feat(p0): complete account security privacy and sync hardening

2026-03-08 21:19:12 +03:00
parent 6b724e260f
commit 5909503012
4 changed files with 178 additions and 11 deletions
--- a/tests/test_chat_message_flow.py
+++ b/tests/test_chat_message_flow.py
@@ -301,6 +301,73 @@ async def test_archive_and_pin_chat_are_user_scoped(client, db_session):
    assert u2_row_after_u1_archive["archived"] is False


+async def test_create_private_chat_is_visible_to_other_member_in_chat_list(client, db_session):
+    u1 = await _create_verified_user(client, db_session, "sync_create_u1@example.com", "sync_create_u1", "strongpass123")
+    u2 = await _create_verified_user(client, db_session, "sync_create_u2@example.com", "sync_create_u2", "strongpass123")
+
+    me_u2 = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {u2['access_token']}"})
+    u2_id = me_u2.json()["id"]
+
+    create_chat_response = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [u2_id]},
+    )
+    assert create_chat_response.status_code == 200
+    chat_id = create_chat_response.json()["id"]
+
+    u2_chats = await client.get(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u2['access_token']}"},
+    )
+    assert u2_chats.status_code == 200
+    assert any(item["id"] == chat_id for item in u2_chats.json())
+
+
+async def test_clear_chat_hides_messages_only_for_requesting_user(client, db_session):
+    u1 = await _create_verified_user(client, db_session, "sync_clear_u1@example.com", "sync_clear_u1", "strongpass123")
+    u2 = await _create_verified_user(client, db_session, "sync_clear_u2@example.com", "sync_clear_u2", "strongpass123")
+
+    me_u2 = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {u2['access_token']}"})
+    u2_id = me_u2.json()["id"]
+
+    create_chat_response = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [u2_id]},
+    )
+    assert create_chat_response.status_code == 200
+    chat_id = create_chat_response.json()["id"]
+
+    send_message_response = await client.post(
+        "/api/v1/messages",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+        json={"chat_id": chat_id, "type": "text", "text": "sync clear message"},
+    )
+    assert send_message_response.status_code == 201
+
+    clear_response = await client.post(
+        f"/api/v1/chats/{chat_id}/clear",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+    )
+    assert clear_response.status_code == 204
+
+    u1_messages = await client.get(
+        f"/api/v1/messages/{chat_id}",
+        headers={"Authorization": f"Bearer {u1['access_token']}"},
+    )
+    assert u1_messages.status_code == 200
+    assert u1_messages.json() == []
+
+    u2_messages = await client.get(
+        f"/api/v1/messages/{chat_id}",
+        headers={"Authorization": f"Bearer {u2['access_token']}"},
+    )
+    assert u2_messages.status_code == 200
+    assert len(u2_messages.json()) == 1
+    assert u2_messages.json()[0]["text"] == "sync clear message"
+
+
 async def test_private_chat_respects_contacts_only_policy(client, db_session):
    u1 = await _create_verified_user(client, db_session, "pm_u1@example.com", "pm_user_one", "strongpass123")
    u2 = await _create_verified_user(client, db_session, "pm_u2@example.com", "pm_user_two", "strongpass123")