Allow heading tags (h1-h6) in ContentSanitizer so news editor headings render

services/enhance-worker/tests/test_security.py

@@ -0,0 +1,63 @@
+from pathlib import Path
+
+from fastapi.testclient import TestClient
+
+from app.config import Settings
+from app.main import create_app
+
+
+def make_settings(tmp_path: Path) -> Settings:
+    return Settings(
+        host="127.0.0.1",
+        port=8095,
+        token="secret-token",
+        engine="pillow",
+        device="cpu",
+        max_upload_mb=20,
+        max_input_width=4096,
+        max_input_height=4096,
+        max_output_width=8192,
+        max_output_height=8192,
+        tmp_dir=str(tmp_path / "tmp"),
+        output_dir=str(tmp_path / "output"),
+        result_ttl_minutes=60,
+        model_dir=str(tmp_path / "models"),
+        default_model="realesrgan-x4plus",
+    )
+
+
+def test_upscale_requires_bearer_token(tmp_path: Path) -> None:
+    client = TestClient(create_app(make_settings(tmp_path)))
+
+    response = client.post(
+        "/v1/upscale",
+        json={
+            "job_id": 1,
+            "source_url": "https://example.com/source.webp",
+            "scale": 2,
+            "mode": "standard",
+            "output_format": "webp",
+        },
+    )
+
+    assert response.status_code == 401
+    assert response.json()["detail"] == "Unauthorized"
+
+
+def test_upscale_rejects_invalid_bearer_token(tmp_path: Path) -> None:
+    client = TestClient(create_app(make_settings(tmp_path)))
+
+    response = client.post(
+        "/v1/upscale",
+        headers={"Authorization": "Bearer wrong-token"},
+        json={
+            "job_id": 1,
+            "source_url": "https://example.com/source.webp",
+            "scale": 2,
+            "mode": "standard",
+            "output_format": "webp",
+        },
+    )
+
+    assert response.status_code == 401
+    assert response.json()["detail"] == "Unauthorized"