fix(security): add nonce-uniqueness test and fix caller indentation
This commit is contained in:
@@ -600,7 +600,7 @@
|
|||||||
localStorage.setItem('secret_phrase', data.secret_phrase);
|
localStorage.setItem('secret_phrase', data.secret_phrase);
|
||||||
localStorage.setItem('secret_last_fetch', Date.now().toString());
|
localStorage.setItem('secret_last_fetch', Date.now().toString());
|
||||||
|
|
||||||
utils.showAlert(elements.secretResult, { title: 'Secret Phrase:', body: data.secret_phrase }, 'success');
|
utils.showAlert(elements.secretResult, { title: 'Secret Phrase:', body: data.secret_phrase }, 'success');
|
||||||
} else {
|
} else {
|
||||||
// Clear cached secret if user is no longer authorized
|
// Clear cached secret if user is no longer authorized
|
||||||
localStorage.removeItem('secret_phrase');
|
localStorage.removeItem('secret_phrase');
|
||||||
|
|||||||
@@ -51,6 +51,19 @@ def test_root_serves_csp_with_nonce():
|
|||||||
nonce = match.group(1)
|
nonce = match.group(1)
|
||||||
assert f'nonce="{nonce}"' in body
|
assert f'nonce="{nonce}"' in body
|
||||||
|
|
||||||
|
def test_root_csp_nonce_is_unique_per_request():
|
||||||
|
"""Test that each GET / response gets a fresh CSP nonce (not module-level/static)."""
|
||||||
|
import re
|
||||||
|
n1 = re.search(
|
||||||
|
r"nonce-([A-Za-z0-9_-]+)",
|
||||||
|
client.get("/").headers.get("content-security-policy", ""),
|
||||||
|
).group(1)
|
||||||
|
n2 = re.search(
|
||||||
|
r"nonce-([A-Za-z0-9_-]+)",
|
||||||
|
client.get("/").headers.get("content-security-policy", ""),
|
||||||
|
).group(1)
|
||||||
|
assert n1 != n2
|
||||||
|
|
||||||
@patch('main.verify_token')
|
@patch('main.verify_token')
|
||||||
def test_validate_token_success(mock_verify_token):
|
def test_validate_token_success(mock_verify_token):
|
||||||
"""Test successful token validation."""
|
"""Test successful token validation."""
|
||||||
|
|||||||
Reference in New Issue
Block a user