fix(security): separate booking and check-in tokens

2026-04-29 21:49:21 +02:00
parent 5cad1871e7
commit 13a05f6d0d
10 changed files with 214 additions and 64 deletions
--- a/backend/checkins/test_api.py
+++ b/backend/checkins/test_api.py
@@ -87,6 +87,24 @@ class CheckInApiTests(APITestCase):
        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
        self.assertEqual(response.data["status"], "invalid_token")

+    def test_preview_rejects_confirmation_token(self):
+        reservation = self.create_reservation()
+        _, raw_token = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+        self.client.force_authenticate(user=self.staff_user)
+
+        response = self.client.post(
+            reverse("api-check-in-preview"),
+            {"token": raw_token},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(response.data["status"], "invalid_token")
+
    def test_check_in_success_as_staff_user(self):
        reservation = self.create_reservation()
        _, raw_token = self.create_check_in_token(reservation)
@@ -171,6 +189,25 @@ class CheckInApiTests(APITestCase):
        self.assertEqual(second_response.data["status"], "already_checked_in")
        self.assertEqual(CheckIn.objects.filter(reservation=reservation).count(), 1)

+    def test_check_in_rejects_confirmation_token(self):
+        reservation = self.create_reservation()
+        _, raw_token = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+        self.client.force_authenticate(user=self.staff_user)
+
+        response = self.client.post(
+            reverse("api-check-in-confirm"),
+            {"token": raw_token},
+            format="json",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+        self.assertEqual(response.data["status"], "invalid_token")
+        self.assertFalse(CheckIn.objects.filter(reservation=reservation).exists())
+
    def create_reservation(self, **overrides):
        data = {
            "performance": self.performance,