[AZ-178] Fix Critical/High security findings: auth, CVEs, non-root containers, per-job SSE

- Pin all deps; h11==0.16.0 (CVE-2025-43859), python-multipart>=1.3.1 (CVE-2026-28356), PyJWT==2.12.1 - Add HMAC JWT verification (require_auth FastAPI dependency, JWT_SECRET-gated) - Fix TokenManager._refresh() to use ADMIN_API_URL instead of ANNOTATIONS_URL - Rename POST /detect → POST /detect/image (image-only, rejects video files) - Replace global SSE stream with per-job SSE: GET /detect/{media_id} with event replay buffer - Apply require_auth to all 4 protected endpoints - Fix on_annotation/on_status closure to use mutable current_id for correct post-upload event routing - Add non-root appuser to Dockerfile and Dockerfile.gpu - Add JWT_SECRET to e2e/docker-compose.test.yml and run-tests.sh - Update all e2e tests and unit tests for new endpoints and HMAC token signing - 64/64 tests pass Made-with: Cursor
2026-04-22 09:06:31 +00:00 · 2026-04-02 06:32:12 +03:00
parent dac350cbc5
commit 097811a67b
25 changed files with 369 additions and 429 deletions
@@ -276,6 +276,14 @@ class TestMediaContentHashFromFile:


 def _access_jwt(sub: str = "u1") -> str:
+    import jwt as pyjwt
+    secret = os.environ.get("JWT_SECRET", "")
+    if secret:
+        return pyjwt.encode(
+            {"exp": int(time.time()) + 3600, "sub": sub},
+            secret,
+            algorithm="HS256",
+        )
    raw = json.dumps(
        {"exp": int(time.time()) + 3600, "sub": sub}, separators=(",", ":")
    ).encode()
@@ -361,7 +369,10 @@ class TestDetectVideoEndpoint:
            os.environ["VIDEOS_DIR"] = vd
            from fastapi.testclient import TestClient
            client = TestClient(main.app)
-            with patch.object(main, "get_inference", return_value=_FakeInfStream()):
+            with (
+                patch.object(main, "JWT_SECRET", ""),
+                patch.object(main, "get_inference", return_value=_FakeInfStream()),
+            ):
                # Act
                r = client.post(
                    "/detect/video",
@@ -379,12 +390,13 @@ class TestDetectVideoEndpoint:
        from fastapi.testclient import TestClient
        client = TestClient(main.app)

-        # Act
-        r = client.post(
-            "/detect/video",
-            content=b"data",
-            headers={"X-Filename": "photo.jpg"},
-        )
+        # Act — patch JWT_SECRET to "" so auth does not block the extension check
+        with patch.object(main, "JWT_SECRET", ""):
+            r = client.post(
+                "/detect/video",
+                content=b"data",
+                headers={"X-Filename": "photo.jpg"},
+            )

        # Assert
        assert r.status_code == 400
@@ -411,12 +423,16 @@ class TestDetectVideoEndpoint:
            os.environ["VIDEOS_DIR"] = vd
            from fastapi.testclient import TestClient
            client = TestClient(main.app)
+            token = _access_jwt()
            with patch.object(main, "get_inference", return_value=_CaptureInf()):
                # Act
                r = client.post(
                    "/detect/video",
                    content=video_body,
-                    headers={"X-Filename": "v.mp4"},
+                    headers={
+                        "X-Filename": "v.mp4",
+                        "Authorization": f"Bearer {token}",
+                    },
                )

            # Assert