2026-02-05 15:13:06 +08:00
|
|
|
from __future__ import annotations
|
|
|
|
|
|
|
|
|
|
from typing import Callable
|
|
|
|
|
|
2026-02-25 13:34:02 +08:00
|
|
|
import pytest
|
2026-02-05 15:13:06 +08:00
|
|
|
from fastapi import HTTPException
|
|
|
|
|
from fastapi.testclient import TestClient
|
|
|
|
|
|
|
|
|
|
from app import app
|
|
|
|
|
from v1.auth.dependencies import get_auth_service
|
2026-02-25 13:34:02 +08:00
|
|
|
from v1.auth.rate_limit import reset_rate_limit_state
|
2026-02-24 16:38:30 +08:00
|
|
|
from v1.auth.schemas import (
|
2026-02-05 15:13:06 +08:00
|
|
|
AuthUser,
|
2026-02-27 15:22:42 +08:00
|
|
|
PasswordResetConfirmRequest,
|
|
|
|
|
PasswordResetRequest,
|
2026-02-26 14:08:10 +08:00
|
|
|
SessionCreateRequest,
|
|
|
|
|
SessionRefreshRequest,
|
|
|
|
|
SessionResponse,
|
|
|
|
|
UserByEmailResponse,
|
|
|
|
|
VerificationCreateRequest,
|
|
|
|
|
VerificationCreateResponse,
|
|
|
|
|
VerificationResendRequest,
|
|
|
|
|
VerificationVerifyRequest,
|
2026-02-05 15:13:06 +08:00
|
|
|
)
|
|
|
|
|
from v1.auth.service import AuthService
|
|
|
|
|
|
|
|
|
|
|
2026-02-25 13:34:02 +08:00
|
|
|
@pytest.fixture(autouse=True)
|
|
|
|
|
def reset_auth_rate_limit_state() -> None:
|
|
|
|
|
reset_rate_limit_state()
|
|
|
|
|
|
|
|
|
|
|
2026-02-05 15:13:06 +08:00
|
|
|
class FakeAuthService(AuthService):
|
2026-02-26 14:08:10 +08:00
|
|
|
def __init__(self, token_response: SessionResponse) -> None:
|
2026-02-05 15:13:06 +08:00
|
|
|
self._token_response = token_response
|
|
|
|
|
|
2026-02-26 14:08:10 +08:00
|
|
|
async def create_verification(
|
|
|
|
|
self, request: VerificationCreateRequest
|
|
|
|
|
) -> VerificationCreateResponse:
|
2026-02-25 13:34:02 +08:00
|
|
|
if request.email == "exists@example.com":
|
|
|
|
|
raise HTTPException(status_code=422, detail="Invalid signup request")
|
2026-02-26 14:08:10 +08:00
|
|
|
return VerificationCreateResponse(email=request.email)
|
2026-02-25 13:34:02 +08:00
|
|
|
|
2026-02-26 14:08:10 +08:00
|
|
|
async def verify_verification(
|
|
|
|
|
self, request: VerificationVerifyRequest
|
|
|
|
|
) -> SessionResponse:
|
2026-02-25 13:34:02 +08:00
|
|
|
if request.token == "000000":
|
|
|
|
|
raise HTTPException(status_code=401, detail="Invalid verification code")
|
2026-02-05 15:13:06 +08:00
|
|
|
return self._token_response
|
|
|
|
|
|
2026-02-26 14:08:10 +08:00
|
|
|
async def resend_verification(self, request: VerificationResendRequest) -> None:
|
|
|
|
|
return None
|
2026-02-25 13:34:02 +08:00
|
|
|
|
2026-02-26 14:08:10 +08:00
|
|
|
async def create_session(self, request: SessionCreateRequest) -> SessionResponse:
|
2026-02-05 15:13:06 +08:00
|
|
|
raise HTTPException(status_code=401, detail="Invalid credentials")
|
|
|
|
|
|
2026-02-26 14:08:10 +08:00
|
|
|
async def refresh_session(self, request: SessionRefreshRequest) -> SessionResponse:
|
2026-02-05 15:13:06 +08:00
|
|
|
raise HTTPException(status_code=401, detail="Invalid refresh token")
|
|
|
|
|
|
2026-02-26 14:08:10 +08:00
|
|
|
async def delete_session(self, refresh_token: str | None) -> None:
|
2026-02-05 15:13:06 +08:00
|
|
|
return None
|
|
|
|
|
|
2026-02-26 14:08:10 +08:00
|
|
|
async def get_user_by_email(self, email: str) -> UserByEmailResponse:
|
2026-02-25 10:20:43 +08:00
|
|
|
if email == "missing@example.com":
|
|
|
|
|
raise HTTPException(status_code=404, detail="User not found")
|
2026-02-26 14:08:10 +08:00
|
|
|
return UserByEmailResponse(
|
2026-02-25 10:20:43 +08:00
|
|
|
id="user-1",
|
|
|
|
|
email=email,
|
|
|
|
|
created_at="2026-02-24T00:00:00Z",
|
|
|
|
|
email_confirmed_at=None,
|
|
|
|
|
)
|
|
|
|
|
|
2026-02-27 15:22:42 +08:00
|
|
|
async def request_password_reset(self, request: PasswordResetRequest) -> None:
|
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
async def confirm_password_reset(
|
|
|
|
|
self, request: PasswordResetConfirmRequest
|
|
|
|
|
) -> None:
|
|
|
|
|
if request.token == "000000":
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=401, detail="Invalid or expired verification code"
|
|
|
|
|
)
|
|
|
|
|
return None
|
|
|
|
|
|
2026-02-05 15:13:06 +08:00
|
|
|
|
|
|
|
|
def _override_auth_service(service: AuthService) -> Callable[[], AuthService]:
|
|
|
|
|
def _get_service() -> AuthService:
|
|
|
|
|
return service
|
|
|
|
|
|
|
|
|
|
return _get_service
|
|
|
|
|
|
|
|
|
|
|
2026-02-25 13:34:02 +08:00
|
|
|
def test_signup_start_returns_pending_response() -> None:
|
2026-02-05 15:13:06 +08:00
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-05 15:13:06 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-02-26 14:08:10 +08:00
|
|
|
"/api/v1/auth/verifications",
|
2026-02-25 10:20:43 +08:00
|
|
|
json={
|
|
|
|
|
"username": "demo",
|
|
|
|
|
"email": "user@example.com",
|
|
|
|
|
"password": "secret123",
|
|
|
|
|
},
|
2026-02-05 15:13:06 +08:00
|
|
|
)
|
2026-02-25 13:34:02 +08:00
|
|
|
assert response.status_code == 202
|
2026-02-26 14:12:39 +08:00
|
|
|
assert response.json() == {"email": "user@example.com"}
|
2026-02-25 13:34:02 +08:00
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_signup_verify_returns_token_response() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 13:34:02 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/verify",
|
2026-02-25 13:34:02 +08:00
|
|
|
json={"email": "user@example.com", "token": "123456"},
|
|
|
|
|
)
|
2026-02-05 15:13:06 +08:00
|
|
|
assert response.status_code == 200
|
|
|
|
|
body = response.json()
|
|
|
|
|
assert body["access_token"] == "access"
|
|
|
|
|
assert body["refresh_token"] == "refresh"
|
|
|
|
|
assert body["user"]["email"] == "user@example.com"
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
2026-02-25 13:34:02 +08:00
|
|
|
def test_signup_resend_returns_generic_message() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 13:34:02 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/resend",
|
|
|
|
|
json={"type": "recovery", "email": "user@example.com"},
|
2026-02-25 13:34:02 +08:00
|
|
|
)
|
2026-02-26 14:08:10 +08:00
|
|
|
assert response.status_code == 204
|
|
|
|
|
assert response.content == b""
|
2026-02-25 13:34:02 +08:00
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_signup_verify_invalid_token_returns_problem_details() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 13:34:02 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/verify",
|
2026-02-25 13:34:02 +08:00
|
|
|
json={"email": "user@example.com", "token": "000000"},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code == 401
|
|
|
|
|
assert response.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
body = response.json()
|
|
|
|
|
assert body["title"] == "Unauthorized"
|
|
|
|
|
assert body["status"] == 401
|
|
|
|
|
assert body["detail"] == "Invalid verification code"
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_signup_start_existing_email_returns_problem_details() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 13:34:02 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-02-26 14:08:10 +08:00
|
|
|
"/api/v1/auth/verifications",
|
2026-02-25 13:34:02 +08:00
|
|
|
json={
|
|
|
|
|
"username": "demo",
|
|
|
|
|
"email": "exists@example.com",
|
|
|
|
|
"password": "secret123",
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code == 422
|
|
|
|
|
assert response.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
body = response.json()
|
2026-03-07 14:55:00 +08:00
|
|
|
assert body["title"] == "Unprocessable Entity"
|
2026-02-25 13:34:02 +08:00
|
|
|
assert body["status"] == 422
|
|
|
|
|
assert body["detail"] == "Invalid signup request"
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_signup_verify_rate_limited_after_too_many_attempts() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 13:34:02 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
for _ in range(10):
|
|
|
|
|
ok = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/verify",
|
2026-02-25 13:34:02 +08:00
|
|
|
json={"email": "user@example.com", "token": "123456"},
|
|
|
|
|
)
|
|
|
|
|
assert ok.status_code == 200
|
|
|
|
|
|
|
|
|
|
blocked = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/verify",
|
2026-02-25 13:34:02 +08:00
|
|
|
json={"email": "user@example.com", "token": "123456"},
|
|
|
|
|
)
|
|
|
|
|
assert blocked.status_code == 429
|
|
|
|
|
assert blocked.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_signup_resend_rate_limited_after_too_many_attempts() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 13:34:02 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
2026-02-26 14:08:10 +08:00
|
|
|
for _ in range(5):
|
2026-02-25 13:34:02 +08:00
|
|
|
ok = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/resend",
|
2026-02-25 13:34:02 +08:00
|
|
|
json={"email": "user@example.com"},
|
|
|
|
|
)
|
2026-02-26 14:08:10 +08:00
|
|
|
assert ok.status_code == 204
|
2026-02-25 13:34:02 +08:00
|
|
|
|
|
|
|
|
blocked = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/resend",
|
2026-02-25 13:34:02 +08:00
|
|
|
json={"email": "user@example.com"},
|
|
|
|
|
)
|
|
|
|
|
assert blocked.status_code == 429
|
|
|
|
|
assert blocked.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_signup_start_rate_limited_after_too_many_attempts() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 13:34:02 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
for _ in range(5):
|
|
|
|
|
ok = client.post(
|
2026-02-26 14:08:10 +08:00
|
|
|
"/api/v1/auth/verifications",
|
2026-02-25 13:34:02 +08:00
|
|
|
json={
|
|
|
|
|
"username": "demo",
|
|
|
|
|
"email": "user@example.com",
|
|
|
|
|
"password": "secret123",
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert ok.status_code == 202
|
|
|
|
|
|
|
|
|
|
blocked = client.post(
|
2026-02-26 14:08:10 +08:00
|
|
|
"/api/v1/auth/verifications",
|
2026-02-25 13:34:02 +08:00
|
|
|
json={
|
|
|
|
|
"username": "demo",
|
|
|
|
|
"email": "user@example.com",
|
|
|
|
|
"password": "secret123",
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert blocked.status_code == 429
|
|
|
|
|
assert blocked.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
2026-02-05 15:13:06 +08:00
|
|
|
def test_login_invalid_returns_problem_details() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-05 15:13:06 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-02-26 14:08:10 +08:00
|
|
|
"/api/v1/auth/sessions",
|
2026-02-05 15:13:06 +08:00
|
|
|
json={"email": "user@example.com", "password": "wrongpw"},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code == 401
|
|
|
|
|
assert response.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
body = response.json()
|
|
|
|
|
assert body["title"] == "Unauthorized"
|
|
|
|
|
assert body["status"] == 401
|
|
|
|
|
assert body["detail"] == "Invalid credentials"
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_refresh_invalid_returns_problem_details() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-05 15:13:06 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-02-26 14:08:10 +08:00
|
|
|
"/api/v1/auth/sessions/refresh",
|
2026-02-05 15:13:06 +08:00
|
|
|
json={"refresh_token": "invalid"},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code == 401
|
|
|
|
|
assert response.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
body = response.json()
|
|
|
|
|
assert body["title"] == "Unauthorized"
|
|
|
|
|
assert body["status"] == 401
|
|
|
|
|
assert body["detail"] == "Invalid refresh token"
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_logout_returns_no_content() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-05 15:13:06 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
2026-02-26 14:08:10 +08:00
|
|
|
response = client.request(
|
|
|
|
|
"DELETE",
|
|
|
|
|
"/api/v1/auth/sessions",
|
2026-02-05 15:13:06 +08:00
|
|
|
json={"refresh_token": "refresh"},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code == 204
|
|
|
|
|
assert response.content == b""
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
2026-02-25 16:51:12 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_login_rate_limited_after_too_many_attempts() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 16:51:12 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
for _ in range(10):
|
|
|
|
|
blocked = client.post(
|
2026-02-26 14:08:10 +08:00
|
|
|
"/api/v1/auth/sessions",
|
2026-02-25 16:51:12 +08:00
|
|
|
json={"email": "user@example.com", "password": "wrongpw"},
|
|
|
|
|
)
|
|
|
|
|
assert blocked.status_code == 401
|
|
|
|
|
|
|
|
|
|
blocked = client.post(
|
2026-02-26 14:08:10 +08:00
|
|
|
"/api/v1/auth/sessions",
|
2026-02-25 16:51:12 +08:00
|
|
|
json={"email": "user@example.com", "password": "wrongpw"},
|
|
|
|
|
)
|
|
|
|
|
assert blocked.status_code == 429
|
|
|
|
|
assert blocked.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
body = blocked.json()
|
|
|
|
|
assert body["detail"] == "Too many requests"
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_refresh_rate_limited_after_too_many_attempts() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 16:51:12 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
for _ in range(10):
|
|
|
|
|
blocked = client.post(
|
2026-02-26 14:08:10 +08:00
|
|
|
"/api/v1/auth/sessions/refresh",
|
2026-02-25 16:51:12 +08:00
|
|
|
json={"refresh_token": "invalid"},
|
|
|
|
|
)
|
|
|
|
|
assert blocked.status_code == 401
|
|
|
|
|
|
|
|
|
|
blocked = client.post(
|
2026-02-26 14:08:10 +08:00
|
|
|
"/api/v1/auth/sessions/refresh",
|
2026-02-25 16:51:12 +08:00
|
|
|
json={"refresh_token": "invalid"},
|
|
|
|
|
)
|
|
|
|
|
assert blocked.status_code == 429
|
|
|
|
|
assert blocked.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
body = blocked.json()
|
|
|
|
|
assert body["detail"] == "Too many requests"
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
2026-03-07 14:55:00 +08:00
|
|
|
def test_refresh_rate_limit_not_bypassed_by_changing_refresh_token() -> None:
|
2026-02-25 16:51:12 +08:00
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 16:51:12 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
2026-03-07 14:55:00 +08:00
|
|
|
for index in range(10):
|
|
|
|
|
blocked = client.post(
|
|
|
|
|
"/api/v1/auth/sessions/refresh",
|
|
|
|
|
json={"refresh_token": f"invalid-{index}"},
|
2026-02-25 16:51:12 +08:00
|
|
|
)
|
2026-03-07 14:55:00 +08:00
|
|
|
assert blocked.status_code == 401
|
2026-02-25 16:51:12 +08:00
|
|
|
|
2026-03-07 14:55:00 +08:00
|
|
|
blocked = client.post(
|
|
|
|
|
"/api/v1/auth/sessions/refresh",
|
|
|
|
|
json={"refresh_token": "invalid-extra"},
|
2026-02-25 16:51:12 +08:00
|
|
|
)
|
|
|
|
|
assert blocked.status_code == 429
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
2026-02-05 15:13:06 +08:00
|
|
|
|
|
|
|
|
|
2026-03-07 14:55:00 +08:00
|
|
|
def test_logout_rate_limited_after_too_many_attempts() -> None:
|
2026-02-05 15:13:06 +08:00
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-05 15:13:06 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
2026-03-07 14:55:00 +08:00
|
|
|
for _ in range(10):
|
|
|
|
|
ok = client.request(
|
|
|
|
|
"DELETE",
|
|
|
|
|
"/api/v1/auth/sessions",
|
|
|
|
|
json={"refresh_token": "refresh"},
|
|
|
|
|
)
|
|
|
|
|
assert ok.status_code == 204
|
2026-02-25 10:20:43 +08:00
|
|
|
|
2026-03-07 14:55:00 +08:00
|
|
|
blocked = client.request(
|
|
|
|
|
"DELETE",
|
|
|
|
|
"/api/v1/auth/sessions",
|
|
|
|
|
json={"refresh_token": "refresh"},
|
2026-02-25 10:20:43 +08:00
|
|
|
)
|
2026-03-07 14:55:00 +08:00
|
|
|
assert blocked.status_code == 429
|
|
|
|
|
assert blocked.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
body = blocked.json()
|
|
|
|
|
assert body["detail"] == "Too many requests"
|
2026-02-25 10:20:43 +08:00
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
2026-03-07 14:55:00 +08:00
|
|
|
def test_logout_rate_limit_not_bypassed_by_changing_refresh_token() -> None:
|
2026-02-25 10:20:43 +08:00
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 10:20:43 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
2026-03-07 14:55:00 +08:00
|
|
|
for index in range(10):
|
|
|
|
|
ok = client.request(
|
|
|
|
|
"DELETE",
|
|
|
|
|
"/api/v1/auth/sessions",
|
|
|
|
|
json={"refresh_token": f"refresh-{index}"},
|
|
|
|
|
)
|
|
|
|
|
assert ok.status_code == 204
|
|
|
|
|
|
|
|
|
|
blocked = client.request(
|
|
|
|
|
"DELETE",
|
|
|
|
|
"/api/v1/auth/sessions",
|
|
|
|
|
json={"refresh_token": "refresh-extra"},
|
2026-02-25 10:20:43 +08:00
|
|
|
)
|
2026-03-07 14:55:00 +08:00
|
|
|
assert blocked.status_code == 429
|
2026-02-25 10:20:43 +08:00
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
2026-03-07 14:55:00 +08:00
|
|
|
def test_signup_start_validation_error_returns_problem_details() -> None:
|
2026-02-25 10:20:43 +08:00
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 10:20:43 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
2026-03-07 14:55:00 +08:00
|
|
|
response = client.post("/api/v1/auth/verifications", json={})
|
|
|
|
|
assert response.status_code == 422
|
2026-02-25 10:20:43 +08:00
|
|
|
assert response.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
body = response.json()
|
2026-03-07 14:55:00 +08:00
|
|
|
assert body["title"] == "Unprocessable Entity"
|
|
|
|
|
assert body["status"] == 422
|
|
|
|
|
assert body["detail"] == "Invalid request"
|
2026-02-25 10:20:43 +08:00
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
2026-03-07 14:55:00 +08:00
|
|
|
def test_signup_start_missing_username_returns_problem_details() -> None:
|
2026-02-25 10:20:43 +08:00
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
2026-02-26 14:08:10 +08:00
|
|
|
token_response = SessionResponse(
|
2026-02-25 10:20:43 +08:00
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
2026-03-07 14:55:00 +08:00
|
|
|
response = client.post(
|
|
|
|
|
"/api/v1/auth/verifications",
|
|
|
|
|
json={"email": "user@example.com", "password": "secret123"},
|
2026-02-25 10:20:43 +08:00
|
|
|
)
|
2026-03-07 14:55:00 +08:00
|
|
|
assert response.status_code == 422
|
2026-02-25 10:20:43 +08:00
|
|
|
assert response.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
body = response.json()
|
2026-03-07 14:55:00 +08:00
|
|
|
assert body["title"] == "Unprocessable Entity"
|
|
|
|
|
assert body["status"] == 422
|
|
|
|
|
assert body["detail"] == "Invalid request"
|
2026-02-25 10:20:43 +08:00
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
2026-02-27 15:22:42 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_password_reset_request_returns_204() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
|
|
|
|
token_response = SessionResponse(
|
|
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/resend",
|
2026-02-27 15:22:42 +08:00
|
|
|
json={"email": "user@example.com"},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code == 204
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_password_reset_confirm_returns_204() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
|
|
|
|
token_response = SessionResponse(
|
|
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/verify",
|
2026-02-27 15:22:42 +08:00
|
|
|
json={
|
2026-03-07 14:55:00 +08:00
|
|
|
"type": "recovery",
|
2026-02-27 15:22:42 +08:00
|
|
|
"email": "user@example.com",
|
|
|
|
|
"token": "123456",
|
|
|
|
|
"new_password": "newpassword123",
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code == 204
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_password_reset_confirm_invalid_token_returns_401() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
|
|
|
|
token_response = SessionResponse(
|
|
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/verify",
|
2026-02-27 15:22:42 +08:00
|
|
|
json={
|
2026-03-07 14:55:00 +08:00
|
|
|
"type": "recovery",
|
2026-02-27 15:22:42 +08:00
|
|
|
"email": "user@example.com",
|
|
|
|
|
"token": "000000",
|
|
|
|
|
"new_password": "newpassword123",
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code == 401
|
|
|
|
|
assert response.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
body = response.json()
|
|
|
|
|
assert body["title"] == "Unauthorized"
|
|
|
|
|
assert body["status"] == 401
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_password_reset_confirm_weak_password_returns_422() -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
|
|
|
|
token_response = SessionResponse(
|
|
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
2026-03-07 14:55:00 +08:00
|
|
|
"/api/v1/auth/verify",
|
2026-02-27 15:22:42 +08:00
|
|
|
json={
|
2026-03-07 14:55:00 +08:00
|
|
|
"type": "recovery",
|
2026-02-27 15:22:42 +08:00
|
|
|
"email": "user@example.com",
|
|
|
|
|
"token": "123456",
|
|
|
|
|
"new_password": "123",
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code == 422
|
|
|
|
|
assert response.headers["content-type"].startswith("application/problem+json")
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
2026-02-28 10:56:09 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestInviteCodeSignup:
|
|
|
|
|
def test_signup_with_valid_invite_code_returns_202(self) -> None:
|
|
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
|
|
|
|
token_response = SessionResponse(
|
|
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
|
|
|
|
"/api/v1/auth/verifications",
|
|
|
|
|
json={
|
|
|
|
|
"username": "demo",
|
|
|
|
|
"email": "user@example.com",
|
|
|
|
|
"password": "secret123",
|
2026-03-12 16:41:45 +08:00
|
|
|
"invite_code": "A2B3",
|
2026-02-28 10:56:09 +08:00
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code == 202
|
|
|
|
|
assert response.json() == {"email": "user@example.com"}
|
|
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
2026-03-12 16:41:45 +08:00
|
|
|
def test_signup_with_invalid_invite_code_length_returns_202(self) -> None:
|
2026-02-28 10:56:09 +08:00
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
|
|
|
|
token_response = SessionResponse(
|
|
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
|
|
|
|
"/api/v1/auth/verifications",
|
|
|
|
|
json={
|
|
|
|
|
"username": "demo",
|
|
|
|
|
"email": "user@example.com",
|
|
|
|
|
"password": "secret123",
|
|
|
|
|
"invite_code": "ABC123",
|
|
|
|
|
},
|
|
|
|
|
)
|
2026-03-12 16:41:45 +08:00
|
|
|
assert response.status_code == 202
|
|
|
|
|
assert response.json() == {"email": "user@example.com"}
|
2026-02-28 10:56:09 +08:00
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
|
|
|
|
|
2026-03-12 16:41:45 +08:00
|
|
|
def test_signup_with_invalid_invite_code_chars_returns_202(self) -> None:
|
2026-02-28 10:56:09 +08:00
|
|
|
user = AuthUser(id="user-1", email="user@example.com")
|
|
|
|
|
token_response = SessionResponse(
|
|
|
|
|
access_token="access",
|
|
|
|
|
refresh_token="refresh",
|
|
|
|
|
expires_in=3600,
|
|
|
|
|
token_type="bearer",
|
|
|
|
|
user=user,
|
|
|
|
|
)
|
|
|
|
|
app.dependency_overrides[get_auth_service] = _override_auth_service(
|
|
|
|
|
FakeAuthService(token_response)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
client = TestClient(app)
|
|
|
|
|
try:
|
|
|
|
|
response = client.post(
|
|
|
|
|
"/api/v1/auth/verifications",
|
|
|
|
|
json={
|
|
|
|
|
"username": "demo",
|
|
|
|
|
"email": "user@example.com",
|
|
|
|
|
"password": "secret123",
|
|
|
|
|
"invite_code": "ABCD1234",
|
|
|
|
|
},
|
|
|
|
|
)
|
2026-03-12 16:41:45 +08:00
|
|
|
assert response.status_code == 202
|
|
|
|
|
assert response.json() == {"email": "user@example.com"}
|
2026-02-28 10:56:09 +08:00
|
|
|
finally:
|
|
|
|
|
app.dependency_overrides = {}
|
