feat(api): add GET/PATCH /accounts/me/security endpoint

Fifth commit in the session-expiration-policy series. Surfaces the session-policy override controls to account owners. - schemas/account_security.py: NEW. SessionPolicyResponse returns both the override (Optional[int]) and the effective value (always present) plus the system min/max bounds, so the frontend can render the Custom-preset form without re-implementing the defaults logic. SessionPolicyUpdateRequest accepts NULL to clear an override. - endpoints/account_security.py: NEW. GET and PATCH on /me/security. Owner-only via require_account_owner. PATCH validates per-field bounds, then validates the effective idle <= absolute invariant (catching the partial-override case the DB CHECK can't see), then writes the row + an account.session_policy_update audit event with old/new/effective_old/effective_new payload. - router.py: registers the new router under _tenant_deps next to accounts.router. Tests added in test_session_policy.py (8 cases): - GET returns NULL overrides + Strict defaults + system bounds. - PATCH persists override; next login JWT reflects new values (60min/240min -> idle_max=3600, abs_max=14400 seconds). - PATCH rejects idle < min (422). - PATCH rejects absolute > max (422). - PATCH rejects idle > absolute when both are set (422). - PATCH rejects partial override that produces effective idle > effective absolute (idle=43200, absolute=NULL with default 20160). - Engineer-role user gets 403. - PATCH writes exactly one audit row with the expected payload shape. 16/16 in test_session_policy. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 16:28:51 -04:00
parent b21d2fc234
commit 8cfaef6a9d
4 changed files with 378 additions and 0 deletions
--- a/backend/tests/test_session_policy.py
+++ b/backend/tests/test_session_policy.py
@@ -7,6 +7,7 @@ This file grows across commits:
 - Commit 2: error-detail taxonomy (#11 + wrong-type + bad-signature)
 - Commit 3: claims embedded at login + response fields surfaced (#1, #14)
 - Commit 4: absolute-cap enforcement + grandfather path (#8, #9, #12)
+- Commit 5: GET/PATCH /accounts/me/security (#2, #3, #4, #5, #7, #16)
 """

 import uuid
@@ -196,6 +197,187 @@ def _backdate_auth_time(refresh_token: str, *, seconds_back: int) -> str:
    return jwt.encode(payload, settings.SECRET_KEY, algorithm=settings.ALGORITHM)


+class TestSessionPolicyEndpoint:
+    """§6 tests #2, #3, #4, #5, #7, #16 — GET/PATCH /accounts/me/security."""
+
+    @pytest.mark.asyncio
+    async def test_get_returns_defaults_and_bounds(
+        self, client: AsyncClient, auth_headers: dict
+    ):
+        response = await client.get(
+            "/api/v1/accounts/me/security", headers=auth_headers
+        )
+        assert response.status_code == 200, response.json()
+        body = response.json()
+
+        # No override yet -> effective values are the system defaults.
+        assert body["idle_minutes"] is None
+        assert body["absolute_minutes"] is None
+        assert body["effective_idle_minutes"] == 4320  # 3d Strict default
+        assert body["effective_absolute_minutes"] == 20160  # 14d
+        assert body["idle_minutes_min"] == 15
+        assert body["idle_minutes_max"] == 43200
+        assert body["absolute_minutes_min"] == 60
+        assert body["absolute_minutes_max"] == 129600
+
+    @pytest.mark.asyncio
+    async def test_patch_persists_override_and_returns_new_state(
+        self, client: AsyncClient, auth_headers: dict
+    ):
+        response = await client.patch(
+            "/api/v1/accounts/me/security",
+            headers=auth_headers,
+            json={"idle_minutes": 60, "absolute_minutes": 240},
+        )
+        assert response.status_code == 200, response.json()
+        body = response.json()
+        assert body["idle_minutes"] == 60
+        assert body["absolute_minutes"] == 240
+        assert body["effective_idle_minutes"] == 60
+        assert body["effective_absolute_minutes"] == 240
+
+        # Next login picks up the new policy.
+        login_resp = await client.post(
+            "/api/v1/auth/login/json",
+            json={"email": "test@example.com", "password": "TestPassword123!"},
+        )
+        new_payload = jwt.decode(
+            login_resp.json()["refresh_token"],
+            settings.SECRET_KEY,
+            algorithms=[settings.ALGORITHM],
+        )
+        assert new_payload["idle_max"] == 60 * 60       # 3600 seconds
+        assert new_payload["abs_max"] == 240 * 60       # 14400 seconds
+
+    @pytest.mark.asyncio
+    async def test_patch_rejects_idle_below_min(
+        self, client: AsyncClient, auth_headers: dict
+    ):
+        response = await client.patch(
+            "/api/v1/accounts/me/security",
+            headers=auth_headers,
+            json={"idle_minutes": 5, "absolute_minutes": 60},
+        )
+        assert response.status_code == 422
+        assert "idle_minutes" in response.json()["detail"]
+
+    @pytest.mark.asyncio
+    async def test_patch_rejects_absolute_above_max(
+        self, client: AsyncClient, auth_headers: dict
+    ):
+        response = await client.patch(
+            "/api/v1/accounts/me/security",
+            headers=auth_headers,
+            json={"absolute_minutes": 200000},
+        )
+        assert response.status_code == 422
+
+    @pytest.mark.asyncio
+    async def test_patch_rejects_idle_greater_than_absolute_both_set(
+        self, client: AsyncClient, auth_headers: dict
+    ):
+        response = await client.patch(
+            "/api/v1/accounts/me/security",
+            headers=auth_headers,
+            json={"idle_minutes": 300, "absolute_minutes": 120},
+        )
+        assert response.status_code == 422
+        assert "exceed" in response.json()["detail"].lower()
+
+    @pytest.mark.asyncio
+    async def test_patch_rejects_partial_override_when_effective_invalid(
+        self, client: AsyncClient, auth_headers: dict
+    ):
+        """§6 test #5 — partial override: idle=43200, absolute=NULL ->
+        effective idle (43200) > effective absolute (20160 default) -> 422.
+        """
+        response = await client.patch(
+            "/api/v1/accounts/me/security",
+            headers=auth_headers,
+            json={"idle_minutes": 43200, "absolute_minutes": None},
+        )
+        assert response.status_code == 422
+        assert "exceed" in response.json()["detail"].lower()
+
+    @pytest.mark.asyncio
+    async def test_non_owner_cannot_patch(
+        self, client: AsyncClient, test_user: dict, test_db
+    ):
+        """§6 test #7 — engineer role is forbidden."""
+        from app.models.user import User
+        from sqlalchemy import select
+
+        # Add a second user in the same account with account_role=engineer.
+        result = await test_db.execute(
+            select(User).where(User.email == test_user["email"])
+        )
+        owner = result.scalar_one()
+        engineer = User(
+            email="engineer-policy@example.com",
+            password_hash=owner.password_hash,  # reuse the bcrypt hash
+            name="Engineer",
+            role="engineer",
+            is_super_admin=False,
+            is_active=True,
+            account_id=owner.account_id,
+            account_role="engineer",
+            email_verified_at=datetime.now(timezone.utc),
+        )
+        test_db.add(engineer)
+        await test_db.commit()
+
+        login_resp = await client.post(
+            "/api/v1/auth/login/json",
+            json={
+                "email": "engineer-policy@example.com",
+                "password": test_user["password"],
+            },
+        )
+        assert login_resp.status_code == 200
+        engineer_headers = {
+            "Authorization": f"Bearer {login_resp.json()['access_token']}"
+        }
+
+        response = await client.patch(
+            "/api/v1/accounts/me/security",
+            headers=engineer_headers,
+            json={"idle_minutes": 60, "absolute_minutes": 240},
+        )
+        assert response.status_code == 403
+
+    @pytest.mark.asyncio
+    async def test_patch_writes_audit_row(
+        self, client: AsyncClient, auth_headers: dict, test_db
+    ):
+        """§6 test #16 — PATCH emits one account.session_policy_update
+        audit event with old/new + effective_old/new payload.
+        """
+        from app.models.audit_log import AuditLog
+        from sqlalchemy import select
+
+        response = await client.patch(
+            "/api/v1/accounts/me/security",
+            headers=auth_headers,
+            json={"idle_minutes": 120, "absolute_minutes": 480},
+        )
+        assert response.status_code == 200
+
+        result = await test_db.execute(
+            select(AuditLog).where(AuditLog.action == "account.session_policy_update")
+        )
+        rows = result.scalars().all()
+        assert len(rows) == 1
+        entry = rows[0]
+        assert entry.resource_type == "account"
+        assert entry.details["new"] == {"idle_minutes": 120, "absolute_minutes": 480}
+        assert entry.details["effective_new"] == {
+            "idle_minutes": 120,
+            "absolute_minutes": 480,
+        }
+        assert entry.details["effective_old"]["idle_minutes"] == 4320  # default
+        assert entry.details["effective_old"]["absolute_minutes"] == 20160
+
+
 class TestAbsoluteCap:
    """§6 tests #8, #9, #12 — absolute-cap enforcement and grandfather path."""