test(mcp): cover per-request auth and workspace isolation

This commit is contained in:
CREDO23 2026-07-07 16:52:30 +02:00
parent 44d0f28c5f
commit fa7d5f83f0
5 changed files with 172 additions and 2 deletions

View file

@ -0,0 +1,40 @@
"""API key extraction from request headers: Bearer, fallback, and rejection."""
from __future__ import annotations
from starlette.datastructures import Headers
from surfsense_mcp.core.auth.headers import extract_api_key
def _headers(**pairs: str) -> Headers:
return Headers(pairs)
def test_reads_bearer_token():
assert extract_api_key(_headers(authorization="Bearer ss_pat_abc")) == "ss_pat_abc"
def test_bearer_scheme_is_case_insensitive():
assert extract_api_key(_headers(authorization="bearer ss_pat_abc")) == "ss_pat_abc"
def test_falls_back_to_x_api_key():
assert extract_api_key(Headers({"x-api-key": "ss_pat_xyz"})) == "ss_pat_xyz"
def test_bearer_wins_over_fallback():
headers = Headers({"authorization": "Bearer primary", "x-api-key": "secondary"})
assert extract_api_key(headers) == "primary"
def test_missing_headers_return_none():
assert extract_api_key(_headers()) is None
def test_empty_bearer_is_rejected():
assert extract_api_key(_headers(authorization="Bearer ")) is None
def test_non_bearer_authorization_is_ignored():
assert extract_api_key(_headers(authorization="Basic abc123")) is None