test(backend): cover auth schemas + login/engagement E2E
Unit: - test_auth_schemas: LoginRequest validation (min/max bounds, extra-fields policy) + serialize_current_user round-trip (RT lead permission set, RT operator subset, display_name None pass-through). Integration (testcontainers Postgres, marked `integration`): - test_login_then_create_and_list_engagement: full sprint-1 user journey — /me → 401, POST /login → 200, /me → 200, POST /engagements → 201, GET /engagements lists the new row, POST /logout → 204, /me → 401. - test_login_rejects_bad_credentials: wrong password AND unknown user return the exact same 401 invalid_credentials envelope (no enumeration leak). - test_logout_without_session_returns_401: /logout on anonymous returns the uniform not_authenticated envelope. Unit total: 61 passed in 0.50s. Integration tests skip locally when testcontainers is absent.
This commit is contained in:
knacky
71
backend/tests/unit/test_auth_schemas.py
Normal file
71
backend/tests/unit/test_auth_schemas.py
Normal file
@@ -0,0 +1,71 @@
|
||||
"""Auth DTOs + current-user serializer (no DB / no Flask context)."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from uuid import uuid4
|
||||
|
||||
import pytest
|
||||
from pydantic import ValidationError
|
||||
|
||||
from mimic.api._helpers import serialize_current_user
|
||||
from mimic.auth.identity import AuthUser
|
||||
from mimic.db.types import UserType
|
||||
from mimic.rbac.matrix import GROUP_PERMISSIONS, GroupName, Permission
|
||||
from mimic.schemas import CurrentUser, LoginRequest
|
||||
|
||||
|
||||
def test_login_request_minimal_payload() -> None:
|
||||
req = LoginRequest.model_validate({"username": "alice@x", "password": "hunter2"})
|
||||
assert req.username == "alice@x"
|
||||
assert req.password == "hunter2"
|
||||
|
||||
|
||||
def test_login_request_rejects_empty() -> None:
|
||||
with pytest.raises(ValidationError):
|
||||
LoginRequest.model_validate({"username": "", "password": "x"})
|
||||
with pytest.raises(ValidationError):
|
||||
LoginRequest.model_validate({"username": "alice", "password": ""})
|
||||
|
||||
|
||||
def test_login_request_rejects_unknown_fields() -> None:
|
||||
# Pydantic 2 default behavior: extra fields are allowed but ignored.
|
||||
# We assert the strict shape stays minimal by passing only known fields.
|
||||
payload = {"username": "alice", "password": "x", "remember_me": True}
|
||||
req = LoginRequest.model_validate(payload)
|
||||
assert not hasattr(req, "remember_me")
|
||||
|
||||
|
||||
def test_serialize_current_user_round_trip() -> None:
|
||||
uid = uuid4()
|
||||
auth_user = AuthUser(
|
||||
id=uid,
|
||||
email="lead@example.org",
|
||||
display_name="Lead",
|
||||
user_type=UserType.RT_LEAD,
|
||||
permissions=frozenset(GROUP_PERMISSIONS[GroupName.RT_LEAD]),
|
||||
groups=frozenset({GroupName.RT_LEAD.value}),
|
||||
)
|
||||
payload: CurrentUser = serialize_current_user(auth_user)
|
||||
assert payload.user_id == uid
|
||||
assert payload.username == "lead@example.org"
|
||||
assert payload.display_name == "Lead"
|
||||
assert payload.role is UserType.RT_LEAD
|
||||
assert payload.groups == [GroupName.RT_LEAD.value]
|
||||
# Permissions are sorted as their string values for stable client diffs.
|
||||
assert payload.permissions == sorted(p.value for p in Permission)
|
||||
|
||||
|
||||
def test_serialize_current_user_operator_subset() -> None:
|
||||
auth_user = AuthUser(
|
||||
id=uuid4(),
|
||||
email="op@example.org",
|
||||
user_type=UserType.RT_OPERATOR,
|
||||
permissions=frozenset(GROUP_PERMISSIONS[GroupName.RT_OPERATOR]),
|
||||
groups=frozenset({GroupName.RT_OPERATOR.value}),
|
||||
)
|
||||
payload = serialize_current_user(auth_user)
|
||||
assert payload.role is UserType.RT_OPERATOR
|
||||
assert payload.display_name is None
|
||||
expected = sorted(p.value for p in GROUP_PERMISSIONS[GroupName.RT_OPERATOR])
|
||||
assert payload.permissions == expected
|
||||
assert Permission.RUN_CONTROL.value not in payload.permissions
|
||||
Reference in New Issue
Block a user