| # backend/tests/test_health.py | |
| # Tests the /health endpoint without spinning up real services. | |
| import pytest | |
class TestHealthEndpoint:
    """Liveness checks for ``/health`` through the shared ``app_client`` fixture.

    The endpoint is polled by external uptime checkers, so it must answer an
    anonymous GET with 200 and a JSON body whose ``status`` is ``"ok"``.
    """

    HEALTH_PATH = "/health"

    def test_health_returns_200(self, app_client):
        """A plain GET on the health path answers 200."""
        response = app_client.get(self.HEALTH_PATH)
        assert response.status_code == 200

    def test_health_returns_ok_status(self, app_client):
        """The JSON body reports ``status == "ok"``."""
        payload = app_client.get(self.HEALTH_PATH).json()
        assert payload.get("status") == "ok"

    def test_health_no_auth_required(self, app_client):
        """An unauthenticated request succeeds.

        No JWT is attached: HF Spaces and the Cloudflare Worker poll this path
        without credentials, so the health check must stay reachable anonymously.
        """
        response = app_client.get(self.HEALTH_PATH, headers={})
        assert response.status_code == 200
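class TestSecurityHeaders:
    """CORS behaviour of the API, exercised through the shared ``app_client`` fixture.

    CORS is enforced by the browser, not the server, so the server's only job is
    to never hand out an ``Access-Control-Allow-Origin`` value that a page on a
    disallowed origin could use to read responses.
    """

    def test_cors_header_not_present_for_wrong_origin(self, app_client):
        """A disallowed Origin must not be granted cross-origin read access.

        Two things are checked on the allow-origin header: it must not echo the
        disallowed origin back, and it must not be a bare ``*``, which would grant
        every origin the same read access the echo would. The expected outcome is
        that the header is absent. If the API is ever deliberately opened to all
        origins, this test's intent (and the wildcard check) needs revisiting.
        """
        origin = "https://evil.example.com"
        resp = app_client.get("/health", headers={"Origin": origin})
        # Status is still 200 (CORS does not block server-side; it's a browser hint)
        assert resp.status_code == 200
        acao = resp.headers.get("access-control-allow-origin", "")
        # The allow-origin header must not echo back a disallowed origin ...
        assert "evil.example.com" not in acao
        # ... and a wildcard would satisfy the check above while still opening the
        # response to every origin, so reject it explicitly.
        assert acao != "*"

    def test_options_preflight_handled(self, app_client):
        """A preflight for an allowed origin is answered rather than rejected."""
        resp = app_client.options(
            "/chat",
            headers={
                "Origin": "http://localhost:3000",
                "Access-Control-Request-Method": "POST",
            },
        )
        # FastAPI returns 200 or 204 for preflight
        assert resp.status_code in (200, 204)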