imetting_backend/test/test_api_security.py

#!/usr/bin/env python3
"""
API安全性测试脚本
测试添加JWT验证后，API端点是否正确拒绝未授权访问

运行方法:
cd /Users/jiliu/工作/projects/imeeting/backend
source venv/bin/activate
python test/test_api_security.py
"""
import requests
import json

BASE_URL = "http://127.0.0.1:8000"
PROXIES = {'http': None, 'https': None}

def test_unauthorized_access():
    """测试未授权访问各个API端点"""
    print("=== API安全性测试 ===")
    print("测试未授权访问是否被正确拒绝\n")
    
    # 需要验证的API端点
    protected_endpoints = [
        # Users endpoints
        ("GET", "/api/users", "获取所有用户"),
        ("GET", "/api/users/1", "获取用户详情"),
        
        # Meetings endpoints  
        ("GET", "/api/meetings", "获取会议列表"),
        ("GET", "/api/meetings/1", "获取会议详情"),
        ("GET", "/api/meetings/1/transcript", "获取会议转录"),
        ("GET", "/api/meetings/1/edit", "获取会议编辑信息"),
        ("GET", "/api/meetings/1/audio", "获取会议音频"),
        ("POST", "/api/meetings/1/regenerate-summary", "重新生成摘要"),
        ("GET", "/api/meetings/1/summaries", "获取会议摘要"),
        ("GET", "/api/meetings/1/transcription/status", "获取转录状态"),
        
        # Auth endpoints (需要token的)
        ("GET", "/api/auth/me", "获取用户信息"),
        ("POST", "/api/auth/logout", "登出"),
        ("POST", "/api/auth/logout-all", "登出所有设备"),
    ]
    
    success_count = 0
    total_count = len(protected_endpoints)
    
    for method, endpoint, description in protected_endpoints:
        try:
            url = f"{BASE_URL}{endpoint}"
            
            if method == "GET":
                response = requests.get(url, proxies=PROXIES, timeout=5)
            elif method == "POST":
                response = requests.post(url, proxies=PROXIES, timeout=5)
            elif method == "PUT":
                response = requests.put(url, proxies=PROXIES, timeout=5)
            elif method == "DELETE":
                response = requests.delete(url, proxies=PROXIES, timeout=5)
            
            if response.status_code == 401:
                print(f"✅ {method} {endpoint} - {description}")
                print(f"   正确返回401 Unauthorized")
                success_count += 1
            else:
                print(f"❌ {method} {endpoint} - {description}")
                print(f"   错误：返回 {response.status_code}，应该返回401")
                print(f"   响应: {response.text[:100]}...")
                
        except requests.exceptions.RequestException as e:
            print(f"❌ {method} {endpoint} - {description}")
            print(f"   请求异常: {e}")
        
        print()
    
    print(f"=== 测试结果 ===")
    print(f"通过: {success_count}/{total_count}")
    print(f"成功率: {success_count/total_count*100:.1f}%")
    
    if success_count == total_count:
        print("🎉 所有API端点都正确实施了JWT验证！")
    else:
        print("⚠️  有些API端点未正确实施JWT验证，需要修复")
    
    return success_count == total_count

def test_valid_token_access():
    """测试有效token的访问"""
    print("\n=== 测试有效Token访问 ===")
    
    # 1. 先登录获取token
    login_data = {"username": "mula", "password": "781126"}
    try:
        response = requests.post(f"{BASE_URL}/api/auth/login", json=login_data, proxies=PROXIES)
        if response.status_code != 200:
            print("❌ 无法登录获取测试token")
            print(f"登录响应: {response.status_code} - {response.text}")
            return False
            
        user_data = response.json()
        token = user_data["token"]
        headers = {"Authorization": f"Bearer {token}"}
        
        print(f"✅ 登录成功，获得token")
        
        # 2. 测试几个主要API端点
        test_endpoints = [
            ("GET", "/api/auth/me", "获取当前用户信息"),
            ("GET", "/api/users", "获取用户列表"),
            ("GET", "/api/meetings", "获取会议列表"),
        ]
        
        success_count = 0
        for method, endpoint, description in test_endpoints:
            try:
                url = f"{BASE_URL}{endpoint}"
                response = requests.get(url, headers=headers, proxies=PROXIES, timeout=5)
                
                if response.status_code == 200:
                    print(f"✅ {method} {endpoint} - {description}")
                    print(f"   正确返回200 OK")
                    success_count += 1
                elif response.status_code == 500:
                    print(f"⚠️  {method} {endpoint} - {description}")
                    print(f"   返回500 (可能是数据库连接问题，但JWT验证通过了)")
                    success_count += 1
                else:
                    print(f"❌ {method} {endpoint} - {description}")
                    print(f"   意外响应: {response.status_code}")
                    print(f"   响应内容: {response.text[:100]}...")
                    
            except requests.exceptions.RequestException as e:
                print(f"❌ {method} {endpoint} - {description}")
                print(f"   请求异常: {e}")
        
        print(f"\n有效token测试: {success_count}/{len(test_endpoints)} 通过")
        return success_count == len(test_endpoints)
        
    except Exception as e:
        print(f"❌ 测试失败: {e}")
        return False

if __name__ == "__main__":
    print("API JWT安全性测试工具")
    print("=" * 50)
    
    # 测试未授权访问
    unauthorized_ok = test_unauthorized_access()
    
    # 测试授权访问
    authorized_ok = test_valid_token_access()
    
    print("\n" + "=" * 50)
    if unauthorized_ok and authorized_ok:
        print("🎉 JWT验证实施成功！")
        print("✅ 未授权访问被正确拒绝")
        print("✅ 有效token可以正常访问")
    else:
        print("⚠️  JWT验证实施不完整")
        if not unauthorized_ok:
            print("❌ 部分API未正确拒绝未授权访问")
        if not authorized_ok:
            print("❌ 有效token访问存在问题")