From eb75d692f5c12224cb8ba1d629440805961af715 Mon Sep 17 00:00:00 2001
From: gahusb
Date: Fri, 15 May 2026 08:44:17 +0900
Subject: [PATCH] =?UTF-8?q?test(stock-webai):=20edge=20cases=20=E2=80=94?= =?UTF-8?q?=20401=20no=20leak,=20503=20env=20missing,=20unknown=20date?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Verifies auth failure responses contain no portfolio/sentiment data, 503 when WEBAI_API_KEY env unset (existing endpoints unaffected), news-sentiment unknown date returns empty result.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 stock/app/test_webai_endpoints.py | 36 +++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/stock/app/test_webai_endpoints.py b/stock/app/test_webai_endpoints.py
index 60318fe..34ff1b3 100644
--- a/stock/app/test_webai_endpoints.py
+++ b/stock/app/test_webai_endpoints.py
@@ -171,3 +171,39 @@ def test_webai_news_sentiment_items_sorted_by_score_desc(client):
 r = client.get("/api/webai/news-sentiment", headers=HEADERS_OK)
 items = r.json()["items"]
 assert [i["score"] for i in items] == [9.0, 5.0, 1.0]
+
+
+def test_webai_401_response_has_no_payload_leak(client):
+ """인증 실패 응답에는 portfolio/sentiment 데이터가 없어야 한다."""
+ _seed_portfolio()
+ r = client.get("/api/webai/portfolio") # 헤더 없음
+ assert r.status_code == 401
+ body = r.json()
+ assert "holdings" not in body
+ assert "cash" not in body
+ assert "summary" not in body
+
+
+def test_webai_503_when_env_missing(client, monkeypatch):
+ """WEBAI_API_KEY env 미설정 시 503, 다른 endpoint 영향 없음."""
+ monkeypatch.delenv("WEBAI_API_KEY", raising=False)
+
+ r1 = client.get("/api/webai/portfolio", headers={"X-WebAI-Key": "anything"})
+ assert r1.status_code == 503
+
+ # 기존 endpoint 무영향 — /api/portfolio 는 200 (빈 portfolio)
+ r2 = client.get("/api/portfolio")
+ assert r2.status_code == 200
+
+
+def test_webai_wrong_key_returns_401(client):
+ r = client.get("/api/webai/portfolio", headers={"X-WebAI-Key": "wrong"})
+ assert r.status_code == 401
+
+
+def test_webai_news_sentiment_unknown_date_returns_empty(client):
+ r = client.get("/api/webai/news-sentiment?date=1999-01-01", headers=HEADERS_OK)
+ assert r.status_code == 200
+ body = r.json()
+ assert body["count"] == 0
+ assert body["items"] == []
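Review bot: `test_webai_401_response_has_no_payload_leak` only checks three top-level keys on `/api/webai/portfolio`, so a payload nested under another key, or any leak from `/api/webai/news-sentiment` (which the docstring and commit message claim to cover), would still pass. `test_webai_wrong_key_returns_401` asserts the status only, so the wrong-key path has no leak assertion at all. Parametrising the leak test over both routes and both failure modes and asserting on `r.text` would close that gap, as sketched below; the sketch assumes `pytest` is imported in this file and that the news-sentiment route sits behind the same key check, neither of which is visible in the hunk. Separately, the 503 test covers only an unset variable; a case with `monkeypatch.setenv("WEBAI_API_KEY", "")` and an empty `X-WebAI-Key` header would confirm that an empty configured key is never treated as a match.

```python
@pytest.mark.parametrize("path", ["/api/webai/portfolio", "/api/webai/news-sentiment"])
@pytest.mark.parametrize("headers", [{}, {"X-WebAI-Key": "wrong"}])
def test_webai_401_response_has_no_payload_leak(client, path, headers):
    """Auth-failure responses must carry no portfolio/sentiment data."""
    _seed_portfolio()
    r = client.get(path, headers=headers)
    assert r.status_code == 401
    # Inspect the raw body so nested payloads are caught, not just top-level keys.
    for key in ("holdings", "cash", "summary", "items"):
        assert f'"{key}"' not in r.text

# … unchanged: test_webai_503_when_env_missing, test_webai_news_sentiment_unknown_date_returns_empty …
```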