curo/kite
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(05-12): resolve 3 critical code review findings

Browse Source 
CR-01: add `except HTTPException: raise` before broad except in
stream_document_content — prevents 503 (reconnect prompt) from being
swallowed and replaced with misleading 502

CR-02: move pre-flight credential checks BEFORE Redis setex in
oauth_initiate — no orphan state tokens written for unconfigured providers;
also adds onedrive_tenant_id to OneDrive pre-flight condition (WR-02)

CR-03: add CLOUD_CREDS_KEY to celery-worker environment in docker-compose.yml
— worker cannot decrypt cloud credentials without this key; every cloud
document task was silently failing at runtime

WR-03: assert Redis store empty after 400 pre-flight responses in both
new tests — confirms no token leak on misconfigured-provider requests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
curo1305
2026-05-30 18:04:09 +02:00
parent 12dd692f00
commit b1a136b5be
4 changed files with 23 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/tests/test_cloud.py
+8 -2
View File
@@ -784,7 +784,8 @@ async def test_oauth_initiate_returns_json_url(async_client, db_session, monkeyp
async def test_oauth_initiate_google_drive_not_configured(async_client, db_session, monkeypatch):
"""GET /api/cloud/oauth/initiate/google_drive returns 400 with env-var hint when creds missing.
Pre-flight check (plan 05-12): empty GOOGLE_CLIENT_ID/SECRET → 400 before touching OAuth libs.
Pre-flight check (plan 05-12): empty GOOGLE_CLIENT_ID/SECRET → 400 BEFORE Redis state write.
Asserts Redis store is empty to confirm no orphan state tokens are created on misconfigured calls.
"""
from main import app
from config import settings
@@ -802,16 +803,19 @@ async def test_oauth_initiate_google_drive_not_configured(async_client, db_sessi
follow_redirects=False,
)
redis_keys = list(fake_redis._store.keys())
app.state.redis = None
assert resp.status_code == 400, f"Expected 400, got {resp.status_code}: {resp.text}"
assert "GOOGLE_CLIENT_ID" in resp.json()["detail"], f"Unexpected detail: {resp.json()['detail']}"
assert len(redis_keys) == 0, f"Expected no Redis state token written on pre-flight failure, got: {redis_keys}"
async def test_oauth_initiate_onedrive_not_configured(async_client, db_session, monkeypatch):
"""GET /api/cloud/oauth/initiate/onedrive returns 400 with env-var hint when creds missing.
Pre-flight check (plan 05-12): empty ONEDRIVE_CLIENT_ID → 400 before touching MSAL.
Pre-flight check (plan 05-12): empty ONEDRIVE_CLIENT_ID → 400 BEFORE Redis state write.
Asserts Redis store is empty to confirm no orphan state tokens are created on misconfigured calls.
"""
from main import app
from config import settings
@@ -829,10 +833,12 @@ async def test_oauth_initiate_onedrive_not_configured(async_client, db_session,
follow_redirects=False,
)
redis_keys = list(fake_redis._store.keys())
app.state.redis = None
assert resp.status_code == 400, f"Expected 400, got {resp.status_code}: {resp.text}"
assert "ONEDRIVE_CLIENT_ID" in resp.json()["detail"], f"Unexpected detail: {resp.json()['detail']}"
assert len(redis_keys) == 0, f"Expected no Redis state token written on pre-flight failure, got: {redis_keys}"
async def test_oauth_initiate_requires_auth(async_client, db_session):