test: harden security coverage for body cap, CSRF, and JWKS (#31/#32/#36)#46

Merged
tcconnally merged 1 commit into main from test/security-coverage-31-32-36 on Jun 24, 2026
Conversation

@tcconnally

Contributor

Why

The v0.7 security hardening (PR #42) shipped with uneven test coverage. Per the launch-gate follow-up, #31 (body cap), #32 (CSRF/same-origin), and #36 (JWKS) had lighter coverage than ideal — #32 had none, and the only #36 test reached out to Google's live JWKS endpoint (flaky offline). This PR closes those gaps with self-contained tests — no network, no crypto dependencies — to harden the public-launch gate.

Tests only; no behavior change.

What

#36 — RS256 / JWKS signature verification (TestRS256Verification)
A fixed RSA-2048 test keypair signs tokens in pure Python (EMSA-PKCS1-v1_5 / SHA-256), and _get_public_key is patched to return its public half — so the hand-rolled verifier is exercised deterministically. Covers:

  • valid signature accepted
  • tampered payload rejected (hash mismatch)
  • alg=none downgrade rejected
  • alg=HS256 rejected
  • missing kid, malformed token, wrong key
  • _claims_from_id_token actually running verification on the real (non-hdr) path

#32 — CSRF / same-origin (TestSameOrigin unit + TestCSRFEnforcement integration)
Previously untested. Full branch coverage of _same_origin (matching/mismatched Origin, Referer fallback, no headers, no base_url, Origin-over-Referer precedence, trailing-slash normalization), plus live-server enforcement: cookie-authenticated POSTs are blocked cross-origin and origin-less, allowed same-origin, while Bearer /v1/usage stays exempt.

#31 — body cap (TestBodyCap)
_body boundary coverage: at-limit allowed, over-limit raises _BodyTooLarge, missing Content-Length is empty, and the 1 MiB default constant.

Verification

Full suite: 142 passed (was 118) locally on Windows / Python 3.14.

🤖 Generated with Claude Code
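The #36 tests described above exercise a hand-rolled RS256 verifier against a fixed keypair with the network taken out of the loop. The block below is an added example, not code from this PR or from the project it belongs to: it generates a small RSA keypair in pure Python, signs with EMSA-PKCS1-v1_5 / SHA-256, and verifies tokens with the algorithm pinned to RS256 before any key is consulted, so the `alg=none` and `alg=HS256` cases the PR lists are refused up front. The `KEYS` dict plays the role of the patched `_get_public_key`; the 1024-bit key size (chosen so import stays fast, the PR uses RSA-2048), the `kid` value `test-key`, and every function name here are assumptions of this example.

```python
import base64
import hashlib
import json
import secrets

# Minimal RSA, constructed for this example (the PR's tests use a fixed RSA-2048
# pair; a fresh 1024-bit pair is generated at import here to keep it fast).
def _is_probable_prime(n, rounds=16):
    d, r = n - 1, 0  # n - 1 = d * 2**r; Miller-Rabin, callers pass odd candidates
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand
def generate_rsa_keypair(bits=1024):
    """Return ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa_pkcs1_v1_5(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into a k-byte block."""
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v1_5(msg, k), "big"), d, n).to_bytes(k, "big")
def rsa_verify(pub, msg, sig):
    """Re-encode and compare the whole block, so the padding is never parsed leniently."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return secrets.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v1_5(msg, k))

# JWT layer. The kid -> public-key dict stands in for the JWKS lookup the PR patches.
class InvalidToken(Exception):
    pass
def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg.encode("ascii") + b"=" * (-len(seg) % 4))
def segment(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())
def sign_jwt(priv, claims, kid="test-key"):
    signing_input = f"{segment({'alg': 'RS256', 'typ': 'JWT', 'kid': kid})}.{segment(claims)}"
    return f"{signing_input}.{_b64url(rsa_sign(priv, signing_input.encode()))}"
def verify_jwt(token, keys):
    """Return the claims or raise InvalidToken. alg is pinned to RS256 before any key is
    touched, so alg=none and alg=HS256 (public key reused as HMAC secret) are refused."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("undecodable segment") from exc
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise InvalidToken("alg must be RS256")
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in keys:
        raise InvalidToken("missing or unknown kid")
    if not rsa_verify(keys[kid], f"{parts[0]}.{parts[1]}".encode(), sig):
        raise InvalidToken("signature mismatch")
    return claims
def is_rejected(token, keys=None):
    """True when verify_jwt refuses the token against KEYS (or the given key set)."""
    try:
        return verify_jwt(token, KEYS if keys is None else keys) is None
    except InvalidToken:
        return True

PUBLIC_KEY, PRIVATE_KEY = generate_rsa_keypair()
KEYS = {"test-key": PUBLIC_KEY}
```

The order of checks in `verify_jwt` is the point: structure, then `alg`, then `kid`, then signature. Checking `alg` before looking up a key is what makes the downgrade cases independent of which key `kid` names, and comparing the full re-encoded EMSA block (rather than parsing the padding out of the decrypted value) avoids the lenient-parsing mistakes that have historically affected PKCS#1 v1.5 verifiers.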

)

The v0.7 security fixes shipped with uneven test coverage. This adds
self-contained tests (no network, no crypto deps) for the three lighter areas,
hardening the public-launch gate.

#36 (RS256 / JWKS) — a fixed RSA-2048 test keypair signs tokens in pure Python
and _get_public_key is patched to return its public half, so signature
verification is exercised deterministically instead of fetching Google's live
JWKS. Covers: valid signature accepted; tampered payload rejected; alg=none
downgrade rejected; alg=HS256 rejected; missing kid; malformed token; wrong key;
and the _claims_from_id_token path actually running verification.

#32 (CSRF / same-origin) — previously untested. Adds full branch coverage of
_same_origin (matching/mismatched Origin, Referer fallback, no headers, no
base_url, Origin-over-Referer precedence, trailing-slash) plus live-server
enforcement: cookie POSTs are blocked cross-origin / origin-less and allowed
same-origin, while Bearer /v1/usage stays exempt.

#31 (body cap) — adds _body boundary coverage: at-limit allowed, over-limit
raises _BodyTooLarge, missing Content-Length is empty, and the 1 MiB default.

Tests only; no behavior change. Full suite: 142 passed (was 118).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
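The #32 and #31 items in the PR description and commit message describe two request guards: a same-origin check for cookie-authenticated requests and a Content-Length cap. The block below is an added example, not the project's `_same_origin` or `_body` and not its tests: standalone equivalents that implement the branches the PR lists (Origin over Referer, Referer fallback, trailing-slash normalisation, fail-closed on missing headers or missing `base_url`; at-limit allowed, over-limit raises, missing Content-Length reads as empty, 1 MiB default), plus the cookie-versus-Bearer exemption rule. The header handling, the `is_csrf_blocked` decision function, and the treatment of a non-numeric Content-Length are assumptions of this example.

```python
import io
from urllib.parse import urlsplit

MAX_BODY_BYTES = 1 << 20  # 1 MiB: the default limit the PR's body-cap tests check

class BodyTooLarge(Exception):
    pass

def _origin(url):
    """Canonical scheme://host[:port] (lower-cased, path and trailing slash dropped),
    or None when unusable. An Origin of "null" (opaque origin) has no scheme, so it
    canonicalises to None and is therefore denied."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"

def same_origin(headers, base_url):
    """Assumed rules (not the project's _same_origin): a non-empty Origin header is
    authoritative, Referer is only a fallback, and no base_url or no header fails closed."""
    expected = _origin(base_url) if base_url else None
    h = {k.lower(): v for k, v in headers.items()}
    candidate = h.get("origin") or h.get("referer")
    if expected is None or not candidate:
        return False
    return _origin(candidate) == expected

def is_csrf_blocked(method, headers, base_url):
    """Cookie-authenticated state-changing requests must be same-origin. A Bearer token
    is attached by page script rather than by the browser automatically, so those
    requests carry no ambient credential and are exempt (as /v1/usage is in the PR)."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False
    if h.get("authorization", "").lower().startswith("bearer "):
        return False
    return "cookie" in h and not same_origin(headers, base_url)

def read_body(headers, stream, limit=MAX_BODY_BYTES):
    """Missing Content-Length reads as b"" (as in the PR); a declared length over the
    limit raises BodyTooLarge before any byte is read; the read is then capped at the
    declared length so a client cannot stream past it. A non-numeric or negative value
    raises ValueError (an assumption of this example)."""
    h = {k.lower(): v for k, v in headers.items()}
    raw = h.get("content-length")
    if raw is None:
        return b""
    raw = raw.strip()
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("invalid Content-Length")
    declared = int(raw)
    if declared > limit:
        raise BodyTooLarge(f"declared {declared} bytes, limit {limit}")
    return stream.read(declared)

def read_body_bytes(headers, payload, limit=MAX_BODY_BYTES):
    """Same check over an in-memory payload (constructed input for the checks below)."""
    return read_body(headers, io.BytesIO(payload), limit)

def body_rejected(headers, payload, limit=MAX_BODY_BYTES):
    """True when read_body_bytes raises BodyTooLarge for this request."""
    try:
        return read_body_bytes(headers, payload, limit) is None
    except BodyTooLarge:
        return True
```

Two design choices worth noting. The origin comparison canonicalises both sides to `scheme://host[:port]`, which is what makes `https://app.example.test/` and `https://app.example.test` agree and also what turns an opaque `Origin: null` into a denial rather than a string match. The body cap rejects on the declared length before reading and then never reads more than that length, so the limit holds whether the client lies in Content-Length or not.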
@tcconnally tcconnally merged commit 3edf1d6 into main Jun 24, 2026
4 checks passed
@tcconnally tcconnally deleted the test/security-coverage-31-32-36 branch June 24, 2026 20:21