Validate only token-supplied direct base_url values for API-token chat requests, while keeping admin-configured endpoints available for local/LAN providers.
Scope configured endpoint fallback selection to the API token owner, fail closed for unknown token owners, and preserve strict session ownership checks when resuming sessions from chat-scoped API tokens.
Add focused regression coverage for direct base_url SSRF rejection, configured endpoint fallback behavior, token-owner scoping, URL validation, and null-owner session/endpoint handling.
Three test files (test_auth_regressions, test_auth_event_loop,
test_null_owner_gates) install stubs for core.database / core.auth /
src.endpoint_resolver at module-import time, so they outlive the
file and are still present in sys.modules when later-collected test
files try to import the real modules. The stubs are minimal (a
handful of MagicMock attrs) so the import chain that follows fails
with ImportError on the very next real import.
test_companion_pairing also leaks, with a twist: its _DBStub
subclass returns a MagicMock for *any* attribute including dunders,
so the next test that does `from core.database import *` reads
`__all__` as a MagicMock and dies with 'Item in __all__ must be
str, not MagicMock'.
Move the stub installation into an autouse fixture per file and
register each stub with monkeypatch.setitem so sys.modules is
restored to its pre-test state on teardown. Tighten _DBStub to
refuse dunder names so __all__ stays undefined. _CAPTURED is
cleared per test so the mint-token assertions see a fresh dict.
Before: 3 test files fail at collection time (test_chat_image_routing,
test_context_compactor, test_webhook_ssrf_resilience). After: 0
collection errors. 1365/1370 pass, 1 skip, 4 unrelated pre-existing
failures (verified against origin/main baseline).
Out of scope: test_task_scheduler_session_delivery::
test_session_delivery_survives_empty_database also fails in the
full suite due to order-dependent state from a different test
file. That's a separate leak with a different root cause.
The sync-chat endpoint's Case 3 fallback selected a ModelEndpoint with an
unscoped `query(ModelEndpoint).filter(is_enabled == True).first()` and then
used that row's decrypted `api_key` for the LLM call. ModelEndpoint is a
per-user resource (owner non-null = private to that user), so a chat-scoped
API token for user A that sent no session and no api_key could fall back onto
user B's PRIVATE endpoint — spending B's API key/quota and reaching whatever
internal base_url B configured. This is the same multi-tenant owner-scoping
class already fixed for the session gate on this very endpoint
(_caller_owns_session) and for companion/models.
Scope the fallback to the token owner's own rows plus legacy null-owner
(shared) rows via the existing owner_filter helper, matching
routes/model_routes.py and companion/routes.py. A null/empty owner stays a
no-op, preserving single-user/legacy behaviour.
Add regression tests pinning the scoped fallback (cross-owner, shared-only,
no-visible-row, disabled-owned, and the legacy null-owner no-op).
POST /api/v1/chat (the n8n/Make/Activepieces sync-chat endpoint) verified
session ownership with `_tok_user and _sess_owner and _sess_owner != _tok_user`.
The `_sess_owner and` clause skipped the check entirely whenever the session's
owner was null — so any chat-scoped API token (e.g. a token minted for a paired
mobile device) could pass a legacy/migrated null-owner session id, inject a
message into that session, and read back its conversation history plus reuse
the owner's endpoint credentials.
This is the same `if owner and owner != user` null-owner-bypass pattern that
was already hardened in the gallery, calendar, and notes routes (see
test_null_owner_gates.py) and in session_routes._verify_session_owner. Make
this gate strict and fail closed too: require a resolvable caller and an exact
owner match, mirroring _verify_session_owner. Extract the decision into
_caller_owns_session() and pin it with regression tests.
* Fix test suite: ESM loading and stub isolation (refs #605)
Three targeted fixes to reduce suite failures from 9 → 1:
1. package.json: add "type": "module" so Node loads static/js/**
as ES modules. Fixes 7 tests in test_compare_js.py and
test_reply_recipients_js.py that fail with
"SyntaxError: Unexpected token 'export'".
2. test_null_owner_gates.py: add Base and ChatMessage to the
core.database stub. Without Base the scheduler test cannot
import at collection time; without ChatMessage core/__init__.py
fails mid-load when session_manager.py tries to import it,
leaving core partially initialised in sys.modules and poisoning
the auth manager migration test that runs later in the same file.
3. test_task_scheduler_session_delivery.py: skip gracefully when
core.database is stubbed (Base is a MagicMock) rather than
crashing. The test passes correctly when run in isolation.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Scope ESM declaration to static/js/ and document isolation workaround
Per review feedback on #844:
1. Move "type": "module" from root package.json to static/js/package.json.
The root package.json had no type field (defaulted to CJS) and should
stay that way — vendored UMD bundles in static/lib/ use require() internally
and would break if Node ever tried to load them as ES modules. Node resolves
the nearest package.json, so adding it in static/js/ scopes the ESM
declaration to just the files the JS unit tests actually load
(compare/state.js, emailLibrary/replyRecipients.js).
2. Expand the module-level skip comment in test_task_scheduler_session_delivery
to document that it is a temporary isolation workaround, explain root cause
(test_null_owner_gates installs a module-level sys.modules stub with no
cleanup), record before/after suite numbers, and note the clean path
(refactor to fixture-scoped stub).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
