fix lint issue, added more tests

vdinica-mdsol · vdinica-mdsol · commit c8c4d1e405ce · 2025-11-12T13:55:51.000+02:00
diff --git a/mauth_client/utils.py b/mauth_client/utils.py
@@ -33,7 +33,32 @@ def decode(byte_string: bytes) -> str:
         encoding = charset_normalizer.detect(byte_string)["encoding"]
         return byte_string.decode(encoding)
 
+
 def is_exempt_request_path(path: str, exempt: set) -> bool:
+    """
+    Check if a request path should be exempt from authentication based on prefix matching.
+
+    This function performs prefix matching with path separator boundary checking to prevent
+    false positives. A path matches an exempt prefix only if it starts with the exempt path
+    followed by a path separator ('/').
+
+    :param str path: The request path to check (e.g., '/health/live', '/api/users')
+    :param set exempt: Set of exempt path prefixes (e.g., {'/health', '/metrics'})
+    :return: True if the path matches any exempt prefix, False otherwise
+    :rtype: bool
+
+    Examples:
+        Matching cases (returns True):
+        - path='/health/live', exempt={'/health'} -> True
+        - path='/health/ready', exempt={'/health'} -> True
+        - path='/metrics/prometheus', exempt={'/metrics'} -> True
+
+        Non-matching cases (returns False):
+        - path='/health', exempt={'/health'} -> False (exact match without trailing slash)
+        - path='/api-admin', exempt={'/api'} -> False (not a path separator boundary)
+        - path='/app_status_admin', exempt={'/app_status'} -> False (underscore, not separator)
+        - path='/healthcare', exempt={'/health'} -> False (different path)
+    """
     for exempt_path in exempt:
         # Exact match or prefix match with path separator
         # For instance this prevents /api matching /api-admin or /app_status matching /app_status_admin
diff --git a/tests/utils_test.py b/tests/utils_test.py
@@ -154,3 +154,19 @@ def test_real_world_monitoring_paths(self):
         self.assertTrue(is_exempt_request_path("/status/app", exempt))
         self.assertTrue(is_exempt_request_path("/actuator/health", exempt))
         self.assertFalse(is_exempt_request_path("/api/metrics", exempt))
+
+    def test_long_nested_paths(self):
+        """Test deeply nested paths with multiple levels."""
+        exempt = {"/api"}
+        # Test very long nested paths
+        self.assertTrue(is_exempt_request_path("/api/v1/organizations/123/projects/456/resources/789/items", exempt))
+        self.assertTrue(is_exempt_request_path("/api/internal/admin/users/settings/preferences/notifications", exempt))
+
+        exempt_nested = {"/admin/dashboard"}
+        self.assertTrue(is_exempt_request_path(
+            "/admin/dashboard/analytics/reports/monthly/2024/november/summary",
+            exempt_nested
+        ))
+
+        # Should not match similar but non-matching long paths
+        self.assertFalse(is_exempt_request_path("/api-v1/dashboard-v2/analytics", exempt_nested))
