forked from Rockachopa/Timmy-time-dashboard
b615595100
* feat: upgrade primary model from llama3.1:8b to qwen2.5:14b - Swap OLLAMA_MODEL_PRIMARY to qwen2.5:14b for better reasoning - llama3.1:8b-instruct becomes fallback - Update .env default and README quick start - Fix hardcoded model assertions in tests qwen2.5:14b provides significantly better multi-step reasoning and tool calling reliability while still running locally on modest hardware. The 8B model remains as automatic fallback. * security: centralize config, harden uploads, fix silent exceptions - Add 9 pydantic Settings fields (skip_embeddings, disable_csrf, rqlite_url, brain_source, brain_db_path, csrf_cookie_secure, chat_api_max_body_bytes, timmy_test_mode) to centralize env-var access - Migrate 8 os.environ.get() calls across 5 source files to use `from config import settings` per project convention - Add path traversal defense-in-depth to file upload endpoint - Add 1MB request body size limit to chat API - Make CSRF cookie secure flag configurable via settings - Replace 2 silent `except: pass` blocks with debug logging in session.py - Remove unused `import os` from brain/memory.py and csrf.py - Update 5 CSRF test fixtures to patch settings instead of os.environ Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Trip T <trip@local> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
40 lines
1.5 KiB
Python
40 lines
1.5 KiB
Python
import pytest
|
|
from fastapi.testclient import TestClient
|
|
from dashboard.app import app
|
|
|
|
@pytest.fixture
|
|
def client():
|
|
return TestClient(app)
|
|
|
|
def test_security_headers_middleware_is_used(client):
|
|
"""Verify that SecurityHeadersMiddleware is used instead of the inline function."""
|
|
response = client.get("/")
|
|
# SecurityHeadersMiddleware sets X-Frame-Options to 'SAMEORIGIN' by default
|
|
assert response.headers["X-Frame-Options"] == "SAMEORIGIN"
|
|
# SecurityHeadersMiddleware also sets Permissions-Policy
|
|
assert "Permissions-Policy" in response.headers
|
|
|
|
def test_request_logging_middleware_is_used(client):
|
|
"""Verify that RequestLoggingMiddleware is used."""
|
|
response = client.get("/")
|
|
# RequestLoggingMiddleware adds X-Correlation-ID to the response
|
|
assert "X-Correlation-ID" in response.headers
|
|
|
|
def test_csrf_middleware_is_used(client):
|
|
"""Verify that CSRFMiddleware is used."""
|
|
from config import settings
|
|
original = settings.timmy_disable_csrf
|
|
settings.timmy_disable_csrf = False
|
|
try:
|
|
# GET request should set a csrf_token cookie if not present
|
|
response = client.get("/")
|
|
assert "csrf_token" in response.cookies
|
|
|
|
# POST request without token should be blocked (403)
|
|
# Use a path that isn't likely to be exempt
|
|
response = client.post("/agents/create")
|
|
assert response.status_code == 403
|
|
assert response.json()["code"] == "CSRF_INVALID"
|
|
finally:
|
|
settings.timmy_disable_csrf = original
|