- Hash passwords with SHA-256 on the frontend before transmission to prevent raw password exposure in network traffic and server logs
- Switch the login endpoint from OAuth2 form data to a JSON body
- Auto-create the admin user on startup from the ADMIN_USERNAME/ADMIN_PASSWORD env vars, fixing the login failure that followed disabling registration
- Update auth tests to match the new SHA-256 + JSON login flow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
"""
E2E tests for authentication flow.
"""
import hashlib
import pytest
from fastapi.testclient import TestClient
def _sha256(password: str) -> str:
    """Return the hex SHA-256 digest the client submits in place of the raw password.

    Mirrors the browser-side transformation so these tests send exactly what
    the real frontend would. The digest is unsalted and deterministic, and it
    is the value the login endpoint accepts, so treat it with the same care as
    the password itself.
    NOTE(review): presumably the server still stores and compares it through a
    salted, slow password hash rather than comparing the digest directly —
    confirm against the auth service.
    """
    hasher = hashlib.sha256()
    hasher.update(password.encode("utf-8"))
    return hasher.hexdigest()
def test_health_check(client: TestClient):
    """The liveness endpoint answers 200 with the fixed healthy payload."""
    reply = client.get("/health")
    assert reply.status_code == 200
    body = reply.json()
    assert body == {"status": "healthy"}
def test_login_success(client: TestClient, test_user):
    """Valid username plus the client-side password digest yields a bearer token.

    The endpoint takes a JSON body, and the ``password`` field carries the
    SHA-256 digest rather than the plaintext, matching the frontend.
    NOTE(review): ``test_user`` is assumed to create "testuser" with password
    "testpassword" — verify against the fixture in conftest.
    """
    credentials = {
        "username": "testuser",
        "password": _sha256("testpassword"),
    }
    reply = client.post("/api/auth/login", json=credentials)
    assert reply.status_code == 200
    token_payload = reply.json()
    assert "access_token" in token_payload
    assert token_payload["token_type"] == "bearer"
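def test_login_wrong_password(client: TestClient, test_user):
    """A wrong password digest is rejected with 401 and no token is issued.

    The second assertion checks the raw response text rather than parsing
    JSON, so it holds whatever body shape the error handler produces.
    NOTE(review): ``test_user`` is assumed to create "testuser" — verify
    against the fixture in conftest.
    """
    credentials = {
        "username": "testuser",
        "password": _sha256("wrongpassword"),
    }
    reply = client.post("/api/auth/login", json=credentials)
    assert reply.status_code == 401
    # A failed login must never hand back a credential in its body.
    assert "access_token" not in reply.text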
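def test_login_nonexistent_user(client: TestClient):
    """An unknown username is rejected with 401 and no token is issued.

    The status is deliberately the same 401 as for a wrong password, so the
    status code alone does not reveal whether the username exists. The second
    assertion checks the raw response text rather than parsing JSON, so it
    holds whatever body shape the error handler produces.
    """
    credentials = {
        "username": "nonexistent",
        "password": _sha256("password"),
    }
    reply = client.post("/api/auth/login", json=credentials)
    assert reply.status_code == 401
    # A failed login must never hand back a credential in its body.
    assert "access_token" not in reply.text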
def test_get_current_user(client: TestClient, auth_headers):
    """With a valid bearer token, /api/auth/me returns the caller's own profile.

    NOTE(review): ``auth_headers`` is assumed to carry an Authorization header
    for "testuser" (email "test@example.com") — verify against conftest.
    """
    reply = client.get("/api/auth/me", headers=auth_headers)
    assert reply.status_code == 200
    profile = reply.json()
    assert profile["username"] == "testuser"
    assert profile["email"] == "test@example.com"
def test_get_current_user_no_token(client: TestClient):
    """Without an Authorization header, /api/auth/me is refused with 401."""
    reply = client.get("/api/auth/me")
    assert reply.status_code == 401
def test_get_current_user_invalid_token(client: TestClient):
    """A syntactically well-formed but bogus bearer token is refused with 401."""
    bogus_auth = {"Authorization": "Bearer invalid_token"}
    reply = client.get("/api/auth/me", headers=bogus_auth)
    assert reply.status_code == 401