first round of review

2025-12-18 22:24:46 +01:00 · 2025-12-18 22:24:46 +01:00 · da5a0d03eb
commit da5a0d03eb
parent 7ebfb7a2dd
14 changed files with 362 additions and 244 deletions
--- a/backend/tests/test_auth.py
+++ b/backend/tests/test_auth.py
@ -1,28 +1,14 @@
 import pytest
 import uuid

+from auth import COOKIE_NAME
+

 def unique_email(prefix: str = "test") -> str:
    """Generate a unique email for tests sharing the same database."""
    return f"{prefix}-{uuid.uuid4().hex[:8]}@example.com"


-async def create_user_and_get_token(client, email: str = None, password: str = "testpass123") -> str:
-    """Helper to create a user and return their auth token."""
-    if email is None:
-        email = unique_email()
-    response = await client.post(
-        "/api/auth/register",
-        json={"email": email, "password": password},
-    )
-    return response.json()["access_token"]
-
-
-def auth_header(token: str) -> dict:
-    """Helper to create auth headers from token."""
-    return {"Authorization": f"Bearer {token}"}
-
-
 # Registration tests
@pytest.mark.asyncio
 async def test_register_success(client):
@ -33,10 +19,10 @@ async def test_register_success(client):
    )
    assert response.status_code == 200
    data = response.json()
-    assert "access_token" in data
-    assert data["token_type"] == "bearer"
-    assert data["user"]["email"] == email
-    assert "id" in data["user"]
+    assert data["email"] == email
+    assert "id" in data
+    # Cookie should be set
+    assert COOKIE_NAME in response.cookies


@pytest.mark.asyncio
@ -101,9 +87,8 @@ async def test_login_success(client):
    )
    assert response.status_code == 200
    data = response.json()
-    assert "access_token" in data
-    assert data["token_type"] == "bearer"
-    assert data["user"]["email"] == email
+    assert data["email"] == email
+    assert COOKIE_NAME in response.cookies


@pytest.mark.asyncio
@ -148,10 +133,20 @@ async def test_login_missing_fields(client):

 # Get current user tests
@pytest.mark.asyncio
-async def test_get_me_success(client):
+async def test_get_me_success(client_factory):
    email = unique_email("me")
-    token = await create_user_and_get_token(client, email)
-    response = await client.get("/api/auth/me", headers=auth_header(token))
+    
+    # Register and get cookies
+    reg_response = await client_factory.post(
+        "/api/auth/register",
+        json={"email": email, "password": "password123"},
+    )
+    cookies = dict(reg_response.cookies)
+    
+    # Use authenticated client
+    async with client_factory.create(cookies=cookies) as authed:
+        response = await authed.get("/api/auth/me")
+    
    assert response.status_code == 200
    data = response.json()
    assert data["email"] == email
@ -159,94 +154,89 @@ async def test_get_me_success(client):


@pytest.mark.asyncio
-async def test_get_me_no_token(client):
+async def test_get_me_no_cookie(client):
    response = await client.get("/api/auth/me")
-    # HTTPBearer returns 401/403 when credentials are missing
-    assert response.status_code in [401, 403]
+    assert response.status_code == 401


@pytest.mark.asyncio
-async def test_get_me_invalid_token(client):
-    response = await client.get(
-        "/api/auth/me",
-        headers={"Authorization": "Bearer invalidtoken123"},
-    )
+async def test_get_me_invalid_cookie(client_factory):
+    async with client_factory.create(cookies={COOKIE_NAME: "invalidtoken123"}) as authed:
+        response = await authed.get("/api/auth/me")
    assert response.status_code == 401
    assert response.json()["detail"] == "Invalid authentication credentials"


@pytest.mark.asyncio
-async def test_get_me_malformed_auth_header(client):
-    response = await client.get(
-        "/api/auth/me",
-        headers={"Authorization": "NotBearer token123"},
-    )
-    # Invalid scheme returns 401/403
-    assert response.status_code in [401, 403]
-
-
-@pytest.mark.asyncio
-async def test_get_me_expired_token(client):
-    response = await client.get(
-        "/api/auth/me",
-        headers={"Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImV4cCI6MH0.invalid"},
-    )
+async def test_get_me_expired_token(client_factory):
+    bad_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImV4cCI6MH0.invalid"
+    async with client_factory.create(cookies={COOKIE_NAME: bad_token}) as authed:
+        response = await authed.get("/api/auth/me")
    assert response.status_code == 401


-# Token validation tests
+# Cookie validation tests
@pytest.mark.asyncio
-async def test_token_from_register_works_for_me(client):
+async def test_cookie_from_register_works_for_me(client_factory):
    email = unique_email("tokentest")
-    register_response = await client.post(
+    
+    reg_response = await client_factory.post(
        "/api/auth/register",
        json={"email": email, "password": "password123"},
    )
-    token = register_response.json()["access_token"]
+    cookies = dict(reg_response.cookies)
+    
+    async with client_factory.create(cookies=cookies) as authed:
+        me_response = await authed.get("/api/auth/me")
    
-    me_response = await client.get("/api/auth/me", headers=auth_header(token))
    assert me_response.status_code == 200
    assert me_response.json()["email"] == email


@pytest.mark.asyncio
-async def test_token_from_login_works_for_me(client):
+async def test_cookie_from_login_works_for_me(client_factory):
    email = unique_email("logintoken")
-    await client.post(
+    
+    await client_factory.post(
        "/api/auth/register",
        json={"email": email, "password": "password123"},
    )
-    login_response = await client.post(
+    login_response = await client_factory.post(
        "/api/auth/login",
        json={"email": email, "password": "password123"},
    )
-    token = login_response.json()["access_token"]
+    cookies = dict(login_response.cookies)
+    
+    async with client_factory.create(cookies=cookies) as authed:
+        me_response = await authed.get("/api/auth/me")
    
-    me_response = await client.get("/api/auth/me", headers=auth_header(token))
    assert me_response.status_code == 200
    assert me_response.json()["email"] == email


 # Multiple users tests
@pytest.mark.asyncio
-async def test_multiple_users_isolated(client):
+async def test_multiple_users_isolated(client_factory):
    email1 = unique_email("user1")
    email2 = unique_email("user2")
    
-    resp1 = await client.post(
+    resp1 = await client_factory.post(
        "/api/auth/register",
        json={"email": email1, "password": "password1"},
    )
-    resp2 = await client.post(
+    resp2 = await client_factory.post(
        "/api/auth/register",
        json={"email": email2, "password": "password2"},
    )
    
-    token1 = resp1.json()["access_token"]
-    token2 = resp2.json()["access_token"]
+    cookies1 = dict(resp1.cookies)
+    cookies2 = dict(resp2.cookies)
    
-    me1 = await client.get("/api/auth/me", headers=auth_header(token1))
-    me2 = await client.get("/api/auth/me", headers=auth_header(token2))
+    async with client_factory.create(cookies=cookies1) as user1:
+        me1 = await user1.get("/api/auth/me")
+    
+    async with client_factory.create(cookies=cookies2) as user2:
+        me2 = await user2.get("/api/auth/me")
    
    assert me1.json()["email"] == email1
    assert me2.json()["email"] == email2
@ -280,3 +270,21 @@ async def test_case_sensitive_password(client):
        json={"email": email, "password": "password123"},
    )
    assert response.status_code == 401
+
+
+# Logout tests
+@pytest.mark.asyncio
+async def test_logout_success(client_factory):
+    email = unique_email("logout")
+    
+    reg_response = await client_factory.post(
+        "/api/auth/register",
+        json={"email": email, "password": "password123"},
+    )
+    cookies = dict(reg_response.cookies)
+    
+    async with client_factory.create(cookies=cookies) as authed:
+        logout_response = await authed.post("/api/auth/logout")
+    
+    assert logout_response.status_code == 200
+    assert logout_response.json() == {"ok": True}