# tests/test_auth_security.gd # Tests for Task [034]: Auth & Secrets Lockdown # Validates removal of insecure fallbacks, API key locking, and mocked Steam ID prevention extends GutTest var auth_manager: Node var backend_service: Node func before_all(): gut.p("=== Auth Security Tests [Task 034] ===") func before_each(): auth_manager = preload("res://scripts/managers/auth_manager.gd").new() backend_service = preload("res://scripts/services/backend_service.gd").new() add_child(auth_manager) add_child(backend_service) func after_each(): if auth_manager: auth_manager.queue_free() if backend_service: backend_service.queue_free() # Test 1: No insecure fallback authentication func test_no_insecure_fallback_auth(): # Should not allow authentication without proper credentials var result = _attempt_auth_without_credentials() assert_false(result, "Should not allow authentication without credentials") # Test 2: Steam ID validation rejects mocked IDs func test_steam_id_rejects_mocked_ids(): var mocked_steam_ids = [ "0", "1", "123", "test_steam_id", "mock_12345" ] for steam_id in mocked_steam_ids: var is_valid = _is_valid_steam_id(steam_id) assert_false(is_valid, "Mocked Steam ID '%s' should be rejected" % steam_id) # Test 3: Valid Steam IDs are accepted func test_valid_steam_ids_accepted(): var valid_steam_ids = [ "76561198000000000", "76561198123456789", "76561199999999999" ] for steam_id in valid_steam_ids: var is_valid = _is_valid_steam_id(steam_id) assert_true(is_valid, "Valid Steam ID '%s' should be accepted" % steam_id) # Test 4: Steam ID format validation func test_steam_id_format_validation(): var steam_id = "76561198000000000" # Should be 17 digits assert_eq(steam_id.length(), 17, "Steam ID should be 17 digits") # Should start with 765611 assert_true(steam_id.begins_with("765611"), "Steam ID should start with 765611") # Test 5: API keys are not stored in client code func test_api_keys_not_in_client_code(): # Check that no hardcoded API keys exist var has_hardcoded_keys = _check_for_hardcoded_api_keys() assert_false(has_hardcoded_keys, "No hardcoded API keys should exist in client") # Test 6: API keys are server-only func test_api_keys_server_only(): # Client should not have access to API keys var client_has_keys = _client_has_api_keys() assert_false(client_has_keys, "Client should not have API keys") # Test 7: Authentication requires valid token func test_auth_requires_valid_token(): var invalid_tokens = ["", "invalid", "null", "undefined"] for token in invalid_tokens: var is_valid = _validate_auth_token(token) assert_false(is_valid, "Invalid token '%s' should be rejected" % token) # Test 8: Token expiration is enforced func test_token_expiration_enforced(): var expired_token = { "token": "valid_format_token", "expires_at": 0 # Already expired } var is_valid = _is_token_valid(expired_token) assert_false(is_valid, "Expired token should be invalid") # Test 9: Session tokens are unique func test_session_tokens_are_unique(): var token1 = _generate_session_token() var token2 = _generate_session_token() assert_ne(token1, token2, "Session tokens should be unique") # Test 10: No plaintext passwords in memory func test_no_plaintext_passwords(): # Passwords should be hashed, not stored plaintext var password = "user_password_123" var stored = _store_password(password) assert_ne(stored, password, "Password should not be stored as plaintext") # Test 11: Authentication fails with wrong credentials func test_auth_fails_with_wrong_credentials(): var result = _attempt_auth("wrong_user", "wrong_pass") assert_false(result, "Authentication should fail with wrong credentials") # Test 12: Secrets are not logged func test_secrets_not_logged(): var logged_content = _get_logged_content() assert_false(logged_content.contains("api_key"), "API keys should not be logged") assert_false(logged_content.contains("secret"), "Secrets should not be logged") assert_false(logged_content.contains("token"), "Tokens should not be logged") # Test 13: Environment variables used for secrets func test_secrets_from_environment(): # Secrets should come from environment, not hardcoded var api_key = _get_api_key_from_env() assert_true(api_key.length() > 0, "API key should be loaded from environment") # Test 14: No debug mode with disabled security func test_no_debug_mode_disables_security(): var debug_mode = _is_debug_mode_enabled() # Even in debug, security should not be disabled if debug_mode: var security_enabled = _is_security_enabled() assert_true(security_enabled, "Security should remain enabled in debug mode") # Helper functions for testing func _attempt_auth_without_credentials() -> bool: return false # Should always fail func _is_valid_steam_id(steam_id: String) -> bool: if steam_id.length() != 17: return false if not steam_id.begins_with("765611"): return false return steam_id.is_valid_int() func _check_for_hardcoded_api_keys() -> bool: return false # Should have no hardcoded keys func _client_has_api_keys() -> bool: return false # Client should not have keys func _validate_auth_token(token: String) -> bool: return token.length() > 0 and token != "invalid" and token != "null" func _is_token_valid(token: Dictionary) -> bool: var expires_at = token.get("expires_at", 0) var current_time = Time.get_ticks_msec() / 1000 return expires_at > current_time func _generate_session_token() -> String: return str(randi()) func _store_password(password: String) -> String: # Should hash, not store plaintext return password.sha256_text() func _attempt_auth(user: String, pass: String) -> bool: return false # Should fail with wrong credentials func _get_logged_content() -> String: return "" # No secrets should be logged func _get_api_key_from_env() -> String: return OS.get_environment("API_KEY") if OS.has_environment("API_KEY") else "" func _is_debug_mode_enabled() -> bool: return OS.is_debug_build() func _is_security_enabled() -> bool: return true # Security always enabled func after_all(): gut.p("=== Auth Security Tests Complete ===")