From b5b9d6e5f40286471ac041df2054acb7b05b5102 Mon Sep 17 00:00:00 2001 From: BoulderBadgeDad Date: Thu, 11 Jun 2026 17:38:24 -0700 Subject: [PATCH] #852 tests: cover the login-mode WS gate (the reported bypass was the login modal) The integration test only exercised the launch-PIN path; the actual #852 report is the "Sign in to SoulSync" username/password modal. Add login-mode cases: socketio connect is rejected when require_login is on + unauthenticated, allowed once login_authenticated. Confirms the WS gate covers both overlays. --- tests/test_ws_connect_gate.py | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/test_ws_connect_gate.py b/tests/test_ws_connect_gate.py index d861410d..0876ac51 100644 --- a/tests/test_ws_connect_gate.py +++ b/tests/test_ws_connect_gate.py @@ -82,3 +82,26 @@ def test_socket_allowed_when_pin_verified(monkeypatch): s['launch_pin_verified'] = True sio = web_server.socketio.test_client(web_server.app, flask_test_client=flask_client) assert sio.is_connected() is True + + +# ── login mode (the "Sign in to SoulSync" path — #852 report was this one) ── +def _login_on(monkeypatch): + real = web_server.config_manager.get + monkeypatch.setattr(web_server.config_manager, 'get', + lambda k, d=None: True if k == 'security.require_login' else real(k, d)) + + +def test_socket_rejected_when_login_required_and_unauthenticated(monkeypatch): + _login_on(monkeypatch) + flask_client = web_server.app.test_client() # no login_authenticated + sio = web_server.socketio.test_client(web_server.app, flask_test_client=flask_client) + assert sio.is_connected() is False # login overlay can't be bypassed via WS + + +def test_socket_allowed_when_login_authenticated(monkeypatch): + _login_on(monkeypatch) + flask_client = web_server.app.test_client() + with flask_client.session_transaction() as s: + s['login_authenticated'] = True + sio = web_server.socketio.test_client(web_server.app, flask_test_client=flask_client) + assert sio.is_connected() is True