preloop

Overview Schema Related Servers Score Discussions

test_auth_comprehensive.py•44.4 KiB

"""Comprehensive tests for auth router endpoints. These tests cover: 1. Login notification background thread (string capture fix) 2. Password validation 3. Token refresh flows 4. Registration flows and edge cases 5. Onboarding flows 6. Error handling paths """ import pytest import uuid from datetime import datetime, timedelta, timezone from unittest.mock import patch, MagicMock from fastapi import FastAPI from fastapi.testclient import TestClient from sqlalchemy.exc import IntegrityError from sqlalchemy.orm import Session from preloop.api.auth.router import router as auth_router, authenticate_user from preloop.api.auth.jwt import ( create_access_token, decode_token, verify_password, get_password_hash, ) from preloop.models.models.user import User from preloop.utils.tokens import TokenError # Set up test app app = FastAPI() app.include_router(auth_router, prefix="/auth") client = TestClient(app) # ============================================================================ # Fixtures # ============================================================================ @pytest.fixture def db_session_mock(): """Create a mock database session.""" with patch("preloop.api.auth.router.get_db_session") as mock_get_db: db_session = MagicMock(spec=Session) mock_execute = MagicMock() mock_scalars = MagicMock() mock_scalars.first.return_value = None mock_execute.scalars.return_value = mock_scalars db_session.execute.return_value = mock_execute # Mock the query chain for CRUD methods mock_query = MagicMock() mock_query.filter.return_value = mock_query mock_query.first.return_value = None mock_query.all.return_value = [] db_session.query.return_value = mock_query mock_get_db.return_value = iter([db_session]) yield db_session @pytest.fixture def mock_user(): """Create a mock user with all required attributes.""" user = MagicMock(spec=User) user.id = uuid.uuid4() user.username = "testuser" user.email = "test@example.com" user.hashed_password = get_password_hash("password123") user.is_active = True user.last_login = None user.account_id = uuid.uuid4() user.full_name = "Test User" user.email_verified = True return user @pytest.fixture def mock_inactive_user(): """Create a mock inactive user.""" user = MagicMock(spec=User) user.id = uuid.uuid4() user.username = "inactiveuser" user.email = "inactive@example.com" user.hashed_password = get_password_hash("password123") user.is_active = False user.last_login = None return user # ============================================================================ # Login Notification Background Thread Tests # ============================================================================ class TestLoginNotificationBackgroundThread: """Tests for login notification background thread. These tests verify that the fix for capturing string values instead of ORM objects works correctly. The issue was that the background thread would access user.username and user.email after the session was closed, causing DetachedInstanceError. """ @pytest.mark.asyncio async def test_login_notification_captures_string_values(self, mock_user): """Test that login notification captures string values before thread starts.""" mock_user.last_login = datetime.now(timezone.utc) - timedelta(days=10) captured_username = None captured_email = None with ( patch("preloop.api.auth.router.get_db_session") as mock_get_db, patch("preloop.api.auth.router.crud_user") as mock_crud_user, patch("preloop.api.auth.router.verify_password") as mock_verify, patch( "preloop.api.auth.router.should_notify_on_login" ) as mock_should_notify, patch( "preloop.api.auth.router.notify_admins_user_login_after_inactivity" ) as mock_notify, patch("threading.Thread") as mock_thread_class, ): db_session = MagicMock() mock_get_db.return_value = iter([db_session]) mock_crud_user.get_by_username.return_value = mock_user mock_verify.return_value = True mock_should_notify.return_value = True # Capture the thread target function def capture_thread_call(*args, **kwargs): nonlocal captured_username, captured_email target = kwargs.get("target") if target: # Execute the target to capture what it passes target() mock_thread = MagicMock() return mock_thread mock_thread_class.side_effect = capture_thread_call # Authenticate user result = await authenticate_user( "testuser", "password123", source_ip="192.168.1.1" ) # Verify the notification was called with string values assert mock_notify.called call_kwargs = mock_notify.call_args.kwargs assert call_kwargs["username"] == "testuser" assert call_kwargs["email"] == "test@example.com" @pytest.mark.asyncio async def test_login_notification_skipped_for_testclient(self, mock_user): """Test that login notification is skipped for testclient IP.""" mock_user.last_login = datetime.now(timezone.utc) - timedelta(days=10) with ( patch("preloop.api.auth.router.get_db_session") as mock_get_db, patch("preloop.api.auth.router.crud_user") as mock_crud_user, patch("preloop.api.auth.router.verify_password") as mock_verify, patch( "preloop.api.auth.router.should_notify_on_login" ) as mock_should_notify, patch("threading.Thread") as mock_thread_class, ): db_session = MagicMock() mock_get_db.return_value = iter([db_session]) mock_crud_user.get_by_username.return_value = mock_user mock_verify.return_value = True mock_should_notify.return_value = True # Authenticate with testclient IP result = await authenticate_user( "testuser", "password123", source_ip="testclient" ) # Thread should not be created for testclient mock_thread_class.assert_not_called() @pytest.mark.asyncio async def test_login_notification_not_sent_for_recent_login(self, mock_user): """Test that notification is not sent for recently active users.""" mock_user.last_login = datetime.now(timezone.utc) - timedelta(days=2) with ( patch("preloop.api.auth.router.get_db_session") as mock_get_db, patch("preloop.api.auth.router.crud_user") as mock_crud_user, patch("preloop.api.auth.router.verify_password") as mock_verify, patch( "preloop.api.auth.router.should_notify_on_login" ) as mock_should_notify, patch("threading.Thread") as mock_thread_class, ): db_session = MagicMock() mock_get_db.return_value = iter([db_session]) mock_crud_user.get_by_username.return_value = mock_user mock_verify.return_value = True mock_should_notify.return_value = False # Recent login # Authenticate user result = await authenticate_user( "testuser", "password123", source_ip="192.168.1.1" ) # Thread should not be created for recent logins mock_thread_class.assert_not_called() @pytest.mark.asyncio async def test_login_notification_handles_thread_exception(self, mock_user): """Test that notification thread exceptions are handled gracefully.""" mock_user.last_login = datetime.now(timezone.utc) - timedelta(days=10) with ( patch("preloop.api.auth.router.get_db_session") as mock_get_db, patch("preloop.api.auth.router.crud_user") as mock_crud_user, patch("preloop.api.auth.router.verify_password") as mock_verify, patch( "preloop.api.auth.router.should_notify_on_login" ) as mock_should_notify, patch( "preloop.api.auth.router.notify_admins_user_login_after_inactivity" ) as mock_notify, patch("threading.Thread") as mock_thread_class, ): db_session = MagicMock() mock_get_db.return_value = iter([db_session]) mock_crud_user.get_by_username.return_value = mock_user mock_verify.return_value = True mock_should_notify.return_value = True mock_notify.side_effect = Exception("Notification service unavailable") # Execute the thread target function def execute_thread_target(*args, **kwargs): target = kwargs.get("target") if target: target() # This should not raise return MagicMock() mock_thread_class.side_effect = execute_thread_target # Should not raise despite notification error result = await authenticate_user( "testuser", "password123", source_ip="192.168.1.1" ) assert result == mock_user # ============================================================================ # Password Validation Tests # ============================================================================ class TestPasswordValidation: """Tests for password validation and hashing.""" def test_password_hashing(self): """Test that password hashing works correctly.""" password = "securepassword123" hashed = get_password_hash(password) assert hashed != password assert hashed.startswith("$2b$") # bcrypt prefix def test_password_verification_success(self): """Test successful password verification.""" password = "securepassword123" hashed = get_password_hash(password) assert verify_password(password, hashed) is True def test_password_verification_failure(self): """Test failed password verification.""" password = "securepassword123" hashed = get_password_hash(password) assert verify_password("wrongpassword", hashed) is False def test_password_change_wrong_current(self, db_session_mock): """Test password change with wrong current password.""" from preloop.api.auth.jwt import get_current_active_user from preloop.models.db.session import get_db_session mock_user = MagicMock(spec=User) mock_user.hashed_password = get_password_hash("currentpassword") mock_user.is_active = True app.dependency_overrides[get_current_active_user] = lambda: mock_user app.dependency_overrides[get_db_session] = lambda: db_session_mock try: response = client.put( "/auth/users/me/password", json={ "current_password": "wrongpassword", "new_password": "newsecurepassword123", }, ) assert response.status_code == 400 assert "Incorrect current password" in response.json()["detail"] finally: app.dependency_overrides.clear() def test_password_minimum_length_registration(self, db_session_mock): """Test that password must meet minimum length during registration.""" # Password too short (less than 8 characters) response = client.post( "/auth/register", json={ "username": "testuser", "email": "test@example.com", "password": "short", "full_name": "Test User", }, ) assert response.status_code == 422 # Validation error def test_password_minimum_length_reset(self, db_session_mock): """Test that password must meet minimum length during reset.""" response = client.post( "/auth/reset-password", json={ "token": "sometoken", "new_password": "short", }, ) assert response.status_code == 422 # Validation error # ============================================================================ # Token Refresh Tests # ============================================================================ class TestTokenRefresh: """Tests for token refresh functionality.""" def test_refresh_token_success(self, db_session_mock, mock_user): """Test successful token refresh.""" # Create a valid refresh token refresh_token = create_access_token( data={"sub": str(mock_user.id), "scopes": [], "refresh": True}, expires_delta=timedelta(days=7), ) mock_query = MagicMock() mock_query.filter.return_value = mock_query mock_query.first.return_value = mock_user db_session_mock.query.return_value = mock_query with patch("preloop.api.auth.router.crud_user") as mock_crud: mock_crud.get.return_value = mock_user response = client.post( "/auth/refresh", json={"refresh_token": refresh_token}, ) assert response.status_code == 200 data = response.json() assert "access_token" in data assert "refresh_token" in data assert data["token_type"] == "bearer" def test_refresh_token_not_refresh_type(self, db_session_mock): """Test refresh fails when using access token instead of refresh token.""" # Create an access token (not a refresh token) access_token = create_access_token( data={"sub": str(uuid.uuid4()), "scopes": []}, # No refresh: True expires_delta=timedelta(minutes=30), ) response = client.post( "/auth/refresh", json={"refresh_token": access_token}, ) assert response.status_code == 401 assert "Invalid refresh token" in response.json()["detail"] def test_refresh_token_invalid_user_id(self, db_session_mock): """Test refresh fails with invalid user ID in token.""" # Create a refresh token with invalid user ID refresh_token = create_access_token( data={"sub": "not-a-uuid", "scopes": [], "refresh": True}, expires_delta=timedelta(days=7), ) response = client.post( "/auth/refresh", json={"refresh_token": refresh_token}, ) assert response.status_code == 401 def test_refresh_token_user_not_found(self, db_session_mock): """Test refresh fails when user not found.""" user_id = uuid.uuid4() refresh_token = create_access_token( data={"sub": str(user_id), "scopes": [], "refresh": True}, expires_delta=timedelta(days=7), ) with patch("preloop.api.auth.router.crud_user") as mock_crud: mock_crud.get.return_value = None response = client.post( "/auth/refresh", json={"refresh_token": refresh_token}, ) assert response.status_code == 401 assert "User not found or inactive" in response.json()["detail"] def test_refresh_token_inactive_user(self, db_session_mock, mock_inactive_user): """Test refresh fails for inactive users.""" refresh_token = create_access_token( data={"sub": str(mock_inactive_user.id), "scopes": [], "refresh": True}, expires_delta=timedelta(days=7), ) with patch("preloop.api.auth.router.crud_user") as mock_crud: mock_crud.get.return_value = mock_inactive_user response = client.post( "/auth/refresh", json={"refresh_token": refresh_token}, ) assert response.status_code == 401 assert "User not found or inactive" in response.json()["detail"] def test_refresh_token_expired(self, db_session_mock): """Test refresh fails for expired tokens.""" # Create an expired refresh token refresh_token = create_access_token( data={"sub": str(uuid.uuid4()), "scopes": [], "refresh": True}, expires_delta=timedelta(seconds=-1), # Already expired ) response = client.post( "/auth/refresh", json={"refresh_token": refresh_token}, ) assert response.status_code == 401 def test_refresh_token_preserves_scopes(self, db_session_mock, mock_user): """Test that refresh preserves scopes from original token.""" original_scopes = ["read:data", "write:data"] refresh_token = create_access_token( data={"sub": str(mock_user.id), "scopes": original_scopes, "refresh": True}, expires_delta=timedelta(days=7), ) with patch("preloop.api.auth.router.crud_user") as mock_crud: mock_crud.get.return_value = mock_user response = client.post( "/auth/refresh", json={"refresh_token": refresh_token}, ) assert response.status_code == 200 # Decode the new access token to verify scopes new_access_token = response.json()["access_token"] token_data = decode_token(new_access_token) assert token_data.scopes == original_scopes # ============================================================================ # Registration Flow Tests # ============================================================================ class TestRegistrationFlows: """Tests for registration flows and edge cases.""" def test_registration_creates_account_and_user(self, db_session_mock): """Test that registration creates both account and user.""" with ( patch("preloop.api.auth.router.crud_account") as mock_account, patch("preloop.api.auth.router.crud_user") as mock_user_crud, patch("preloop.api.auth.router.crud_role") as mock_role, patch("preloop.api.auth.router.crud_user_role") as mock_user_role, patch("preloop.api.auth.router.complete_new_account_setup_background"), ): mock_account_obj = MagicMock() mock_account_obj.id = uuid.uuid4() mock_account_obj.organization_name = "testuser's Organization" mock_account.create.return_value = mock_account_obj mock_user_obj = MagicMock() mock_user_obj.id = uuid.uuid4() mock_user_obj.username = "testuser" mock_user_obj.email = "test@example.com" mock_user_obj.full_name = "Test User" mock_user_obj.email_verified = False mock_user_obj.is_active = True mock_user_obj.created_at = datetime.now(timezone.utc) mock_user_crud.create.return_value = mock_user_obj mock_user_crud.get_by_username.return_value = None mock_user_crud.get_by_email.return_value = None mock_role_obj = MagicMock() mock_role_obj.id = uuid.uuid4() mock_role_obj.name = "owner" mock_role.get_by_name.return_value = mock_role_obj response = client.post( "/auth/register", json={ "username": "testuser", "email": "test@example.com", "password": "securepassword123", "full_name": "Test User", }, ) assert response.status_code == 201 mock_account.create.assert_called_once() mock_user_crud.create.assert_called_once() mock_user_role.create.assert_called_once() def test_registration_disabled_returns_403(self, db_session_mock): """Test that registration returns 403 when disabled.""" with patch("preloop.api.auth.router.settings") as mock_settings: mock_settings.registration_enabled = False response = client.post( "/auth/register", json={ "username": "testuser", "email": "test@example.com", "password": "securepassword123", "full_name": "Test User", }, ) assert response.status_code == 403 assert "Registration is disabled" in response.json()["detail"] def test_registration_username_validation(self, db_session_mock): """Test username validation during registration.""" # Username with special characters response = client.post( "/auth/register", json={ "username": "test-user", # Contains hyphen "email": "test@example.com", "password": "securepassword123", "full_name": "Test User", }, ) assert response.status_code == 422 # Validation error def test_registration_username_too_short(self, db_session_mock): """Test username minimum length during registration.""" response = client.post( "/auth/register", json={ "username": "ab", # Less than 3 characters "email": "test@example.com", "password": "securepassword123", "full_name": "Test User", }, ) assert response.status_code == 422 # Validation error def test_registration_invalid_email(self, db_session_mock): """Test email validation during registration.""" response = client.post( "/auth/register", json={ "username": "testuser", "email": "not-an-email", "password": "securepassword123", "full_name": "Test User", }, ) assert response.status_code == 422 # Validation error def test_registration_integrity_error_rollback(self, db_session_mock): """Test that registration rolls back on integrity error.""" with ( patch("preloop.api.auth.router.crud_account") as mock_account, patch("preloop.api.auth.router.crud_user") as mock_user_crud, patch("preloop.api.auth.router.crud_role") as mock_role, patch("preloop.api.auth.router.crud_user_role") as mock_user_role, ): mock_account_obj = MagicMock() mock_account_obj.id = uuid.uuid4() mock_account.create.return_value = mock_account_obj mock_user_obj = MagicMock() mock_user_obj.id = uuid.uuid4() mock_user_obj.username = "testuser" mock_user_obj.email = "test@example.com" mock_user_obj.full_name = "Test User" mock_user_obj.email_verified = False mock_user_obj.is_active = True mock_user_obj.created_at = datetime.now(timezone.utc) mock_user_crud.get_by_username.return_value = None mock_user_crud.get_by_email.return_value = None mock_user_crud.create.return_value = mock_user_obj mock_role.get_by_name.return_value = MagicMock(id=uuid.uuid4()) # Simulate integrity error on final commit (after user role creation) def commit_side_effect(): # Raise on the commit in the try block raise IntegrityError("mock", "mock", "mock") db_session_mock.commit.side_effect = commit_side_effect response = client.post( "/auth/register", json={ "username": "testuser", "email": "test@example.com", "password": "securepassword123", "full_name": "Test User", }, ) assert response.status_code == 400 db_session_mock.rollback.assert_called() def test_registration_without_owner_role(self, db_session_mock): """Test registration continues when owner role not found.""" with ( patch("preloop.api.auth.router.crud_account") as mock_account, patch("preloop.api.auth.router.crud_user") as mock_user_crud, patch("preloop.api.auth.router.crud_role") as mock_role, patch("preloop.api.auth.router.crud_user_role") as mock_user_role, patch("preloop.api.auth.router.complete_new_account_setup_background"), ): mock_account_obj = MagicMock() mock_account_obj.id = uuid.uuid4() mock_account.create.return_value = mock_account_obj mock_user_obj = MagicMock() mock_user_obj.id = uuid.uuid4() mock_user_obj.username = "testuser" mock_user_obj.email = "test@example.com" mock_user_obj.full_name = "Test User" mock_user_obj.email_verified = False mock_user_obj.is_active = True mock_user_obj.created_at = datetime.now(timezone.utc) mock_user_crud.create.return_value = mock_user_obj mock_user_crud.get_by_username.return_value = None mock_user_crud.get_by_email.return_value = None # Owner role not found mock_role.get_by_name.return_value = None response = client.post( "/auth/register", json={ "username": "testuser", "email": "test@example.com", "password": "securepassword123", "full_name": "Test User", }, ) # Should still succeed, just without role assignment assert response.status_code == 201 mock_user_role.create.assert_not_called() # ============================================================================ # Onboarding Flow Tests # ============================================================================ class TestOnboardingFlows: """Tests for onboarding flows (Stripe checkout completion).""" def test_complete_onboarding_success(self, db_session_mock): """Test successful onboarding completion.""" mock_user = MagicMock(spec=User) mock_user.id = uuid.uuid4() mock_user.username = "tempuser123" mock_user.email = "test@example.com" mock_user.hashed_password = "NEEDS_RESET" with patch("preloop.api.auth.router.crud_user") as mock_crud: mock_crud.get_by_email.return_value = mock_user mock_crud.get_by_username.return_value = None response = client.post( "/auth/complete-onboarding", json={ "email": "test@example.com", "username": "newusername", "password": "newsecurepassword123", }, ) assert response.status_code == 200 data = response.json() assert "access_token" in data assert "refresh_token" in data assert data["token_type"] == "bearer" def test_complete_onboarding_user_not_found(self, db_session_mock): """Test onboarding fails when user not found.""" with patch("preloop.api.auth.router.crud_user") as mock_crud: mock_crud.get_by_email.return_value = None response = client.post( "/auth/complete-onboarding", json={ "email": "nonexistent@example.com", "username": "newusername", "password": "newsecurepassword123", }, ) assert response.status_code == 404 assert "User not found" in response.json()["detail"] def test_complete_onboarding_already_completed(self, db_session_mock): """Test onboarding fails when already completed.""" mock_user = MagicMock(spec=User) mock_user.id = uuid.uuid4() mock_user.username = "existinguser" mock_user.email = "test@example.com" mock_user.hashed_password = get_password_hash( "existingpassword" ) # Not NEEDS_RESET with patch("preloop.api.auth.router.crud_user") as mock_crud: mock_crud.get_by_email.return_value = mock_user response = client.post( "/auth/complete-onboarding", json={ "email": "test@example.com", "username": "newusername", "password": "newsecurepassword123", }, ) assert response.status_code == 400 assert "Onboarding already completed" in response.json()["detail"] def test_complete_onboarding_username_taken(self, db_session_mock): """Test onboarding fails when new username is taken.""" mock_user = MagicMock(spec=User) mock_user.id = uuid.uuid4() mock_user.username = "tempuser123" mock_user.email = "test@example.com" mock_user.hashed_password = "NEEDS_RESET" existing_user = MagicMock(spec=User) existing_user.id = uuid.uuid4() existing_user.username = "takenusername" with patch("preloop.api.auth.router.crud_user") as mock_crud: mock_crud.get_by_email.return_value = mock_user mock_crud.get_by_username.return_value = existing_user response = client.post( "/auth/complete-onboarding", json={ "email": "test@example.com", "username": "takenusername", "password": "newsecurepassword123", }, ) assert response.status_code == 400 assert "Username is already taken" in response.json()["detail"] def test_complete_onboarding_keep_same_username(self, db_session_mock): """Test onboarding succeeds when keeping the same username.""" mock_user = MagicMock(spec=User) mock_user.id = uuid.uuid4() mock_user.username = "sameusername" mock_user.email = "test@example.com" mock_user.hashed_password = "NEEDS_RESET" with patch("preloop.api.auth.router.crud_user") as mock_crud: mock_crud.get_by_email.return_value = mock_user # Don't need to check for existing username if it's the same response = client.post( "/auth/complete-onboarding", json={ "email": "test@example.com", "username": "sameusername", # Same as current "password": "newsecurepassword123", }, ) assert response.status_code == 200 # get_by_username should not be called since username didn't change mock_crud.get_by_username.assert_not_called() # ============================================================================ # Email Verification Tests # ============================================================================ class TestEmailVerification: """Tests for email verification flow.""" def test_verify_email_success(self, db_session_mock): """Test successful email verification.""" mock_user = MagicMock(spec=User) mock_user.email = "test@example.com" mock_user.email_verified = False with ( patch("preloop.api.auth.router.verify_token") as mock_verify_token, patch("preloop.api.auth.router.crud_user") as mock_crud, ): mock_verify_token.return_value = "test@example.com" mock_crud.get_by_email.return_value = mock_user response = client.post( "/auth/verify-email", json={"token": "valid_token"}, ) assert response.status_code == 200 assert "Email verified successfully" in response.json()["message"] assert mock_user.email_verified is True def test_verify_email_invalid_token(self, db_session_mock): """Test email verification with invalid token.""" with patch("preloop.api.auth.router.verify_token") as mock_verify_token: mock_verify_token.side_effect = TokenError("Invalid token") response = client.post( "/auth/verify-email", json={"token": "invalid_token"}, ) assert response.status_code == 400 assert "Invalid token" in response.json()["detail"] def test_verify_email_user_not_found(self, db_session_mock): """Test email verification when user not found. Note: Due to the exception handling in the router, HTTPException raised for "User not found" gets caught by the outer Exception handler and results in a 500 error. This test verifies the current behavior. """ with ( patch("preloop.api.auth.router.verify_token") as mock_verify_token, patch("preloop.api.auth.router.crud_user") as mock_crud, ): mock_verify_token.return_value = "nonexistent@example.com" mock_crud.get_by_email.return_value = None response = client.post( "/auth/verify-email", json={"token": "valid_token"}, ) # The HTTPException is caught by the outer except block, returning 500 assert response.status_code == 500 assert "Error verifying email" in response.json()["detail"] # ============================================================================ # Password Reset Tests # ============================================================================ class TestPasswordReset: """Tests for password reset flow.""" def test_forgot_password_existing_user(self, db_session_mock): """Test forgot password with existing user.""" mock_user = MagicMock(spec=User) mock_user.email = "test@example.com" with ( patch("preloop.api.auth.router.crud_user") as mock_crud, patch( "preloop.api.auth.router.create_password_reset_token" ) as mock_create_token, patch( "preloop.api.auth.router.send_password_reset_email" ) as mock_send_email, ): mock_crud.get_by_email.return_value = mock_user mock_create_token.return_value = "reset_token" response = client.post( "/auth/forgot-password", json={"email": "test@example.com"}, ) assert response.status_code == 200 # Always returns success message for security assert "password reset link" in response.json()["message"].lower() def test_forgot_password_nonexistent_user(self, db_session_mock): """Test forgot password with nonexistent user returns same message.""" with patch("preloop.api.auth.router.crud_user") as mock_crud: mock_crud.get_by_email.return_value = None response = client.post( "/auth/forgot-password", json={"email": "nonexistent@example.com"}, ) # Should return success to prevent email enumeration assert response.status_code == 200 assert "password reset link" in response.json()["message"].lower() def test_reset_password_success(self, db_session_mock): """Test successful password reset.""" mock_user = MagicMock(spec=User) mock_user.email = "test@example.com" with ( patch("preloop.api.auth.router.verify_token") as mock_verify_token, patch("preloop.api.auth.router.crud_user") as mock_crud, ): mock_verify_token.return_value = "test@example.com" mock_crud.get_by_email.return_value = mock_user response = client.post( "/auth/reset-password", json={ "token": "valid_reset_token", "new_password": "newsecurepassword123", }, ) assert response.status_code == 200 assert "Password reset successfully" in response.json()["message"] def test_reset_password_invalid_token(self, db_session_mock): """Test password reset with invalid token.""" with patch("preloop.api.auth.router.verify_token") as mock_verify_token: mock_verify_token.side_effect = TokenError("Invalid or expired token") response = client.post( "/auth/reset-password", json={ "token": "invalid_token", "new_password": "newsecurepassword123", }, ) assert response.status_code == 400 def test_reset_password_user_not_found(self, db_session_mock): """Test password reset when user not found. Note: Due to the exception handling in the router, HTTPException raised for "User not found" gets caught by the outer Exception handler and results in a 500 error. This test verifies the current behavior. """ with ( patch("preloop.api.auth.router.verify_token") as mock_verify_token, patch("preloop.api.auth.router.crud_user") as mock_crud, ): mock_verify_token.return_value = "nonexistent@example.com" mock_crud.get_by_email.return_value = None response = client.post( "/auth/reset-password", json={ "token": "valid_token", "new_password": "newsecurepassword123", }, ) # The HTTPException is caught by the outer except block, returning 500 assert response.status_code == 500 assert "Error resetting password" in response.json()["detail"] # ============================================================================ # Login Flow Tests # ============================================================================ class TestLoginFlows: """Tests for login flows.""" def test_login_form_success(self): """Test successful login with form data.""" mock_user = MagicMock(spec=User) mock_user.id = uuid.uuid4() mock_user.username = "testuser" with patch("preloop.api.auth.router.authenticate_user") as mock_auth: mock_auth.return_value = mock_user response = client.post( "/auth/token", data={"username": "testuser", "password": "password123"}, ) assert response.status_code == 200 data = response.json() assert "access_token" in data assert "refresh_token" in data assert data["token_type"] == "bearer" def test_login_form_failure(self): """Test failed login with form data.""" with patch("preloop.api.auth.router.authenticate_user") as mock_auth: mock_auth.return_value = None response = client.post( "/auth/token", data={"username": "wronguser", "password": "wrongpassword"}, ) assert response.status_code == 401 assert "Incorrect username or password" in response.json()["detail"] def test_login_json_success(self): """Test successful login with JSON data.""" mock_user = MagicMock(spec=User) mock_user.id = uuid.uuid4() mock_user.username = "testuser" with patch("preloop.api.auth.router.authenticate_user") as mock_auth: mock_auth.return_value = mock_user response = client.post( "/auth/token/json", json={"username": "testuser", "password": "password123"}, ) assert response.status_code == 200 data = response.json() assert "access_token" in data assert "refresh_token" in data def test_login_json_failure(self): """Test failed login with JSON data.""" with patch("preloop.api.auth.router.authenticate_user") as mock_auth: mock_auth.return_value = None response = client.post( "/auth/token/json", json={"username": "wronguser", "password": "wrongpassword"}, ) assert response.status_code == 401 @pytest.mark.asyncio async def test_authenticate_user_not_found(self): """Test authentication fails when user not found.""" with ( patch("preloop.api.auth.router.get_db_session") as mock_get_db, patch("preloop.api.auth.router.crud_user") as mock_crud, ): db_session = MagicMock() mock_get_db.return_value = iter([db_session]) mock_crud.get_by_username.return_value = None result = await authenticate_user("nonexistent", "password123") assert result is None @pytest.mark.asyncio async def test_authenticate_user_inactive(self, mock_inactive_user): """Test authentication fails for inactive user.""" with ( patch("preloop.api.auth.router.get_db_session") as mock_get_db, patch("preloop.api.auth.router.crud_user") as mock_crud, patch("preloop.api.auth.router.verify_password") as mock_verify, ): db_session = MagicMock() mock_get_db.return_value = iter([db_session]) mock_crud.get_by_username.return_value = mock_inactive_user mock_verify.return_value = True result = await authenticate_user("inactiveuser", "password123") assert result is None # ============================================================================ # API Key Tests # ============================================================================ class TestApiKeyEndpoints: """Tests for API key management endpoints.""" def test_create_api_key_success(self, db_session_mock): """Test successful API key creation.""" from preloop.api.auth.jwt import get_current_active_user mock_user = MagicMock(spec=User) mock_user.id = uuid.uuid4() mock_user.account_id = uuid.uuid4() mock_user.is_active = True app.dependency_overrides[get_current_active_user] = lambda: mock_user try: # Setup the session to properly create the API key created_at = datetime.now(timezone.utc) def refresh_side_effect(obj): obj.id = uuid.uuid4() obj.created_at = created_at obj.last_used_at = None db_session_mock.add = MagicMock() db_session_mock.commit = MagicMock() db_session_mock.refresh = MagicMock(side_effect=refresh_side_effect) response = client.post( "/auth/api-keys", json={"name": "Test Key", "scopes": []}, ) assert response.status_code == 201 data = response.json() assert data["name"] == "Test Key" assert "key" in data finally: app.dependency_overrides.clear() def test_create_api_key_duplicate_name(self, db_session_mock): """Test API key creation fails with duplicate name.""" from preloop.api.auth.jwt import get_current_active_user mock_user = MagicMock(spec=User) mock_user.id = uuid.uuid4() mock_user.account_id = uuid.uuid4() mock_user.is_active = True app.dependency_overrides[get_current_active_user] = lambda: mock_user try: # Simulate integrity error for duplicate name mock_error = IntegrityError("mock", "mock", "mock") mock_error.orig = MagicMock() mock_error.orig.diag = MagicMock() mock_error.orig.diag.constraint_name = "uix_api_key_account_id_name" db_session_mock.commit.side_effect = mock_error response = client.post( "/auth/api-keys", json={"name": "Duplicate Key", "scopes": []}, ) assert response.status_code == 400 assert "already exists" in response.json()["detail"] finally: app.dependency_overrides.clear() def test_delete_api_key_not_found(self, db_session_mock): """Test deleting non-existent API key.""" from preloop.api.auth.jwt import get_current_active_user mock_user = MagicMock(spec=User) mock_user.username = "testuser" mock_user.is_active = True app.dependency_overrides[get_current_active_user] = lambda: mock_user try: with patch("preloop.api.auth.router.crud_api_key") as mock_crud: mock_crud.get_by_id_and_user.return_value = None response = client.delete(f"/auth/api-keys/{uuid.uuid4()}") # The endpoint catches Exception and returns 500 # But HTTP 404 gets raised before that assert response.status_code in [404, 500] finally: app.dependency_overrides.clear()

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/yconst/preloop'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

test_auth_comprehensive.py•44.4 KiB