 (any client)."""
|
||||
r = client.get(
|
||||
"/api/duties",
|
||||
params={"from": "2025-01-01", "to": "2025-01-31"},
|
||||
@@ -390,6 +389,16 @@ def test_calendar_ical_events_all_returns_all_event_types(
|
||||
# --- /api/calendar-events ---
|
||||
|
||||
|
||||
@patch("duty_teller.api.dependencies.config.MINI_APP_SKIP_AUTH", False)
|
||||
def test_calendar_events_403_without_init_data(client):
|
||||
"""Without X-Telegram-Init-Data and without MINI_APP_SKIP_AUTH → 403."""
|
||||
r = client.get(
|
||||
"/api/calendar-events",
|
||||
params={"from": "2025-01-01", "to": "2025-01-31"},
|
||||
)
|
||||
assert r.status_code == 403
|
||||
|
||||
|
||||
@patch("duty_teller.api.app.config.EXTERNAL_CALENDAR_ICS_URL", "")
|
||||
@patch("duty_teller.api.app.config.MINI_APP_SKIP_AUTH", True)
|
||||
def test_calendar_events_empty_url_returns_empty_list(client):
|
||||
|
||||
Reference in New Issue
Block a user