feat: Sprint 19 — password auth, security headers, login page

Auth system (off by default, zero friction for localhost): - New api/auth.py module: password hashing (SHA-256 + STATE_DIR salt), signed HMAC session cookies (24h TTL), auth middleware - Enable via HERMES_WEBUI_PASSWORD env var or Settings panel - Minimal dark-themed login page at /login (self-contained HTML) - POST /api/auth/login, /api/auth/logout, GET /api/auth/status - Settings panel: "Access Password" field + "Sign Out" button - password_hash added to settings.json (null = auth disabled) Security hardening: - Security headers on all responses: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: same-origin - POST body size limit: 20MB cap in read_body() to prevent DoS Closes #23. 9 new tests. Total: 304 passed, 0 regressions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 05:53:26 -07:00
parent 1c6db07c2b
commit b8b62722ec
8 changed files with 417 additions and 1 deletions
--- a/tests/test_sprint19.py
+++ b/tests/test_sprint19.py
@@ -0,0 +1,108 @@
+"""
+Sprint 19 Tests: auth/login, security headers, request size limit.
+"""
+import json, urllib.error, urllib.request
+
+BASE = "http://127.0.0.1:8788"
+
+
+def get(path, headers=None):
+    req = urllib.request.Request(BASE + path)
+    if headers:
+        for k, v in headers.items():
+            req.add_header(k, v)
+    with urllib.request.urlopen(req, timeout=10) as r:
+        return json.loads(r.read()), r.status, dict(r.headers)
+
+
+def post(path, body=None, headers=None):
+    data = json.dumps(body or {}).encode()
+    req = urllib.request.Request(BASE + path, data=data,
+                                headers={"Content-Type": "application/json"})
+    if headers:
+        for k, v in headers.items():
+            req.add_header(k, v)
+    try:
+        with urllib.request.urlopen(req, timeout=10) as r:
+            return json.loads(r.read()), r.status, dict(r.headers)
+    except urllib.error.HTTPError as e:
+        return json.loads(e.read()), e.code, dict(e.headers)
+
+
+# ── Auth status (no password configured in test env) ──────────────────────
+
+def test_auth_status_disabled():
+    """Auth should be disabled by default (no password set)."""
+    d, status, _ = get("/api/auth/status")
+    assert status == 200
+    assert d["auth_enabled"] is False
+
+
+def test_login_when_auth_disabled():
+    """Login should succeed trivially when auth is not enabled."""
+    d, status, _ = post("/api/auth/login", {"password": "anything"})
+    assert status == 200
+    assert d["ok"] is True
+
+
+def test_all_routes_accessible_without_auth():
+    """When auth is disabled, all routes should work without cookies."""
+    d, status, _ = get("/api/sessions")
+    assert status == 200
+    assert "sessions" in d
+
+
+def test_login_page_served():
+    """GET /login should return the login page HTML."""
+    req = urllib.request.Request(BASE + "/login")
+    with urllib.request.urlopen(req, timeout=10) as r:
+        html = r.read().decode()
+        assert r.status == 200
+        assert "Sign in" in html
+        assert "Hermes" in html
+
+
+# ── Security headers ─────────────────────────────────────────────────────
+
+def test_security_headers_on_json():
+    """JSON responses should include security headers."""
+    d, status, headers = get("/api/auth/status")
+    assert status == 200
+    assert headers.get("X-Content-Type-Options") == "nosniff"
+    assert headers.get("X-Frame-Options") == "DENY"
+    assert headers.get("Referrer-Policy") == "same-origin"
+
+
+def test_security_headers_on_health():
+    """Health endpoint should include security headers."""
+    d, status, headers = get("/health")
+    assert status == 200
+    assert headers.get("X-Content-Type-Options") == "nosniff"
+
+
+def test_cache_control_no_store():
+    """API responses should have Cache-Control: no-store."""
+    d, status, headers = get("/api/sessions")
+    assert headers.get("Cache-Control") == "no-store"
+
+
+# ── Settings password field ──────────────────────────────────────────────
+
+def test_settings_password_hash_default_null():
+    """Default settings should have password_hash as None."""
+    d, status, _ = get("/api/settings")
+    assert status == 200
+    assert d.get("password_hash") is None
+
+
+def test_settings_save_preserves_other_fields():
+    """Saving settings should not break existing fields."""
+    # Get current settings
+    current, _, _ = get("/api/settings")
+    # Save with just send_key
+    d, status, _ = post("/api/settings", {"send_key": "enter"})
+    assert status == 200
+    # Verify other fields still present
+    updated, _, _ = get("/api/settings")
+    assert "default_model" in updated
+    assert "default_workspace" in updated