Adriano/TieMeasureFlow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
feature/rev04-phase1-stations
TieMeasureFlow/server/tests/test_auth.py
T
Adriano dd2ebf863a feat: FASE 7 - Polish & Testing (security, i18n, test suite, docs) 
Security hardening: CORS lockdown, rate limiting middleware con sliding
window e eviction IP stale, security headers (CSP, HSTS, X-Frame-Options),
session cookie hardening, filename sanitization upload.

i18n completion: internazionalizzati barcode.js e csv-export.js con bridge
window.BARCODE_I18N/CSV_I18N, aggiornati .po IT/EN con 27 nuove stringhe.

Tablet UX: touch target 44px per dispositivi coarse pointer.

Test suite: 101 test totali (76 server + 25 client), copertura completa
di tutti i router API, autenticazione, ruoli, CRUD, SPC, file upload,
security integration. Infrastruttura SQLite async in-memory con fixtures.

Fix critici: MissingGreenlet in recipe_service (selectinload eager),
route ordering tasks.py, auth_service bcrypt diretto, Measurement.id
Integer per SQLite.

Documentazione: API.md (riferimento completo 40+ endpoint),
DEPLOYMENT.md (guida produzione con Docker/Nginx/SSL),
USER_GUIDE.md (manuale utente per ruolo).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 17:10:24 +01:00

97 lines
3.6 KiB
Python
Raw Permalink Blame History

"""Tests for authentication router (/api/auth)."""
import pytest
from httpx import AsyncClient
from tests.conftest import _create_user, auth_headers
class TestLogin:
"""POST /api/auth/login tests."""
async def test_login_success(self, client: AsyncClient, db_session):
"""Successful login returns user data and API key."""
user = await _create_user(
db_session, username="loginuser", password="SecurePass1"
)
resp = await client.post(
"/api/auth/login",
json={"username": "loginuser", "password": "SecurePass1"},
)
assert resp.status_code == 200
data = resp.json()
assert data["user"]["username"] == "loginuser"
assert "api_key" in data
assert len(data["api_key"]) > 0
async def test_login_wrong_password(self, client: AsyncClient, db_session):
"""Login with wrong password returns 401."""
await _create_user(
db_session, username="wrongpw", password="CorrectPass1"
)
resp = await client.post(
"/api/auth/login",
json={"username": "wrongpw", "password": "WrongPass1"},
)
assert resp.status_code == 401
assert "Invalid" in resp.json()["detail"]
async def test_login_unknown_user(self, client: AsyncClient):
"""Login with non-existent username returns 401."""
resp = await client.post(
"/api/auth/login",
json={"username": "nonexistent", "password": "Anything1"},
)
assert resp.status_code == 401
async def test_login_inactive_user(self, client: AsyncClient, db_session):
"""Login with inactive user returns 401."""
await _create_user(
db_session,
username="inactive_user",
password="InactivePass1",
active=False,
)
resp = await client.post(
"/api/auth/login",
json={"username": "inactive_user", "password": "InactivePass1"},
)
assert resp.status_code == 401
async def test_login_missing_fields(self, client: AsyncClient):
"""Login with missing fields returns 422."""
resp = await client.post("/api/auth/login", json={"username": "only"})
assert resp.status_code == 422
async def test_login_returns_api_key(self, client: AsyncClient, db_session):
"""Login response contains a valid api_key string."""
await _create_user(
db_session, username="apikey_user", password="KeyPass123"
)
resp = await client.post(
"/api/auth/login",
json={"username": "apikey_user", "password": "KeyPass123"},
)
assert resp.status_code == 200
api_key = resp.json()["api_key"]
# API key should be a non-empty string (base64url, ~64 chars)
assert isinstance(api_key, str)
assert len(api_key) >= 32
class TestHealthAndAuth:
"""Health check and auth requirement tests."""
async def test_health_check_no_auth(self, client: AsyncClient):
"""Health check endpoint works without authentication."""
resp = await client.get("/api/health")
assert resp.status_code == 200
data = resp.json()
assert data["status"] == "ok"
assert "version" in data
async def test_endpoint_requires_api_key(self, client: AsyncClient):
"""Protected endpoint returns 401 without API key."""
resp = await client.get("/api/users")
assert resp.status_code == 401
assert "API key" in resp.json()["detail"] or "Missing" in resp.json()["detail"]
Reference in New Issue View Git Blame Copy Permalink