From f167c6eed7abad5ba206e6efeb03c10c0f4d2b3d Mon Sep 17 00:00:00 2001
From: Davide Scaini
Date: Wed, 3 Jun 2026 22:07:41 +0200
Subject: [PATCH] fix: add local _require_admin guard to proxied endpoints; update test to expect 503 without bincio-auth
---
 bincio/serve/routers/admin.py | 4 ++++
 tests/serve/test_admin_router.py | 13 ++++---------
 2 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/bincio/serve/routers/admin.py b/bincio/serve/routers/admin.py
index 65c61be..7d4d5a8 100644
--- a/bincio/serve/routers/admin.py
+++ b/bincio/serve/routers/admin.py
@@ -165,6 +165,7 @@ async def admin_reset_password_code(
     bincio_session: str | None = Cookie(default=None),
 ) -> JSONResponse:
     """Generate a one-time password reset code for a user. Proxied to bincio-auth."""
+    deps._require_admin(bincio_session)
     return await _auth_proxy("POST", f"/api/admin/users/{handle}/reset-password-code", bincio_session)
 
 
@@ -174,6 +175,7 @@ async def admin_suspend(
     bincio_session: str | None = Cookie(default=None),
 ) -> JSONResponse:
     """Suspend a user account. Proxied to bincio-auth."""
+    deps._require_admin(bincio_session)
     return await _auth_proxy("POST", f"/api/admin/users/{handle}/suspend", bincio_session)
 
 
@@ -183,6 +185,7 @@ async def admin_unsuspend(
     bincio_session: str | None = Cookie(default=None),
 ) -> JSONResponse:
     """Re-enable a suspended user account. Proxied to bincio-auth."""
+    deps._require_admin(bincio_session)
     return await _auth_proxy("POST", f"/api/admin/users/{handle}/unsuspend", bincio_session)
 
 
@@ -192,6 +195,7 @@ async def admin_delete_account(
     bincio_session: str | None = Cookie(default=None),
 ) -> JSONResponse:
     """Delete a user account. Proxied to bincio-auth."""
+    deps._require_admin(bincio_session)
     return await _auth_proxy("DELETE", f"/api/admin/users/{handle}/account", bincio_session)
 
 
diff --git a/tests/serve/test_admin_router.py b/tests/serve/test_admin_router.py
index 04d871c..c92ac30 100644
--- a/tests/serve/test_admin_router.py
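Review bot: The authorization gate is restated by hand as the first statement of each proxied handler (`deps._require_admin(bincio_session)`), which is the same per-handler pattern that let these four endpoints ship without any guard in the first place, and a fifth admin route added later will silently repeat the omission. If the `APIRouter` for this file is declared locally (its definition is outside these hunks), enforcing the check once at router level, `router = APIRouter(dependencies=[Depends(deps.require_admin)])`, covers every route beneath it by default and turns the in-body call into belt-and-braces rather than the only gate; this presumes `_require_admin` raises on failure rather than returning a value, as the 401 expectations in the test file suggest. Reaching across modules for a private name (`deps._require_admin`) also signals that the dependency wants a public, `Depends`-friendly spelling. The signature of admin_reset_password_code begins before the hunk.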
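Review bot: Once the new admin guard passes, `handle` is still interpolated unescaped into the upstream path in `f"/api/admin/users/{handle}/account"`, so a handle containing `?`, `#` or a `..` segment (path parameters reach the handler percent-decoded) reshapes the URL sent to bincio-auth instead of naming a user. With callers now limited to admins this is hardening rather than an open exposure, but it is cheap to close at the interpolation point, `urllib.parse.quote(handle, safe="")`, or by rejecting handles that fail whatever allow-list pattern the project uses for usernames (not visible here). The same applies to the three other proxied routes in this file. admin_delete_account's signature starts before the hunk.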
+++ b/tests/serve/test_admin_router.py
@@ -59,13 +59,8 @@ class TestAdminUserOps:
     def test_delete_account_requires_admin(self, client: TestClient):
         assert client.delete("/api/admin/users/alice/account").status_code == 401
 
-    def test_admin_reset_password_code(self, admin_client: TestClient, tmp_data):
-        from bincio.serve.db import create_user, open_db
-        db = open_db(tmp_data)
-        try:
-            create_user(db, "target", "Target", "targetpass1")
-        except Exception:
-            pass
+    def test_admin_reset_password_code_proxied(self, admin_client: TestClient):
+        # This endpoint proxies to bincio-auth; without BINCIO_AUTH_API configured
+        # in the test environment it returns 503.
         r = admin_client.post("/api/admin/users/target/reset-password-code")
-        assert r.status_code == 200
-        assert "code" in r.json()
+        assert r.status_code == 503
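Review bot: The replacement test does not exercise the authorization fix this commit makes: asserting 503 from `admin_client` only shows the proxy has no upstream, and it would pass unchanged if the new `_require_admin` line were deleted again. The regression worth pinning is an authenticated non-admin session being rejected before any proxy attempt, e.g. with a non-admin client fixture, `assert user_client.post("/api/admin/users/target/reset-password-code").status_code in (401, 403)`, alongside the existing anonymous 401 checks; whether such a fixture exists is not visible here. The 503 also depends on how `_auth_proxy` reports a missing `BINCIO_AUTH_API`, which lives outside the hunk, so a change there will break this test for reasons unrelated to admin operations. `TestAdminUserOps` begins before the hunk.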