harden telegram webapp production readiness

2026-05-12 19:14:21 +09:00
parent e75697f83e
commit 2ba2e88432
27 changed files with 931 additions and 155 deletions
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -0,0 +1,30 @@
+import pytest
+from conftest import TEST_BOT_TOKEN, make_init_data
+
+from app.core.config import Settings
+from app.services.telegram_auth import verify_webapp_init_data
+
+
+def test_telegram_init_data_auth() -> None:
+    values = verify_webapp_init_data(make_init_data(42), TEST_BOT_TOKEN)
+
+    assert values["id"] == 42
+
+
+def test_cors_config_reads_csv() -> None:
+    settings = Settings(
+        bot_token="token",
+        cors_origins="https://drivers.smartsoltech.kr,https://t.me",
+    )
+
+    assert settings.cors_origin_list == ["https://drivers.smartsoltech.kr", "https://t.me"]
+
+
+@pytest.mark.asyncio
+async def test_user_cannot_get_foreign_car(client, auth_headers, other_auth_headers) -> None:
+    created = await client.post("/api/cars", headers=auth_headers, json={"name": "Owner car"})
+    car_id = created.json()["id"]
+
+    response = await client.get(f"/api/cars/{car_id}", headers=other_auth_headers)
+
+    assert response.status_code == 403