Refactoring code for modular approach

2025-09-09 21:27:58 +02:00
parent 9a5d70e825
commit 71153a1ff5
55 changed files with 3928 additions and 1352 deletions
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -0,0 +1,61 @@
+# tests/test_security.py
+import pytest
+from fastapi import HTTPException
+from unittest.mock import patch
+
+
+class TestSecurity:
+    def test_protected_endpoint_without_auth(self, client):
+        """Test that protected endpoints reject unauthenticated requests"""
+        protected_endpoints = [
+            "/api/v1/products",
+            "/api/v1/stock",
+            "/api/v1/shops",
+            "/api/v1/stats",
+            "/api/v1/admin/users"
+        ]
+
+        for endpoint in protected_endpoints:
+            response = client.get(endpoint)
+            assert response.status_code == 403
+
+    def test_protected_endpoint_with_invalid_token(self, client):
+        """Test protected endpoints with invalid token"""
+        headers = {"Authorization": "Bearer invalid_token_here"}
+
+        response = client.get("/api/v1/products", headers=headers)
+        assert response.status_code == 403
+
+    def test_admin_endpoint_requires_admin_role(self, client, auth_headers):
+        """Test that admin endpoints require admin role"""
+        response = client.get("/api/v1/admin/users", headers=auth_headers)
+        assert response.status_code == 403  # Regular user should be denied
+
+    def test_sql_injection_prevention(self, client, auth_headers):
+        """Test SQL injection prevention in search parameters"""
+        # Try SQL injection in search parameter
+        malicious_search = "'; DROP TABLE products; --"
+
+        response = client.get(f"/api/v1/products?search={malicious_search}", headers=auth_headers)
+
+        # Should not crash and should return normal response
+        assert response.status_code == 200
+        # Database should still be intact (no products dropped)
+
+    def test_input_validation(self, client, auth_headers):
+        """Test input validation and sanitization"""
+        # Test XSS attempt in product creation
+        xss_payload = "<script>alert('xss')</script>"
+
+        product_data = {
+            "product_id": "XSS_TEST",
+            "title": xss_payload,
+            "description": xss_payload
+        }
+
+        response = client.post("/api/v1/products", headers=auth_headers, json=product_data)
+
+        if response.status_code == 200:
+            # If creation succeeds, content should be escaped/sanitized
+            data = response.json()
+            assert "<script>" not in data["title"]