
Add comprehensive security tests for 8 vulnerability fixes #420

@manavgup

Overview

PR #419 fixed 8 critical security vulnerabilities but needs comprehensive security tests to verify the fixes work correctly.

Security Fixes Requiring Tests

1. Search Endpoint Authentication (Issue #8)

File: backend/rag_solution/router/search_router.py
Fix: Added JWT authentication requirement

Tests Needed:

  • ✅ Authenticated requests succeed
  • ✅ Unauthenticated requests return 401
  • ✅ Invalid JWT tokens rejected
  • ✅ User can only search their own collections

2. Chat Session Creation (Issue #5)

File: backend/rag_solution/router/chat_router.py
Fix: Added authentication to POST /sessions

Tests Needed:

  • ✅ Authenticated users can create sessions
  • ✅ Unauthenticated requests return 401
  • ✅ user_id set from JWT (not client input)

3. Chat Message Creation (Issue #6)

File: backend/rag_solution/router/chat_router.py
Fix: Added authentication to POST /sessions/{id}/messages

Tests Needed:

  • ✅ Authenticated users can add messages to their sessions
  • ✅ Users cannot add messages to other users' sessions (403)
  • ✅ Unauthenticated requests return 401

4. Chat Message Processing - LLM Abuse Prevention (Issue #7)

File: backend/rag_solution/router/chat_router.py
Fix: Added authentication to POST /sessions/{id}/process

Tests Needed:

  • ✅ Authenticated users can process messages
  • ✅ Users cannot process messages in other users' sessions (403)
  • ✅ Unauthenticated requests blocked (prevents unlimited LLM API abuse)

5. File Download Authentication (Issue #2)

File: backend/rag_solution/router/collection_router.py
Fix: Added authentication check

Tests Needed:

  • ✅ Authenticated users can download files from their collections
  • ✅ Users cannot download files from other users' collections (403)
  • ✅ Unauthenticated requests return 401

6. File Download Authorization (Issue #3)

File: backend/rag_solution/router/collection_router.py
Fix: Added collection access verification

Tests Needed:

  • ✅ Users can only download files from collections they have access to
  • ✅ Cross-collection access blocked (403)

7. File Deletion Authorization (Issue #4)

File: backend/rag_solution/router/user_routes/file_routes.py
Fix: Added collection access verification before deletion

Tests Needed:

  • ✅ Users can delete files from their collections
  • ✅ Users cannot delete files from other users' collections (403)
  • ✅ Deletion blocked if user doesn't have collection access

8. Path Traversal Prevention (Issue #1)

File: backend/rag_solution/services/file_management_service.py
Fix: Fixed path containment check using is_relative_to()

Tests Needed:

  • ✅ Normal file access works
  • ✅ Path traversal attempts blocked (../../etc/passwd)
  • ✅ Symlink attacks prevented
  • ✅ Files outside storage root inaccessible

Implementation Approach

Test Structure

Create backend/tests/security/test_security_fixes.py

Test Helpers

Use FastAPI TestClient with mock JWT tokens

Acceptance Criteria

  • All 8 security fixes have corresponding tests
  • Tests verify both positive cases (authorized access works) and negative cases (unauthorized access blocked)
  • Tests use proper HTTP status codes (401 for unauthenticated, 403 for unauthorized)
  • Tests run with pytest -m security
  • All tests pass in CI/CD pipeline
  • Code coverage >80% for security-critical code paths

Priority

HIGH - These tests are critical for verifying the security fixes in PR #419 work correctly and preventing regression.

Related

Estimated Effort

2-3 hours to write comprehensive security tests for all 8 fixes.
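
The four path traversal cases from item 8, written out as an added example (not code from the project or PR #419). `resolve_in_root` is a hypothetical stand-in for the containment check in `file_management_service.py`, the storage tree is constructed in a temporary directory, and the absolute-path case goes beyond the cases listed in the issue.

```python
import os
import tempfile
from pathlib import Path


def resolve_in_root(storage_root: Path, user_path: str) -> Path:
    """Hypothetical helper: return the resolved path or raise PermissionError."""
    root = storage_root.resolve()
    # resolve() collapses ".." and follows symlinks, so the containment
    # check below sees the real target rather than the requested string.
    candidate = (root / user_path).resolve()
    if not candidate.is_relative_to(root):  # requires Python 3.9+
        raise PermissionError(f"path escapes storage root: {user_path}")
    return candidate


def is_blocked(storage_root: Path, user_path: str) -> bool:
    """True when the request is rejected by the containment check."""
    try:
        resolve_in_root(storage_root, user_path)
    except PermissionError:
        return True
    return False


def run_containment_cases() -> dict:
    """Build a constructed storage tree and report which requests are blocked."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "storage"
        (root / "user1").mkdir(parents=True)
        (root / "user1" / "report.pdf").write_text("ok")
        outside = base / "secret.txt"  # lives outside the storage root
        outside.write_text("outside")
        # Symlink stored inside the root that points at the outside file.
        os.symlink(outside, root / "user1" / "link.txt")
        return {
            "normal": is_blocked(root, "user1/report.pdf"),
            "traversal": is_blocked(root, "../../etc/passwd"),
            "symlink": is_blocked(root, "user1/link.txt"),
            "absolute": is_blocked(root, str(outside)),
        }


if __name__ == "__main__":
    print(run_containment_cases())
```

In a pytest suite each dictionary entry would become its own test function carrying the `security` marker, so that `pytest -m security` selects it.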


Labels: security, testing
