[AZ-178] Fix Critical/High security findings: auth, CVEs, non-root containers, per-job SSE

- Pin all deps; h11==0.16.0 (CVE-2025-43859), python-multipart>=1.3.1 (CVE-2026-28356), PyJWT==2.12.1 - Add HMAC JWT verification (require_auth FastAPI dependency, JWT_SECRET-gated) - Fix TokenManager._refresh() to use ADMIN_API_URL instead of ANNOTATIONS_URL - Rename POST /detect → POST /detect/image (image-only, rejects video files) - Replace global SSE stream with per-job SSE: GET /detect/{media_id} with event replay buffer - Apply require_auth to all 4 protected endpoints - Fix on_annotation/on_status closure to use mutable current_id for correct post-upload event routing - Add non-root appuser to Dockerfile and Dockerfile.gpu - Add JWT_SECRET to e2e/docker-compose.test.yml and run-tests.sh - Update all e2e tests and unit tests for new endpoints and HMAC token signing - 64/64 tests pass Made-with: Cursor
2026-04-22 20:16:31 +00:00 · 2026-04-02 06:32:12 +03:00
parent dac350cbc5
commit 097811a67b
25 changed files with 369 additions and 429 deletions
@@ -20,17 +20,32 @@ def _chunked_reader(path: str, chunk_size: int = 64 * 1024):


@pytest.fixture(scope="module")
-def video_events(warm_engine, http_client):
+def video_events(warm_engine, http_client, auth_headers):
    if not Path(_VIDEO).is_file():
        pytest.skip(f"missing fixture {_VIDEO}")

+    r = http_client.post(
+        "/detect/video",
+        data=_chunked_reader(_VIDEO),
+        headers={
+            **auth_headers,
+            "X-Filename": "video_test01.mp4",
+            "Content-Type": "application/octet-stream",
+        },
+        timeout=15,
+    )
+    assert r.status_code == 200
+    media_id = r.json()["mediaId"]
+
    collected: list[tuple[float, dict]] = []
    thread_exc: list[BaseException] = []
    done = threading.Event()

    def _listen():
        try:
-            with http_client.get("/detect/stream", stream=True, timeout=35) as resp:
+            with http_client.get(
+                f"/detect/{media_id}", stream=True, timeout=35, headers=auth_headers
+            ) as resp:
                resp.raise_for_status()
                sse = sseclient.SSEClient(resp)
                for event in sse.events():
@@ -50,16 +65,6 @@ def video_events(warm_engine, http_client):

    th = threading.Thread(target=_listen, daemon=True)
    th.start()
-    time.sleep(0.3)
-
-    r = http_client.post(
-        "/detect/video",
-        data=_chunked_reader(_VIDEO),
-        headers={"X-Filename": "video_test01.mp4", "Content-Type": "application/octet-stream"},
-        timeout=15,
-    )
-    assert r.status_code == 200
-
    assert done.wait(timeout=30)
    th.join(timeout=5)
    assert not thread_exc, thread_exc