"""Tests for authentication endpoints. Note: Registration now requires an invite code. Tests that need to register users will create invites first via the helper function. """ import pytest from auth import COOKIE_NAME from tests.helpers import unique_email, create_invite_for_registration # Registration tests (with invite) @pytest.mark.asyncio async def test_register_success(client_factory): """Can register with valid invite code.""" email = unique_email("register") # Create invite async with client_factory.get_db_session() as db: invite_code = await create_invite_for_registration(db, unique_email("godfather")) response = await client_factory.post( "/api/auth/register", json={ "email": email, "password": "password123", "invite_identifier": invite_code, }, ) assert response.status_code == 200 data = response.json() assert data["email"] == email assert "id" in data assert "roles" in data assert "permissions" in data # New users get regular role by default assert "regular" in data["roles"] # Cookie should be set assert COOKIE_NAME in response.cookies @pytest.mark.asyncio async def test_register_duplicate_email(client_factory): """Cannot register with already-used email.""" email = unique_email("duplicate") # Create two invites async with client_factory.get_db_session() as db: invite1 = await create_invite_for_registration(db, unique_email("gf1")) invite2 = await create_invite_for_registration(db, unique_email("gf2")) # First registration await client_factory.post( "/api/auth/register", json={ "email": email, "password": "password123", "invite_identifier": invite1, }, ) # Second registration with same email response = await client_factory.post( "/api/auth/register", json={ "email": email, "password": "differentpass", "invite_identifier": invite2, }, ) assert response.status_code == 400 assert response.json()["detail"] == "Email already registered" @pytest.mark.asyncio async def test_register_invalid_email(client_factory): """Cannot register with invalid email format.""" async with client_factory.get_db_session() as db: invite_code = await create_invite_for_registration(db, unique_email("gf")) response = await client_factory.post( "/api/auth/register", json={ "email": "notanemail", "password": "password123", "invite_identifier": invite_code, }, ) assert response.status_code == 422 @pytest.mark.asyncio async def test_register_missing_password(client): """Cannot register without password.""" response = await client.post( "/api/auth/register", json={"email": unique_email(), "invite_identifier": "some-code-00"}, ) assert response.status_code == 422 @pytest.mark.asyncio async def test_register_missing_email(client): """Cannot register without email.""" response = await client.post( "/api/auth/register", json={"password": "password123", "invite_identifier": "some-code-00"}, ) assert response.status_code == 422 @pytest.mark.asyncio async def test_register_missing_invite(client): """Cannot register without invite code.""" response = await client.post( "/api/auth/register", json={"email": unique_email(), "password": "password123"}, ) assert response.status_code == 422 @pytest.mark.asyncio async def test_register_empty_body(client): """Cannot register with empty body.""" response = await client.post("/api/auth/register", json={}) assert response.status_code == 422 # Login tests @pytest.mark.asyncio async def test_login_success(client_factory): """Can login with valid credentials.""" email = unique_email("login") async with client_factory.get_db_session() as db: invite_code = await create_invite_for_registration(db, unique_email("gf")) await client_factory.post( "/api/auth/register", json={ "email": email, "password": "password123", "invite_identifier": invite_code, }, ) response = await client_factory.post( "/api/auth/login", json={"email": email, "password": "password123"}, ) assert response.status_code == 200 data = response.json() assert data["email"] == email assert "roles" in data assert "permissions" in data assert COOKIE_NAME in response.cookies @pytest.mark.asyncio async def test_login_wrong_password(client_factory): """Cannot login with wrong password.""" email = unique_email("wrongpass") async with client_factory.get_db_session() as db: invite_code = await create_invite_for_registration(db, unique_email("gf")) await client_factory.post( "/api/auth/register", json={ "email": email, "password": "correctpassword", "invite_identifier": invite_code, }, ) response = await client_factory.post( "/api/auth/login", json={"email": email, "password": "wrongpassword"}, ) assert response.status_code == 401 assert response.json()["detail"] == "Incorrect email or password" @pytest.mark.asyncio async def test_login_nonexistent_user(client): """Cannot login with non-existent user.""" response = await client.post( "/api/auth/login", json={"email": unique_email("nonexistent"), "password": "password123"}, ) assert response.status_code == 401 assert response.json()["detail"] == "Incorrect email or password" @pytest.mark.asyncio async def test_login_invalid_email_format(client): """Cannot login with invalid email format.""" response = await client.post( "/api/auth/login", json={"email": "invalidemail", "password": "password123"}, ) assert response.status_code == 422 @pytest.mark.asyncio async def test_login_missing_fields(client): """Cannot login with missing fields.""" response = await client.post("/api/auth/login", json={}) assert response.status_code == 422 # Get current user tests @pytest.mark.asyncio async def test_get_me_success(client_factory): """Can get current user info when authenticated.""" email = unique_email("me") async with client_factory.get_db_session() as db: invite_code = await create_invite_for_registration(db, unique_email("gf")) reg_response = await client_factory.post( "/api/auth/register", json={ "email": email, "password": "password123", "invite_identifier": invite_code, }, ) cookies = dict(reg_response.cookies) async with client_factory.create(cookies=cookies) as authed: response = await authed.get("/api/auth/me") assert response.status_code == 200 data = response.json() assert data["email"] == email assert "id" in data assert "roles" in data assert "permissions" in data @pytest.mark.asyncio async def test_get_me_no_cookie(client): """Cannot get current user without auth cookie.""" response = await client.get("/api/auth/me") assert response.status_code == 401 @pytest.mark.asyncio async def test_get_me_invalid_cookie(client_factory): """Cannot get current user with invalid cookie.""" async with client_factory.create(cookies={COOKIE_NAME: "invalidtoken123"}) as authed: response = await authed.get("/api/auth/me") assert response.status_code == 401 assert response.json()["detail"] == "Invalid authentication credentials" @pytest.mark.asyncio async def test_get_me_expired_token(client_factory): """Cannot get current user with expired token.""" bad_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImV4cCI6MH0.invalid" async with client_factory.create(cookies={COOKIE_NAME: bad_token}) as authed: response = await authed.get("/api/auth/me") assert response.status_code == 401 # Cookie validation tests @pytest.mark.asyncio async def test_cookie_from_register_works_for_me(client_factory): """Auth cookie from registration works for subsequent requests.""" email = unique_email("tokentest") async with client_factory.get_db_session() as db: invite_code = await create_invite_for_registration(db, unique_email("gf")) reg_response = await client_factory.post( "/api/auth/register", json={ "email": email, "password": "password123", "invite_identifier": invite_code, }, ) cookies = dict(reg_response.cookies) async with client_factory.create(cookies=cookies) as authed: me_response = await authed.get("/api/auth/me") assert me_response.status_code == 200 assert me_response.json()["email"] == email @pytest.mark.asyncio async def test_cookie_from_login_works_for_me(client_factory): """Auth cookie from login works for subsequent requests.""" email = unique_email("logintoken") async with client_factory.get_db_session() as db: invite_code = await create_invite_for_registration(db, unique_email("gf")) await client_factory.post( "/api/auth/register", json={ "email": email, "password": "password123", "invite_identifier": invite_code, }, ) login_response = await client_factory.post( "/api/auth/login", json={"email": email, "password": "password123"}, ) cookies = dict(login_response.cookies) async with client_factory.create(cookies=cookies) as authed: me_response = await authed.get("/api/auth/me") assert me_response.status_code == 200 assert me_response.json()["email"] == email # Multiple users tests @pytest.mark.asyncio async def test_multiple_users_isolated(client_factory): """Multiple users have isolated sessions.""" email1 = unique_email("user1") email2 = unique_email("user2") async with client_factory.get_db_session() as db: invite1 = await create_invite_for_registration(db, unique_email("gf1")) invite2 = await create_invite_for_registration(db, unique_email("gf2")) resp1 = await client_factory.post( "/api/auth/register", json={ "email": email1, "password": "password1", "invite_identifier": invite1, }, ) resp2 = await client_factory.post( "/api/auth/register", json={ "email": email2, "password": "password2", "invite_identifier": invite2, }, ) cookies1 = dict(resp1.cookies) cookies2 = dict(resp2.cookies) async with client_factory.create(cookies=cookies1) as user1: me1 = await user1.get("/api/auth/me") async with client_factory.create(cookies=cookies2) as user2: me2 = await user2.get("/api/auth/me") assert me1.json()["email"] == email1 assert me2.json()["email"] == email2 assert me1.json()["id"] != me2.json()["id"] # Password tests @pytest.mark.asyncio async def test_password_is_hashed(client_factory): """Passwords are properly hashed (can login with correct password).""" email = unique_email("hashtest") async with client_factory.get_db_session() as db: invite_code = await create_invite_for_registration(db, unique_email("gf")) await client_factory.post( "/api/auth/register", json={ "email": email, "password": "mySecurePassword123", "invite_identifier": invite_code, }, ) response = await client_factory.post( "/api/auth/login", json={"email": email, "password": "mySecurePassword123"}, ) assert response.status_code == 200 @pytest.mark.asyncio async def test_case_sensitive_password(client_factory): """Passwords are case-sensitive.""" email = unique_email("casetest") async with client_factory.get_db_session() as db: invite_code = await create_invite_for_registration(db, unique_email("gf")) await client_factory.post( "/api/auth/register", json={ "email": email, "password": "Password123", "invite_identifier": invite_code, }, ) response = await client_factory.post( "/api/auth/login", json={"email": email, "password": "password123"}, ) assert response.status_code == 401 # Logout tests @pytest.mark.asyncio async def test_logout_success(client_factory): """Can logout successfully.""" email = unique_email("logout") async with client_factory.get_db_session() as db: invite_code = await create_invite_for_registration(db, unique_email("gf")) reg_response = await client_factory.post( "/api/auth/register", json={ "email": email, "password": "password123", "invite_identifier": invite_code, }, ) cookies = dict(reg_response.cookies) async with client_factory.create(cookies=cookies) as authed: logout_response = await authed.post("/api/auth/logout") assert logout_response.status_code == 200 assert logout_response.json() == {"ok": True}