a2824b2132
- Added CSRF protection mechanism in the backend with utility functions for token management. - Introduced a new CSRF route to fetch the active CSRF token for SPA bootstrap flows. - Updated the auth routes to validate CSRF tokens on sensitive operations. - Configured PostgreSQL as a database option in the environment settings and Docker Compose. - Created a new SQLite configuration file for local development. - Enhanced the API client to automatically attach CSRF tokens to requests. - Updated various frontend components to utilize the new site origin utility for SEO purposes. - Modified Nginx configuration to improve redirection and SEO headers. - Added tests for CSRF token handling in the authentication routes.
97 lines
3.4 KiB
Python
97 lines
3.4 KiB
Python
"""Tests for session-backed authentication routes."""
|
|
|
|
|
|
class TestAuthRoutes:
|
|
def test_csrf_bootstrap_returns_token(self, client):
|
|
response = client.get('/api/auth/csrf')
|
|
|
|
assert response.status_code == 200
|
|
assert isinstance(response.get_json()['csrf_token'], str)
|
|
assert response.get_json()['csrf_token']
|
|
|
|
def test_register_success(self, client):
|
|
response = client.post(
|
|
'/api/auth/register',
|
|
json={'email': 'user@example.com', 'password': 'secretpass123'},
|
|
)
|
|
|
|
assert response.status_code == 201
|
|
data = response.get_json()
|
|
assert data['user']['email'] == 'user@example.com'
|
|
assert data['user']['plan'] == 'free'
|
|
assert data['user']['role'] == 'user'
|
|
|
|
def test_register_assigns_admin_role_for_allowlisted_email(self, app, client):
|
|
app.config['INTERNAL_ADMIN_EMAILS'] = ('admin@example.com',)
|
|
|
|
response = client.post(
|
|
'/api/auth/register',
|
|
json={'email': 'admin@example.com', 'password': 'secretpass123'},
|
|
)
|
|
|
|
assert response.status_code == 201
|
|
assert response.get_json()['user']['role'] == 'admin'
|
|
|
|
def test_register_duplicate_email(self, client):
|
|
client.post(
|
|
'/api/auth/register',
|
|
json={'email': 'user@example.com', 'password': 'secretpass123'},
|
|
)
|
|
response = client.post(
|
|
'/api/auth/register',
|
|
json={'email': 'user@example.com', 'password': 'secretpass123'},
|
|
)
|
|
|
|
assert response.status_code == 409
|
|
assert 'already exists' in response.get_json()['error'].lower()
|
|
|
|
def test_login_and_me(self, client):
|
|
client.post(
|
|
'/api/auth/register',
|
|
json={'email': 'user@example.com', 'password': 'secretpass123'},
|
|
)
|
|
client.post('/api/auth/logout')
|
|
|
|
login_response = client.post(
|
|
'/api/auth/login',
|
|
json={'email': 'user@example.com', 'password': 'secretpass123'},
|
|
)
|
|
me_response = client.get('/api/auth/me')
|
|
|
|
assert login_response.status_code == 200
|
|
assert me_response.status_code == 200
|
|
me_data = me_response.get_json()
|
|
assert me_data['authenticated'] is True
|
|
assert me_data['user']['email'] == 'user@example.com'
|
|
|
|
def test_login_invalid_password(self, client):
|
|
client.post(
|
|
'/api/auth/register',
|
|
json={'email': 'user@example.com', 'password': 'secretpass123'},
|
|
)
|
|
client.post('/api/auth/logout')
|
|
|
|
response = client.post(
|
|
'/api/auth/login',
|
|
json={'email': 'user@example.com', 'password': 'wrongpass123'},
|
|
)
|
|
|
|
assert response.status_code == 401
|
|
assert 'invalid email or password' in response.get_json()['error'].lower()
|
|
|
|
def test_me_without_session(self, client):
|
|
response = client.get('/api/auth/me')
|
|
|
|
assert response.status_code == 200
|
|
assert response.get_json() == {'authenticated': False, 'user': None}
|
|
|
|
def test_register_rejects_invalid_csrf_token(self, client):
|
|
response = client.post(
|
|
'/api/auth/register',
|
|
json={'email': 'csrf@example.com', 'password': 'secretpass123'},
|
|
headers={'X-CSRF-Token': 'invalid-token'},
|
|
)
|
|
|
|
assert response.status_code == 403
|
|
assert 'csrf' in response.get_json()['error'].lower()
|