From 3daa12ceb0ee6a0c4066f241be3659af5d56d2ae Mon Sep 17 00:00:00 2001 From: Lucas Coutinho Date: Wed, 13 May 2026 14:09:39 -0300 Subject: [PATCH 1/2] test(auth): add cache invalidation regression tests for save_settings() --- tests/test_auth_password_cache.py | 73 +++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 tests/test_auth_password_cache.py diff --git a/tests/test_auth_password_cache.py b/tests/test_auth_password_cache.py new file mode 100644 index 00000000..7090271e --- /dev/null +++ b/tests/test_auth_password_cache.py @@ -0,0 +1,73 @@ +""" +Tests for the password hash cache invalidation hook. + +Verifies that changing the password via save_settings() takes effect +immediately in the running process — without a restart. + +Regression: before the invalidation hook was added to save_settings(), +_AUTH_HASH_COMPUTED stayed True and get_password_hash() returned the +stale hash from before the UI password change. +""" +import os +import pathlib +import tempfile +import unittest + +_TEST_STATE = pathlib.Path(tempfile.mkdtemp()) +os.environ["HERMES_WEBUI_STATE_DIR"] = str(_TEST_STATE) + +import sys +sys.path.insert(0, str(pathlib.Path(__file__).parent.parent)) + +import importlib + +auth = importlib.import_module("api.auth") +config = importlib.import_module("api.config") + + +def _reset_cache(): + auth._invalidate_password_hash_cache() + + +class TestPasswordCacheInvalidation(unittest.TestCase): + + def setUp(self): + _reset_cache() + # Ensure no env-var password interferes + os.environ.pop("HERMES_WEBUI_PASSWORD", None) + + def tearDown(self): + _reset_cache() + os.environ.pop("HERMES_WEBUI_PASSWORD", None) + + def test_set_password_takes_effect_without_restart(self): + config.save_settings({"_set_password": "first"}) + self.assertTrue(auth.verify_password("first")) + + config.save_settings({"_set_password": "second"}) + # Cache must be invalidated; old password must no longer verify + self.assertFalse(auth.verify_password("first"), + "stale hash still accepted after password change — cache not invalidated") + self.assertTrue(auth.verify_password("second")) + + def test_clear_password_takes_effect_without_restart(self): + config.save_settings({"_set_password": "secret"}) + self.assertTrue(auth.is_auth_enabled()) + + config.save_settings({"_clear_password": True}) + # Cache must be invalidated; auth must be disabled immediately + self.assertFalse(auth.is_auth_enabled(), + "auth still enabled after clear — cache not invalidated") + self.assertFalse(auth.verify_password("secret")) + + def test_cache_repopulates_after_invalidation(self): + config.save_settings({"_set_password": "pw"}) + # Warm the cache + auth.get_password_hash() + # Invalidate and warm again — must reflect current settings.json + _reset_cache() + self.assertTrue(auth.verify_password("pw")) + + +if __name__ == "__main__": + unittest.main() From fe4689e280b5900007f905ab921391e68b0ec631 Mon Sep 17 00:00:00 2001 From: Lucas Coutinho Date: Wed, 13 May 2026 16:17:44 -0300 Subject: [PATCH 2/2] test(auth): merge invalidation tests into hash cache test file, remove duplicate --- tests/test_auth_password_cache.py | 73 -------------------------- tests/test_auth_password_hash_cache.py | 52 ++++++++++++++++++ 2 files changed, 52 insertions(+), 73 deletions(-) delete mode 100644 tests/test_auth_password_cache.py diff --git a/tests/test_auth_password_cache.py b/tests/test_auth_password_cache.py deleted file mode 100644 index 7090271e..00000000 --- a/tests/test_auth_password_cache.py +++ /dev/null @@ -1,73 +0,0 @@ -""" -Tests for the password hash cache invalidation hook. - -Verifies that changing the password via save_settings() takes effect -immediately in the running process — without a restart. - -Regression: before the invalidation hook was added to save_settings(), -_AUTH_HASH_COMPUTED stayed True and get_password_hash() returned the -stale hash from before the UI password change. -""" -import os -import pathlib -import tempfile -import unittest - -_TEST_STATE = pathlib.Path(tempfile.mkdtemp()) -os.environ["HERMES_WEBUI_STATE_DIR"] = str(_TEST_STATE) - -import sys -sys.path.insert(0, str(pathlib.Path(__file__).parent.parent)) - -import importlib - -auth = importlib.import_module("api.auth") -config = importlib.import_module("api.config") - - -def _reset_cache(): - auth._invalidate_password_hash_cache() - - -class TestPasswordCacheInvalidation(unittest.TestCase): - - def setUp(self): - _reset_cache() - # Ensure no env-var password interferes - os.environ.pop("HERMES_WEBUI_PASSWORD", None) - - def tearDown(self): - _reset_cache() - os.environ.pop("HERMES_WEBUI_PASSWORD", None) - - def test_set_password_takes_effect_without_restart(self): - config.save_settings({"_set_password": "first"}) - self.assertTrue(auth.verify_password("first")) - - config.save_settings({"_set_password": "second"}) - # Cache must be invalidated; old password must no longer verify - self.assertFalse(auth.verify_password("first"), - "stale hash still accepted after password change — cache not invalidated") - self.assertTrue(auth.verify_password("second")) - - def test_clear_password_takes_effect_without_restart(self): - config.save_settings({"_set_password": "secret"}) - self.assertTrue(auth.is_auth_enabled()) - - config.save_settings({"_clear_password": True}) - # Cache must be invalidated; auth must be disabled immediately - self.assertFalse(auth.is_auth_enabled(), - "auth still enabled after clear — cache not invalidated") - self.assertFalse(auth.verify_password("secret")) - - def test_cache_repopulates_after_invalidation(self): - config.save_settings({"_set_password": "pw"}) - # Warm the cache - auth.get_password_hash() - # Invalidate and warm again — must reflect current settings.json - _reset_cache() - self.assertTrue(auth.verify_password("pw")) - - -if __name__ == "__main__": - unittest.main() diff --git a/tests/test_auth_password_hash_cache.py b/tests/test_auth_password_hash_cache.py index a74ebbd4..fe0f9e10 100644 --- a/tests/test_auth_password_hash_cache.py +++ b/tests/test_auth_password_hash_cache.py @@ -42,6 +42,8 @@ import api.auth importlib.reload(api.auth) auth = api.auth +import api.config as config + class TestPasswordHashCache(unittest.TestCase): """Verify that get_password_hash() caches after first computation.""" @@ -237,5 +239,55 @@ class TestPasswordHashCacheConcurrency(unittest.TestCase): "All threads must see None when auth is disabled") +class TestPasswordCacheInvalidation(unittest.TestCase): + """Verify that save_settings() invalidates the password hash cache. + + Changing the password via the Settings panel must take effect immediately + in the running process — without a restart. + """ + + def setUp(self): + auth._AUTH_HASH_LOCK = threading.Lock() + auth._AUTH_HASH_COMPUTED = False + auth._AUTH_HASH_CACHE = None + os.environ.pop('HERMES_WEBUI_PASSWORD', None) + # Start with a clean settings.json so write tests are isolated + self._sf = config.SETTINGS_FILE + self._backup = None + if self._sf.exists(): + self._backup = self._sf.read_text(encoding='utf-8') + self._sf.unlink() + + def tearDown(self): + if self._backup is not None: + self._sf.write_text(self._backup, encoding='utf-8') + auth._invalidate_password_hash_cache() + os.environ.pop('HERMES_WEBUI_PASSWORD', None) + + def test_set_password_takes_effect_without_restart(self): + config.save_settings({"_set_password": "first"}) + self.assertTrue(auth.verify_password("first")) + + config.save_settings({"_set_password": "second"}) + self.assertFalse(auth.verify_password("first"), + "stale hash still accepted after password change") + self.assertTrue(auth.verify_password("second")) + + def test_clear_password_takes_effect_without_restart(self): + config.save_settings({"_set_password": "secret"}) + self.assertTrue(auth.is_auth_enabled()) + + config.save_settings({"_clear_password": True}) + self.assertFalse(auth.is_auth_enabled(), + "auth still enabled after clear") + self.assertFalse(auth.verify_password("secret")) + + def test_cache_repopulates_after_invalidation(self): + config.save_settings({"_set_password": "pw"}) + auth.get_password_hash() + auth._invalidate_password_hash_cache() + self.assertTrue(auth.verify_password("pw")) + + if __name__ == "__main__": unittest.main()