fix(security): add nonce-uniqueness test and fix caller indentation
This commit is contained in:
@@ -600,7 +600,7 @@
|
||||
localStorage.setItem('secret_phrase', data.secret_phrase);
|
||||
localStorage.setItem('secret_last_fetch', Date.now().toString());
|
||||
|
||||
utils.showAlert(elements.secretResult, { title: 'Secret Phrase:', body: data.secret_phrase }, 'success');
|
||||
utils.showAlert(elements.secretResult, { title: 'Secret Phrase:', body: data.secret_phrase }, 'success');
|
||||
} else {
|
||||
// Clear cached secret if user is no longer authorized
|
||||
localStorage.removeItem('secret_phrase');
|
||||
|
||||
@@ -51,6 +51,19 @@ def test_root_serves_csp_with_nonce():
|
||||
nonce = match.group(1)
|
||||
assert f'nonce="{nonce}"' in body
|
||||
|
||||
def test_root_csp_nonce_is_unique_per_request():
|
||||
"""Test that each GET / response gets a fresh CSP nonce (not module-level/static)."""
|
||||
import re
|
||||
n1 = re.search(
|
||||
r"nonce-([A-Za-z0-9_-]+)",
|
||||
client.get("/").headers.get("content-security-policy", ""),
|
||||
).group(1)
|
||||
n2 = re.search(
|
||||
r"nonce-([A-Za-z0-9_-]+)",
|
||||
client.get("/").headers.get("content-security-policy", ""),
|
||||
).group(1)
|
||||
assert n1 != n2
|
||||
|
||||
@patch('main.verify_token')
|
||||
def test_validate_token_success(mock_verify_token):
|
||||
"""Test successful token validation."""
|
||||
|
||||
Reference in New Issue
Block a user