fix(security): separate booking and check-in tokens

2026-04-29 21:49:21 +02:00
parent 5cad1871e7
commit 13a05f6d0d
10 changed files with 214 additions and 64 deletions
--- a/backend/bookings/test_services.py
+++ b/backend/bookings/test_services.py
@@ -19,6 +19,7 @@ from bookings.services import (
    confirm_reservation_from_token,
    create_pending_reservation,
    generate_confirmation_token,
+    retrieve_reservation_qr_from_token,
 )
 from shows.models import Performance, Show, Venue

@@ -64,14 +65,16 @@ class BookingServiceTests(TestCase):
        EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend",
        SITE_BASE_URL="https://tickets.azionelab.example",
    )
-    def test_create_pending_reservation_sends_confirmation_email(self):
-        result = create_pending_reservation(
-            performance_id=self.performance.id,
-            name="Maria Rossi",
-            email="maria@example.com",
-            party_size=1,
-        )
+    def test_create_pending_reservation_sends_confirmation_email_after_commit(self):
+        with self.captureOnCommitCallbacks(execute=True) as callbacks:
+            result = create_pending_reservation(
+                performance_id=self.performance.id,
+                name="Maria Rossi",
+                email="maria@example.com",
+                party_size=1,
+            )

+        self.assertEqual(len(callbacks), 1)
        self.assertEqual(len(mail.outbox), 1)
        self.assertEqual(mail.outbox[0].to, ["maria@example.com"])
        self.assertIn(result.raw_confirmation_token, mail.outbox[0].body)
@@ -80,16 +83,30 @@ class BookingServiceTests(TestCase):
            mail.outbox[0].body,
        )

-    @patch("bookings.emailing.send_mail", side_effect=RuntimeError("SMTP down"))
-    def test_create_pending_reservation_logs_email_failure_without_crashing(self, mocked_send_mail):
-        with self.assertLogs("bookings.emailing", level="ERROR") as captured_logs:
-            result = create_pending_reservation(
+    @override_settings(EMAIL_BACKEND="django.core.mail.backends.locmem.EmailBackend")
+    def test_create_pending_reservation_defers_email_until_commit(self):
+        with self.captureOnCommitCallbacks(execute=False) as callbacks:
+            create_pending_reservation(
                performance_id=self.performance.id,
                name="Maria Rossi",
                email="maria@example.com",
                party_size=1,
            )

+        self.assertEqual(len(callbacks), 1)
+        self.assertEqual(len(mail.outbox), 0)
+
+    @patch("bookings.emailing.send_mail", side_effect=RuntimeError("SMTP down"))
+    def test_create_pending_reservation_logs_email_failure_without_crashing(self, mocked_send_mail):
+        with self.assertLogs("bookings.emailing", level="ERROR") as captured_logs:
+            with self.captureOnCommitCallbacks(execute=True):
+                result = create_pending_reservation(
+                    performance_id=self.performance.id,
+                    name="Maria Rossi",
+                    email="maria@example.com",
+                    party_size=1,
+                )
+
        self.assertEqual(result.reservation.status, Reservation.Status.PENDING)
        self.assertEqual(Reservation.objects.count(), 1)
        mocked_send_mail.assert_called_once()
@@ -130,7 +147,7 @@ class BookingServiceTests(TestCase):
        self.assertEqual(result.available_seats, 1)
        self.assertEqual(
            result.qr_code_url,
-            build_check_in_preview_url(raw_token),
+            build_check_in_preview_url(result.raw_check_in_token),
        )
        self.assertTrue(
            result.qr_code_url.startswith(
@@ -139,6 +156,19 @@ class BookingServiceTests(TestCase):
        )
        self.assertTrue(result.qr_code_image.startswith("data:image/png;base64,"))

+    @override_settings(SITE_BASE_URL="https://tickets.azionelab.example")
+    def test_confirmation_token_cannot_be_reused_as_qr_or_check_in_token(self):
+        reservation = self.create_reservation()
+        _, raw_token = generate_confirmation_token(reservation)
+
+        result = confirm_reservation_from_token(raw_token)
+
+        self.assertNotEqual(raw_token, result.raw_check_in_token)
+        self.assertNotEqual(
+            build_check_in_preview_url(raw_token),
+            result.qr_code_url,
+        )
+
    @override_settings(SITE_BASE_URL="https://tickets.azionelab.example")
    def test_qr_code_is_generated_for_confirmed_reservation(self):
        reservation = self.create_reservation(
@@ -171,6 +201,28 @@ class BookingServiceTests(TestCase):
                raw_check_in_token="opaque-check-in-token",
            )

+    def test_qr_retrieval_rejects_confirmation_token(self):
+        reservation = self.create_reservation()
+        _, raw_confirmation_token = generate_confirmation_token(reservation)
+        confirm_reservation_from_token(raw_confirmation_token)
+
+        with self.assertRaises(InvalidToken):
+            retrieve_reservation_qr_from_token(raw_confirmation_token)
+
+    def test_qr_retrieval_accepts_check_in_token(self):
+        reservation = self.create_reservation()
+        _, raw_confirmation_token = generate_confirmation_token(reservation)
+        result = confirm_reservation_from_token(raw_confirmation_token)
+
+        qr_result = retrieve_reservation_qr_from_token(result.raw_check_in_token)
+
+        self.assertEqual(qr_result.reservation, reservation)
+        self.assertEqual(
+            qr_result.qr_code_url,
+            build_check_in_preview_url(result.raw_check_in_token),
+        )
+        self.assertTrue(qr_result.qr_code_image.startswith("data:image/png;base64,"))
+
    def test_confirmation_fails_when_capacity_is_exhausted(self):
        Reservation.objects.create(
            performance=self.performance,