36 lines
1.5 KiB
Python
36 lines
1.5 KiB
Python
"""bluesky-pds — recipe-specific functional test (Phase 2 P3).
|
|
|
|
GETs the atproto session endpoint `/xrpc/com.atproto.server.getSession` WITHOUT an auth header.
|
|
Asserts the PDS responds with 401 Unauthorized — proves the auth subsystem is wired correctly:
|
|
- 200 = anonymous access leaked (would be a security bug).
|
|
- 401 = correctly enforced.
|
|
- 404 = route missing (PDS misconfigured).
|
|
- 5xx = backend broken.
|
|
|
|
Distinguishes "the atproto XRPC server is alive AND its auth contract is enforced" from generic
|
|
HTTP 200 health. Non-vacuous: each non-401 status indicates a different class of defect.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import os
|
|
import sys
|
|
|
|
sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
|
|
from harness import http as harness_http # noqa: E402
|
|
|
|
|
|
def test_get_session_requires_auth(live_app):
|
|
"""GET /xrpc/com.atproto.server.getSession (no token) → 401."""
|
|
url = f"https://{live_app}/xrpc/com.atproto.server.getSession"
|
|
status, body = harness_http.retry_http_get(url, expect_status=401, max_wait=60, interval=3)
|
|
assert status == 401, (
|
|
f"GET {url} returned {status}, expected 401 (auth required). "
|
|
f"200 = anonymous leak; 404 = route missing; 5xx = backend broken. "
|
|
f"body: {body!r}"
|
|
)
|
|
# The XRPC error envelope is JSON with an `error` field per the atproto spec.
|
|
assert isinstance(body, dict) and body.get(
|
|
"error"
|
|
), f"expected XRPC JSON error envelope; got: {body!r}"
|