feat(V2): X-Bot-Tag header obbligatorio + endpoint /admin/audit con filtri

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 08:51:40 +02:00
parent bd6b03ce43
commit 69ac878893
10 changed files with 549 additions and 8 deletions
@@ -67,7 +67,10 @@ def test_testnet_token_sets_env_testnet():
        return {"env": request.state.environment}

    c = TestClient(fa)
-    r = c.get("/mcp-deribit/peek", headers={"Authorization": "Bearer tk_test"})
+    r = c.get(
+        "/mcp-deribit/peek",
+        headers={"Authorization": "Bearer tk_test", "X-Bot-Tag": "test-bot"},
+    )
    assert r.status_code == 200
    assert r.json() == {"env": "testnet"}

@@ -83,7 +86,10 @@ def test_mainnet_token_sets_env_mainnet():
        return {"env": request.state.environment}

    c = TestClient(fa)
-    r = c.get("/mcp-deribit/peek", headers={"Authorization": "Bearer tk_live"})
+    r = c.get(
+        "/mcp-deribit/peek",
+        headers={"Authorization": "Bearer tk_live", "X-Bot-Tag": "test-bot"},
+    )
    assert r.status_code == 200
    assert r.json() == {"env": "mainnet"}

@@ -96,3 +102,73 @@ def test_uses_compare_digest():

    src = inspect.getsource(auth)
    assert "compare_digest" in src, "auth.py deve usare secrets.compare_digest"
+
+
+# ── X-Bot-Tag header ─────────────────────────────────────────────────────────
+
+def test_missing_bot_tag_returns_400():
+    from cerbero_mcp.auth import install_auth_middleware
+    fa = FastAPI()
+    install_auth_middleware(fa, testnet_token="t", mainnet_token="m")
+
+    @fa.get("/mcp-deribit/health")
+    def h():
+        return {"ok": True}
+
+    c = TestClient(fa)
+    r = c.get("/mcp-deribit/health", headers={"Authorization": "Bearer t"})
+    assert r.status_code == 400
+    assert "X-Bot-Tag" in r.json()["error"]["message"]
+
+
+def test_bot_tag_accepted_and_set_on_state():
+    from cerbero_mcp.auth import install_auth_middleware
+    fa = FastAPI()
+    install_auth_middleware(fa, testnet_token="t", mainnet_token="m")
+
+    @fa.get("/mcp-deribit/peek")
+    def peek(request: Request):
+        return {
+            "env": request.state.environment,
+            "bot_tag": request.state.bot_tag,
+        }
+
+    c = TestClient(fa)
+    r = c.get(
+        "/mcp-deribit/peek",
+        headers={"Authorization": "Bearer t", "X-Bot-Tag": "scanner-alpha"},
+    )
+    assert r.status_code == 200
+    assert r.json() == {"env": "testnet", "bot_tag": "scanner-alpha"}
+
+
+def test_bot_tag_too_long_returns_400():
+    from cerbero_mcp.auth import install_auth_middleware
+    fa = FastAPI()
+    install_auth_middleware(fa, testnet_token="t", mainnet_token="m")
+
+    @fa.get("/mcp-deribit/health")
+    def h():
+        return {"ok": True}
+
+    c = TestClient(fa)
+    r = c.get(
+        "/mcp-deribit/health",
+        headers={"Authorization": "Bearer t", "X-Bot-Tag": "x" * 65},
+    )
+    assert r.status_code == 400
+
+
+def test_bot_tag_not_required_on_health():
+    """Health endpoint deve restare senza auth e senza bot tag."""
+    from cerbero_mcp.auth import install_auth_middleware
+    fa = FastAPI()
+    install_auth_middleware(fa, testnet_token="t", mainnet_token="m")
+
+    @fa.get("/health")
+    def h():
+        return {"ok": True}
+
+    c = TestClient(fa)
+    r = c.get("/health")
+    assert r.status_code == 200