MQL5-Google-Onedrive/scripts/test_web_dashboard.py

import unittest
import sys
import os
import json

# Add scripts directory to path so we can import web_dashboard
sys.path.append(os.path.dirname(os.path.abspath(__file__)))

from web_dashboard import app

class TestWebDashboard(unittest.TestCase):
    def setUp(self):
        self.app = app.test_client()
        self.app.testing = True

    def test_dashboard_route(self):
        """Test that the root route returns HTML."""
        response = self.app.get('/')
        self.assertEqual(response.status_code, 200)
        self.assertIn(b'<!DOCTYPE html>', response.data)
        self.assertIn(b'MQL5 Trading Automation Dashboard', response.data)

    def test_health_route_json(self):
        """Test that the health route returns a JSON response."""
        response = self.app.get('/health')
        self.assertEqual(response.status_code, 200)

        # This is what we expect AFTER the optimization.
        # For TDD, this test will fail initially if I ran it now against the current code
        # (because current code returns HTML for /health).
        try:
            data = json.loads(response.data)
            self.assertEqual(data.get('status'), 'healthy')
        except json.JSONDecodeError:
            self.fail("Response is not valid JSON")

    def test_skip_link_present(self):
        """Test that the skip link is present in the dashboard HTML."""
        response = self.app.get('/')
        self.assertEqual(response.status_code, 200)
        self.assertIn(b'<a href="#status" class="skip-link">Skip to main content</a>', response.data)

    def test_security_headers(self):
        """Test that security headers are present."""
        response = self.app.get('/')
        self.assertEqual(response.status_code, 200)
        self.assertIn('Content-Security-Policy', response.headers)
        self.assertIn('X-Content-Type-Options', response.headers)
        self.assertIn('X-Frame-Options', response.headers)
        self.assertIn('Referrer-Policy', response.headers)

    def test_dashboard_error_handling(self):
        """Test that the dashboard route handles errors gracefully."""
        from unittest.mock import patch

        # Patch get_cached_markdown in the web_dashboard module
        # We simulate an error during dashboard rendering
        with patch('web_dashboard.get_cached_markdown', side_effect=Exception("Sensitive DB Info")):
            response = self.app.get('/')
            self.assertEqual(response.status_code, 500)
            # The error message should be generic
            self.assertIn(b'Internal Server Error', response.data)
            # The specific exception details should NOT be exposed
            self.assertNotIn(b'Sensitive DB Info', response.data)

if __name__ == '__main__':
    unittest.main()
⚡ Bolt: Optimize health check endpoint 💡 What: Separated the /health endpoint from the main dashboard rendering logic. It now returns a lightweight JSON response. 🎯 Why: The previous implementation rendered the full Markdown dashboard for every health check, consuming unnecessary CPU and I/O resources during frequent polling. 📊 Impact: Reduces health check processing time from file reading + markdown parsing (~milliseconds) to a simple JSON return (~microseconds). 🔬 Measurement: Verified with new test script scripts/test_web_dashboard.py and updated render.yaml/app.yaml to use the new endpoint. 2026-01-21 05:17:23 +00:00			`import unittest`
			`import sys`
			`import os`
			`import json`

			`# Add scripts directory to path so we can import web_dashboard`
			`sys.path.append(os.path.dirname(os.path.abspath(__file__)))`

			`from web_dashboard import app`

			`class TestWebDashboard(unittest.TestCase):`
			`def setUp(self):`
			`self.app = app.test_client()`
			`self.app.testing = True`

			`def test_dashboard_route(self):`
			`"""Test that the root route returns HTML."""`
			`response = self.app.get('/')`
			`self.assertEqual(response.status_code, 200)`
			`self.assertIn(b'<!DOCTYPE html>', response.data)`
			`self.assertIn(b'MQL5 Trading Automation Dashboard', response.data)`

			`def test_health_route_json(self):`
			`"""Test that the health route returns a JSON response."""`
			`response = self.app.get('/health')`
			`self.assertEqual(response.status_code, 200)`

			`# This is what we expect AFTER the optimization.`
			`# For TDD, this test will fail initially if I ran it now against the current code`
			`# (because current code returns HTML for /health).`
			`try:`
			`data = json.loads(response.data)`
			`self.assertEqual(data.get('status'), 'healthy')`
			`except json.JSONDecodeError:`
			`self.fail("Response is not valid JSON")`

🎨 Palette: Add skip-to-content link for accessibility 2026-02-08 11:20:56 +00:00			`def test_skip_link_present(self):`
			`"""Test that the skip link is present in the dashboard HTML."""`
			`response = self.app.get('/')`
			`self.assertEqual(response.status_code, 200)`
			`self.assertIn(b'<a href="#status" class="skip-link">Skip to main content</a>', response.data)`

Add security headers to web dashboard (CSP, HSTS, X-Frame-Options) - Implemented `@app.after_request` in `scripts/web_dashboard.py` to inject security headers. - Added `Content-Security-Policy` with `default-src 'self'`, blocking inline scripts. - Added `X-Content-Type-Options: nosniff`. - Added `X-Frame-Options: SAMEORIGIN`. - Added `Referrer-Policy: strict-origin-when-cross-origin`. - Added unit test `test_security_headers` to `scripts/test_web_dashboard.py` to verify header presence. - Mitigates Stored XSS, Clickjacking, and MIME sniffing risks. 2026-02-09 11:27:48 +00:00			`def test_security_headers(self):`
			`"""Test that security headers are present."""`
			`response = self.app.get('/')`
			`self.assertEqual(response.status_code, 200)`
			`self.assertIn('Content-Security-Policy', response.headers)`
			`self.assertIn('X-Content-Type-Options', response.headers)`
			`self.assertIn('X-Frame-Options', response.headers)`
			`self.assertIn('Referrer-Policy', response.headers)`

Fix: Prevent information exposure in web dashboard error handling - Modified scripts/web_dashboard.py to return generic 500 error instead of exception details - Added regression test in scripts/test_web_dashboard.py - Updated .jules/sentinel.md with security learnings 2026-02-24 12:08:11 +00:00			`def test_dashboard_error_handling(self):`
			`"""Test that the dashboard route handles errors gracefully."""`
			`from unittest.mock import patch`

			`# Patch get_cached_markdown in the web_dashboard module`
			`# We simulate an error during dashboard rendering`
			`with patch('web_dashboard.get_cached_markdown', side_effect=Exception("Sensitive DB Info")):`
			`response = self.app.get('/')`
			`self.assertEqual(response.status_code, 500)`
			`# The error message should be generic`
			`self.assertIn(b'Internal Server Error', response.data)`
			`# The specific exception details should NOT be exposed`
			`self.assertNotIn(b'Sensitive DB Info', response.data)`

⚡ Bolt: Optimize health check endpoint 💡 What: Separated the /health endpoint from the main dashboard rendering logic. It now returns a lightweight JSON response. 🎯 Why: The previous implementation rendered the full Markdown dashboard for every health check, consuming unnecessary CPU and I/O resources during frequent polling. 📊 Impact: Reduces health check processing time from file reading + markdown parsing (~milliseconds) to a simple JSON return (~microseconds). 🔬 Measurement: Verified with new test script scripts/test_web_dashboard.py and updated render.yaml/app.yaml to use the new endpoint. 2026-01-21 05:17:23 +00:00			`if __name__ == '__main__':`
			`unittest.main()`