testing and enhancing security

app/config.py

@@ -1,18 +1,60 @@
 # config.py
 import os
+import json
+import secrets
 from pathlib import Path
 from dotenv import load_dotenv
+from cachelib.file import FileSystemCache
+
 
 BASE_DIR = Path(__file__).resolve().parent.parent
 load_dotenv(BASE_DIR / ".env")
 
+# Define secrets file location next to database
+SECRETS_FILE = BASE_DIR / "database" / "secrets.json"
+DATABASE_DIR = BASE_DIR / "database"
+
+def generate_secret_key():
+    """Generate a secure random secret key."""
+    return secrets.token_hex(32)
+
+def load_secrets():
+    """Load secrets from the secrets file."""
+    if not SECRETS_FILE.exists():
+        return {}
+    
+    try:
+        with open(SECRETS_FILE, "r") as f:
+            return json.load(f)
+    except (json.JSONDecodeError, FileNotFoundError):
+        return {}
+
+def save_secrets(secrets_dict):
+    """Save secrets to the secrets file."""
+    # Ensure database directory exists
+    DATABASE_DIR.mkdir(exist_ok=True)
+    
+    with open(SECRETS_FILE, "w") as f:
+        json.dump(secrets_dict, f, indent=2)
+
+def get_or_create_secret(key, generator_func):
+    """Get a secret from the secrets file or create it if it doesn't exist."""
+    secrets_dict = load_secrets()
+    
+    if key not in secrets_dict:
+        secrets_dict[key] = generator_func()
+        save_secrets(secrets_dict)
+        
+    return secrets_dict[key]
+
+
 class BaseConfig:
     # Flask
     TEMPLATES_AUTO_RELOAD = True
-    SECRET_KEY = os.getenv("SECRET_KEY", "dev-only-override-me")
+    SECRET_KEY = get_or_create_secret("SECRET_KEY", generate_secret_key)
     # Sessions
-    SESSION_TYPE = "filesystem"
-    SESSION_FILE_DIR = BASE_DIR / "database" / "sessions"
+    SESSION_TYPE = 'filesystem'  # Required session type configuration
+    SESSION_CACHELIB = FileSystemCache(str(BASE_DIR / "database" / "sessions"))
     # Babel / i18n
     LANGUAGES = {
         "en": "english", "de": "german", "zh": "chinese", "fr": "french",
@@ -32,4 +74,4 @@ class DevelopmentConfig(BaseConfig):
     DEBUG = True
 
 class ProductionConfig(BaseConfig):
-    DEBUG = False
+    DEBUG = False

docs/contribute/development.md

@@ -12,6 +12,15 @@ If you want to contribute to Wizarr, here is how
 2. Move into the directory `cd wizarr`
 3. (Optional but recommended) Create a python virtual environment with `python -m venv venv`
 4. Enter the python venv with `source venv/bin/activate`
-5. Install dependencies with `pip install -r requirements.txt`
+5. Install dependencies with `uv sync --locked`
 6. Start Wizarr with `flask run`
 7. Wizarr is now accessible at http://127.0.0.1:5000
+
+### Running Tests
+
+To run the test suite, ensure your dependencies (including development dependencies) are installed, then invoke pytest via `uv`:
+
+```bash
+uv sync --locked
+uv run pytest
+```

pyproject.toml

@@ -27,3 +27,10 @@ dependencies = [
     "sqlalchemy>=2.0.41",
     "wtforms>=3.2.1",
 ]
+
+[dependency-groups]
+dev = [
+    "pytest>=8.3.5",
+    "pytest-flask>=1.3.0",
+    "pytest-mock>=3.14.1",
+]

pytest.ini

@@ -0,0 +1,5 @@
+[pytest]
+minversion = 6.0
+addopts = -ra -q
+testpaths = tests
+python_files = test_*.py

tests/conftest.py

@@ -0,0 +1,31 @@
+import pytest
+
+from app import create_app
+from app.config import BaseConfig
+from app.extensions import db
+
+
+class TestConfig(BaseConfig):
+    TESTING = True
+    WTF_CSRF_ENABLED = False
+    SQLALCHEMY_DATABASE_URI = "sqlite:///:memory:"
+
+
+@pytest.fixture(scope="session")
+def app():
+    app = create_app(TestConfig)
+    with app.app_context():
+        db.create_all()
+    yield app
+    with app.app_context():
+        db.drop_all()
+
+
+@pytest.fixture
+def client(app):
+    return app.test_client()
+
+
+@pytest.fixture
+def runner(app):
+    return app.test_cli_runner()

tests/test_wizard_steps.py

@@ -0,0 +1,54 @@
+import frontmatter
+
+import pytest
+
+from app.blueprints.wizard.routes import _eligible, _render, _steps
+
+
+def test_eligible_with_requirements_met():
+    post = frontmatter.Post('body', **{'requires': ['a', 'b']})
+    cfg = {'a': True, 'b': True}
+    assert _eligible(post, cfg)
+
+
+def test_eligible_with_requirements_not_met():
+    post = frontmatter.Post('body', **{'requires': ['a', 'b']})
+    cfg = {'a': True, 'b': False}
+    assert not _eligible(post, cfg)
+    cfg = {}
+    assert not _eligible(post, cfg)
+
+
+def test_render_jinja_and_markdown(app):
+    post = frontmatter.Post('{{ name }} **bold**')
+    html = _render(post, {'name': 'Alice'})
+    assert '<strong>bold</strong>' in html
+    assert 'Alice' in html
+
+
+def test_steps_filters_and_loads(tmp_path, monkeypatch):
+    server_dir = tmp_path / 'myserver'
+    server_dir.mkdir()
+    # step requiring 'ok'
+    f1 = server_dir / 'one.md'
+    f1.write_text('''---
+requires:
+- ok
+---
+Step1''')
+    # step without requirements
+    f2 = server_dir / 'two.md'
+    f2.write_text('''---
+requires: []
+---
+Step2''')
+    # point BASE_DIR to our temp path
+    monkeypatch.setattr(
+        'app.blueprints.wizard.routes.BASE_DIR', tmp_path
+    )
+    cfg = {'ok': True}
+    steps = _steps('myserver', cfg)
+    assert len(steps) == 2
+    cfg = {'ok': False}
+    steps = _steps('myserver', cfg)
+    assert len(steps) == 1

uv.lock

@@ -334,6 +334,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/76/c6/c88e154df9c4e1a2a66ccf0005a88dfb2650c1dffb6f5ce603dfbd452ce3/idna-3.10-py3-none-any.whl", hash = "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3", size = 70442 },
 ]
 
+[[package]]
+name = "iniconfig"
+version = "2.1.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/f2/97/ebf4da567aa6827c909642694d71c9fcf53e5b504f2d96afea02718862f3/iniconfig-2.1.0.tar.gz", hash = "sha256:3abbd2e30b36733fee78f9c7f7308f2d0050e88f0087fd25c2645f63c773e1c7", size = 4793 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/2c/e1/e6716421ea10d38022b952c159d5161ca1193197fb744506875fbb87ea7b/iniconfig-2.1.0-py3-none-any.whl", hash = "sha256:9deba5723312380e77435581c6bf4935c94cbfab9b1ed33ef8d238ea168eb760", size = 6050 },
+]
+
 [[package]]
 name = "itsdangerous"
 version = "2.2.0"
@@ -466,6 +475,56 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/24/42/400828990b1884bb3d18d6cdbd1c26f91f1ca256619d057bd5f5d8a9ec7b/plexapi-4.17.0-py3-none-any.whl", hash = "sha256:cf42a990205c0327a2ab1d2871087a91b50596e6e960b99a185bf657525e6938", size = 166667 },
 ]
 
+[[package]]
+name = "pluggy"
+version = "1.6.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/f9/e2/3e91f31a7d2b083fe6ef3fa267035b518369d9511ffab804f839851d2779/pluggy-1.6.0.tar.gz", hash = "sha256:7dcc130b76258d33b90f61b658791dede3486c3e6bfb003ee5c9bfb396dd22f3", size = 69412 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/54/20/4d324d65cc6d9205fabedc306948156824eb9f0ee1633355a8f7ec5c66bf/pluggy-1.6.0-py3-none-any.whl", hash = "sha256:e920276dd6813095e9377c0bc5566d94c932c33b27a3e3945d8389c374dd4746", size = 20538 },
+]
+
+[[package]]
+name = "pytest"
+version = "8.3.5"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "colorama", marker = "sys_platform == 'win32'" },
+    { name = "iniconfig" },
+    { name = "packaging" },
+    { name = "pluggy" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/ae/3c/c9d525a414d506893f0cd8a8d0de7706446213181570cdbd766691164e40/pytest-8.3.5.tar.gz", hash = "sha256:f4efe70cc14e511565ac476b57c279e12a855b11f48f212af1080ef2263d3845", size = 1450891 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/30/3d/64ad57c803f1fa1e963a7946b6e0fea4a70df53c1a7fed304586539c2bac/pytest-8.3.5-py3-none-any.whl", hash = "sha256:c69214aa47deac29fad6c2a4f590b9c4a9fdb16a403176fe154b79c0b4d4d820", size = 343634 },
+]
+
+[[package]]
+name = "pytest-flask"
+version = "1.3.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "flask" },
+    { name = "pytest" },
+    { name = "werkzeug" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/fb/23/32b36d2f769805c0f3069ca8d9eeee77b27fcf86d41d40c6061ddce51c7d/pytest-flask-1.3.0.tar.gz", hash = "sha256:58be1c97b21ba3c4d47e0a7691eb41007748506c36bf51004f78df10691fa95e", size = 35816 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/de/03/7a917fda3d0e96b4e80ab1f83a6628ec4ee4a882523b49417d3891bacc9e/pytest_flask-1.3.0-py3-none-any.whl", hash = "sha256:c0e36e6b0fddc3b91c4362661db83fa694d1feb91fa505475be6732b5bc8c253", size = 13105 },
+]
+
+[[package]]
+name = "pytest-mock"
+version = "3.14.1"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "pytest" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/71/28/67172c96ba684058a4d24ffe144d64783d2a270d0af0d9e792737bddc75c/pytest_mock-3.14.1.tar.gz", hash = "sha256:159e9edac4c451ce77a5cdb9fc5d1100708d2dd4ba3c3df572f14097351af80e", size = 33241 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/b2/05/77b60e520511c53d1c1ca75f1930c7dd8e971d0c4379b7f4b3f9644685ba/pytest_mock-3.14.1-py3-none-any.whl", hash = "sha256:178aefcd11307d874b4cd3100344e7e2d888d9791a6a1d9bfe90fbc1b74fd1d0", size = 9923 },
+]
+
 [[package]]
 name = "python-dateutil"
 version = "2.9.0.post0"
@@ -687,6 +746,13 @@ dependencies = [
     { name = "wtforms" },
 ]
 
+[package.dev-dependencies]
+dev = [
+    { name = "pytest" },
+    { name = "pytest-flask" },
+    { name = "pytest-mock" },
+]
+
 [package.metadata]
 requires-dist = [
     { name = "boto3", specifier = ">=1.38.18" },
@@ -712,6 +778,13 @@ requires-dist = [
     { name = "wtforms", specifier = ">=3.2.1" },
 ]
 
+[package.metadata.requires-dev]
+dev = [
+    { name = "pytest", specifier = ">=8.3.5" },
+    { name = "pytest-flask", specifier = ">=1.3.0" },
+    { name = "pytest-mock", specifier = ">=3.14.1" },
+]
+
 [[package]]
 name = "wtforms"
 version = "3.2.1"