security: redact Xiaomi auth logs

This commit is contained in:
Alex
2026-05-24 21:53:13 +03:00
parent 7421c2488e
commit c56d9f7e41
6 changed files with 41 additions and 18 deletions
@@ -6,6 +6,7 @@ from unittest.mock import AsyncMock, MagicMock
import httpx
import pytest
from loguru import logger
from mi_fitness.auth import _helpers as auth_helpers
from mi_fitness.auth import sts as auth_sts
@@ -22,6 +23,13 @@ def _response(
return httpx.Response(200, text=text, headers=headers, request=request)
class _Cookie:
def __init__(self, name: str, domain: str, value: str):
self.name = name
self.domain = domain
self.value = value
def test_parse_mi_response_supports_start_prefix() -> None:
parsed = auth_helpers.parse_mi_response('&&&START&&&{"code":0,"desc":"ok"}')
assert parsed == {"code": 0, "desc": "ok"}
@@ -156,6 +164,26 @@ async def test_sts_exchange_uses_device_id_and_accepts_ok_response(
assert params["p_ts"] == "1234"
@pytest.mark.asyncio
async def test_sts_exchange_does_not_log_cookie_values(monkeypatch: pytest.MonkeyPatch) -> None:
http = MagicMock()
http.get = AsyncMock(return_value=_response(text="ok"))
http.cookies.jar = [_Cookie("serviceToken", "hlth.io.mi.com", "secret-service-token")]
token = AuthToken(device_id="an_device", pass_token="secret-pass-token")
messages: list[str] = []
sink_id = logger.add(lambda message: messages.append(str(message)), level="DEBUG", format="{message}")
try:
await auth_sts.sts_exchange(http, token)
finally:
logger.remove(sink_id)
logs = "\n".join(messages)
assert "secret-service-token" not in logs
assert "secret-pass-token" not in logs
assert "serviceToken успешно сохранен" in logs
@pytest.mark.asyncio
async def test_sts_exchange_swallows_network_failure() -> None:
http = MagicMock()
+4 -1
View File
@@ -45,7 +45,7 @@ class _FakeAuth:
@pytest.mark.asyncio
async def test_qr_login_saves_token(monkeypatch: pytest.MonkeyPatch) -> None:
async def test_qr_login_saves_token(monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str]) -> None:
_FakeAuth.instances.clear()
tmp_dir = _workspace_tmp_dir()
monkeypatch.setattr(cli, "XiaomiAuth", _FakeAuth)
@@ -55,6 +55,9 @@ async def test_qr_login_saves_token(monkeypatch: pytest.MonkeyPatch) -> None:
auth = _FakeAuth.instances[-1]
assert auth.login_calls == [("qr",)]
assert auth.saved_path == tmp_dir / "token.json"
stdout = capsys.readouterr().out
assert "https://example.com/login" not in stdout
assert "https://example.com/qr.png" not in stdout
finally:
shutil.rmtree(tmp_dir, ignore_errors=True)