fix(security): authenticate shutdown endpoints with a per-session token

[Dotify71]

Summary

Fixes #1241.

The /shutdown endpoints on both the backend (port 52123) and sync microservice (port 52124) were completely unauthenticated. Any process on the local machine could POST to these endpoints and forcefully terminate PictoPy — a classic local denial-of-service vector.

As discussed with @rohan-pandeyy, completely disabling the shutdown routes is not an option since the Tauri frontend relies on them on Windows. The goal instead is to ensure only PictoPy itself can trigger these endpoints.

Approach

A per-session shared secret is generated once by the backend at startup using Python's secrets module (256-bit hex token) and written to a temp file (pictopy_shutdown.token). Both services and the Tauri frontend read this same file.

Files Changed

File	Change
backend/app/config/settings.py	Generate SHUTDOWN_TOKEN via secrets.token_hex(32) and write to temp file
backend/app/routes/shutdown.py	Require X-Shutdown-Token header; validate with hmac.compare_digest; return 403 on mismatch
sync-microservice/app/config/settings.py	Read the shared token from the temp file written by the backend
sync-microservice/app/routes/shutdown.py	Same token validation as backend
frontend/src-tauri/src/main.rs	Read token file at shutdown; attach X-Shutdown-Token header to every shutdown POST

Security Details

• hmac.compare_digest prevents timing side-channel attacks.
• Token is regenerated on every backend startup — no replay across sessions.

How to Test

# 1. Start backend, then try without token — expect 422
curl -s -o /dev/null -w "%{http_code}" -X POST http://localhost:52123/shutdown

# 2. Try with wrong token — expect 403
curl -s -o /dev/null -w "%{http_code}" -X POST http://localhost:52123/shutdown -H "X-Shutdown-Token: wrong"

# 3. Try with correct token — expect 200
TOKEN=$(cat $(python3 -c 'import tempfile,os; print(os.path.join(tempfile.gettempdir(),"pictopy_shutdown.token"))'))
curl -s -o /dev/null -w "%{http_code}" -X POST http://localhost:52123/shutdown -H "X-Shutdown-Token: $TOKEN"

Summary by CodeRabbit

• Security Improvements

  • Per-startup shutdown token introduced; shutdown requests require a valid token and invalid/missing attempts are rejected.

• Frontend

  • Client now reads and sends the shutdown token with shutdown requests and logs failures.

• Backend

  • Startup emits the per-run token and will fail on token file write errors; shutdown clears the token file on exit.

• Reliability

  • Services wait for and load the shared token at startup; missing token after a timeout aborts startup.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a per-startup shutdown token written to a temp file; backend and sync microservice require and validate X-Shutdown-Token headers; Windows frontend reads the temp token and includes it on shutdown POSTs.

Changes

Shutdown Endpoint Token Authentication

Layer / File(s)	Summary
Backend token generation and configuration backend/app/config/settings.py	Backend imports secrets and tempfile, generates a per-startup hex SHUTDOWN_TOKEN, defines SHUTDOWN_TOKEN_FILE in the system temp dir, writes the token file with owner-only permissions, and exits on write failure.
Backend shutdown route token validation backend/app/routes/shutdown.py	Shutdown endpoint accepts X-Shutdown-Token header (Header(...)), rejects missing tokens (401), validates with hmac.compare_digest against SHUTDOWN_TOKEN (403 on mismatch), and attempts best-effort removal of the token file during shutdown flow.
Sync microservice config declaration sync-microservice/app/config/settings.py	Declares SHUTDOWN_TOKEN_FILE in the OS temp dir and a module-level SHUTDOWN_TOKEN string plus related imports.
Sync microservice startup token polling sync-microservice/app/core/lifespan.py	Startup polls SHUTDOWN_TOKEN_FILE up to ~5s, reads a non-empty token into settings.SHUTDOWN_TOKEN, and raises RuntimeError if token not found in time.
Sync microservice shutdown route token validation sync-microservice/app/routes/shutdown.py	/shutdown accepts X-Shutdown-Token (Header(...)), rejects missing tokens (401), validates with hmac.compare_digest against SHUTDOWN_TOKEN (403 on mismatch), and removes the token file best-effort during delayed shutdown.
Frontend token delivery to authenticated endpoints frontend/src-tauri/src/main.rs	Windows kill_process reads pictopy_shutdown.token from temp dir, trims and uses it to build an x-shutdown-token HeaderMap, reuses a blocking reqwest client, sends shutdown POST requests with cloned headers to backend and sync endpoints, and logs failures; Unix kill helpers now return Result and propagate errors.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

Python, Rust

Poem

🐇 I found a tiny token bright,
Tucked in temp by startup light.
Backend, sync, and frontend share,
A secret hop that guards with care.
Now shutdowns need that whispered key.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately summarizes the primary change—adding authentication to shutdown endpoints via a per-session token.
Linked Issues check	✅ Passed	The implementation addresses issue #1241 by requiring X-Shutdown-Token header validation on both backend and sync shutdown endpoints using constant-time comparison.
Out of Scope Changes check	✅ Passed	The frontend Tauri code changes are necessary to read and send the token header on shutdown. Error handling improvements and file cleanup are reasonable in-scope enhancements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

frontend/src-tauri/src/main.rs (1)

89-97: ⚡ Quick win

Log non-success status codes for easier debugging

Currently only success responses are logged. Logging 4xx/5xx responses would help diagnose authentication or other issues:

♻️ Proposed refactor to improve diagnostics

         match client.post(*url).headers(headers.clone()).send() {
             Ok(resp) => {
                 let status = resp.status();

                 if status.is_success() {
                     println!("[{}] Shutdown OK ({})", name, status);
+                } else {
+                    eprintln!("[{}] Shutdown failed ({})", name, status);
                 }
             }
-            Err(_err) => {}
+            Err(err) => {
+                eprintln!("[{}] Shutdown request error: {}", name, err);
+            }
         }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src-tauri/src/main.rs` around lines 89 - 97, The shutdown response
handling only logs successful statuses and drops errors; update the Ok(resp)
branch that inspects resp.status() (variables resp and status, and identifier
name) to log non-success HTTP statuses (4xx/5xx) along with the status code and
any useful response body or error text for diagnostics, and replace the empty
Err(_err) arm with a logged error including the error details so both
non-success Ok and Err paths produce actionable logs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/app/config/settings.py`:
- Around line 49-50: The shutdown token file is created with default
(world-readable) permissions; update the write logic that uses
SHUTDOWN_TOKEN_FILE and SHUTDOWN_TOKEN so the file is created with restrictive
permissions (owner read/write only). Implement this by opening/creating the file
with secure mode (e.g., use os.open with flags and mode 0o600, or set
os.fchmod/os.chmod to 0o600 immediately after creation) and ensure the token is
written and the descriptor closed; avoid a window where the file is briefly
world-readable by setting permissions atomically at creation time.

In `@frontend/src-tauri/src/main.rs`:
- Around line 70-73: The code silently treats a missing/empty shutdown token by
using unwrap_or_default on the result of reading token_path which causes missing
header errors; change the logic around token_path and token so that
read_to_string errors are detected and logged (include the error from
std::fs::read_to_string when it Errs) and also emit a warning when the token
string is empty before attempting shutdown; update the block that constructs
token (and any caller that uses token) to log a clear warning including
token_path and the read error or an "empty token" message so backend 422s are
diagnosable.

In `@sync-microservice/app/config/settings.py`:
- Around line 38-44: The current settings.py block reads SHUTDOWN_TOKEN_FILE
once and falls back to generating SHUTDOWN_TOKEN independently, causing
mismatched tokens if the backend writes the file later; change this to attempt
repeated reads of SHUTDOWN_TOKEN_FILE with a short retry loop (e.g., sleep + max
timeout) before generating a fallback token so the sync service uses the backend
token when it becomes available; update the logic around SHUTDOWN_TOKEN_FILE and
SHUTDOWN_TOKEN to retry for a configurable period and only generate
secrets.token_hex(32) after the retry period elapses.

---

Nitpick comments:
In `@frontend/src-tauri/src/main.rs`:
- Around line 89-97: The shutdown response handling only logs successful
statuses and drops errors; update the Ok(resp) branch that inspects
resp.status() (variables resp and status, and identifier name) to log
non-success HTTP statuses (4xx/5xx) along with the status code and any useful
response body or error text for diagnostics, and replace the empty Err(_err) arm
with a logged error including the error details so both non-success Ok and Err
paths produce actionable logs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 720a4107-cad4-43e8-b22e-8b39fd99b609

📥 Commits

Reviewing files that changed from the base of the PR and between 144786b and 3997f8b.

📒 Files selected for processing (5)

• backend/app/config/settings.py
• backend/app/routes/shutdown.py
• frontend/src-tauri/src/main.rs
• sync-microservice/app/config/settings.py
• sync-microservice/app/routes/shutdown.py

[github-actions]

⚠️ This PR has merge conflicts.

Please resolve the merge conflicts before review.

Your PR will only be reviewed by a maintainer after all conflicts have been resolved.

📺 Watch this video to understand why conflicts occur and how to resolve them:
https://www.youtube.com/watch?v=Sqsz1-o7nXk

[Dotify71]

Hi maintainers,
The pr is now ready to merge and have 0 conflicts left.

[rohan-pandeyy]

@coderabbitai, please review the pull request.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== backend/app/config/settings.py ==="
cat backend/app/config/settings.py

echo ""
echo "=== backend/app/routes/shutdown.py ==="
cat backend/app/routes/shutdown.py

echo ""
echo "=== sync-microservice/app/config/settings.py ==="
cat sync-microservice/app/config/settings.py

echo ""
echo "=== sync-microservice/app/routes/shutdown.py ==="
cat sync-microservice/app/routes/shutdown.py

echo ""
echo "=== frontend/src-tauri/src/main.rs ==="
cat frontend/src-tauri/src/main.rs

Length of output: 21134

---

---

@rohan-pandeyy Sure! Here is a full review of PR #1305.

---

Review: fix(security): authenticate shutdown endpoints with a per-session token

The PR correctly addresses the core vulnerability (#1241) by introducing a shared per-session secret. The use of secrets.token_hex(32) and hmac.compare_digest are the right primitives. Below are findings ranging from important correctness issues to minor nits.

---

🔴 High — Blocking sleep at module import time (sync-microservice/app/config/settings.py)

while _time.monotonic() < _deadline:
    try:
        ...
    except FileNotFoundError:
        pass
    _time.sleep(0.1)  # ← blocks the import for up to 5 seconds

settings.py is imported at module load time by the ASGI app. A synchronous time.sleep loop here delays every test, import, and hot-reload by up to 5 seconds. This should be moved to an explicit initialisation function called once at app startup (e.g., a FastAPI lifespan hook), not embedded inside a module-level statement.

---

🔴 High — Silent broken-state when fallback token is used

If the sync microservice starts before the backend and the retry loop times out:

if not SHUTDOWN_TOKEN:
    SHUTDOWN_TOKEN = secrets.token_hex(32)   # ← different from backend's token
    warnings.warn(...)

The sync service now holds a different token than the one in the token file. The Tauri frontend reads the file and sends the backend's token to both endpoints. Shutdown of the sync service will always return 403 Forbidden — silently leaving it alive. The warning goes to stderr but callers receive no error from the HTTP client (the response is suppressed in main.rs). Consider making this a fatal startup error rather than a degraded fallback.

---

🔴 High — No error handling around token-file write in backend

_fd = os.open(SHUTDOWN_TOKEN_FILE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(_fd, "w") as _f:
    _f.write(SHUTDOWN_TOKEN)

If the temp directory is not writable (restricted environments, certain CI runners), this raises an OSError at import time and crashes the backend before any route is registered. Wrap this in a try/except and log a clear fatal message.

---

🟡 Medium — 0o600 permission not enforced on pre-existing files

os.open(..., os.O_CREAT, 0o600) applies the mode only when creating a new file. If pictopy_shutdown.token already exists from a previous run with looser permissions (e.g., world-readable 0o644), the existing permissions are preserved. After truncating and writing the new token, the file can be read by other users on a multi-user system. Fix:

_fd = os.open(SHUTDOWN_TOKEN_FILE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(_fd, "w") as _f:
    _f.write(SHUTDOWN_TOKEN)
os.chmod(SHUTDOWN_TOKEN_FILE, 0o600)  # enforce regardless of pre-existing permissions

---

🟡 Medium — Missing token returns 422 Unprocessable Entity instead of 401

Header(...) (required header) triggers FastAPI's default 422 validation error when absent. Standard HTTP semantics call for 401 Unauthorized (or 403 Forbidden) on a missing authentication credential. Use Header(default=None) and validate manually:

async def shutdown(x_shutdown_token: Optional[str] = Header(default=None)):
    if x_shutdown_token is None:
        raise HTTPException(status_code=401, detail="Unauthorized")
    if not hmac.compare_digest(x_shutdown_token, SHUTDOWN_TOKEN):
        raise HTTPException(status_code=403, detail="Forbidden")

---

🟡 Medium — Windows kill_process errors are silently discarded

// kill_process_tree
let _ = kill_process(process);   // Result<(), String> discarded

And inside kill_process:

Err(_err) => {}  // HTTP error swallowed

If the HTTP shutdown fails, the process stays alive and no user-visible error is emitted. At a minimum, log the error via eprintln!.

---

🟡 Medium — Token file is never cleaned up

The token file persists in the temp directory after the app exits. While it is overwritten on the next start, a leftover file with a stale token is readable between sessions. Consider deleting it in the shutdown path (e.g., in _delayed_shutdown).

---

🟢 Low — Inconsistent visibility of kill_process

#[cfg(unix)]
fn kill_process(process: &sysinfo::Process) { ... }          // private

#[cfg(windows)]
pub fn kill_process(_process: &sysinfo::Process) -> Result<(), String> { ... }  // public

The pub on the Windows version is unintentional (it is only called locally) and should be fn.

---

🟢 Low — Authenticated HTTP shutdown is Windows-only

On Unix, kill_process sends SIGTERM directly; the authenticated /shutdown HTTP endpoint is never called. This is a reasonable design choice (SIGTERM is the idiomatic Unix signal), but the commit message "authenticate shutdown endpoints" may mislead: the new token mechanism is only exercised on Windows. A comment clarifying this platform difference would help future contributors.

---

✅ What is done well

• secrets.token_hex(32) is the correct CSPRNG for generating secrets.
• hmac.compare_digest prevents timing-side-channel token guessing.
• 0o600 owner-only permissions on the token file is the right baseline.
• Token is regenerated on every backend startup, preventing cross-session replay.
• Both services share a single file rather than needing independent coordination channels.

[Dotify71]

@coderabbitai review:

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== backend/app/config/settings.py ==="
cat backend/app/config/settings.py

echo ""
echo "=== backend/app/routes/shutdown.py ==="
cat backend/app/routes/shutdown.py

echo ""
echo "=== sync-microservice/app/config/settings.py ==="
cat sync-microservice/app/config/settings.py

echo ""
echo "=== sync-microservice/app/routes/shutdown.py ==="
cat sync-microservice/app/routes/shutdown.py

echo ""
echo "=== sync-microservice/app/core/lifespan.py ==="
cat sync-microservice/app/core/lifespan.py 2>/dev/null || echo "[FILE NOT FOUND]"

echo ""
echo "=== frontend/src-tauri/src/main.rs ==="
cat frontend/src-tauri/src/main.rs

Length of output: 25461

---

---

@Dotify71 All 8 original findings have been correctly addressed. The code is much improved. However, the refactoring introduced two new issues that need to be fixed before this is ready to merge.

---

🔴 Critical — SHUTDOWN_TOKEN import captures empty string in sync shutdown route

In sync-microservice/app/routes/shutdown.py:

from app.config.settings import SHUTDOWN_TOKEN   # ← captures "" at import time

At module-import time, SHUTDOWN_TOKEN is "" (set in settings.py). Later, the lifespan hook does:

settings.SHUTDOWN_TOKEN = token   # updates the module attribute...

…but the from ... import binding in shutdown.py is a separate local reference that was already bound to "". Python from module import name does not track subsequent reassignments to the module attribute. As a result, hmac.compare_digest(x_shutdown_token, SHUTDOWN_TOKEN) always compares against "" and always returns False — every authenticated request to the sync service will get 403 Forbidden, making the auth mechanism completely broken for that service.

Fix — use a module-level reference instead of a name import:

# sync-microservice/app/routes/shutdown.py
import app.config.settings as _settings   # replaces: from app.config.settings import SHUTDOWN_TOKEN

# ...inside shutdown():
if not hmac.compare_digest(x_shutdown_token, _settings.SHUTDOWN_TOKEN):
    raise HTTPException(status_code=403, detail="Forbidden")

The same pattern applies to the SHUTDOWN_TOKEN_FILE import inside _delayed_shutdown — though SHUTDOWN_TOKEN_FILE is a constant (never reassigned), so it happens to work; but for consistency, using _settings.SHUTDOWN_TOKEN_FILE is cleaner.

Note: The backend's shutdown.py is not affected by this bug because SHUTDOWN_TOKEN is set at module-import time and never reassigned.

---

🟡 Medium — Blocking time.sleep inside async lifespan blocks the event loop

In sync-microservice/app/core/lifespan.py:

time.sleep(0.1)          # blocks the entire asyncio event loop
# ...
time.sleep(retry_interval)   # also blocks

These are synchronous sleeps inside an async context manager. While startup is the only time this runs, it will still freeze the event loop (preventing any async I/O, including other startup tasks or health checks) for up to 5 seconds. Replace both with await asyncio.sleep(...):

import asyncio

# In the token wait loop:
await asyncio.sleep(0.1)

# In the database retry loop:
await asyncio.sleep(retry_interval)

---

✅ All 8 original findings confirmed addressed

#	Finding	Status
1	Blocking sleep at module import	✅ Moved to lifespan hook
2	Silent broken-state / fallback token	✅ Raises RuntimeError
3	No error handling on token-file write	✅ try/except OSError + sys.exit(1)
4	0o600 not enforced on pre-existing files	✅ os.chmod added
5	Missing token returns 422 instead of 401	✅ 401/403 split correctly
6	Rust HTTP errors silently discarded	✅ eprintln! added
7	pub fn kill_process / signature mismatch	✅ fn on both platforms, Unix returns Result
8	Token file never cleaned up	✅ os.remove in _delayed_shutdown

Once the two issues above are addressed (particularly the critical SHUTDOWN_TOKEN import fix), the PR should be in good shape. 🐇

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

sync-microservice/app/config/settings.py (1)

2-2: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove unused imports.

The imports secrets, time, and warnings are not used in this file. They appear to be remnants from the previous implementation that performed token polling at module level. As per coding guidelines, unused imports violate PEP 8.

🧹 Proposed fix

 import os
-import secrets
 import tempfile
-import time as _time
-import warnings
 
 from platformdirs import user_data_dir

Also applies to: 4-5

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sync-microservice/app/config/settings.py` at line 2, Remove the unused
imports from the module: delete the import statements for secrets, time, and
warnings in settings.py (they are no longer used after removing token polling at
module level); keep only the imports that are referenced elsewhere in the file
so the module conforms to PEP8 and avoids unused-import warnings.

Source: Coding guidelines

🧹 Nitpick comments (1)

sync-microservice/app/core/lifespan.py (1)

31-31: 💤 Low value

Move import to module level.

Importing settings inside the function is not idiomatic Python. Unless there's a circular import issue (none is evident), move it to the top of the file with other imports.

♻️ Proposed refactor

 from contextlib import asynccontextmanager
 from fastapi import FastAPI
 import time
+import app.config.settings as settings
 from app.database.folders import (
     db_check_database_connection,
 )

Then remove the import from line 31:

         logger.info("Starting PictoPy Sync Microservice...")
 
         # Wait for shutdown token from backend (up to 5 seconds)
-        import app.config.settings as settings
         logger.info("Waiting for shutdown token from backend...")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sync-microservice/app/core/lifespan.py` at line 31, Move the local import
"import app.config.settings as settings" out of the function and into the
module-level imports at the top of sync-microservice/app/core/lifespan.py
alongside the other imports, then remove the in-function import statement; this
keeps settings available as the module-level name "settings" for any
functions/classes in the file (e.g., the lifespan function) and avoids
non-idiomatic runtime imports.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@sync-microservice/app/core/lifespan.py`:
- Around line 36-43: The current loop only catches FileNotFoundError when
reading settings.SHUTDOWN_TOKEN_FILE, leaving other IO errors unhandled; update
the read block around open(...) / token = f.read().strip() to also catch
PermissionError and OSError (or a broad Exception) and log the failure using
logger.error with the exception details, while preserving the existing behavior
of setting settings.SHUTDOWN_TOKEN and calling logger.info when successful;
reference the settings.SHUTDOWN_TOKEN_FILE, settings.SHUTDOWN_TOKEN and
logger.info/logger.error so reviewers can find and update the open/read/except
handling accordingly.

---

Outside diff comments:
In `@sync-microservice/app/config/settings.py`:
- Line 2: Remove the unused imports from the module: delete the import
statements for secrets, time, and warnings in settings.py (they are no longer
used after removing token polling at module level); keep only the imports that
are referenced elsewhere in the file so the module conforms to PEP8 and avoids
unused-import warnings.

---

Nitpick comments:
In `@sync-microservice/app/core/lifespan.py`:
- Line 31: Move the local import "import app.config.settings as settings" out of
the function and into the module-level imports at the top of
sync-microservice/app/core/lifespan.py alongside the other imports, then remove
the in-function import statement; this keeps settings available as the
module-level name "settings" for any functions/classes in the file (e.g., the
lifespan function) and avoids non-idiomatic runtime imports.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8925eed0-8fdc-45db-b9f4-3840bd2a8aa8

📥 Commits

Reviewing files that changed from the base of the PR and between 45c3b13 and 536b332.

📒 Files selected for processing (6)

• backend/app/config/settings.py
• backend/app/routes/shutdown.py
• frontend/src-tauri/src/main.rs
• sync-microservice/app/config/settings.py
• sync-microservice/app/core/lifespan.py
• sync-microservice/app/routes/shutdown.py

🚧 Files skipped from review as they are similar to previous changes (4)

• backend/app/config/settings.py
• backend/app/routes/shutdown.py
• sync-microservice/app/routes/shutdown.py
• frontend/src-tauri/src/main.rs

[Dotify71]

@coderabbitai review!

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== sync-microservice/app/config/settings.py ==="
cat sync-microservice/app/config/settings.py

echo ""
echo "=== sync-microservice/app/core/lifespan.py ==="
cat sync-microservice/app/core/lifespan.py

echo ""
echo "=== sync-microservice/app/routes/shutdown.py ==="
cat sync-microservice/app/routes/shutdown.py

Length of output: 9009

---

---

@Dotify71 Thanks for the follow-up — the 3 housekeeping items are confirmed. However, I need to flag that the two previously-raised issues from my last review are still present in the current code and were not yet addressed:

---

🔴 Still open — SHUTDOWN_TOKEN captured as "" in sync shutdown route

sync-microservice/app/routes/shutdown.py, line 9:

from app.config.settings import SHUTDOWN_TOKEN   # bound to "" at import time

The lifespan hook later does settings.SHUTDOWN_TOKEN = token, but this has no effect on the SHUTDOWN_TOKEN name already imported into shutdown.py. Python's from module import name creates a separate local binding — it is not a live reference. So hmac.compare_digest(x_shutdown_token, SHUTDOWN_TOKEN) always compares against "" and always returns False. Every authenticated shutdown request to the sync service will get 403 Forbidden.

Fix — replace the from ... import with a module-level reference:

# sync-microservice/app/routes/shutdown.py
import app.config.settings as _settings   # remove: from app.config.settings import SHUTDOWN_TOKEN

# inside shutdown():
if not hmac.compare_digest(x_shutdown_token, _settings.SHUTDOWN_TOKEN):
    raise HTTPException(status_code=403, detail="Forbidden")

# inside _delayed_shutdown():
os.remove(_settings.SHUTDOWN_TOKEN_FILE)

---

🟡 Still open — Blocking time.sleep inside async lifespan

sync-microservice/app/core/lifespan.py:

time.sleep(0.1)          # token wait loop — blocks event loop up to 5 s
...
time.sleep(retry_interval)   # database retry loop — blocks event loop up to 60 s

Both sleeps are synchronous calls inside an async context manager, which freeze the entire asyncio event loop. Replace both with await asyncio.sleep(...):

import asyncio

# token wait loop:
await asyncio.sleep(0.1)

# database retry loop:
await asyncio.sleep(retry_interval)

---

The 3 cleanup items from your latest commit are confirmed ✅. Once the two above are fixed, the PR should be ready. 🐇

[Dotify71]

@coderabbitai review!

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== sync-microservice/app/routes/shutdown.py ==="
cat sync-microservice/app/routes/shutdown.py

echo ""
echo "=== sync-microservice/app/core/lifespan.py ==="
cat sync-microservice/app/core/lifespan.py

Length of output: 7275

---

---

@Dotify71 Both fixes are confirmed ✅

Issue	Fix	Status
SHUTDOWN_TOKEN captured as "" at import time	from app.config import settings + settings.SHUTDOWN_TOKEN in hmac.compare_digest	✅ Correctly resolved
Blocking time.sleep in async lifespan	await asyncio.sleep(0.1) and await asyncio.sleep(retry_interval)	✅ Correctly resolved

All 10 findings across all three rounds of review are now addressed. The PR is in great shape — well done on the thorough follow-through! 🐇 🎉

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== sync-microservice/app/routes/shutdown.py ==="
cat sync-microservice/app/routes/shutdown.py

echo ""
echo "=== sync-microservice/app/core/lifespan.py ==="
cat sync-microservice/app/core/lifespan.py

echo ""
echo "=== sync-microservice/app/config/settings.py ==="
cat sync-microservice/app/config/settings.py

Length of output: 9036

---

---

@Dotify71 Both remaining issues are confirmed fixed in the latest commit. ✅

Finding	Status
🔴 SHUTDOWN_TOKEN captured as "" at import time	✅ Fixed — from app.config import settings + settings.SHUTDOWN_TOKEN
🟡 Blocking time.sleep inside async lifespan	✅ Fixed — both sleeps replaced with await asyncio.sleep(...)

One tiny nit (non-blocking): _delayed_shutdown in shutdown.py still has a local from app.config.settings import SHUTDOWN_TOKEN_FILE import, which is fine since SHUTDOWN_TOKEN_FILE is a constant that is never reassigned — but for consistency you could use settings.SHUTDOWN_TOKEN_FILE there as well. Purely cosmetic.

All 10 findings from across the full review are now resolved. The PR looks solid — the security fix is correct, hmac.compare_digest + secrets.token_hex(32) are the right primitives, and the async event-loop safety and module-reference correctness issues are both addressed. 🐇

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== backend/app/config/settings.py ==="
cat backend/app/config/settings.py

echo ""
echo "=== backend/app/routes/shutdown.py ==="
cat backend/app/routes/shutdown.py

echo ""
echo "=== sync-microservice/app/config/settings.py ==="
cat sync-microservice/app/config/settings.py

echo ""
echo "=== sync-microservice/app/routes/shutdown.py ==="
cat sync-microservice/app/routes/shutdown.py

echo ""
echo "=== sync-microservice/app/core/lifespan.py ==="
cat sync-microservice/app/core/lifespan.py

echo ""
echo "=== frontend/src-tauri/src/main.rs ==="
cat frontend/src-tauri/src/main.rs

Length of output: 25496

---

---

@Dotify71 All files have been inspected. Every previously flagged finding remains resolved — no new issues were introduced.

✅ Full finding status (all 10 rounds)

#	Finding	Status
1	Blocking sleep at module import	✅ Moved to async lifespan hook
2	Silent broken-state / fallback token	✅ Raises RuntimeError — fatal startup failure
3	No error handling on token-file write	✅ try/except OSError + sys.exit(1)
4	0o600 not enforced on pre-existing files	✅ os.chmod called after write
5	Missing token returns 422 instead of 401	✅ 401/403 split correctly via Header(default=None)
6	Rust HTTP errors silently discarded	✅ eprintln! on failures
7	pub fn kill_process / signature mismatch	✅ fn on both platforms; Unix returns Result
8	Token file never cleaned up	✅ os.remove in _delayed_shutdown
9	SHUTDOWN_TOKEN captured as "" at import (sync route)	✅ from app.config import settings + settings.SHUTDOWN_TOKEN
10	Blocking time.sleep in async lifespan	✅ Replaced with await asyncio.sleep(...)

One lingering nit (non-blocking): _delayed_shutdown in sync-microservice/app/routes/shutdown.py still uses a local from app.config.settings import SHUTDOWN_TOKEN_FILE. Since SHUTDOWN_TOKEN_FILE is a true constant (never reassigned), this is functionally correct — purely cosmetic inconsistency with the settings.SHUTDOWN_TOKEN pattern used elsewhere. Fine to leave as-is or fix at your discretion.

The PR is in excellent shape. 🐇 🎉

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== backend/app/config/settings.py ==="
cat backend/app/config/settings.py

echo ""
echo "=== backend/app/routes/shutdown.py ==="
cat backend/app/routes/shutdown.py

echo ""
echo "=== sync-microservice/app/config/settings.py ==="
cat sync-microservice/app/config/settings.py

echo ""
echo "=== sync-microservice/app/core/lifespan.py ==="
cat sync-microservice/app/core/lifespan.py

echo ""
echo "=== sync-microservice/app/routes/shutdown.py ==="
cat sync-microservice/app/routes/shutdown.py

echo ""
echo "=== frontend/src-tauri/src/main.rs ==="
cat frontend/src-tauri/src/main.rs

Length of output: 25496

---

---

@Dotify71 All previously flagged issues remain resolved and no new issues were found in this pass.

Final review summary

#	Finding	Status
1	Blocking sleep at module import	✅ Moved to lifespan hook with await asyncio.sleep
2	Silent broken-state / fallback token	✅ Raises RuntimeError on timeout
3	No error handling on token-file write	✅ try/except OSError + sys.exit(1)
4	0o600 not enforced on pre-existing files	✅ os.chmod added after write
5	Missing token returns 422 instead of 401	✅ 401/403 split correctly with manual validation
6	Rust HTTP errors silently discarded	✅ eprintln! logging added
7	pub fn kill_process / signature inconsistency	✅ fn on both platforms, Unix returns Result
8	Token file never cleaned up	✅ os.remove in _delayed_shutdown
9	SHUTDOWN_TOKEN captured as "" at import	✅ from app.config import settings + settings.SHUTDOWN_TOKEN
10	Blocking time.sleep in async lifespan	✅ Both replaced with await asyncio.sleep(...)

The one remaining cosmetic nit (from app.config.settings import SHUTDOWN_TOKEN_FILE inside _delayed_shutdown) is functionally correct since SHUTDOWN_TOKEN_FILE is a constant that is never reassigned — feel free to leave it as-is.

The PR is in great shape. 🐇 🎉

[rohan-pandeyy]

@Dotify71 One more thing before I do a proper review: please try to avoid leaving messy comments in the codebase. Comments are definitely appreciated, but it’s best to keep them concise and clean. Single-line comments are preferred, and at most two lines in rare cases.

[Dotify71]

@coderabbitai review!

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== backend/app/config/settings.py ==="
cat backend/app/config/settings.py

echo ""
echo "=== backend/app/routes/shutdown.py ==="
cat backend/app/routes/shutdown.py

echo ""
echo "=== sync-microservice/app/config/settings.py ==="
cat sync-microservice/app/config/settings.py

echo ""
echo "=== sync-microservice/app/core/lifespan.py ==="
cat sync-microservice/app/core/lifespan.py

echo ""
echo "=== sync-microservice/app/routes/shutdown.py ==="
cat sync-microservice/app/routes/shutdown.py

echo ""
echo "=== frontend/src-tauri/src/main.rs ==="
cat frontend/src-tauri/src/main.rs

Length of output: 23671

---

---

@Dotify71 Clean pass — all good here.

✅ Full final review summary

#	Finding	Status
1	Blocking sleep at module import	✅ Moved to async lifespan hook
2	Silent broken-state / fallback token	✅ Raises RuntimeError on timeout
3	No error handling on token-file write	✅ try/except OSError + sys.exit(1)
4	0o600 not enforced on pre-existing files	✅ os.chmod added after write
5	Missing token returns 422 instead of 401	✅ 401/403 split with manual validation
6	Rust HTTP errors silently discarded	✅ eprintln! logging added
7	pub fn kill_process / signature inconsistency	✅ fn on both platforms, Unix returns Result
8	Token file never cleaned up	✅ os.remove in _delayed_shutdown
9	SHUTDOWN_TOKEN captured as "" at import	✅ from app.config import settings + settings.SHUTDOWN_TOKEN
10	Blocking time.sleep in async lifespan	✅ Both replaced with await asyncio.sleep(...)
11	Cosmetic: from app.config.settings import SHUTDOWN_TOKEN_FILE in _delayed_shutdown	✅ Now uses settings.SHUTDOWN_TOKEN_FILE consistently

The comment cleanup is also well done — all verbose multi-line blocks are gone, replaced with concise single-line comments throughout. All 11 findings are fully resolved, and no new issues were introduced. The PR is in great shape. 🐇 🎉

[Dotify71]

@rohan-pandeyy Good call! I went through the codebase and stripped down all the verbose multi-line explanations about the token exchange logic.

They've all been replaced with concise, single-line comments. Everything is pushed and ready for your review!

[Dotify71]

Hi @rahulharpal1603, just following up here! I've made sure this PR is fully up to date, and all the requested changes and merge conflicts (if any) have been completely resolved. Could you please take a look and review when you have a moment? Thank you!

[rohan-pandeyy]

@Dotify71, before merging I’d like to see a few additional test results around shutdown behavior and failure modes:

• Can you verify the shutdown process difference between dev mode and prod builds?
• What happens if the backend is shut down externally while the sync microservice is still running?
• What happens if the sync microservice receives a valid shutdown request after the backend has already exited?
• Can you verify the normal Tauri → backend → sync shutdown flow still works on Windows, since that’s the primary reason these endpoints exist?
• Can you test application restart scenarios? For example:
  1. Start PictoPy.
  2. Record the shutdown token.
  3. Shut everything down.
  4. Start again.
  5. Confirm a new token is generated and the old token is rejected.
• What happens if the token file is deleted while the application is running? Does shutdown still work, and is the failure mode acceptable?
• What happens if the token file contains invalid/corrupted contents?
• Verify startup behavior when the sync microservice starts before the backend and has to wait for the token file?
• Confirm that concurrent requests with invalid tokens do not affect service availability or legitimate shutdown requests?
• Have you tested shutdown requests against both ports (52123 and 52124) with:
  • no header
  • malformed header
  • incorrect token
  • correct token

@coderabbitai, can you help cover any additional scenarios for the codebase that required additional testing?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all test files in the repository
echo "=== Test files ==="
fd -e py -g '*test*' --type f
echo ""
fd -e py -g 'test_*' --type f
echo ""
fd -e py --type f | xargs grep -l "def test_" 2>/dev/null | head -30

echo ""
echo "=== backend test directory ==="
find . -type d -name "test*" | head -20

echo ""
echo "=== backend/tests (if exists) ==="
ls -la backend/tests/ 2>/dev/null || echo "[not found]"
ls -la sync-microservice/tests/ 2>/dev/null || echo "[sync tests not found]"

echo ""
echo "=== shutdown-related test files ==="
fd -g '*shutdown*' --type f

Length of output: 2011

---

🏁 Script executed:

#!/bin/bash
echo "=== backend/tests/conftest.py ==="
cat backend/tests/conftest.py

echo ""
echo "=== backend/app/routes/shutdown.py ==="
cat backend/app/routes/shutdown.py

echo ""
echo "=== sync-microservice/app/routes/shutdown.py ==="
cat sync-microservice/app/routes/shutdown.py

echo ""
echo "=== backend/app/config/settings.py ==="
cat backend/app/config/settings.py

echo ""
echo "=== sync-microservice/app/config/settings.py ==="
cat sync-microservice/app/config/settings.py

echo ""
echo "=== sync-microservice/app/core/lifespan.py ==="
cat sync-microservice/app/core/lifespan.py

echo ""
echo "=== One existing test for reference ==="
head -80 backend/tests/test_folders.py

Length of output: 19657

---

---

@rohan-pandeyy Here are the additional scenarios from a code-analysis perspective, along with a ready-to-run test_shutdown.py for the backend (following the existing pattern) and guidance for the sync microservice.

---

Answers to the manual testing questions (from code analysis)

Question	Expected behavior (from code)
Dev vs prod shutdown difference	In dev, settings.py is imported normally and writes the token file. In a frozen/prod build (sys.frozen == True), the MODEL_EXPORTS_PATH changes but shutdown logic is identical — the same secrets.token_hex(32) + file write runs unconditionally. No behavioral difference in shutdown path.
Backend exits while sync is still running	The sync service continues serving normally. The token is already loaded into settings.SHUTDOWN_TOKEN in memory. A shutdown request with the correct token will still authenticate and trigger _delayed_shutdown. os.remove(SHUTDOWN_TOKEN_FILE) in _delayed_shutdown will raise an OSError (file already removed by backend shutdown) but that is caught and logged as a warning — acceptable.
Sync receives valid shutdown after backend has exited	Works fine — token is in memory. The file-removal step in _delayed_shutdown will fail silently (OSError caught).
Windows Tauri→backend→sync flow	Code path: Rust reads token file → builds HeaderMap with x-shutdown-token → POSTs to 52123 then 52124. This is the only path where the token auth is exercised end-to-end. Failures are logged via eprintln!. Worth a manual smoke test on a Windows machine.
Restart / token rotation	Each backend start calls secrets.token_hex(32) at module import → overwrites the token file. The old token is never persisted anywhere other than the file, so it becomes unguessable after overwrite. A leftover curl with an old token will receive 403. ✅
Token file deleted while running	Token is already in memory for both services — shutdown still works normally. The os.remove call in _delayed_shutdown will raise OSError (file not found), caught and logged. Acceptable failure mode.
Token file contains corrupted/invalid content	Backend: sets settings.SHUTDOWN_TOKEN to whatever secrets.token_hex(32) generated — never reads the file itself, so corruption is irrelevant to the backend. Sync service: reads the file in lifespan and assigns settings.SHUTDOWN_TOKEN = token.strip(). Corrupted content (non-hex string, partial write) will be loaded as-is. hmac.compare_digest will compare it against the header and always return False → every shutdown request returns 403. This is a gap — the sync service should validate that the loaded token looks like a valid hex string before accepting it.
Sync starts before backend (token wait loop)	Sync lifespan polls every 100 ms for up to 5 seconds. If the backend writes the file within that window, startup proceeds normally. If not, RuntimeError("Backend shutdown token not found") is raised and the sync service refuses to start. ✅
Concurrent invalid token requests	Each request hits hmac.compare_digest and returns 403 immediately. No state mutation occurs, no rate limiting or lock contention — service remains available to a legitimate shutdown request. The only concern is log noise.
Port 52123 / 52124 header matrix	See automated test matrix below — all 4 cases (no header → 401, malformed → 403, wrong → 403, correct → 200) are covered.

---

Proposed backend/tests/test_shutdown.py

import asyncio
import hmac
import os
import tempfile
from typing import Generator
from unittest.mock import MagicMock, patch

import pytest
from fastapi import FastAPI
from fastapi.testclient import TestClient

from app.routes.shutdown import router as shutdown_router

VALID_TOKEN = "a" * 64  # 32-byte hex equivalent, all lowercase


`@pytest.fixture`()
def app(tmp_path) -> FastAPI:
    """FastAPI app with shutdown router and a known token injected."""
    application = FastAPI()
    application.include_router(shutdown_router)
    return application


`@pytest.fixture`()
def client(app) -> Generator:
    """TestClient that does NOT follow redirects and patches settings."""
    token_file = str(tmp_path / "pictopy_shutdown.token") if False else \
        os.path.join(tempfile.gettempdir(), "test_shutdown.token")

    with patch("app.config.settings.SHUTDOWN_TOKEN", VALID_TOKEN), \
         patch("app.config.settings.SHUTDOWN_TOKEN_FILE", token_file), \
         patch("app.routes.shutdown.asyncio.create_task"):  # prevent actual exit
        with TestClient(app, raise_server_exceptions=False) as c:
            yield c


# ---------------------------------------------------------------------------
# Header matrix tests
# ---------------------------------------------------------------------------

class TestShutdownHeaderMatrix:
    """Cover all four header scenarios on the /shutdown endpoint."""

    def test_no_token_returns_401(self, client):
        """Missing X-Shutdown-Token header must return 401 Unauthorized."""
        resp = client.post("/shutdown")
        assert resp.status_code == 401
        assert resp.json()["detail"] == "Unauthorized"

    def test_empty_token_returns_401(self, client):
        """Empty header value is treated as missing (None after strip by FastAPI)."""
        resp = client.post("/shutdown", headers={"X-Shutdown-Token": ""})
        # FastAPI sends None for empty optional header → 401
        assert resp.status_code in (401, 403)

    def test_malformed_token_returns_403(self, client):
        """A syntactically valid but wrong token returns 403 Forbidden."""
        resp = client.post("/shutdown", headers={"X-Shutdown-Token": "notahextoken"})
        assert resp.status_code == 403
        assert resp.json()["detail"] == "Forbidden"

    def test_wrong_token_returns_403(self, client):
        """A well-formed but incorrect token must return 403."""
        wrong = "b" * 64
        resp = client.post("/shutdown", headers={"X-Shutdown-Token": wrong})
        assert resp.status_code == 403

    def test_correct_token_returns_200(self, client):
        """A correct token must return 200 with shutting_down status."""
        resp = client.post("/shutdown", headers={"X-Shutdown-Token": VALID_TOKEN})
        assert resp.status_code == 200
        body = resp.json()
        assert body["status"] == "shutting_down"


# ---------------------------------------------------------------------------
# Token rotation / restart simulation
# ---------------------------------------------------------------------------

class TestTokenRotation:
    """Verify per-session token semantics."""

    def test_old_token_rejected_after_rotation(self, app):
        """Simulates a restart: new session → new token → old token is rejected."""
        old_token = "c" * 64
        new_token = "d" * 64

        with patch("app.config.settings.SHUTDOWN_TOKEN", new_token), \
             patch("app.routes.shutdown.asyncio.create_task"):
            with TestClient(app) as c:
                resp = c.post("/shutdown", headers={"X-Shutdown-Token": old_token})
                assert resp.status_code == 403

    def test_new_token_accepted_after_rotation(self, app):
        new_token = "e" * 64
        with patch("app.config.settings.SHUTDOWN_TOKEN", new_token), \
             patch("app.routes.shutdown.asyncio.create_task"):
            with TestClient(app) as c:
                resp = c.post("/shutdown", headers={"X-Shutdown-Token": new_token})
                assert resp.status_code == 200


# ---------------------------------------------------------------------------
# Token file cleanup
# ---------------------------------------------------------------------------

class TestTokenFileCleanup:
    """_delayed_shutdown should attempt to remove the token file."""

    def test_token_file_removed_on_shutdown(self, tmp_path):
        token_file = str(tmp_path / "pictopy_shutdown.token")
        token_file_obj = open(token_file, "w")
        token_file_obj.write(VALID_TOKEN)
        token_file_obj.close()

        with patch("app.config.settings.SHUTDOWN_TOKEN", VALID_TOKEN), \
             patch("app.config.settings.SHUTDOWN_TOKEN_FILE", token_file), \
             patch("app.routes.shutdown.os.kill"), \
             patch("app.routes.shutdown.os._exit"):

            from app.routes.shutdown import _delayed_shutdown
            asyncio.get_event_loop().run_until_complete(_delayed_shutdown(delay=0))

        assert not os.path.exists(token_file)

    def test_missing_token_file_does_not_raise(self, tmp_path):
        """If file was already deleted, _delayed_shutdown must not propagate the error."""
        token_file = str(tmp_path / "nonexistent.token")

        with patch("app.config.settings.SHUTDOWN_TOKEN_FILE", token_file), \
             patch("app.routes.shutdown.os.kill"), \
             patch("app.routes.shutdown.os._exit"):

            from app.routes.shutdown import _delayed_shutdown
            # Should complete without raising
            asyncio.get_event_loop().run_until_complete(_delayed_shutdown(delay=0))


# ---------------------------------------------------------------------------
# Concurrent invalid requests
# ---------------------------------------------------------------------------

class TestConcurrentInvalidRequests:
    """Concurrent bad requests must not block a legitimate shutdown."""

    def test_concurrent_invalid_then_valid(self, client):
        wrong = "f" * 64
        for _ in range(10):
            resp = client.post("/shutdown", headers={"X-Shutdown-Token": wrong})
            assert resp.status_code == 403

        # Service still reachable and accepts the correct token
        resp = client.post("/shutdown", headers={"X-Shutdown-Token": VALID_TOKEN})
        assert resp.status_code == 200


# ---------------------------------------------------------------------------
# Corrupted / invalid token content loaded by sync service
# ---------------------------------------------------------------------------

class TestCorruptedTokenContent:
    """If the token file had garbage, hmac.compare_digest must still return False."""

    def test_corrupted_token_always_rejects(self, app):
        corrupted = "\x00\xff partial"
        with patch("app.config.settings.SHUTDOWN_TOKEN", corrupted), \
             patch("app.routes.shutdown.asyncio.create_task"):
            with TestClient(app) as c:
                # Even sending the corrupted string must not crash the endpoint
                resp = c.post("/shutdown", headers={"X-Shutdown-Token": corrupted})
                # hmac.compare_digest may raise TypeError for non-str/bytes — document behavior
                assert resp.status_code in (200, 400, 403, 500)

Note on the corrupted-token test: hmac.compare_digest requires both arguments to be the same type (str or bytes). If the token file contains binary garbage (\x00\xff), reading it as text with open(...).read().strip() may succeed (Python reads arbitrary text) but the comparison itself will still work — both sides are str. The test above documents this edge case explicitly.

---

Additional scenarios not yet covered (recommend adding)

1. GET /shutdown should return 405 — the route is POST-only; a GET should be rejected before token validation.
2. Extremely long token header (DoS via header size) — send a 1 MB X-Shutdown-Token; verify the server returns 4xx and does not exhaust memory.
3. SHUTDOWN_TOKEN is an empty string — if settings.SHUTDOWN_TOKEN ever stays "" (sync fallback path before the RuntimeError fix), hmac.compare_digest("", "") returns True. Worth a regression test that asserts an empty-string token is never accepted.

def test_empty_settings_token_always_rejects(self, app):
    """An empty SHUTDOWN_TOKEN must never grant access, even with an empty header."""
    with patch("app.config.settings.SHUTDOWN_TOKEN", ""):
        with TestClient(app) as c:
            resp = c.post("/shutdown", headers={"X-Shutdown-Token": ""})
            # Empty header is None → 401; but documents that "" ≠ "" guard is NOT present
            assert resp.status_code in (401, 403)

This last point is worth a look at the route code — if the token file is ever empty and loaded as "", the current hmac.compare_digest("", "") would return True, silently granting unauthenticated shutdown access to anyone who sends an empty header. Consider adding an explicit guard:

if not settings.SHUTDOWN_TOKEN:
    raise HTTPException(status_code=503, detail="Service not ready")

🐇