feat: FASE 7 - Polish & Testing (security, i18n, test suite, docs)

Security hardening: CORS lockdown, rate limiting middleware con sliding window e eviction IP stale, security headers (CSP, HSTS, X-Frame-Options), session cookie hardening, filename sanitization upload. i18n completion: internazionalizzati barcode.js e csv-export.js con bridge window.BARCODE_I18N/CSV_I18N, aggiornati .po IT/EN con 27 nuove stringhe. Tablet UX: touch target 44px per dispositivi coarse pointer. Test suite: 101 test totali (76 server + 25 client), copertura completa di tutti i router API, autenticazione, ruoli, CRUD, SPC, file upload, security integration. Infrastruttura SQLite async in-memory con fixtures. Fix critici: MissingGreenlet in recipe_service (selectinload eager), route ordering tasks.py, auth_service bcrypt diretto, Measurement.id Integer per SQLite. Documentazione: API.md (riferimento completo 40+ endpoint), DEPLOYMENT.md (guida produzione con Docker/Nginx/SSL), USER_GUIDE.md (manuale utente per ruolo). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 17:10:24 +01:00
parent 26e5b9343d
commit dd2ebf863a
46 changed files with 6322 additions and 90 deletions
@@ -0,0 +1,96 @@
+"""Tests for authentication router (/api/auth)."""
+import pytest
+from httpx import AsyncClient
+
+from tests.conftest import _create_user, auth_headers
+
+
+class TestLogin:
+    """POST /api/auth/login tests."""
+
+    async def test_login_success(self, client: AsyncClient, db_session):
+        """Successful login returns user data and API key."""
+        user = await _create_user(
+            db_session, username="loginuser", password="SecurePass1"
+        )
+        resp = await client.post(
+            "/api/auth/login",
+            json={"username": "loginuser", "password": "SecurePass1"},
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["user"]["username"] == "loginuser"
+        assert "api_key" in data
+        assert len(data["api_key"]) > 0
+
+    async def test_login_wrong_password(self, client: AsyncClient, db_session):
+        """Login with wrong password returns 401."""
+        await _create_user(
+            db_session, username="wrongpw", password="CorrectPass1"
+        )
+        resp = await client.post(
+            "/api/auth/login",
+            json={"username": "wrongpw", "password": "WrongPass1"},
+        )
+        assert resp.status_code == 401
+        assert "Invalid" in resp.json()["detail"]
+
+    async def test_login_unknown_user(self, client: AsyncClient):
+        """Login with non-existent username returns 401."""
+        resp = await client.post(
+            "/api/auth/login",
+            json={"username": "nonexistent", "password": "Anything1"},
+        )
+        assert resp.status_code == 401
+
+    async def test_login_inactive_user(self, client: AsyncClient, db_session):
+        """Login with inactive user returns 401."""
+        await _create_user(
+            db_session,
+            username="inactive_user",
+            password="InactivePass1",
+            active=False,
+        )
+        resp = await client.post(
+            "/api/auth/login",
+            json={"username": "inactive_user", "password": "InactivePass1"},
+        )
+        assert resp.status_code == 401
+
+    async def test_login_missing_fields(self, client: AsyncClient):
+        """Login with missing fields returns 422."""
+        resp = await client.post("/api/auth/login", json={"username": "only"})
+        assert resp.status_code == 422
+
+    async def test_login_returns_api_key(self, client: AsyncClient, db_session):
+        """Login response contains a valid api_key string."""
+        await _create_user(
+            db_session, username="apikey_user", password="KeyPass123"
+        )
+        resp = await client.post(
+            "/api/auth/login",
+            json={"username": "apikey_user", "password": "KeyPass123"},
+        )
+        assert resp.status_code == 200
+        api_key = resp.json()["api_key"]
+        # API key should be a non-empty string (base64url, ~64 chars)
+        assert isinstance(api_key, str)
+        assert len(api_key) >= 32
+
+
+class TestHealthAndAuth:
+    """Health check and auth requirement tests."""
+
+    async def test_health_check_no_auth(self, client: AsyncClient):
+        """Health check endpoint works without authentication."""
+        resp = await client.get("/api/health")
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["status"] == "ok"
+        assert "version" in data
+
+    async def test_endpoint_requires_api_key(self, client: AsyncClient):
+        """Protected endpoint returns 401 without API key."""
+        resp = await client.get("/api/users")
+        assert resp.status_code == 401
+        assert "API key" in resp.json()["detail"] or "Missing" in resp.json()["detail"]