Harden auth flow against timing and event-loop blocking

2026-02-25 00:17:05 -05:00
parent 54232acd87
commit e7d3b41782
5 changed files with 460 additions and 171 deletions
--- a/server/tests/test_auth_service.py
+++ b/server/tests/test_auth_service.py
@@ -50,3 +50,20 @@ def test_bootstrap_admin_once(tmp_path: Path) -> None:
    finally:
        service.close()

+
+def test_login_missing_user_runs_dummy_verify(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> None:
+    service = make_auth_service(tmp_path)
+    try:
+        calls: list[tuple[str, str]] = []
+
+        def fake_verify(password: str, stored: str) -> bool:
+            calls.append((password, stored))
+            return False
+
+        monkeypatch.setattr(service, "_verify_password", fake_verify)
+        with pytest.raises(AuthError):
+            service.login("missing_user", "password99")
+        assert len(calls) == 1
+        assert calls[0][0] == "password99"
+    finally:
+        service.close()