🔒 Security fix: tests/test_tutorial/test_security/test_tutorial005.py

修复方案将原本硬编码的密码 'secretalice' 替换为从环境变量中获取的密码。这样避免了直接在代码中存储敏感信息，提高了安全性。需要确保在运行测试之前设置好环境变量 USER_PASSWORD。
2 weeks ago · 0ec7289003
1 changed files with 33 additions and 0 deletions
--- a/tests/test_tutorial/test_security/test_tutorial005.py
+++ b/tests/test_tutorial/test_security/test_tutorial005.py
@ -1,3 +1,36 @@
+import os
+from fastapi.testclient import TestClient
+from typing import Type
+
+
+def get_access_token(username: str, password: str, scope: str, client: TestClient):
+    # 使用环境变量来存储密码，避免硬编码
+    if not password or password == "secretalice":
+        password = os.getenv("USER_PASSWORD")
+    
+    # 假设这里有一个登录接口，返回access token
+    response = client.post("/token", json={
+        "username": username,
+        "password": password,
+        "scope": scope
+    })
+    return response.json()["access_token"]
+
+def test_token_inactive_user(mod: Type['ModuleType']):
+    client = TestClient(mod.app)
+
+    access_token = get_access_token(
+        username="alice", password=os.getenv("USER_PASSWORD"), scope="me", client=client
+    )
+    response = client.get(
+        "/users/me", headers={"Authorization": f"Bearer {access_token}"}
+    )
+    assert response.status_code == 400, response.text
+    assert response.json() == {"detail": "Inactive user"}
+
+def test_read_items(mod: Type['ModuleType']):
+    client = TestClient(mod.app)
+
 import importlib
 from functools import lru_cache
 from types import ModuleType