Operation Darling Purge: slim to wealth core (-33,783 lines) (#121)

2026-03-02 13:17:38 -05:00
parent f694eff0a4
commit 584eeb679e
183 changed files with 154 additions and 33807 deletions
--- a/tests/security/test_security_regression.py
+++ b/tests/security/test_security_regression.py
@@ -1,46 +1,4 @@
-import hmac
-import hashlib
-import base64
 import pytest
-from timmy_serve.l402_proxy import create_l402_challenge, verify_l402_token, Macaroon, _sign
-
-def test_l402_macaroon_forgery_prevention():
-    """Test that knowing the hmac_secret is not enough to forge a macaroon.
-    
-    The forgery attempt uses the same hmac_secret found in a valid macaroon
-    but doesn't know the server's internal _MACAROON_SECRET.
-    """
-    # 1. Create a valid challenge
-    challenge = create_l402_challenge(100, "valid")
-    valid_token = challenge["macaroon"]
-    
-    # 2. Extract components from the valid macaroon
-    valid_mac = Macaroon.deserialize(valid_token)
-    assert valid_mac is not None
-    
-    # 3. Attempt to forge a macaroon for a different (unpaid) identifier
-    # but using the same hmac_secret and the same signing logic a naive 
-    # attacker might assume (if it was just hmac(hmac_secret, identifier)).
-    fake_identifier = "forged-payment-hash"
-    
-    # Naive forgery attempt:
-    fake_signature = hmac.new(
-        valid_mac.hmac_secret.encode(), 
-        fake_identifier.encode(), 
-        hashlib.sha256
-    ).hexdigest()
-    
-    fake_mac = Macaroon(
-        identifier=fake_identifier,
-        signature=fake_signature,
-        hmac_secret=valid_mac.hmac_secret,
-        version=valid_mac.version,
-        location=valid_mac.location
-    )
-    fake_token = fake_mac.serialize()
-    
-    # 4. Verification should fail because the server uses two-key derivation
-    assert verify_l402_token(fake_token) is False

 def test_xss_protection_in_templates():
    """Verify that templates now use the escape filter for user-controlled content."""
@@ -57,19 +15,3 @@ def test_xss_protection_in_templates():
            content = f.read()
            assert expected_snippet in content, f"XSS fix missing in {path}"

-def test_macaroon_serialization_v2():
-    """Test that the new serialization format includes the hmac_secret."""
-    mac = Macaroon(identifier="id", signature="sig", hmac_secret="secret")
-    serialized = mac.serialize()
-    
-    # Decode manually to check parts
-    raw = base64.urlsafe_b64decode(serialized.encode()).decode()
-    parts = raw.split(":")
-    assert len(parts) == 5
-    assert parts[2] == "id"
-    assert parts[3] == "sig"
-    assert parts[4] == "secret"
-    
-    # Test deserialization
-    restored = Macaroon.deserialize(serialized)
-    assert restored.hmac_secret == "secret"