galaxis-po/backend/tests/e2e/test_auth_flow.py

"""
E2E tests for authentication flow.
"""
import hashlib

import pytest
from fastapi.testclient import TestClient


def _sha256(password: str) -> str:
    """SHA-256 hash to match client-side hashing."""
    return hashlib.sha256(password.encode()).hexdigest()


def test_health_check(client: TestClient):
    """Test health check endpoint."""
    response = client.get("/health")
    assert response.status_code == 200
    assert response.json() == {"status": "healthy"}


def test_login_success(client: TestClient, test_user):
    """Test successful login."""
    response = client.post(
        "/api/auth/login",
        json={
            "username": "testuser",
            "password": _sha256("testpassword"),
        },
    )
    assert response.status_code == 200
    data = response.json()
    assert "access_token" in data
    assert data["token_type"] == "bearer"


def test_login_wrong_password(client: TestClient, test_user):
    """Test login with wrong password."""
    response = client.post(
        "/api/auth/login",
        json={
            "username": "testuser",
            "password": _sha256("wrongpassword"),
        },
    )
    assert response.status_code == 401


def test_login_nonexistent_user(client: TestClient):
    """Test login with nonexistent user."""
    response = client.post(
        "/api/auth/login",
        json={
            "username": "nonexistent",
            "password": _sha256("password"),
        },
    )
    assert response.status_code == 401


def test_get_current_user(client: TestClient, auth_headers):
    """Test getting current user info."""
    response = client.get("/api/auth/me", headers=auth_headers)
    assert response.status_code == 200
    data = response.json()
    assert data["username"] == "testuser"
    assert data["email"] == "test@example.com"


def test_get_current_user_no_token(client: TestClient):
    """Test getting current user without token."""
    response = client.get("/api/auth/me")
    assert response.status_code == 401


def test_get_current_user_invalid_token(client: TestClient):
    """Test getting current user with invalid token."""
    response = client.get(
        "/api/auth/me",
        headers={"Authorization": "Bearer invalid_token"},
    )
    assert response.status_code == 401
feat: add E2E tests for backend and frontend Backend (pytest): - Auth flow tests (login, token, protected routes) - Portfolio CRUD and transaction tests - Strategy endpoint tests - Backtest flow tests - Snapshot and returns tests Frontend (Playwright): - Auth page tests - Portfolio navigation tests - Strategy page tests - Backtest page tests - Playwright configuration Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 12:30:13 +09:00			`"""`
			`E2E tests for authentication flow.`
			`"""`
feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`import hashlib`

feat: add E2E tests for backend and frontend Backend (pytest): - Auth flow tests (login, token, protected routes) - Portfolio CRUD and transaction tests - Strategy endpoint tests - Backtest flow tests - Snapshot and returns tests Frontend (Playwright): - Auth page tests - Portfolio navigation tests - Strategy page tests - Backtest page tests - Playwright configuration Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 12:30:13 +09:00			`import pytest`
			`from fastapi.testclient import TestClient`


feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`def _sha256(password: str) -> str:`
			`"""SHA-256 hash to match client-side hashing."""`
			`return hashlib.sha256(password.encode()).hexdigest()`


feat: add E2E tests for backend and frontend Backend (pytest): - Auth flow tests (login, token, protected routes) - Portfolio CRUD and transaction tests - Strategy endpoint tests - Backtest flow tests - Snapshot and returns tests Frontend (Playwright): - Auth page tests - Portfolio navigation tests - Strategy page tests - Backtest page tests - Playwright configuration Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 12:30:13 +09:00			`def test_health_check(client: TestClient):`
			`"""Test health check endpoint."""`
			`response = client.get("/health")`
			`assert response.status_code == 200`
			`assert response.json() == {"status": "healthy"}`


			`def test_login_success(client: TestClient, test_user):`
			`"""Test successful login."""`
			`response = client.post(`
			`"/api/auth/login",`
feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`json={`
feat: add E2E tests for backend and frontend Backend (pytest): - Auth flow tests (login, token, protected routes) - Portfolio CRUD and transaction tests - Strategy endpoint tests - Backtest flow tests - Snapshot and returns tests Frontend (Playwright): - Auth page tests - Portfolio navigation tests - Strategy page tests - Backtest page tests - Playwright configuration Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 12:30:13 +09:00			`"username": "testuser",`
feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`"password": _sha256("testpassword"),`
feat: add E2E tests for backend and frontend Backend (pytest): - Auth flow tests (login, token, protected routes) - Portfolio CRUD and transaction tests - Strategy endpoint tests - Backtest flow tests - Snapshot and returns tests Frontend (Playwright): - Auth page tests - Portfolio navigation tests - Strategy page tests - Backtest page tests - Playwright configuration Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 12:30:13 +09:00			`},`
			`)`
			`assert response.status_code == 200`
			`data = response.json()`
			`assert "access_token" in data`
			`assert data["token_type"] == "bearer"`


			`def test_login_wrong_password(client: TestClient, test_user):`
			`"""Test login with wrong password."""`
			`response = client.post(`
			`"/api/auth/login",`
feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`json={`
feat: add E2E tests for backend and frontend Backend (pytest): - Auth flow tests (login, token, protected routes) - Portfolio CRUD and transaction tests - Strategy endpoint tests - Backtest flow tests - Snapshot and returns tests Frontend (Playwright): - Auth page tests - Portfolio navigation tests - Strategy page tests - Backtest page tests - Playwright configuration Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 12:30:13 +09:00			`"username": "testuser",`
feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`"password": _sha256("wrongpassword"),`
feat: add E2E tests for backend and frontend Backend (pytest): - Auth flow tests (login, token, protected routes) - Portfolio CRUD and transaction tests - Strategy endpoint tests - Backtest flow tests - Snapshot and returns tests Frontend (Playwright): - Auth page tests - Portfolio navigation tests - Strategy page tests - Backtest page tests - Playwright configuration Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 12:30:13 +09:00			`},`
			`)`
			`assert response.status_code == 401`


			`def test_login_nonexistent_user(client: TestClient):`
			`"""Test login with nonexistent user."""`
			`response = client.post(`
			`"/api/auth/login",`
feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`json={`
feat: add E2E tests for backend and frontend Backend (pytest): - Auth flow tests (login, token, protected routes) - Portfolio CRUD and transaction tests - Strategy endpoint tests - Backtest flow tests - Snapshot and returns tests Frontend (Playwright): - Auth page tests - Portfolio navigation tests - Strategy page tests - Backtest page tests - Playwright configuration Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 12:30:13 +09:00			`"username": "nonexistent",`
feat: client-side password hashing and admin user auto-seeding - Hash passwords with SHA-256 on frontend before transmission to prevent raw password exposure in network traffic and server logs - Switch login endpoint from OAuth2 form-data to JSON body - Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD env vars, solving login failure after registration was disabled - Update auth tests to match new SHA-256 + JSON login flow Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 22:21:36 +09:00			`"password": _sha256("password"),`
feat: add E2E tests for backend and frontend Backend (pytest): - Auth flow tests (login, token, protected routes) - Portfolio CRUD and transaction tests - Strategy endpoint tests - Backtest flow tests - Snapshot and returns tests Frontend (Playwright): - Auth page tests - Portfolio navigation tests - Strategy page tests - Backtest page tests - Playwright configuration Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-03 12:30:13 +09:00			`},`
			`)`
			`assert response.status_code == 401`


			`def test_get_current_user(client: TestClient, auth_headers):`
			`"""Test getting current user info."""`
			`response = client.get("/api/auth/me", headers=auth_headers)`
			`assert response.status_code == 200`
			`data = response.json()`
			`assert data["username"] == "testuser"`
			`assert data["email"] == "test@example.com"`


			`def test_get_current_user_no_token(client: TestClient):`
			`"""Test getting current user without token."""`
			`response = client.get("/api/auth/me")`
			`assert response.status_code == 401`


			`def test_get_current_user_invalid_token(client: TestClient):`
			`"""Test getting current user with invalid token."""`
			`response = client.get(`
			`"/api/auth/me",`
			`headers={"Authorization": "Bearer invalid_token"},`
			`)`
			`assert response.status_code == 401`