Add test coverage for secrets.choice in fallback PSK generation

Verifies that wizard_file uses secrets.choice (not random.choice) to generate the 12-character fallback hotspot password.
[wizard] Use secrets module for fallback AP password generation
2026-02-08 16:51:52 +00:00 · 2026-02-08 07:08:25 -06:00 · 2026-02-08 06:44:45 -06:00 · 2026-02-07 19:21:37 -06:00 · 2026-02-07 15:19:20 -06:00
6 changed files with 39 additions and 6 deletions
--- a/esphome/components/epaper_spi/epaper_spi_spectra_e6.h
+++ b/esphome/components/epaper_spi/epaper_spi_spectra_e6.h
@@ -4,7 +4,7 @@

 namespace esphome::epaper_spi {

-class EPaperSpectraE6 : public EPaperBase {
+class EPaperSpectraE6 final : public EPaperBase {
 public:
  EPaperSpectraE6(const char *name, uint16_t width, uint16_t height, const uint8_t *init_sequence,
                  size_t init_sequence_length)
--- a/esphome/components/epaper_spi/epaper_waveshare.h
+++ b/esphome/components/epaper_spi/epaper_waveshare.h
@@ -6,7 +6,7 @@ namespace esphome::epaper_spi {
 /**
 * An epaper display that needs LUTs to be sent to it.
 */
-class EpaperWaveshare : public EPaperMono {
+class EpaperWaveshare final : public EPaperMono {
 public:
  EpaperWaveshare(const char *name, uint16_t width, uint16_t height, const uint8_t *init_sequence,
                  size_t init_sequence_length, const uint8_t *lut, size_t lut_length, const uint8_t *partial_lut,
--- a/esphome/dashboard/web_server.py
+++ b/esphome/dashboard/web_server.py
@@ -317,6 +317,7 @@ class EsphomeCommandWebSocket(CheckOriginMixin, tornado.websocket.WebSocketHandl
            # Check if the proc was not forcibly closed
            _LOGGER.info("Process exited with return code %s", returncode)
            self.write_message({"event": "exit", "code": returncode})
+            self.close()

    def on_close(self) -> None:
        # Check if proc exists (if 'start' has been run)
--- a/esphome/wizard.py
+++ b/esphome/wizard.py
@@ -1,6 +1,5 @@
 import base64
 from pathlib import Path
-import random
 import secrets
 import string
 from typing import Literal, NotRequired, TypedDict, Unpack
@@ -130,7 +129,7 @@ def wizard_file(**kwargs: Unpack[WizardFileKwargs]) -> str:
    if len(ap_name) > 32:
        ap_name = ap_name_base
    kwargs["fallback_name"] = ap_name
-    kwargs["fallback_psk"] = "".join(random.choice(letters) for _ in range(12))
+    kwargs["fallback_psk"] = "".join(secrets.choice(letters) for _ in range(12))

    base = BASE_CONFIG_FRIENDLY if kwargs.get("friendly_name") else BASE_CONFIG

--- a/tests/dashboard/test_web_server.py
+++ b/tests/dashboard/test_web_server.py
@@ -29,7 +29,7 @@ from esphome.dashboard.entries import (
    bool_to_entry_state,
 )
 from esphome.dashboard.models import build_importable_device_dict
-from esphome.dashboard.web_server import DashboardSubscriber
+from esphome.dashboard.web_server import DashboardSubscriber, EsphomeCommandWebSocket
 from esphome.zeroconf import DiscoveredImport

 from .common import get_fixture_path
@@ -1654,3 +1654,25 @@ async def test_websocket_check_origin_multiple_trusted_domains(
            assert data["event"] == "initial_state"
        finally:
            ws.close()
+
+
+def test_proc_on_exit_calls_close() -> None:
+    """Test _proc_on_exit sends exit event and closes the WebSocket."""
+    handler = Mock(spec=EsphomeCommandWebSocket)
+    handler._is_closed = False
+
+    EsphomeCommandWebSocket._proc_on_exit(handler, 0)
+
+    handler.write_message.assert_called_once_with({"event": "exit", "code": 0})
+    handler.close.assert_called_once()
+
+
+def test_proc_on_exit_skips_when_already_closed() -> None:
+    """Test _proc_on_exit does nothing when WebSocket is already closed."""
+    handler = Mock(spec=EsphomeCommandWebSocket)
+    handler._is_closed = True
+
+    EsphomeCommandWebSocket._proc_on_exit(handler, 0)
+
+    handler.write_message.assert_not_called()
+    handler.close.assert_not_called()
--- a/tests/unit_tests/test_wizard.py
+++ b/tests/unit_tests/test_wizard.py
@@ -2,7 +2,7 @@

 from pathlib import Path
 from typing import Any
-from unittest.mock import MagicMock
+from unittest.mock import MagicMock, patch

 import pytest
 from pytest import MonkeyPatch
@@ -632,3 +632,14 @@ def test_wizard_accepts_rpipico_board(tmp_path: Path, monkeypatch: MonkeyPatch):
    # rpipico doesn't support WiFi, so no api_encryption_key or ota_password
    assert "api_encryption_key" not in call_kwargs
    assert "ota_password" not in call_kwargs
+
+
+def test_fallback_psk_uses_secrets_choice(
+    default_config: dict[str, Any],
+) -> None:
+    """Test that fallback PSK is generated using secrets.choice."""
+    with patch("esphome.wizard.secrets.choice", return_value="X") as mock_choice:
+        config = wz.wizard_file(**default_config)
+
+    assert 'password: "XXXXXXXXXXXX"' in config
+    assert mock_choice.call_count == 12
Author	SHA1	Message	Date
J. Nick Koston	caff93d7b8	Add test coverage for secrets.choice in fallback PSK generation Verifies that wizard_file uses secrets.choice (not random.choice) to generate the 12-character fallback hotspot password.	2026-02-08 07:08:25 -06:00
J. Nick Koston	e039676422	[wizard] Use secrets module for fallback AP password generation Replace random.choice() with secrets.choice() for generating the fallback hotspot password. The random module uses Mersenne Twister which is not cryptographically secure. The secrets module is the correct choice for credential generation. The file already imports secrets for other credential generation.	2026-02-08 06:44:45 -06:00
schrob	7b40e8afcb	[epaper_spi] Declare leaf classes final (#13776 )	2026-02-07 19:21:37 -06:00
J. Nick Koston	a43e3e5948	[dashboard] Close WebSocket after process exit to prevent zombie connections (#13834 )	2026-02-07 15:19:20 -06:00