fix(security): add username validation, constant-time login, default credential rejection, and tooling

2026-02-18 19:11:14 +01:00
parent 1521005b62
commit f41b8fd8c2
8 changed files with 393 additions and 1 deletions
--- a/backend/tests/test_security_validators.py
+++ b/backend/tests/test_security_validators.py
@@ -0,0 +1,85 @@
+"""Tests for security validators (username, password complexity)."""
+
+import sys
+import os
+
+backend_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
+if backend_dir not in sys.path:
+    sys.path.insert(0, backend_dir)
+
+import pytest
+from pydantic import ValidationError
+
+from app.schemas.user import UserCreate
+
+
+# ── Username validation ──────────────────────────────────────────────
+
+
+class TestUsernameValidation:
+
+    def test_valid_username(self):
+        u = UserCreate(username="john_doe", password="SecurePass123!@#")
+        assert u.username == "john_doe"
+
+    def test_valid_username_with_hyphens(self):
+        u = UserCreate(username="john-doe", password="SecurePass123!@#")
+        assert u.username == "john-doe"
+
+    def test_valid_username_numeric(self):
+        u = UserCreate(username="user123", password="SecurePass123!@#")
+        assert u.username == "user123"
+
+    def test_too_short_username(self):
+        with pytest.raises(ValidationError, match="3-50 characters"):
+            UserCreate(username="ab", password="SecurePass123!@#")
+
+    def test_username_with_spaces(self):
+        with pytest.raises(ValidationError, match="3-50 characters"):
+            UserCreate(username="john doe", password="SecurePass123!@#")
+
+    def test_username_with_special_chars(self):
+        with pytest.raises(ValidationError, match="3-50 characters"):
+            UserCreate(username="john@doe", password="SecurePass123!@#")
+
+    def test_reserved_username_admin(self):
+        with pytest.raises(ValidationError, match="reserved"):
+            UserCreate(username="admin", password="SecurePass123!@#")
+
+    def test_reserved_username_root(self):
+        with pytest.raises(ValidationError, match="reserved"):
+            UserCreate(username="root", password="SecurePass123!@#")
+
+    def test_reserved_username_case_insensitive(self):
+        with pytest.raises(ValidationError, match="reserved"):
+            UserCreate(username="ADMIN", password="SecurePass123!@#")
+
+
+# ── Password validation ─────────────────────────────────────────────
+
+
+class TestPasswordValidation:
+
+    def test_valid_strong_password(self):
+        u = UserCreate(username="testuser", password="SecurePass123!@#")
+        assert u.password == "SecurePass123!@#"
+
+    def test_too_short_password(self):
+        with pytest.raises(ValidationError, match="12 characters"):
+            UserCreate(username="testuser", password="Short1!")
+
+    def test_no_uppercase(self):
+        with pytest.raises(ValidationError, match="uppercase"):
+            UserCreate(username="testuser", password="securepass123!@#")
+
+    def test_no_lowercase(self):
+        with pytest.raises(ValidationError, match="lowercase"):
+            UserCreate(username="testuser", password="SECUREPASS123!@#")
+
+    def test_no_digit(self):
+        with pytest.raises(ValidationError, match="digit"):
+            UserCreate(username="testuser", password="SecurePassword!@#")
+
+    def test_no_special_char(self):
+        with pytest.raises(ValidationError, match="special"):
+            UserCreate(username="testuser", password="SecurePass12345")