fix(security): separate booking and check-in tokens

2026-04-29 21:49:21 +02:00
parent 5cad1871e7
commit 13a05f6d0d
10 changed files with 214 additions and 64 deletions
--- a/backend/bookings/test_api.py
+++ b/backend/bookings/test_api.py
@@ -63,17 +63,18 @@ class BookingApiTests(APITestCase):

    @override_settings(SITE_BASE_URL="https://tickets.azionelab.example")
    def test_reservation_creation_success(self):
-        response = self.client.post(
-            reverse("api-reservation-create", kwargs={"performance_id": self.performance.id}),
-            {
-                "name": "Maria Rossi",
-                "email": "maria@example.com",
-                "phone": "+390600000000",
-                "party_size": 2,
-                "notes": "Front row if possible.",
-            },
-            format="json",
-        )
+        with self.captureOnCommitCallbacks(execute=True):
+            response = self.client.post(
+                reverse("api-reservation-create", kwargs={"performance_id": self.performance.id}),
+                {
+                    "name": "Maria Rossi",
+                    "email": "maria@example.com",
+                    "phone": "+390600000000",
+                    "party_size": 2,
+                    "notes": "Front row if possible.",
+                },
+                format="json",
+            )

        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
        self.assertEqual(response.data["status"], Reservation.Status.PENDING)
@@ -87,6 +88,22 @@ class BookingApiTests(APITestCase):
            mail.outbox[0].body,
        )

+    def test_reservation_creation_schedules_email_after_commit(self):
+        with self.captureOnCommitCallbacks(execute=False) as callbacks:
+            response = self.client.post(
+                reverse("api-reservation-create", kwargs={"performance_id": self.performance.id}),
+                {
+                    "name": "Maria Rossi",
+                    "email": "maria@example.com",
+                    "party_size": 2,
+                },
+                format="json",
+            )
+
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+        self.assertEqual(len(callbacks), 1)
+        self.assertEqual(len(mail.outbox), 0)
+
    def test_reservation_creation_with_insufficient_seats(self):
        response = self.client.post(
            reverse("api-reservation-create", kwargs={"performance_id": self.performance.id}),
@@ -123,6 +140,7 @@ class BookingApiTests(APITestCase):
                "https://tickets.azionelab.example/api/check-ins/preview/?token="
            )
        )
+        self.assertNotIn(raw_token, response.data["qr_code_url"])
        self.assertNotIn("token", response.data)
        self.assertTrue(response.data["qr_code_image"].startswith("data:image/png;base64,"))
        self.assertEqual(reservation.status, Reservation.Status.CONFIRMED)
@@ -174,15 +192,16 @@ class BookingApiTests(APITestCase):
    def test_qr_retrieval_success_for_confirmed_reservation(self):
        reservation = self.create_reservation()
        _, raw_token = generate_confirmation_token(reservation)
-        self.client.post(
+        confirmation_response = self.client.post(
            reverse("api-reservation-confirm"),
            {"token": raw_token},
            format="json",
        )
+        check_in_token = confirmation_response.data["qr_code_url"].split("token=", 1)[1]

        response = self.client.get(
            reverse("api-reservation-qr"),
-            {"token": raw_token},
+            {"token": check_in_token},
        )

        self.assertEqual(response.status_code, status.HTTP_200_OK)
@@ -196,6 +215,23 @@ class BookingApiTests(APITestCase):
        self.assertNotIn("email", response.data)
        self.assertNotIn("name", response.data)

+    def test_qr_retrieval_rejects_confirmation_token(self):
+        reservation = self.create_reservation()
+        _, raw_token = generate_confirmation_token(reservation)
+        self.client.post(
+            reverse("api-reservation-confirm"),
+            {"token": raw_token},
+            format="json",
+        )
+
+        response = self.client.get(
+            reverse("api-reservation-qr"),
+            {"token": raw_token},
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(response.data["status"], "invalid_token")
+
    def test_qr_retrieval_fails_for_invalid_token(self):
        response = self.client.get(
            reverse("api-reservation-qr"),
@@ -214,8 +250,8 @@ class BookingApiTests(APITestCase):
            {"token": raw_token},
        )

-        self.assertEqual(response.status_code, status.HTTP_409_CONFLICT)
-        self.assertEqual(response.data["status"], "reservation_not_confirmed")
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(response.data["status"], "invalid_token")
        self.assertEqual(reservation.status, Reservation.Status.PENDING)

    def create_reservation(self, **overrides):