chore: finalize vite migration hardening and watchdog logging

2026-02-08 22:55:38 +08:00
parent c8e225101e
commit cf194bc3a3
27 changed files with 924 additions and 356 deletions
--- a/tests/test_auth_integration.py
+++ b/tests/test_auth_integration.py
@@ -102,9 +102,62 @@ class TestLoginRoute:
        assert response.status_code == 302

        # Check session contains admin
-        with client.session_transaction() as sess:
-            assert "admin" in sess
-            assert sess["admin"]["username"] == "92367"
+        with client.session_transaction() as sess:
+            assert "admin" in sess
+            assert sess["admin"]["username"] == "92367"
+
+    @patch('mes_dashboard.services.auth_service.LOCAL_AUTH_ENABLED', False)
+    @patch('mes_dashboard.routes.auth_routes.is_admin', return_value=True)
+    @patch('mes_dashboard.services.auth_service.requests.post')
+    def test_login_blocks_external_next_redirect(self, mock_post, _mock_is_admin, client):
+        """Should ignore external next URL and redirect to portal."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {
+            "success": True,
+            "user": {
+                "username": "92367",
+                "displayName": "Admin User",
+                "mail": "ymirliu@panjit.com.tw",
+                "department": "Test Dept",
+            },
+        }
+        mock_post.return_value = mock_response
+
+        response = client.post(
+            "/admin/login?next=https://evil.example/phish",
+            data={"username": "92367", "password": "password123"},
+            follow_redirects=False,
+        )
+
+        assert response.status_code == 302
+        assert "evil.example" not in response.location
+        assert response.location.endswith("/")
+
+    @patch('mes_dashboard.services.auth_service.LOCAL_AUTH_ENABLED', False)
+    @patch('mes_dashboard.routes.auth_routes.is_admin', return_value=True)
+    @patch('mes_dashboard.services.auth_service.requests.post')
+    def test_login_allows_internal_next_redirect(self, mock_post, _mock_is_admin, client):
+        """Should keep validated local path in next URL."""
+        mock_response = MagicMock()
+        mock_response.json.return_value = {
+            "success": True,
+            "user": {
+                "username": "92367",
+                "displayName": "Admin User",
+                "mail": "ymirliu@panjit.com.tw",
+                "department": "Test Dept",
+            },
+        }
+        mock_post.return_value = mock_response
+
+        response = client.post(
+            "/admin/login?next=/admin/pages",
+            data={"username": "92367", "password": "password123"},
+            follow_redirects=False,
+        )
+
+        assert response.status_code == 302
+        assert response.location.endswith("/admin/pages")

    @patch('mes_dashboard.services.auth_service.LOCAL_AUTH_ENABLED', False)
    @patch('mes_dashboard.services.auth_service.requests.post')