counterweight
6c218130e9
- Add ruff as dev dependency - Configure ruff in pyproject.toml with strict 88-char line limit - Ignore B008 (FastAPI Depends pattern is standard) - Allow longer lines in tests for readability - Fix all lint issues in source files - Add Makefile targets: lint-backend, format-backend, fix-backend
473 lines
14 KiB
Python
473 lines
14 KiB
Python
"""Tests for authentication endpoints.
|
|
|
|
Note: Registration now requires an invite code. Tests that need to register
|
|
users will create invites first via the helper function.
|
|
"""
|
|
|
|
import pytest
|
|
|
|
from auth import COOKIE_NAME
|
|
from models import ROLE_REGULAR
|
|
from tests.conftest import create_user_with_roles
|
|
from tests.helpers import create_invite_for_godfather, unique_email
|
|
|
|
|
|
# Registration tests (with invite)
|
|
@pytest.mark.asyncio
|
|
async def test_register_success(client_factory):
|
|
"""Can register with valid invite code."""
|
|
email = unique_email("register")
|
|
|
|
# Create godfather user and invite
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("godfather"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite_code = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
response = await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "password123",
|
|
"invite_identifier": invite_code,
|
|
},
|
|
)
|
|
assert response.status_code == 200
|
|
data = response.json()
|
|
assert data["email"] == email
|
|
assert "id" in data
|
|
assert "roles" in data
|
|
assert "permissions" in data
|
|
# New users get regular role by default
|
|
assert "regular" in data["roles"]
|
|
# Cookie should be set
|
|
assert COOKIE_NAME in response.cookies
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_register_duplicate_email(client_factory):
|
|
"""Cannot register with already-used email."""
|
|
email = unique_email("duplicate")
|
|
|
|
# Create godfather and two invites
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite1 = await create_invite_for_godfather(db, godfather.id)
|
|
invite2 = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
# First registration
|
|
await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "password123",
|
|
"invite_identifier": invite1,
|
|
},
|
|
)
|
|
|
|
# Second registration with same email
|
|
response = await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "differentpass",
|
|
"invite_identifier": invite2,
|
|
},
|
|
)
|
|
assert response.status_code == 400
|
|
assert response.json()["detail"] == "Email already registered"
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_register_invalid_email(client_factory):
|
|
"""Cannot register with invalid email format."""
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite_code = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
response = await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": "notanemail",
|
|
"password": "password123",
|
|
"invite_identifier": invite_code,
|
|
},
|
|
)
|
|
assert response.status_code == 422
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_register_missing_password(client):
|
|
"""Cannot register without password."""
|
|
response = await client.post(
|
|
"/api/auth/register",
|
|
json={"email": unique_email(), "invite_identifier": "some-code-00"},
|
|
)
|
|
assert response.status_code == 422
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_register_missing_email(client):
|
|
"""Cannot register without email."""
|
|
response = await client.post(
|
|
"/api/auth/register",
|
|
json={"password": "password123", "invite_identifier": "some-code-00"},
|
|
)
|
|
assert response.status_code == 422
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_register_missing_invite(client):
|
|
"""Cannot register without invite code."""
|
|
response = await client.post(
|
|
"/api/auth/register",
|
|
json={"email": unique_email(), "password": "password123"},
|
|
)
|
|
assert response.status_code == 422
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_register_empty_body(client):
|
|
"""Cannot register with empty body."""
|
|
response = await client.post("/api/auth/register", json={})
|
|
assert response.status_code == 422
|
|
|
|
|
|
# Login tests
|
|
@pytest.mark.asyncio
|
|
async def test_login_success(client_factory):
|
|
"""Can login with valid credentials."""
|
|
email = unique_email("login")
|
|
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite_code = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "password123",
|
|
"invite_identifier": invite_code,
|
|
},
|
|
)
|
|
response = await client_factory.post(
|
|
"/api/auth/login",
|
|
json={"email": email, "password": "password123"},
|
|
)
|
|
assert response.status_code == 200
|
|
data = response.json()
|
|
assert data["email"] == email
|
|
assert "roles" in data
|
|
assert "permissions" in data
|
|
assert COOKIE_NAME in response.cookies
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_login_wrong_password(client_factory):
|
|
"""Cannot login with wrong password."""
|
|
email = unique_email("wrongpass")
|
|
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite_code = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "correctpassword",
|
|
"invite_identifier": invite_code,
|
|
},
|
|
)
|
|
response = await client_factory.post(
|
|
"/api/auth/login",
|
|
json={"email": email, "password": "wrongpassword"},
|
|
)
|
|
assert response.status_code == 401
|
|
assert response.json()["detail"] == "Incorrect email or password"
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_login_nonexistent_user(client):
|
|
"""Cannot login with non-existent user."""
|
|
response = await client.post(
|
|
"/api/auth/login",
|
|
json={"email": unique_email("nonexistent"), "password": "password123"},
|
|
)
|
|
assert response.status_code == 401
|
|
assert response.json()["detail"] == "Incorrect email or password"
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_login_invalid_email_format(client):
|
|
"""Cannot login with invalid email format."""
|
|
response = await client.post(
|
|
"/api/auth/login",
|
|
json={"email": "invalidemail", "password": "password123"},
|
|
)
|
|
assert response.status_code == 422
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_login_missing_fields(client):
|
|
"""Cannot login with missing fields."""
|
|
response = await client.post("/api/auth/login", json={})
|
|
assert response.status_code == 422
|
|
|
|
|
|
# Get current user tests
|
|
@pytest.mark.asyncio
|
|
async def test_get_me_success(client_factory):
|
|
"""Can get current user info when authenticated."""
|
|
email = unique_email("me")
|
|
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite_code = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
reg_response = await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "password123",
|
|
"invite_identifier": invite_code,
|
|
},
|
|
)
|
|
cookies = dict(reg_response.cookies)
|
|
|
|
async with client_factory.create(cookies=cookies) as authed:
|
|
response = await authed.get("/api/auth/me")
|
|
|
|
assert response.status_code == 200
|
|
data = response.json()
|
|
assert data["email"] == email
|
|
assert "id" in data
|
|
assert "roles" in data
|
|
assert "permissions" in data
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_get_me_no_cookie(client):
|
|
"""Cannot get current user without auth cookie."""
|
|
response = await client.get("/api/auth/me")
|
|
assert response.status_code == 401
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_get_me_invalid_cookie(client_factory):
|
|
"""Cannot get current user with invalid cookie."""
|
|
async with client_factory.create(
|
|
cookies={COOKIE_NAME: "invalidtoken123"}
|
|
) as authed:
|
|
response = await authed.get("/api/auth/me")
|
|
assert response.status_code == 401
|
|
assert response.json()["detail"] == "Invalid authentication credentials"
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_get_me_expired_token(client_factory):
|
|
"""Cannot get current user with expired token."""
|
|
bad_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImV4cCI6MH0.invalid"
|
|
async with client_factory.create(cookies={COOKIE_NAME: bad_token}) as authed:
|
|
response = await authed.get("/api/auth/me")
|
|
assert response.status_code == 401
|
|
|
|
|
|
# Cookie validation tests
|
|
@pytest.mark.asyncio
|
|
async def test_cookie_from_register_works_for_me(client_factory):
|
|
"""Auth cookie from registration works for subsequent requests."""
|
|
email = unique_email("tokentest")
|
|
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite_code = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
reg_response = await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "password123",
|
|
"invite_identifier": invite_code,
|
|
},
|
|
)
|
|
cookies = dict(reg_response.cookies)
|
|
|
|
async with client_factory.create(cookies=cookies) as authed:
|
|
me_response = await authed.get("/api/auth/me")
|
|
|
|
assert me_response.status_code == 200
|
|
assert me_response.json()["email"] == email
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_cookie_from_login_works_for_me(client_factory):
|
|
"""Auth cookie from login works for subsequent requests."""
|
|
email = unique_email("logintoken")
|
|
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite_code = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "password123",
|
|
"invite_identifier": invite_code,
|
|
},
|
|
)
|
|
login_response = await client_factory.post(
|
|
"/api/auth/login",
|
|
json={"email": email, "password": "password123"},
|
|
)
|
|
cookies = dict(login_response.cookies)
|
|
|
|
async with client_factory.create(cookies=cookies) as authed:
|
|
me_response = await authed.get("/api/auth/me")
|
|
|
|
assert me_response.status_code == 200
|
|
assert me_response.json()["email"] == email
|
|
|
|
|
|
# Multiple users tests
|
|
@pytest.mark.asyncio
|
|
async def test_multiple_users_isolated(client_factory):
|
|
"""Multiple users have isolated sessions."""
|
|
email1 = unique_email("user1")
|
|
email2 = unique_email("user2")
|
|
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite1 = await create_invite_for_godfather(db, godfather.id)
|
|
invite2 = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
resp1 = await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email1,
|
|
"password": "password1",
|
|
"invite_identifier": invite1,
|
|
},
|
|
)
|
|
resp2 = await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email2,
|
|
"password": "password2",
|
|
"invite_identifier": invite2,
|
|
},
|
|
)
|
|
|
|
cookies1 = dict(resp1.cookies)
|
|
cookies2 = dict(resp2.cookies)
|
|
|
|
async with client_factory.create(cookies=cookies1) as user1:
|
|
me1 = await user1.get("/api/auth/me")
|
|
|
|
async with client_factory.create(cookies=cookies2) as user2:
|
|
me2 = await user2.get("/api/auth/me")
|
|
|
|
assert me1.json()["email"] == email1
|
|
assert me2.json()["email"] == email2
|
|
assert me1.json()["id"] != me2.json()["id"]
|
|
|
|
|
|
# Password tests
|
|
@pytest.mark.asyncio
|
|
async def test_password_is_hashed(client_factory):
|
|
"""Passwords are properly hashed (can login with correct password)."""
|
|
email = unique_email("hashtest")
|
|
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite_code = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "mySecurePassword123",
|
|
"invite_identifier": invite_code,
|
|
},
|
|
)
|
|
response = await client_factory.post(
|
|
"/api/auth/login",
|
|
json={"email": email, "password": "mySecurePassword123"},
|
|
)
|
|
assert response.status_code == 200
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_case_sensitive_password(client_factory):
|
|
"""Passwords are case-sensitive."""
|
|
email = unique_email("casetest")
|
|
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite_code = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "Password123",
|
|
"invite_identifier": invite_code,
|
|
},
|
|
)
|
|
response = await client_factory.post(
|
|
"/api/auth/login",
|
|
json={"email": email, "password": "password123"},
|
|
)
|
|
assert response.status_code == 401
|
|
|
|
|
|
# Logout tests
|
|
@pytest.mark.asyncio
|
|
async def test_logout_success(client_factory):
|
|
"""Can logout successfully."""
|
|
email = unique_email("logout")
|
|
|
|
async with client_factory.get_db_session() as db:
|
|
godfather = await create_user_with_roles(
|
|
db, unique_email("gf"), "pass123", [ROLE_REGULAR]
|
|
)
|
|
invite_code = await create_invite_for_godfather(db, godfather.id)
|
|
|
|
reg_response = await client_factory.post(
|
|
"/api/auth/register",
|
|
json={
|
|
"email": email,
|
|
"password": "password123",
|
|
"invite_identifier": invite_code,
|
|
},
|
|
)
|
|
cookies = dict(reg_response.cookies)
|
|
|
|
async with client_factory.create(cookies=cookies) as authed:
|
|
logout_response = await authed.post("/api/auth/logout")
|
|
|
|
assert logout_response.status_code == 200
|
|
assert logout_response.json() == {"ok": True}
|