fix: add security checks and tests for code review

Security: - Add authorization checks to list_packages, update_package, delete_package endpoints - Add MAX_TOTAL_ARTIFACTS limit (1000) to prevent memory exhaustion during dependency resolution - Add TooManyArtifactsError exception for proper error handling UI: - Display reverse dependency errors in PackagePage - Add warning display for failed dependency fetches in DependencyGraph Tests: - Add unit tests for metadata extraction (deb, wheel, tarball, jar) - Add unit tests for rate limit configuration - Add unit tests for PyPI registry client
2026-02-04 16:19:16 -06:00
parent 1389a03c69
commit 262aff6e97
8 changed files with 649 additions and 13 deletions
--- a/backend/tests/unit/test_rate_limit.py
+++ b/backend/tests/unit/test_rate_limit.py
@@ -0,0 +1,65 @@
+"""Unit tests for rate limiting configuration."""
+
+import os
+import pytest
+
+
+class TestRateLimitConfiguration:
+    """Tests for rate limit configuration."""
+
+    def test_default_login_rate_limit(self):
+        """Test default login rate limit is 5/minute."""
+        # Import fresh to get default value
+        import importlib
+        import app.rate_limit as rate_limit_module
+
+        # Save original env value
+        original = os.environ.get("ORCHARD_LOGIN_RATE_LIMIT")
+
+        try:
+            # Clear env variable to test default
+            if "ORCHARD_LOGIN_RATE_LIMIT" in os.environ:
+                del os.environ["ORCHARD_LOGIN_RATE_LIMIT"]
+
+            # Reload module to pick up new env
+            importlib.reload(rate_limit_module)
+
+            assert rate_limit_module.LOGIN_RATE_LIMIT == "5/minute"
+        finally:
+            # Restore original env value
+            if original is not None:
+                os.environ["ORCHARD_LOGIN_RATE_LIMIT"] = original
+            importlib.reload(rate_limit_module)
+
+    def test_custom_login_rate_limit(self):
+        """Test custom login rate limit from environment."""
+        import importlib
+        import app.rate_limit as rate_limit_module
+
+        # Save original env value
+        original = os.environ.get("ORCHARD_LOGIN_RATE_LIMIT")
+
+        try:
+            # Set custom rate limit
+            os.environ["ORCHARD_LOGIN_RATE_LIMIT"] = "10/minute"
+
+            # Reload module to pick up new env
+            importlib.reload(rate_limit_module)
+
+            assert rate_limit_module.LOGIN_RATE_LIMIT == "10/minute"
+        finally:
+            # Restore original env value
+            if original is not None:
+                os.environ["ORCHARD_LOGIN_RATE_LIMIT"] = original
+            else:
+                if "ORCHARD_LOGIN_RATE_LIMIT" in os.environ:
+                    del os.environ["ORCHARD_LOGIN_RATE_LIMIT"]
+            importlib.reload(rate_limit_module)
+
+    def test_limiter_exists(self):
+        """Test that limiter object is created."""
+        from app.rate_limit import limiter
+
+        assert limiter is not None
+        # Limiter should have a key_func set
+        assert limiter._key_func is not None