feat: lock playlist/shows endpoints behind Bearer token auth

The five internal endpoints (/playlist, /playlist/{position}, /shows, /shows/by-episode/{ep}, /shows/{id}) now require admin authentication. Dashboard JS, Sopel plugin, and Limnoria plugin updated to send the token on GET requests. Six new 401 tests added. Made-with: Cursor
2026-04-02 12:06:27 -04:00
parent 425a7047c3
commit 4dd3f43ae3
5 changed files with 92 additions and 31 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -57,9 +57,12 @@ def test_health(client):
    assert data["poller_alive"] is True


+AUTH = {"Authorization": "Bearer test-token"}
+
+
 def test_playlist(client, db):
    _seed_show(db)
-    resp = client.get("/playlist")
+    resp = client.get("/playlist", headers=AUTH)
    assert resp.status_code == 200
    data = resp.json()
    assert "episode_number" in data
@@ -70,20 +73,20 @@ def test_playlist(client, db):

 def test_playlist_by_position(client, db):
    _seed_show(db)
-    resp = client.get("/playlist/2")
+    resp = client.get("/playlist/2", headers=AUTH)
    assert resp.status_code == 200
    assert resp.json()["title"] == "Song B"


 def test_playlist_by_position_not_found(client, db):
    _seed_show(db)
-    resp = client.get("/playlist/99")
+    resp = client.get("/playlist/99", headers=AUTH)
    assert resp.status_code == 404


 def test_shows_list(client, db):
    _seed_show(db)
-    resp = client.get("/shows")
+    resp = client.get("/shows", headers=AUTH)
    assert resp.status_code == 200
    data = resp.json()
    assert len(data) >= 1
@@ -92,7 +95,7 @@ def test_shows_list(client, db):

 def test_shows_detail(client, db):
    show = _seed_show(db)
-    resp = client.get(f"/shows/{show.id}")
+    resp = client.get(f"/shows/{show.id}", headers=AUTH)
    assert resp.status_code == 200
    data = resp.json()
    assert "episode_number" in data
@@ -132,7 +135,7 @@ def test_show_by_episode(client, db):
               datetime(2026, 3, 14, 1, 0, 0, tzinfo=timezone.utc), "{}")
    db.upsert_track(t1)
    db.set_show_tracks(show.id, [t1.id])
-    resp = client.get("/shows/by-episode/530")
+    resp = client.get("/shows/by-episode/530", headers=AUTH)
    assert resp.status_code == 200
    data = resp.json()
    assert data["episode_number"] == 530
@@ -140,7 +143,7 @@ def test_show_by_episode(client, db):


 def test_show_by_episode_not_found(client):
-    resp = client.get("/shows/by-episode/999")
+    resp = client.get("/shows/by-episode/999", headers=AUTH)
    assert resp.status_code == 404


@@ -154,6 +157,46 @@ def test_no_login_route_without_config(client):
    assert resp.status_code == 404


+# --- Auth-required (401) tests ---
+
+
+def test_playlist_requires_auth(client, db):
+    _seed_show(db)
+    resp = client.get("/playlist")
+    assert resp.status_code == 401
+
+
+def test_playlist_with_token(client, db):
+    _seed_show(db)
+    resp = client.get("/playlist", headers=AUTH)
+    assert resp.status_code == 200
+
+
+def test_playlist_by_position_requires_auth(client, db):
+    _seed_show(db)
+    resp = client.get("/playlist/1")
+    assert resp.status_code == 401
+
+
+def test_shows_requires_auth(client):
+    resp = client.get("/shows")
+    assert resp.status_code == 401
+
+
+def test_shows_detail_requires_auth(client, db):
+    show = _seed_show(db)
+    resp = client.get(f"/shows/{show.id}")
+    assert resp.status_code == 401
+
+
+def test_show_by_episode_requires_auth(client, db):
+    week_start = datetime(2026, 3, 12, 2, 0, 0, tzinfo=timezone.utc)
+    week_end = datetime(2026, 3, 19, 2, 0, 0, tzinfo=timezone.utc)
+    db.get_or_create_show(week_start, week_end, episode_number=530)
+    resp = client.get("/shows/by-episode/530")
+    assert resp.status_code == 401
+
+
 # --- Public endpoint tests ---