arbret/backend/tests/test_auth.py

import pytest

from auth import COOKIE_NAME
from tests.helpers import unique_email


# Registration tests
@pytest.mark.asyncio
async def test_register_success(client):
    email = unique_email("register")
    response = await client.post(
        "/api/auth/register",
        json={"email": email, "password": "password123"},
    )
    assert response.status_code == 200
    data = response.json()
    assert data["email"] == email
    assert "id" in data
    assert "roles" in data
    assert "permissions" in data
    # New users get regular role by default
    assert "regular" in data["roles"]
    # Cookie should be set
    assert COOKIE_NAME in response.cookies


@pytest.mark.asyncio
async def test_register_duplicate_email(client):
    email = unique_email("duplicate")
    await client.post(
        "/api/auth/register",
        json={"email": email, "password": "password123"},
    )
    response = await client.post(
        "/api/auth/register",
        json={"email": email, "password": "differentpass"},
    )
    assert response.status_code == 400
    assert response.json()["detail"] == "Email already registered"


@pytest.mark.asyncio
async def test_register_invalid_email(client):
    response = await client.post(
        "/api/auth/register",
        json={"email": "notanemail", "password": "password123"},
    )
    assert response.status_code == 422


@pytest.mark.asyncio
async def test_register_missing_password(client):
    response = await client.post(
        "/api/auth/register",
        json={"email": unique_email()},
    )
    assert response.status_code == 422


@pytest.mark.asyncio
async def test_register_missing_email(client):
    response = await client.post(
        "/api/auth/register",
        json={"password": "password123"},
    )
    assert response.status_code == 422


@pytest.mark.asyncio
async def test_register_empty_body(client):
    response = await client.post("/api/auth/register", json={})
    assert response.status_code == 422


# Login tests
@pytest.mark.asyncio
async def test_login_success(client):
    email = unique_email("login")
    await client.post(
        "/api/auth/register",
        json={"email": email, "password": "password123"},
    )
    response = await client.post(
        "/api/auth/login",
        json={"email": email, "password": "password123"},
    )
    assert response.status_code == 200
    data = response.json()
    assert data["email"] == email
    assert "roles" in data
    assert "permissions" in data
    assert COOKIE_NAME in response.cookies


@pytest.mark.asyncio
async def test_login_wrong_password(client):
    email = unique_email("wrongpass")
    await client.post(
        "/api/auth/register",
        json={"email": email, "password": "correctpassword"},
    )
    response = await client.post(
        "/api/auth/login",
        json={"email": email, "password": "wrongpassword"},
    )
    assert response.status_code == 401
    assert response.json()["detail"] == "Incorrect email or password"


@pytest.mark.asyncio
async def test_login_nonexistent_user(client):
    response = await client.post(
        "/api/auth/login",
        json={"email": unique_email("nonexistent"), "password": "password123"},
    )
    assert response.status_code == 401
    assert response.json()["detail"] == "Incorrect email or password"


@pytest.mark.asyncio
async def test_login_invalid_email_format(client):
    response = await client.post(
        "/api/auth/login",
        json={"email": "invalidemail", "password": "password123"},
    )
    assert response.status_code == 422


@pytest.mark.asyncio
async def test_login_missing_fields(client):
    response = await client.post("/api/auth/login", json={})
    assert response.status_code == 422


# Get current user tests
@pytest.mark.asyncio
async def test_get_me_success(client_factory):
    email = unique_email("me")
    
    # Register and get cookies
    reg_response = await client_factory.post(
        "/api/auth/register",
        json={"email": email, "password": "password123"},
    )
    cookies = dict(reg_response.cookies)
    
    # Use authenticated client
    async with client_factory.create(cookies=cookies) as authed:
        response = await authed.get("/api/auth/me")
    
    assert response.status_code == 200
    data = response.json()
    assert data["email"] == email
    assert "id" in data
    assert "roles" in data
    assert "permissions" in data


@pytest.mark.asyncio
async def test_get_me_no_cookie(client):
    response = await client.get("/api/auth/me")
    assert response.status_code == 401


@pytest.mark.asyncio
async def test_get_me_invalid_cookie(client_factory):
    async with client_factory.create(cookies={COOKIE_NAME: "invalidtoken123"}) as authed:
        response = await authed.get("/api/auth/me")
    assert response.status_code == 401
    assert response.json()["detail"] == "Invalid authentication credentials"


@pytest.mark.asyncio
async def test_get_me_expired_token(client_factory):
    bad_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImV4cCI6MH0.invalid"
    async with client_factory.create(cookies={COOKIE_NAME: bad_token}) as authed:
        response = await authed.get("/api/auth/me")
    assert response.status_code == 401


# Cookie validation tests
@pytest.mark.asyncio
async def test_cookie_from_register_works_for_me(client_factory):
    email = unique_email("tokentest")
    
    reg_response = await client_factory.post(
        "/api/auth/register",
        json={"email": email, "password": "password123"},
    )
    cookies = dict(reg_response.cookies)
    
    async with client_factory.create(cookies=cookies) as authed:
        me_response = await authed.get("/api/auth/me")
    
    assert me_response.status_code == 200
    assert me_response.json()["email"] == email


@pytest.mark.asyncio
async def test_cookie_from_login_works_for_me(client_factory):
    email = unique_email("logintoken")
    
    await client_factory.post(
        "/api/auth/register",
        json={"email": email, "password": "password123"},
    )
    login_response = await client_factory.post(
        "/api/auth/login",
        json={"email": email, "password": "password123"},
    )
    cookies = dict(login_response.cookies)
    
    async with client_factory.create(cookies=cookies) as authed:
        me_response = await authed.get("/api/auth/me")
    
    assert me_response.status_code == 200
    assert me_response.json()["email"] == email


# Multiple users tests
@pytest.mark.asyncio
async def test_multiple_users_isolated(client_factory):
    email1 = unique_email("user1")
    email2 = unique_email("user2")
    
    resp1 = await client_factory.post(
        "/api/auth/register",
        json={"email": email1, "password": "password1"},
    )
    resp2 = await client_factory.post(
        "/api/auth/register",
        json={"email": email2, "password": "password2"},
    )
    
    cookies1 = dict(resp1.cookies)
    cookies2 = dict(resp2.cookies)
    
    async with client_factory.create(cookies=cookies1) as user1:
        me1 = await user1.get("/api/auth/me")
    
    async with client_factory.create(cookies=cookies2) as user2:
        me2 = await user2.get("/api/auth/me")
    
    assert me1.json()["email"] == email1
    assert me2.json()["email"] == email2
    assert me1.json()["id"] != me2.json()["id"]


# Password tests
@pytest.mark.asyncio
async def test_password_is_hashed(client):
    email = unique_email("hashtest")
    await client.post(
        "/api/auth/register",
        json={"email": email, "password": "mySecurePassword123"},
    )
    response = await client.post(
        "/api/auth/login",
        json={"email": email, "password": "mySecurePassword123"},
    )
    assert response.status_code == 200


@pytest.mark.asyncio
async def test_case_sensitive_password(client):
    email = unique_email("casetest")
    await client.post(
        "/api/auth/register",
        json={"email": email, "password": "Password123"},
    )
    response = await client.post(
        "/api/auth/login",
        json={"email": email, "password": "password123"},
    )
    assert response.status_code == 401


# Logout tests
@pytest.mark.asyncio
async def test_logout_success(client_factory):
    email = unique_email("logout")
    
    reg_response = await client_factory.post(
        "/api/auth/register",
        json={"email": email, "password": "password123"},
    )
    cookies = dict(reg_response.cookies)
    
    async with client_factory.create(cookies=cookies) as authed:
        logout_response = await authed.post("/api/auth/logout")
    
    assert logout_response.status_code == 200
    assert logout_response.json() == {"ok": True}
tests passing 2025-12-18 22:08:31 +01:00			`import pytest`

first round of review 2025-12-18 22:24:46 +01:00			`from auth import COOKIE_NAME`
second round of review 2025-12-18 22:31:19 +01:00			`from tests.helpers import unique_email`
tests passing 2025-12-18 22:08:31 +01:00

			`# Registration tests`
			`@pytest.mark.asyncio`
			`async def test_register_success(client):`
			`email = unique_email("register")`
			`response = await client.post(`
			`"/api/auth/register",`
			`json={"email": email, "password": "password123"},`
			`)`
			`assert response.status_code == 200`
			`data = response.json()`
first round of review 2025-12-18 22:24:46 +01:00			`assert data["email"] == email`
			`assert "id" in data`
tests passing 2025-12-18 23:33:32 +01:00			`assert "roles" in data`
			`assert "permissions" in data`
			`# New users get regular role by default`
			`assert "regular" in data["roles"]`
first round of review 2025-12-18 22:24:46 +01:00			`# Cookie should be set`
			`assert COOKIE_NAME in response.cookies`
tests passing 2025-12-18 22:08:31 +01:00

			`@pytest.mark.asyncio`
			`async def test_register_duplicate_email(client):`
			`email = unique_email("duplicate")`
			`await client.post(`
			`"/api/auth/register",`
			`json={"email": email, "password": "password123"},`
			`)`
			`response = await client.post(`
			`"/api/auth/register",`
			`json={"email": email, "password": "differentpass"},`
			`)`
			`assert response.status_code == 400`
			`assert response.json()["detail"] == "Email already registered"`


			`@pytest.mark.asyncio`
			`async def test_register_invalid_email(client):`
			`response = await client.post(`
			`"/api/auth/register",`
			`json={"email": "notanemail", "password": "password123"},`
			`)`
			`assert response.status_code == 422`


			`@pytest.mark.asyncio`
			`async def test_register_missing_password(client):`
			`response = await client.post(`
			`"/api/auth/register",`
			`json={"email": unique_email()},`
			`)`
			`assert response.status_code == 422`


			`@pytest.mark.asyncio`
			`async def test_register_missing_email(client):`
			`response = await client.post(`
			`"/api/auth/register",`
			`json={"password": "password123"},`
			`)`
			`assert response.status_code == 422`


			`@pytest.mark.asyncio`
			`async def test_register_empty_body(client):`
			`response = await client.post("/api/auth/register", json={})`
			`assert response.status_code == 422`


			`# Login tests`
			`@pytest.mark.asyncio`
			`async def test_login_success(client):`
			`email = unique_email("login")`
			`await client.post(`
			`"/api/auth/register",`
			`json={"email": email, "password": "password123"},`
			`)`
			`response = await client.post(`
			`"/api/auth/login",`
			`json={"email": email, "password": "password123"},`
			`)`
			`assert response.status_code == 200`
			`data = response.json()`
first round of review 2025-12-18 22:24:46 +01:00			`assert data["email"] == email`
tests passing 2025-12-18 23:33:32 +01:00			`assert "roles" in data`
			`assert "permissions" in data`
first round of review 2025-12-18 22:24:46 +01:00			`assert COOKIE_NAME in response.cookies`
tests passing 2025-12-18 22:08:31 +01:00

			`@pytest.mark.asyncio`
			`async def test_login_wrong_password(client):`
			`email = unique_email("wrongpass")`
			`await client.post(`
			`"/api/auth/register",`
			`json={"email": email, "password": "correctpassword"},`
			`)`
			`response = await client.post(`
			`"/api/auth/login",`
			`json={"email": email, "password": "wrongpassword"},`
			`)`
			`assert response.status_code == 401`
			`assert response.json()["detail"] == "Incorrect email or password"`


			`@pytest.mark.asyncio`
			`async def test_login_nonexistent_user(client):`
			`response = await client.post(`
			`"/api/auth/login",`
			`json={"email": unique_email("nonexistent"), "password": "password123"},`
			`)`
			`assert response.status_code == 401`
			`assert response.json()["detail"] == "Incorrect email or password"`


			`@pytest.mark.asyncio`
			`async def test_login_invalid_email_format(client):`
			`response = await client.post(`
			`"/api/auth/login",`
			`json={"email": "invalidemail", "password": "password123"},`
			`)`
			`assert response.status_code == 422`


			`@pytest.mark.asyncio`
			`async def test_login_missing_fields(client):`
			`response = await client.post("/api/auth/login", json={})`
			`assert response.status_code == 422`


			`# Get current user tests`
			`@pytest.mark.asyncio`
first round of review 2025-12-18 22:24:46 +01:00			`async def test_get_me_success(client_factory):`
tests passing 2025-12-18 22:08:31 +01:00			`email = unique_email("me")`
first round of review 2025-12-18 22:24:46 +01:00
			`# Register and get cookies`
			`reg_response = await client_factory.post(`
			`"/api/auth/register",`
			`json={"email": email, "password": "password123"},`
			`)`
			`cookies = dict(reg_response.cookies)`

			`# Use authenticated client`
			`async with client_factory.create(cookies=cookies) as authed:`
			`response = await authed.get("/api/auth/me")`

tests passing 2025-12-18 22:08:31 +01:00			`assert response.status_code == 200`
			`data = response.json()`
			`assert data["email"] == email`
			`assert "id" in data`
tests passing 2025-12-18 23:33:32 +01:00			`assert "roles" in data`
			`assert "permissions" in data`
tests passing 2025-12-18 22:08:31 +01:00

			`@pytest.mark.asyncio`
first round of review 2025-12-18 22:24:46 +01:00			`async def test_get_me_no_cookie(client):`
tests passing 2025-12-18 22:08:31 +01:00			`response = await client.get("/api/auth/me")`
first round of review 2025-12-18 22:24:46 +01:00			`assert response.status_code == 401`
tests passing 2025-12-18 22:08:31 +01:00

			`@pytest.mark.asyncio`
first round of review 2025-12-18 22:24:46 +01:00			`async def test_get_me_invalid_cookie(client_factory):`
			`async with client_factory.create(cookies={COOKIE_NAME: "invalidtoken123"}) as authed:`
			`response = await authed.get("/api/auth/me")`
tests passing 2025-12-18 22:08:31 +01:00			`assert response.status_code == 401`
			`assert response.json()["detail"] == "Invalid authentication credentials"`


			`@pytest.mark.asyncio`
first round of review 2025-12-18 22:24:46 +01:00			`async def test_get_me_expired_token(client_factory):`
			`bad_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImV4cCI6MH0.invalid"`
			`async with client_factory.create(cookies={COOKIE_NAME: bad_token}) as authed:`
			`response = await authed.get("/api/auth/me")`
tests passing 2025-12-18 22:08:31 +01:00			`assert response.status_code == 401`


first round of review 2025-12-18 22:24:46 +01:00			`# Cookie validation tests`
tests passing 2025-12-18 22:08:31 +01:00			`@pytest.mark.asyncio`
first round of review 2025-12-18 22:24:46 +01:00			`async def test_cookie_from_register_works_for_me(client_factory):`
tests passing 2025-12-18 22:08:31 +01:00			`email = unique_email("tokentest")`
first round of review 2025-12-18 22:24:46 +01:00
			`reg_response = await client_factory.post(`
tests passing 2025-12-18 22:08:31 +01:00			`"/api/auth/register",`
			`json={"email": email, "password": "password123"},`
			`)`
first round of review 2025-12-18 22:24:46 +01:00			`cookies = dict(reg_response.cookies)`

			`async with client_factory.create(cookies=cookies) as authed:`
			`me_response = await authed.get("/api/auth/me")`
tests passing 2025-12-18 22:08:31 +01:00
			`assert me_response.status_code == 200`
			`assert me_response.json()["email"] == email`


			`@pytest.mark.asyncio`
first round of review 2025-12-18 22:24:46 +01:00			`async def test_cookie_from_login_works_for_me(client_factory):`
tests passing 2025-12-18 22:08:31 +01:00			`email = unique_email("logintoken")`
first round of review 2025-12-18 22:24:46 +01:00
			`await client_factory.post(`
tests passing 2025-12-18 22:08:31 +01:00			`"/api/auth/register",`
			`json={"email": email, "password": "password123"},`
			`)`
first round of review 2025-12-18 22:24:46 +01:00			`login_response = await client_factory.post(`
tests passing 2025-12-18 22:08:31 +01:00			`"/api/auth/login",`
			`json={"email": email, "password": "password123"},`
			`)`
first round of review 2025-12-18 22:24:46 +01:00			`cookies = dict(login_response.cookies)`

			`async with client_factory.create(cookies=cookies) as authed:`
			`me_response = await authed.get("/api/auth/me")`
tests passing 2025-12-18 22:08:31 +01:00
			`assert me_response.status_code == 200`
			`assert me_response.json()["email"] == email`


			`# Multiple users tests`
			`@pytest.mark.asyncio`
first round of review 2025-12-18 22:24:46 +01:00			`async def test_multiple_users_isolated(client_factory):`
tests passing 2025-12-18 22:08:31 +01:00			`email1 = unique_email("user1")`
			`email2 = unique_email("user2")`

first round of review 2025-12-18 22:24:46 +01:00			`resp1 = await client_factory.post(`
tests passing 2025-12-18 22:08:31 +01:00			`"/api/auth/register",`
			`json={"email": email1, "password": "password1"},`
			`)`
first round of review 2025-12-18 22:24:46 +01:00			`resp2 = await client_factory.post(`
tests passing 2025-12-18 22:08:31 +01:00			`"/api/auth/register",`
			`json={"email": email2, "password": "password2"},`
			`)`

first round of review 2025-12-18 22:24:46 +01:00			`cookies1 = dict(resp1.cookies)`
			`cookies2 = dict(resp2.cookies)`

			`async with client_factory.create(cookies=cookies1) as user1:`
			`me1 = await user1.get("/api/auth/me")`
tests passing 2025-12-18 22:08:31 +01:00
first round of review 2025-12-18 22:24:46 +01:00			`async with client_factory.create(cookies=cookies2) as user2:`
			`me2 = await user2.get("/api/auth/me")`
tests passing 2025-12-18 22:08:31 +01:00
			`assert me1.json()["email"] == email1`
			`assert me2.json()["email"] == email2`
			`assert me1.json()["id"] != me2.json()["id"]`


			`# Password tests`
			`@pytest.mark.asyncio`
			`async def test_password_is_hashed(client):`
			`email = unique_email("hashtest")`
			`await client.post(`
			`"/api/auth/register",`
			`json={"email": email, "password": "mySecurePassword123"},`
			`)`
			`response = await client.post(`
			`"/api/auth/login",`
			`json={"email": email, "password": "mySecurePassword123"},`
			`)`
			`assert response.status_code == 200`


			`@pytest.mark.asyncio`
			`async def test_case_sensitive_password(client):`
			`email = unique_email("casetest")`
			`await client.post(`
			`"/api/auth/register",`
			`json={"email": email, "password": "Password123"},`
			`)`
			`response = await client.post(`
			`"/api/auth/login",`
			`json={"email": email, "password": "password123"},`
			`)`
			`assert response.status_code == 401`
first round of review 2025-12-18 22:24:46 +01:00

			`# Logout tests`
			`@pytest.mark.asyncio`
			`async def test_logout_success(client_factory):`
			`email = unique_email("logout")`

			`reg_response = await client_factory.post(`
			`"/api/auth/register",`
			`json={"email": email, "password": "password123"},`
			`)`
			`cookies = dict(reg_response.cookies)`

			`async with client_factory.create(cookies=cookies) as authed:`
			`logout_response = await authed.post("/api/auth/logout")`

			`assert logout_response.status_code == 200`
			`assert logout_response.json() == {"ok": True}`