feat: Enhance task access control and session management

- Implemented API and web task access assertions in the task status polling endpoint. - Added functions to remember and check task access in user sessions. - Updated task status tests to validate access control based on session data. - Enhanced download route tests to ensure proper access checks. - Improved SEO metadata handling with dynamic social preview images. - Updated sitemap generation to include blog posts and new tools. - Added a social preview SVG for better sharing on social media platforms.
2026-03-17 21:19:23 +02:00
parent ff5bd19335
commit 3f24a7ea3e
17 changed files with 384 additions and 75 deletions
--- a/backend/tests/test_download.py
+++ b/backend/tests/test_download.py
@@ -1,6 +1,8 @@
 """Tests for file download route."""
 import os

+from app.utils.auth import TASK_ACCESS_SESSION_KEY
+

 class TestDownload:
    def test_download_nonexistent_file(self, client):
@@ -31,6 +33,9 @@ class TestDownload:
        with open(file_path, 'wb') as f:
            f.write(b'%PDF-1.4 test content')

+        with client.session_transaction() as session:
+            session[TASK_ACCESS_SESSION_KEY] = [task_id]
+
        response = client.get(f'/api/download/{task_id}/{filename}')
        assert response.status_code == 200
        assert response.data == b'%PDF-1.4 test content'
@@ -45,5 +50,21 @@ class TestDownload:
        with open(os.path.join(output_dir, filename), 'wb') as f:
            f.write(b'%PDF-1.4')

+        with client.session_transaction() as session:
+            session[TASK_ACCESS_SESSION_KEY] = [task_id]
+
        response = client.get(f'/api/download/{task_id}/{filename}?name=my-document.pdf')
-        assert response.status_code == 200
+        assert response.status_code == 200
+
+    def test_download_requires_task_access(self, client, app):
+        """Should not serve an existing file without session or API ownership."""
+        task_id = 'protected-download-id'
+        filename = 'output.pdf'
+
+        output_dir = os.path.join(app.config['OUTPUT_FOLDER'], task_id)
+        os.makedirs(output_dir, exist_ok=True)
+        with open(os.path.join(output_dir, filename), 'wb') as f:
+            f.write(b'%PDF-1.4 protected')
+
+        response = client.get(f'/api/download/{task_id}/{filename}')
+        assert response.status_code == 404
--- a/backend/tests/test_tasks_route.py
+++ b/backend/tests/test_tasks_route.py
@@ -1,6 +1,8 @@
 """Tests for task status polling route."""
 from unittest.mock import patch, MagicMock

+from app.utils.auth import TASK_ACCESS_SESSION_KEY
+

 class TestTaskStatus:
    def test_pending_task(self, client, monkeypatch):
@@ -9,6 +11,9 @@ class TestTaskStatus:
        mock_result.state = 'PENDING'
        mock_result.info = None

+        with client.session_transaction() as session:
+            session[TASK_ACCESS_SESSION_KEY] = ['test-task-id']
+
        with patch('app.routes.tasks.AsyncResult', return_value=mock_result):
            response = client.get('/api/tasks/test-task-id/status')

@@ -24,6 +29,9 @@ class TestTaskStatus:
        mock_result.state = 'PROCESSING'
        mock_result.info = {'step': 'Converting page 3 of 10...'}

+        with client.session_transaction() as session:
+            session[TASK_ACCESS_SESSION_KEY] = ['processing-id']
+
        with patch('app.routes.tasks.AsyncResult', return_value=mock_result):
            response = client.get('/api/tasks/processing-id/status')

@@ -42,6 +50,9 @@ class TestTaskStatus:
            'filename': 'output.pdf',
        }

+        with client.session_transaction() as session:
+            session[TASK_ACCESS_SESSION_KEY] = ['success-id']
+
        with patch('app.routes.tasks.AsyncResult', return_value=mock_result):
            response = client.get('/api/tasks/success-id/status')

@@ -57,10 +68,19 @@ class TestTaskStatus:
        mock_result.state = 'FAILURE'
        mock_result.info = Exception('Conversion failed due to corrupt PDF.')

+        with client.session_transaction() as session:
+            session[TASK_ACCESS_SESSION_KEY] = ['failed-id']
+
        with patch('app.routes.tasks.AsyncResult', return_value=mock_result):
            response = client.get('/api/tasks/failed-id/status')

        assert response.status_code == 200
        data = response.get_json()
        assert data['state'] == 'FAILURE'
-        assert 'error' in data
+        assert 'error' in data
+
+    def test_unknown_task_without_access_returns_404(self, client):
+        """Should not expose task state without session or API ownership."""
+        response = client.get('/api/tasks/unknown-task/status')
+
+        assert response.status_code == 404