backend/tests/test_auth.py

"""
Tests for the /api/v1/auth/* endpoints.
"""
import pytest
from httpx import AsyncClient

pytestmark = pytest.mark.asyncio


async def test_login_valid_credentials(client: AsyncClient, admin_user):
    """Login with correct credentials returns 200 and both tokens."""
    response = await client.post(
        "/api/v1/auth/login",
        json={"email": "admin@example.com", "password": "testpassword"},
    )
    assert response.status_code == 200
    data = response.json()
    assert "access_token" in data
    assert "refresh_token" in data
    assert data["token_type"] == "bearer"
    assert len(data["access_token"]) > 10
    assert len(data["refresh_token"]) > 10


async def test_login_invalid_password(client: AsyncClient, admin_user):
    """Login with wrong password returns 401."""
    response = await client.post(
        "/api/v1/auth/login",
        json={"email": "admin@example.com", "password": "wrongpassword"},
    )
    assert response.status_code == 401
    assert "Invalid" in response.json()["detail"]


async def test_login_unknown_email(client: AsyncClient):
    """Login with unknown email returns 401."""
    response = await client.post(
        "/api/v1/auth/login",
        json={"email": "nobody@example.com", "password": "whatever"},
    )
    assert response.status_code == 401


async def test_refresh_token_flow(client: AsyncClient, admin_user):
    """Valid refresh token returns a new token pair; old token is revoked."""
    # Login to get initial tokens
    login_resp = await client.post(
        "/api/v1/auth/login",
        json={"email": "admin@example.com", "password": "testpassword"},
    )
    assert login_resp.status_code == 200
    tokens = login_resp.json()
    original_refresh = tokens["refresh_token"]

    # Use the refresh token to get a new pair
    refresh_resp = await client.post(
        "/api/v1/auth/refresh",
        json={"refresh_token": original_refresh},
    )
    assert refresh_resp.status_code == 200
    new_tokens = refresh_resp.json()
    assert "access_token" in new_tokens
    assert "refresh_token" in new_tokens
    # New refresh token should be different
    assert new_tokens["refresh_token"] != original_refresh

    # Using the old refresh token should now fail (revoked)
    reuse_resp = await client.post(
        "/api/v1/auth/refresh",
        json={"refresh_token": original_refresh},
    )
    assert reuse_resp.status_code == 401


async def test_refresh_invalid_token(client: AsyncClient):
    """Passing a made-up refresh token returns 401."""
    response = await client.post(
        "/api/v1/auth/refresh",
        json={"refresh_token": "not-a-real-token"},
    )
    assert response.status_code == 401
v1 2026-04-18 07:23:55 +12:00			`"""`
			`Tests for the /api/v1/auth/* endpoints.`
			`"""`
			`import pytest`
			`from httpx import AsyncClient`

			`pytestmark = pytest.mark.asyncio`


			`async def test_login_valid_credentials(client: AsyncClient, admin_user):`
			`"""Login with correct credentials returns 200 and both tokens."""`
			`response = await client.post(`
			`"/api/v1/auth/login",`
			`json={"email": "admin@example.com", "password": "testpassword"},`
			`)`
			`assert response.status_code == 200`
			`data = response.json()`
			`assert "access_token" in data`
			`assert "refresh_token" in data`
			`assert data["token_type"] == "bearer"`
			`assert len(data["access_token"]) > 10`
			`assert len(data["refresh_token"]) > 10`


			`async def test_login_invalid_password(client: AsyncClient, admin_user):`
			`"""Login with wrong password returns 401."""`
			`response = await client.post(`
			`"/api/v1/auth/login",`
			`json={"email": "admin@example.com", "password": "wrongpassword"},`
			`)`
			`assert response.status_code == 401`
			`assert "Invalid" in response.json()["detail"]`


			`async def test_login_unknown_email(client: AsyncClient):`
			`"""Login with unknown email returns 401."""`
			`response = await client.post(`
			`"/api/v1/auth/login",`
			`json={"email": "nobody@example.com", "password": "whatever"},`
			`)`
			`assert response.status_code == 401`


			`async def test_refresh_token_flow(client: AsyncClient, admin_user):`
			`"""Valid refresh token returns a new token pair; old token is revoked."""`
			`# Login to get initial tokens`
			`login_resp = await client.post(`
			`"/api/v1/auth/login",`
			`json={"email": "admin@example.com", "password": "testpassword"},`
			`)`
			`assert login_resp.status_code == 200`
			`tokens = login_resp.json()`
			`original_refresh = tokens["refresh_token"]`

			`# Use the refresh token to get a new pair`
			`refresh_resp = await client.post(`
			`"/api/v1/auth/refresh",`
			`json={"refresh_token": original_refresh},`
			`)`
			`assert refresh_resp.status_code == 200`
			`new_tokens = refresh_resp.json()`
			`assert "access_token" in new_tokens`
			`assert "refresh_token" in new_tokens`
			`# New refresh token should be different`
			`assert new_tokens["refresh_token"] != original_refresh`

			`# Using the old refresh token should now fail (revoked)`
			`reuse_resp = await client.post(`
			`"/api/v1/auth/refresh",`
			`json={"refresh_token": original_refresh},`
			`)`
			`assert reuse_resp.status_code == 401`


			`async def test_refresh_invalid_token(client: AsyncClient):`
			`"""Passing a made-up refresh token returns 401."""`
			`response = await client.post(`
			`"/api/v1/auth/refresh",`
			`json={"refresh_token": "not-a-real-token"},`
			`)`
			`assert response.status_code == 401`