feat(agent-chat): complete core workflow and strengthen auth rate limiting

2026-02-25 16:51:12 +08:00
parent 53c72e48e6
commit cd40b2b4f4
62 changed files with 3441 additions and 3 deletions
@@ -416,6 +416,108 @@ def test_logout_returns_no_content() -> None:
        app.dependency_overrides = {}


+def test_login_rate_limited_after_too_many_attempts() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = AuthTokenResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        for _ in range(10):
+            blocked = client.post(
+                "/api/v1/auth/login",
+                json={"email": "user@example.com", "password": "wrongpw"},
+            )
+            assert blocked.status_code == 401
+
+        blocked = client.post(
+            "/api/v1/auth/login",
+            json={"email": "user@example.com", "password": "wrongpw"},
+        )
+        assert blocked.status_code == 429
+        assert blocked.headers["content-type"].startswith("application/problem+json")
+        body = blocked.json()
+        assert body["detail"] == "Too many requests"
+    finally:
+        app.dependency_overrides = {}
+
+
+def test_refresh_rate_limited_after_too_many_attempts() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = AuthTokenResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        for _ in range(10):
+            blocked = client.post(
+                "/api/v1/auth/refresh",
+                json={"refresh_token": "invalid"},
+            )
+            assert blocked.status_code == 401
+
+        blocked = client.post(
+            "/api/v1/auth/refresh",
+            json={"refresh_token": "invalid"},
+        )
+        assert blocked.status_code == 429
+        assert blocked.headers["content-type"].startswith("application/problem+json")
+        body = blocked.json()
+        assert body["detail"] == "Too many requests"
+    finally:
+        app.dependency_overrides = {}
+
+
+def test_logout_rate_limited_after_too_many_attempts() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = AuthTokenResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        for _ in range(10):
+            ok = client.post(
+                "/api/v1/auth/logout",
+                json={"refresh_token": "refresh"},
+            )
+            assert ok.status_code == 204
+
+        blocked = client.post(
+            "/api/v1/auth/logout",
+            json={"refresh_token": "refresh"},
+        )
+        assert blocked.status_code == 429
+        assert blocked.headers["content-type"].startswith("application/problem+json")
+        body = blocked.json()
+        assert body["detail"] == "Too many requests"
+    finally:
+        app.dependency_overrides = {}
+
+
 def test_signup_start_validation_error_returns_problem_details() -> None:
    user = AuthUser(id="user-1", email="user@example.com")
    token_response = AuthTokenResponse(