v1

2026-04-18 07:23:55 +12:00
parent f210020772
commit 6d44e05de4
396 changed files with 75296 additions and 0 deletions
@@ -0,0 +1,81 @@
+"""
+Tests for the /api/v1/auth/* endpoints.
+"""
+import pytest
+from httpx import AsyncClient
+
+pytestmark = pytest.mark.asyncio
+
+
+async def test_login_valid_credentials(client: AsyncClient, admin_user):
+    """Login with correct credentials returns 200 and both tokens."""
+    response = await client.post(
+        "/api/v1/auth/login",
+        json={"email": "admin@example.com", "password": "testpassword"},
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert "access_token" in data
+    assert "refresh_token" in data
+    assert data["token_type"] == "bearer"
+    assert len(data["access_token"]) > 10
+    assert len(data["refresh_token"]) > 10
+
+
+async def test_login_invalid_password(client: AsyncClient, admin_user):
+    """Login with wrong password returns 401."""
+    response = await client.post(
+        "/api/v1/auth/login",
+        json={"email": "admin@example.com", "password": "wrongpassword"},
+    )
+    assert response.status_code == 401
+    assert "Invalid" in response.json()["detail"]
+
+
+async def test_login_unknown_email(client: AsyncClient):
+    """Login with unknown email returns 401."""
+    response = await client.post(
+        "/api/v1/auth/login",
+        json={"email": "nobody@example.com", "password": "whatever"},
+    )
+    assert response.status_code == 401
+
+
+async def test_refresh_token_flow(client: AsyncClient, admin_user):
+    """Valid refresh token returns a new token pair; old token is revoked."""
+    # Login to get initial tokens
+    login_resp = await client.post(
+        "/api/v1/auth/login",
+        json={"email": "admin@example.com", "password": "testpassword"},
+    )
+    assert login_resp.status_code == 200
+    tokens = login_resp.json()
+    original_refresh = tokens["refresh_token"]
+
+    # Use the refresh token to get a new pair
+    refresh_resp = await client.post(
+        "/api/v1/auth/refresh",
+        json={"refresh_token": original_refresh},
+    )
+    assert refresh_resp.status_code == 200
+    new_tokens = refresh_resp.json()
+    assert "access_token" in new_tokens
+    assert "refresh_token" in new_tokens
+    # New refresh token should be different
+    assert new_tokens["refresh_token"] != original_refresh
+
+    # Using the old refresh token should now fail (revoked)
+    reuse_resp = await client.post(
+        "/api/v1/auth/refresh",
+        json={"refresh_token": original_refresh},
+    )
+    assert reuse_resp.status_code == 401
+
+
+async def test_refresh_invalid_token(client: AsyncClient):
+    """Passing a made-up refresh token returns 401."""
+    response = await client.post(
+        "/api/v1/auth/refresh",
+        json={"refresh_token": "not-a-real-token"},
+    )
+    assert response.status_code == 401