social-app/backend/tests/unit/v1/auth/test_dev_phone_session.py

from __future__ import annotations

from uuid import UUID

import pytest
from pydantic import SecretStr

from core.config.settings import config
from core.http.errors import ApiProblemError
from v1.auth.dev_phone_session import create_dev_phone_session, refresh_dev_phone_session
from v1.auth.schemas import PhoneSessionCreateRequest, SessionRefreshRequest


_TEST_JWT_SECRET = "test-secret-key-with-32-bytes-minimum!!"


@pytest.mark.asyncio
async def test_dev_session_refresh_round_trip(monkeypatch: pytest.MonkeyPatch) -> None:
    monkeypatch.setattr(config.runtime, "environment", "dev")
    monkeypatch.setattr(config.supabase, "jwt_secret", SecretStr(_TEST_JWT_SECRET))
    monkeypatch.setattr(config.supabase, "jwt_issuer", "http://localhost:8001/auth/v1")
    async def _fake_find_or_create_user_by_phone(_phone: str) -> UUID:
        return UUID("00000000-0000-0000-0000-000000000123")

    monkeypatch.setattr(
        "v1.auth.dev_phone_session._find_or_create_user_by_phone",
        _fake_find_or_create_user_by_phone,
    )

    created = await create_dev_phone_session(
        request=PhoneSessionCreateRequest(phone="+8613812345678", token="123456")
    )
    refreshed = await refresh_dev_phone_session(
        request=SessionRefreshRequest(refresh_token=created.refresh_token)
    )

    assert refreshed.user.id == "00000000-0000-0000-0000-000000000123"
    assert refreshed.user.phone == "+8613812345678"
    assert refreshed.access_token
    assert refreshed.refresh_token


@pytest.mark.asyncio
async def test_dev_session_refresh_rejects_invalid_token(
    monkeypatch: pytest.MonkeyPatch,
) -> None:
    monkeypatch.setattr(config.runtime, "environment", "dev")
    monkeypatch.setattr(config.supabase, "jwt_secret", SecretStr(_TEST_JWT_SECRET))
    monkeypatch.setattr(config.supabase, "jwt_issuer", "http://localhost:8001/auth/v1")

    with pytest.raises(ApiProblemError) as exc_info:
        await refresh_dev_phone_session(
            request=SessionRefreshRequest(refresh_token="invalid-token")
        )

    assert exc_info.value.status_code == 401
    assert exc_info.value.code == "AUTH_REFRESH_TOKEN_INVALID"