fix(devices): address pre-merge review findings

Closes the issues surfaced by the pre-merge code review of the
expand-device-support branch.

CRITICAL #2 -- update_device double-encrypts secrets in memory.
storage/device_store.py round-tripped through device.to_dict() which
encrypts hue_username / hue_client_key / ble_govee_key / nanoleaf_token
via _enc(), but Device.__init__ does not decrypt. The cached
self._items[device_id] thus held ciphertext where plaintext belonged,
breaking runtime auth for paired devices on any update -- even an
innocuous rename. Sourcing kwargs from vars(device) directly avoids
the round-trip. Regression tests cover Nanoleaf and Hue.

HIGH #3 -- secrets leaked in GET /api/v1/devices response.
DeviceResponse previously returned nanoleaf_token / hue_username /
hue_client_key in plaintext (decrypted server-side from storage),
defeating the encryption-at-rest. Replaced with nanoleaf_paired and
hue_paired booleans. ble_govee_key intentionally stays -- it's a
user-managed value pasted from a third-party tool, must remain visible
for edit. Frontend types.ts + the one nanoleaf_token reader updated to
the boolean.

HIGH #4 -- SSRF surface. validate_lan_host() added to net_classify.py;
called from each new driver's validate_device (DDP / Yeelight / WiZ /
LIFX / Govee / OPC / Nanoleaf) and from pair_device. Rejects literal
public IPs with a descriptive ValueError; non-IP hostnames pass
through (mDNS labels, bare hostnames). RFC6890 ranges (documentation,
former class E) are accepted as LAN-like since Python's
ipaddress.is_private treats them so -- correct policy for LedGrab.

HIGH #5 -- decrypt failure deletes the device row. _dec() now catches
the exception, logs an error, and returns "" instead of propagating.
Without the fix, a regenerated data/.secret_key would silently make
every Hue / Nanoleaf / BLE-Govee device disappear from the device list
on next startup. Regression test asserts a corrupt envelope leaves the
device hydratable.

HIGH #6 -- update_device route does not rstrip("/") for non-WLED.
Moved the trim before the WLED-specific scheme inference so every
device type gets consistent URL normalization between create and
update.

MEDIUM #7 -- Govee discovery port 4002 collision. Added a lazily-
initialized module-level asyncio.Lock that serializes concurrent
discover_govee_devices() calls; the previous behavior had the second
parallel scan silently return [] when the first still held port 4002.
Error message also clarified to mention another Govee tool.

MEDIUM #8 -- Nanoleaf discover() leaked browser tasks on cancellation.
Moved the browser cancel loop into the finally block so an interrupted
mDNS scan still tears them down.

MEDIUM #9 -- pair endpoint logged user-supplied URL with exc_info=True.
Added _sanitize_url_for_log() that strips userinfo + fragment, and
demoted the log from exc_info to type(exc).__name__ + str(exc) so a
hostile receiver's response body can't end up in the log file.

LOW -- Nanoleaf was the only client without a .port property. Added
one (returns NANOLEAF_PORT, fixed) for cross-driver symmetry.

LOW -- no end-to-end pair-then-create coverage. Added
TestPairThenCreateFlow.test_pair_then_create_persists_encrypted_token
which exercises the full path: POST /api/v1/devices/pair returned
fields, store.create_device, then asserts (a) in-memory plaintext,
(b) to_config() plaintext, (c) persisted ciphertext, (d) API response
strip + paired-boolean.

Tests: 1379 pass (was 1358 -- 21 new regression tests added).
ruff clean. TypeScript clean.
2026-05-16 11:06:10 +03:00
parent 7736bc6f58
commit 0e3ae78de7
19 changed files with 431 additions and 40 deletions
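The commit message describes two of the fixes only by their effect: validate_lan_host() (HIGH #4) rejects literal public IPs while letting mDNS labels and bare hostnames through, and _sanitize_url_for_log() (MEDIUM #9) strips userinfo and fragment before a URL reaches the log. The block below is an added example written for this page, not LedGrab's own code from the branch; it reuses the two names from the message but the bodies are assumptions about the policy as stated (public-IP literal rejected, non-IP hostname passed through, ranges that `ipaddress.is_private` considers private accepted), and `is_lan_host()` and `validate_pair_url()` are hypothetical helpers that tie the two together the way the pair route would.

```python
"""Added example (not LedGrab's code): a LAN-host check and a log-safe URL
scrubber modelled on the behaviour the commit message describes.
Function bodies, is_lan_host() and validate_pair_url() are assumptions."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit


def validate_lan_host(host: str) -> str:
    """Reject literal public IP addresses; return the host unchanged otherwise.

    Hostnames that are not IP literals (mDNS labels like 'wled.local', bare
    names) are passed through without resolution, matching the described
    policy. Callers get the host back so the call can be chained.
    """
    host = host.strip()
    if not host:
        raise ValueError("empty host")
    try:
        addr = ipaddress.ip_address(host.strip("[]"))  # accept [v6] literals
    except ValueError:
        return host  # not an IP literal: hostname passes through
    # ipaddress.is_private covers RFC1918, loopback, link-local, ULA and the
    # RFC6890 ranges (192.0.2.0/24 documentation, 240.0.0.0/4 former class E)
    # that the commit message treats as LAN-like.
    if addr.is_private:
        return host
    raise ValueError(f"{host} is a public IP address; only LAN hosts may be paired")


def is_lan_host(host: str) -> bool:
    """Boolean wrapper over validate_lan_host() for callers that only branch."""
    try:
        validate_lan_host(host)
    except ValueError:
        return False
    return True


def sanitize_url_for_log(url: str) -> str:
    """Return the URL with userinfo (user:pass@) and the fragment removed.

    The query string is kept, as in the behaviour the commit describes; a
    stricter scrubber would drop it too where query parameters may carry
    credentials.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, restore them
        host = f"[{host}]"
    try:
        port = parts.port
    except ValueError:  # non-numeric port: drop it rather than log garbage
        port = None
    netloc = f"{host}:{port}" if port is not None else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def validate_pair_url(url: str) -> str:
    """Apply validate_lan_host() to a device URL's host and return the
    log-safe form of the URL. Error messages carry only the scrubbed URL,
    so rejecting 'http://user:pw@8.8.8.8/' never puts 'pw' in a log line."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"URL has no host: {sanitize_url_for_log(url)}")
    try:
        validate_lan_host(parts.hostname)
    except ValueError as exc:
        raise ValueError(f"rejected {sanitize_url_for_log(url)}: {exc}") from None
    return sanitize_url_for_log(url)


if __name__ == "__main__":
    # Constructed sample URLs, including a stub:// one like the test fixture.
    for candidate in ("http://192.168.1.50/json", "http://wled.local/json",
                      "http://admin:hunter2@8.8.8.8/api#x", "stub://1.2.3.4"):
        try:
            print("ok      ", validate_pair_url(candidate))
        except ValueError as exc:
            print("rejected", exc)
```

Note that the check only classifies literals: a hostname that resolves to a public address still passes, which is the trade-off the message accepts for mDNS names. If the route ever resolves the name itself, the resolved address should go through the same check.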
@@ -340,3 +340,80 @@ class TestPairDevice:
def test_missing_required_fields_returns_422(self, client):
resp = client.post("/api/v1/devices/pair", json={"device_type": "nanoleaf"})
assert resp.status_code == 422
class TestPairThenCreateFlow:
"""End-to-end coverage: pair, then persist; assert the token is
encrypted at rest and decrypted in to_config(), and that the API
response strips the secret.
Closes the LOW gap in the pre-merge review: pair-route tests stopped
at the 200 response, never carrying the returned fields through to
storage to verify the round-trip and the response-strip.
"""
def test_pair_then_create_persists_encrypted_token(self, client, device_store):
from ledgrab.api.routes.devices import _device_to_response
from ledgrab.core.devices import led_client as _led_client
from ledgrab.core.devices.led_client import DeviceHealth
class _NanoleafLikeStub:
@property
def device_type(self):
return "nanoleaf_like_stub"
@property
def capabilities(self):
return {"manual_led_count", "requires_pairing"}
async def pair_device(self, url):
return {"nanoleaf_token": "secret-paired-token"}
async def validate_device(self, url):
return {"led_count": 9}
def create_client(self, config, *, deps):
raise AssertionError("not used")
async def check_health(self, url, http_client, prev_health=None):
return DeviceHealth(online=True)
_led_client.register_provider(_NanoleafLikeStub())
try:
# Step 1: pair via the route
pair_resp = client.post(
"/api/v1/devices/pair",
json={"device_type": "nanoleaf_like_stub", "url": "stub://1.2.3.4"},
)
assert pair_resp.status_code == 200, pair_resp.text
fields = pair_resp.json()["fields"]
assert fields == {"nanoleaf_token": "secret-paired-token"}
# Step 2: persist via the store (skip the route's create path
# which would require a real validate_device handshake)
device = device_store.create_device(
name="E2E Paired",
url="stub://1.2.3.4",
led_count=9,
device_type="nanoleaf",
**fields,
)
# In-memory device holds plaintext
assert device.nanoleaf_token == "secret-paired-token"
# to_config surfaces plaintext to the provider
config = device.to_config()
assert config.nanoleaf_token == "secret-paired-token"
# Persisted row holds ciphertext (envelope prefix)
persisted = device.to_dict()
assert persisted["nanoleaf_token"].startswith("ENC:v1:")
assert persisted["nanoleaf_token"] != "secret-paired-token"
# API response strips the token; only a boolean flag remains
resp = _device_to_response(device).model_dump()
assert "nanoleaf_token" not in resp
assert resp.get("nanoleaf_paired") is True
finally:
_led_client._provider_registry.pop("nanoleaf_like_stub", None)
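Review bot: the fixture URL `"stub://1.2.3.4"` is a literal public IP, yet the commit message says validate_lan_host() is now called from pair_device and rejects exactly those, and the test still expects a 200 from `/api/v1/devices/pair`. Either the stub provider never reaches the check or the check is not applied for this scheme; in both cases the test silently depends on that gap. Suggest an RFC1918 host in both the pair request and the `create_device` call (e.g. `"url": "stub://192.168.1.4"`) plus a one-line comment stating which path the SSRF check takes for a stub provider. Secondary: the `finally` teardown reaches into the private `_led_client._provider_registry` with `.pop("nanoleaf_like_stub", None)`; if register_provider() keys the registry by anything other than `device_type`, the stub stays registered across tests without any failure, so a public unregister call (or a fixture that snapshots and restores the registry) would make the cleanup verifiable. Also worth a short comment on why pairing as `"nanoleaf_like_stub"` and then persisting with `device_type="nanoleaf"` is intentional, since the mismatch looks like a typo on first read.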