mirror of
https://github.com/alexgetmancom/miband-bot.git
synced 2026-07-19 20:20:14 +03:00
security: redact Xiaomi auth logs
This commit is contained in:
@@ -6,6 +6,7 @@ from unittest.mock import AsyncMock, MagicMock
|
||||
|
||||
import httpx
|
||||
import pytest
|
||||
from loguru import logger
|
||||
|
||||
from mi_fitness.auth import _helpers as auth_helpers
|
||||
from mi_fitness.auth import sts as auth_sts
|
||||
@@ -22,6 +23,13 @@ def _response(
|
||||
return httpx.Response(200, text=text, headers=headers, request=request)
|
||||
|
||||
|
||||
class _Cookie:
|
||||
def __init__(self, name: str, domain: str, value: str):
|
||||
self.name = name
|
||||
self.domain = domain
|
||||
self.value = value
|
||||
|
||||
|
||||
def test_parse_mi_response_supports_start_prefix() -> None:
|
||||
parsed = auth_helpers.parse_mi_response('&&&START&&&{"code":0,"desc":"ok"}')
|
||||
assert parsed == {"code": 0, "desc": "ok"}
|
||||
@@ -156,6 +164,26 @@ async def test_sts_exchange_uses_device_id_and_accepts_ok_response(
|
||||
assert params["p_ts"] == "1234"
|
||||
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_sts_exchange_does_not_log_cookie_values(monkeypatch: pytest.MonkeyPatch) -> None:
|
||||
http = MagicMock()
|
||||
http.get = AsyncMock(return_value=_response(text="ok"))
|
||||
http.cookies.jar = [_Cookie("serviceToken", "hlth.io.mi.com", "secret-service-token")]
|
||||
token = AuthToken(device_id="an_device", pass_token="secret-pass-token")
|
||||
messages: list[str] = []
|
||||
sink_id = logger.add(lambda message: messages.append(str(message)), level="DEBUG", format="{message}")
|
||||
|
||||
try:
|
||||
await auth_sts.sts_exchange(http, token)
|
||||
finally:
|
||||
logger.remove(sink_id)
|
||||
|
||||
logs = "\n".join(messages)
|
||||
assert "secret-service-token" not in logs
|
||||
assert "secret-pass-token" not in logs
|
||||
assert "serviceToken успешно сохранен" in logs
|
||||
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_sts_exchange_swallows_network_failure() -> None:
|
||||
http = MagicMock()
|
||||
|
||||
@@ -45,7 +45,7 @@ class _FakeAuth:
|
||||
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_qr_login_saves_token(monkeypatch: pytest.MonkeyPatch) -> None:
|
||||
async def test_qr_login_saves_token(monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str]) -> None:
|
||||
_FakeAuth.instances.clear()
|
||||
tmp_dir = _workspace_tmp_dir()
|
||||
monkeypatch.setattr(cli, "XiaomiAuth", _FakeAuth)
|
||||
@@ -55,6 +55,9 @@ async def test_qr_login_saves_token(monkeypatch: pytest.MonkeyPatch) -> None:
|
||||
auth = _FakeAuth.instances[-1]
|
||||
assert auth.login_calls == [("qr",)]
|
||||
assert auth.saved_path == tmp_dir / "token.json"
|
||||
stdout = capsys.readouterr().out
|
||||
assert "https://example.com/login" not in stdout
|
||||
assert "https://example.com/qr.png" not in stdout
|
||||
finally:
|
||||
shutil.rmtree(tmp_dir, ignore_errors=True)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user