yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: update local authentication mode to require a non-placeholder token of at least 50 characters

Browse Source
This commit is contained in:
Abhimanyu Saharan
2026-02-11 19:30:25 +05:30
parent b87f56de7a
commit 571b4844d9
18 changed files with 363 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
backend/tests/conftest.py
View File

@@ -10,6 +10,6 @@ if str(ROOT) not in sys.path:
sys.path.insert(0, str(ROOT))
# Tests should fail fast if auth-mode wiring breaks, but still need deterministic
# defaults during import-time settings initialization.
os.environ.setdefault("AUTH_MODE", "local")
os.environ.setdefault("LOCAL_AUTH_TOKEN", "test-local-token")
# defaults during import-time settings initialization, regardless of shell env.
os.environ["AUTH_MODE"] = "local"
os.environ["LOCAL_AUTH_TOKEN"] = "test-local-token-0123456789-0123456789-0123456789x"

11
backend/tests/test_authenticate_request_flow.py
View File

@@ -9,6 +9,7 @@ import pytest
from fastapi import HTTPException
from app.core import auth
from app.core.auth_mode import AuthMode
from app.models.users import User
@@ -21,7 +22,7 @@ class _FakeSession:
async def test_get_auth_context_raises_401_when_clerk_signed_out(
monkeypatch: pytest.MonkeyPatch,
) -> None:
monkeypatch.setattr(auth.settings, "auth_mode", "clerk")
monkeypatch.setattr(auth.settings, "auth_mode", AuthMode.CLERK)
monkeypatch.setattr(auth.settings, "clerk_secret_key", "sk_test_dummy")
from clerk_backend_api.security.types import AuthStatus, RequestState
@@ -45,7 +46,7 @@ async def test_get_auth_context_raises_401_when_clerk_signed_out(
async def test_get_auth_context_uses_request_state_payload_claims(
monkeypatch: pytest.MonkeyPatch,
) -> None:
monkeypatch.setattr(auth.settings, "auth_mode", "clerk")
monkeypatch.setattr(auth.settings, "auth_mode", AuthMode.CLERK)
monkeypatch.setattr(auth.settings, "clerk_secret_key", "sk_test_dummy")
from clerk_backend_api.security.types import AuthStatus, RequestState
@@ -88,7 +89,7 @@ async def test_get_auth_context_uses_request_state_payload_claims(
async def test_get_auth_context_optional_returns_none_for_agent_token(
monkeypatch: pytest.MonkeyPatch,
) -> None:
monkeypatch.setattr(auth.settings, "auth_mode", "clerk")
monkeypatch.setattr(auth.settings, "auth_mode", AuthMode.CLERK)
monkeypatch.setattr(auth.settings, "clerk_secret_key", "sk_test_dummy")
async def _boom(_request: Any) -> Any: # pragma: no cover
@@ -108,7 +109,7 @@ async def test_get_auth_context_optional_returns_none_for_agent_token(
async def test_get_auth_context_local_mode_requires_valid_bearer_token(
monkeypatch: pytest.MonkeyPatch,
) -> None:
monkeypatch.setattr(auth.settings, "auth_mode", "local")
monkeypatch.setattr(auth.settings, "auth_mode", AuthMode.LOCAL)
monkeypatch.setattr(auth.settings, "local_auth_token", "expected-token")
async def _fake_local_user(_session: Any) -> User:
@@ -131,7 +132,7 @@ async def test_get_auth_context_local_mode_requires_valid_bearer_token(
async def test_get_auth_context_optional_local_mode_returns_none_without_token(
monkeypatch: pytest.MonkeyPatch,
) -> None:
monkeypatch.setattr(auth.settings, "auth_mode", "local")
monkeypatch.setattr(auth.settings, "auth_mode", AuthMode.LOCAL)
monkeypatch.setattr(auth.settings, "local_auth_token", "expected-token")
async def _boom(_session: Any) -> User: # pragma: no cover

70
backend/tests/test_config_auth_mode.py Normal file
View File

@@ -0,0 +1,70 @@
# ruff: noqa: INP001
"""Settings validation tests for auth-mode configuration."""
from __future__ import annotations
import pytest
from pydantic import ValidationError
from app.core.auth_mode import AuthMode
from app.core.config import Settings
def test_local_mode_requires_non_empty_token() -> None:
with pytest.raises(
ValidationError,
match="LOCAL_AUTH_TOKEN must be at least 50 characters and non-placeholder when AUTH_MODE=local",
):
Settings(
_env_file=None,
auth_mode=AuthMode.LOCAL,
local_auth_token="",
)
def test_local_mode_requires_minimum_length() -> None:
with pytest.raises(
ValidationError,
match="LOCAL_AUTH_TOKEN must be at least 50 characters and non-placeholder when AUTH_MODE=local",
):
Settings(
_env_file=None,
auth_mode=AuthMode.LOCAL,
local_auth_token="x" * 49,
)
def test_local_mode_rejects_placeholder_token() -> None:
with pytest.raises(
ValidationError,
match="LOCAL_AUTH_TOKEN must be at least 50 characters and non-placeholder when AUTH_MODE=local",
):
Settings(
_env_file=None,
auth_mode=AuthMode.LOCAL,
local_auth_token="change-me",
)
def test_local_mode_accepts_real_token() -> None:
token = "a" * 50
settings = Settings(
_env_file=None,
auth_mode=AuthMode.LOCAL,
local_auth_token=token,
)
assert settings.auth_mode == AuthMode.LOCAL
assert settings.local_auth_token == token
def test_clerk_mode_requires_secret_key() -> None:
with pytest.raises(
ValidationError,
match="CLERK_SECRET_KEY must be set and non-empty when AUTH_MODE=clerk",
):
Settings(
_env_file=None,
auth_mode=AuthMode.CLERK,
clerk_secret_key="",
)

3
backend/tests/test_local_auth_integration.py
View File

@@ -14,6 +14,7 @@ from sqlmodel.ext.asyncio.session import AsyncSession
from app.api.users import router as users_router
from app.core import auth as auth_module
from app.core.auth_mode import AuthMode
from app.core.config import settings
from app.db.session import get_session
@@ -51,7 +52,7 @@ async def test_local_auth_users_me_requires_and_accepts_valid_token(
expected_email = f"local-{unique_suffix}@localhost"
expected_name = "Local Integration User"
monkeypatch.setattr(settings, "auth_mode", "local")
monkeypatch.setattr(settings, "auth_mode", AuthMode.LOCAL)
monkeypatch.setattr(settings, "local_auth_token", "integration-token")
monkeypatch.setattr(auth_module, "LOCAL_AUTH_USER_ID", expected_user_id)
monkeypatch.setattr(auth_module, "LOCAL_AUTH_EMAIL", expected_email)