Add security regression tests for all hardening fixes

- New: test_security_headers.py — verify all headers present, HSTS conditional on HTTPS - New: test_passkey_error_handling.py — generic vs user-facing error messages - New: test_poi_validation.py — field length and coordinate range constraints - Extend test_rate_limiter.py — client IP depth selection, in-memory fallback enforcement - Extend test_models.py — sqm range validation - Extend test_task_service.py — IDOR 404, ownership 200, traceback suppression in production
2026-02-08 19:42:53 +00:00 · 2026-02-08 19:42:53 +00:00 · 492921424e
commit 492921424e
parent 727dd537ef
6 changed files with 365 additions and 0 deletions
--- a/tests/unit/test_poi_validation.py
+++ b/tests/unit/test_poi_validation.py
@ -0,0 +1,58 @@
+"""Unit tests for POI request validation."""
+import pytest
+from pydantic import ValidationError
+
+from api.poi_routes import CreatePOIRequest, UpdatePOIRequest
+
+
+class TestCreatePOIValidation:
+    """Tests for CreatePOIRequest field validation."""
+
+    def test_valid_request(self) -> None:
+        req = CreatePOIRequest(name="Office", address="123 Main St", latitude=51.5, longitude=-0.1)
+        assert req.name == "Office"
+
+    def test_name_too_long(self) -> None:
+        with pytest.raises(ValidationError):
+            CreatePOIRequest(name="A" * 201, address="addr", latitude=0, longitude=0)
+
+    def test_address_too_long(self) -> None:
+        with pytest.raises(ValidationError):
+            CreatePOIRequest(name="ok", address="A" * 501, latitude=0, longitude=0)
+
+    def test_latitude_too_high(self) -> None:
+        with pytest.raises(ValidationError):
+            CreatePOIRequest(name="ok", address="addr", latitude=91.0, longitude=0)
+
+    def test_latitude_too_low(self) -> None:
+        with pytest.raises(ValidationError):
+            CreatePOIRequest(name="ok", address="addr", latitude=-91.0, longitude=0)
+
+    def test_longitude_too_high(self) -> None:
+        with pytest.raises(ValidationError):
+            CreatePOIRequest(name="ok", address="addr", latitude=0, longitude=181.0)
+
+    def test_longitude_too_low(self) -> None:
+        with pytest.raises(ValidationError):
+            CreatePOIRequest(name="ok", address="addr", latitude=0, longitude=-181.0)
+
+
+class TestUpdatePOIValidation:
+    """Tests for UpdatePOIRequest field validation."""
+
+    def test_valid_partial_update(self) -> None:
+        req = UpdatePOIRequest(name="New Name")
+        assert req.name == "New Name"
+        assert req.latitude is None
+
+    def test_name_too_long(self) -> None:
+        with pytest.raises(ValidationError):
+            UpdatePOIRequest(name="A" * 201)
+
+    def test_latitude_out_of_range(self) -> None:
+        with pytest.raises(ValidationError):
+            UpdatePOIRequest(latitude=91.0)
+
+    def test_longitude_out_of_range(self) -> None:
+        with pytest.raises(ValidationError):
+            UpdatePOIRequest(longitude=181.0)