fix(auth): drop reserved usernames loaded from auth config (#3727)

2026-06-17 02:05:22 -04:00 · 2026-06-10 17:31:26 +03:00
parent cd3fb4e96b
commit ee6cfbd25a
3 changed files with 106 additions and 3 deletions
@@ -58,6 +58,62 @@ def test_rename_into_reserved_username_is_blocked(tmp_path):
    assert "bob" in mgr.users


+def test_legacy_reserved_username_is_removed_on_load(tmp_path):
+    auth_path = tmp_path / "auth.json"
+    auth_path.write_text(
+        '{"users": {"internal-tool": {"password_hash": "unused", "is_admin": false}, '
+        '"admin": {"password_hash": "unused", "is_admin": true}}}',
+        encoding="utf-8",
+    )
+    mgr = _fresh_auth_manager(tmp_path)
+
+    assert "internal-tool" not in mgr.users
+    assert "admin" in mgr.users
+    assert "internal-tool" not in auth_path.read_text(encoding="utf-8")
+
+
+def test_legacy_reserved_username_session_cannot_authenticate(tmp_path):
+    auth_path = tmp_path / "auth.json"
+    sessions_path = tmp_path / "sessions.json"
+    auth_path.write_text(
+        '{"users": {"internal-tool": {"password_hash": "unused", "is_admin": false}}}',
+        encoding="utf-8",
+    )
+    sessions_path.write_text(
+        '{"tok": {"username": "internal-tool", "expiry": 9999999999}}',
+        encoding="utf-8",
+    )
+    mgr = _fresh_auth_manager(tmp_path)
+
+    assert mgr.validate_token("tok") is False
+    assert mgr.get_username_for_token("tok") is None
+
+
+def test_legacy_reserved_single_user_migrates_to_admin(tmp_path):
+    auth_path = tmp_path / "auth.json"
+    auth_path.write_text(
+        '{"username": "internal-tool", "password_hash": "unused"}',
+        encoding="utf-8",
+    )
+    mgr = _fresh_auth_manager(tmp_path)
+
+    assert "internal-tool" not in mgr.users
+    assert "admin" in mgr.users
+    assert mgr.is_admin("admin") is True
+
+
+def test_token_cache_owner_normalization_requires_current_user():
+    clear_module("core.auth")
+    from core.auth import normalize_known_username
+
+    users = {"alice": {}, "admin": {}}
+
+    assert normalize_known_username(users, " Alice ") == "alice"
+    assert normalize_known_username(users, "internal-tool") is None
+    assert normalize_known_username(users, "api") is None
+    assert normalize_known_username(users, "") is None
+
+
 def test_normal_usernames_still_allowed(tmp_path):
    mgr = _fresh_auth_manager(tmp_path)
    assert mgr.create_user("alice", "pw-123456") is True