API security hardening (#571)

* Enhance security and safety around user update API - Prevent a regular user from promoting themself to admin - Prevent an admin from demoting themself - Refactor token fixture to admin + regular user tokens * Restrict user CRUD API to admins * Secure admin API routes * Refactor APIrouter into Admin/UserAPIRouter * Secure theme routes * Make 'all recipes' routes public * Secure favorite routes * Remove redundant checks * Fix public routes mistakenly flagged user routes * Make webhooks changeable only by admin * Allow users to create categories and tags * Address lint issues
2025-08-05 05:25:26 +02:00 · 2021-06-22 20:22:15 +02:00 · 2021-06-22 20:22:15 +02:00 · 6320ba7ec5
commit 6320ba7ec5
parent f5faff66d3
43 changed files with 456 additions and 347 deletions
--- a/tests/integration_tests/test_group_routes.py
+++ b/tests/integration_tests/test_group_routes.py
@ -10,20 +10,20 @@ def group_data():
    return {"name": "Test Group"}


-def test_create_group(api_client: TestClient, api_routes: AppRoutes, token):
-    response = api_client.post(api_routes.groups, json={"name": "Test Group"}, headers=token)
+def test_create_group(api_client: TestClient, api_routes: AppRoutes, admin_token):
+    response = api_client.post(api_routes.groups, json={"name": "Test Group"}, headers=admin_token)

    assert response.status_code == 201


-def test_get_self_group(api_client: TestClient, api_routes: AppRoutes, token):
-    response = api_client.get(api_routes.groups, headers=token)
+def test_get_self_group(api_client: TestClient, api_routes: AppRoutes, admin_token):
+    response = api_client.get(api_routes.groups, headers=admin_token)

    assert response.status_code == 200
    assert len(json.loads(response.text)) >= 2


-def test_update_group(api_client: TestClient, api_routes: AppRoutes, token):
+def test_update_group(api_client: TestClient, api_routes: AppRoutes, admin_token):
    new_data = {
        "name": "New Group Name",
        "id": 2,
@ -36,23 +36,23 @@ def test_update_group(api_client: TestClient, api_routes: AppRoutes, token):
        "shoppingLists": [],
    }
    # Test Update
-    response = api_client.put(api_routes.groups_id(2), json=new_data, headers=token)
+    response = api_client.put(api_routes.groups_id(2), json=new_data, headers=admin_token)
    assert response.status_code == 200

    # Validate Changes
-    response = api_client.get(api_routes.groups, headers=token)
+    response = api_client.get(api_routes.groups, headers=admin_token)
    all_groups = json.loads(response.text)
    id_2 = filter(lambda x: x["id"] == 2, all_groups)
    assert next(id_2) == new_data


-def test_home_group_not_deletable(api_client: TestClient, api_routes: AppRoutes, token):
-    response = api_client.delete(api_routes.groups_id(1), headers=token)
+def test_home_group_not_deletable(api_client: TestClient, api_routes: AppRoutes, admin_token):
+    response = api_client.delete(api_routes.groups_id(1), headers=admin_token)

    assert response.status_code == 400


-def test_delete_group(api_client: TestClient, api_routes: AppRoutes, token):
-    response = api_client.delete(api_routes.groups_id(2), headers=token)
+def test_delete_group(api_client: TestClient, api_routes: AppRoutes, admin_token):
+    response = api_client.delete(api_routes.groups_id(2), headers=admin_token)

    assert response.status_code == 200