fix(security): separate booking and check-in tokens

2026-04-29 21:49:21 +02:00
parent 5cad1871e7
commit 13a05f6d0d
10 changed files with 214 additions and 64 deletions
--- a/backend/checkins/test_services.py
+++ b/backend/checkins/test_services.py
@@ -62,6 +62,17 @@ class CheckInServiceTests(TestCase):
        with self.assertRaises(InvalidToken):
            preview_check_in_token("invalid-token", staff_user=self.staff_user)

+    def test_preview_rejects_confirmation_token_even_for_confirmed_reservation(self):
+        reservation = self.create_reservation()
+        _, raw_token = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+
+        with self.assertRaises(InvalidToken):
+            preview_check_in_token(raw_token, staff_user=self.staff_user)
+
    def test_check_in_succeeds_for_confirmed_reservation(self):
        reservation = self.create_reservation()
        _, raw_token = self.create_check_in_token(reservation)
@@ -114,6 +125,17 @@ class CheckInServiceTests(TestCase):
        with self.assertRaises(MissingStaffUser):
            confirm_check_in_from_token(raw_token, staff_user=None)

+    def test_check_in_rejects_confirmation_token_even_for_confirmed_reservation(self):
+        reservation = self.create_reservation()
+        _, raw_token = ReservationToken.create_token(
+            reservation=reservation,
+            purpose=ReservationToken.Purpose.CONFIRMATION,
+            expires_at=timezone.now() + timedelta(hours=2),
+        )
+
+        with self.assertRaises(InvalidToken):
+            confirm_check_in_from_token(raw_token, staff_user=self.staff_user)
+
    def create_reservation(self, **overrides):
        data = {
            "performance": self.performance,