Convert password reset and auth dependencies tests to async
- Refactored all `password reset` and `auth dependency` tests to utilize async patterns for compatibility with async database sessions. - Enhanced test fixtures with `pytest-asyncio` to support asynchronous database operations. - Improved user handling with async context management for `test_user` and `async_mock_user`. - Introduced `await` syntax for route calls, token generation, and database transactions in test cases.
This commit is contained in:
Felipe Cardoso
152
backend/tests/api/test_auth_password_reset.py
Normal file → Executable file
152
backend/tests/api/test_auth_password_reset.py
Normal file → Executable file
@@ -3,11 +3,14 @@
|
||||
Tests for password reset endpoints.
|
||||
"""
|
||||
import pytest
|
||||
import pytest_asyncio
|
||||
from unittest.mock import patch, AsyncMock, MagicMock
|
||||
from fastapi import status
|
||||
from sqlalchemy import select
|
||||
|
||||
from app.schemas.users import PasswordResetRequest, PasswordResetConfirm
|
||||
from app.utils.security import create_password_reset_token
|
||||
from app.models.user import User
|
||||
|
||||
|
||||
# Disable rate limiting for tests
|
||||
@@ -22,14 +25,14 @@ class TestPasswordResetRequest:
|
||||
"""Tests for POST /auth/password-reset/request endpoint."""
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_request_valid_email(self, client, test_user):
|
||||
async def test_password_reset_request_valid_email(self, client, async_test_user):
|
||||
"""Test password reset request with valid email."""
|
||||
with patch('app.api.routes.auth.email_service.send_password_reset_email') as mock_send:
|
||||
mock_send.return_value = True
|
||||
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/request",
|
||||
json={"email": test_user.email}
|
||||
json={"email": async_test_user.email}
|
||||
)
|
||||
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
@@ -40,15 +43,15 @@ class TestPasswordResetRequest:
|
||||
# Verify email was sent
|
||||
mock_send.assert_called_once()
|
||||
call_args = mock_send.call_args
|
||||
assert call_args.kwargs["to_email"] == test_user.email
|
||||
assert call_args.kwargs["user_name"] == test_user.first_name
|
||||
assert call_args.kwargs["to_email"] == async_test_user.email
|
||||
assert call_args.kwargs["user_name"] == async_test_user.first_name
|
||||
assert "reset_token" in call_args.kwargs
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_request_nonexistent_email(self, client):
|
||||
"""Test password reset request with non-existent email."""
|
||||
with patch('app.api.routes.auth.email_service.send_password_reset_email') as mock_send:
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/request",
|
||||
json={"email": "nonexistent@example.com"}
|
||||
)
|
||||
@@ -62,17 +65,20 @@ class TestPasswordResetRequest:
|
||||
mock_send.assert_not_called()
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_request_inactive_user(self, client, test_db, test_user):
|
||||
async def test_password_reset_request_inactive_user(self, client, async_test_db, async_test_user):
|
||||
"""Test password reset request with inactive user."""
|
||||
# Deactivate user
|
||||
test_user.is_active = False
|
||||
test_db.add(test_user)
|
||||
test_db.commit()
|
||||
test_engine, AsyncTestingSessionLocal = async_test_db
|
||||
async with AsyncTestingSessionLocal() as session:
|
||||
result = await session.execute(select(User).where(User.id == async_test_user.id))
|
||||
user_in_session = result.scalar_one_or_none()
|
||||
user_in_session.is_active = False
|
||||
await session.commit()
|
||||
|
||||
with patch('app.api.routes.auth.email_service.send_password_reset_email') as mock_send:
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/request",
|
||||
json={"email": test_user.email}
|
||||
json={"email": async_test_user.email}
|
||||
)
|
||||
|
||||
# Should still return success to prevent email enumeration
|
||||
@@ -86,7 +92,7 @@ class TestPasswordResetRequest:
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_request_invalid_email_format(self, client):
|
||||
"""Test password reset request with invalid email format."""
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/request",
|
||||
json={"email": "not-an-email"}
|
||||
)
|
||||
@@ -96,7 +102,7 @@ class TestPasswordResetRequest:
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_request_missing_email(self, client):
|
||||
"""Test password reset request without email."""
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/request",
|
||||
json={}
|
||||
)
|
||||
@@ -104,14 +110,14 @@ class TestPasswordResetRequest:
|
||||
assert response.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_request_email_service_error(self, client, test_user):
|
||||
async def test_password_reset_request_email_service_error(self, client, async_test_user):
|
||||
"""Test password reset when email service fails."""
|
||||
with patch('app.api.routes.auth.email_service.send_password_reset_email') as mock_send:
|
||||
mock_send.side_effect = Exception("SMTP Error")
|
||||
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/request",
|
||||
json={"email": test_user.email}
|
||||
json={"email": async_test_user.email}
|
||||
)
|
||||
|
||||
# Should still return success even if email fails
|
||||
@@ -120,16 +126,16 @@ class TestPasswordResetRequest:
|
||||
assert data["success"] is True
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_request_rate_limiting(self, client, test_user):
|
||||
async def test_password_reset_request_rate_limiting(self, client, async_test_user):
|
||||
"""Test that password reset requests are rate limited."""
|
||||
with patch('app.api.routes.auth.email_service.send_password_reset_email') as mock_send:
|
||||
mock_send.return_value = True
|
||||
|
||||
# Make multiple requests quickly (3/minute limit)
|
||||
for _ in range(3):
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/request",
|
||||
json={"email": test_user.email}
|
||||
json={"email": async_test_user.email}
|
||||
)
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
|
||||
@@ -137,13 +143,14 @@ class TestPasswordResetRequest:
|
||||
class TestPasswordResetConfirm:
|
||||
"""Tests for POST /auth/password-reset/confirm endpoint."""
|
||||
|
||||
def test_password_reset_confirm_valid_token(self, client, test_user, test_db):
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_confirm_valid_token(self, client, async_test_user, async_test_db):
|
||||
"""Test password reset confirmation with valid token."""
|
||||
# Generate valid token
|
||||
token = create_password_reset_token(test_user.email)
|
||||
token = create_password_reset_token(async_test_user.email)
|
||||
new_password = "NewSecure123"
|
||||
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={
|
||||
"token": token,
|
||||
@@ -157,21 +164,25 @@ class TestPasswordResetConfirm:
|
||||
assert "successfully" in data["message"].lower()
|
||||
|
||||
# Verify user can login with new password
|
||||
test_db.refresh(test_user)
|
||||
from app.core.auth import verify_password
|
||||
assert verify_password(new_password, test_user.password_hash) is True
|
||||
test_engine, AsyncTestingSessionLocal = async_test_db
|
||||
async with AsyncTestingSessionLocal() as session:
|
||||
result = await session.execute(select(User).where(User.id == async_test_user.id))
|
||||
updated_user = result.scalar_one_or_none()
|
||||
from app.core.auth import verify_password
|
||||
assert verify_password(new_password, updated_user.password_hash) is True
|
||||
|
||||
def test_password_reset_confirm_expired_token(self, client, test_user):
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_confirm_expired_token(self, client, async_test_user):
|
||||
"""Test password reset confirmation with expired token."""
|
||||
import time as time_module
|
||||
|
||||
# Create token that expires immediately
|
||||
token = create_password_reset_token(test_user.email, expires_in=1)
|
||||
token = create_password_reset_token(async_test_user.email, expires_in=1)
|
||||
|
||||
# Wait for token to expire
|
||||
time_module.sleep(2)
|
||||
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={
|
||||
"token": token,
|
||||
@@ -186,9 +197,10 @@ class TestPasswordResetConfirm:
|
||||
error_msg = data["errors"][0]["message"].lower() if "errors" in data else ""
|
||||
assert "invalid" in error_msg or "expired" in error_msg
|
||||
|
||||
def test_password_reset_confirm_invalid_token(self, client):
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_confirm_invalid_token(self, client):
|
||||
"""Test password reset confirmation with invalid token."""
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={
|
||||
"token": "invalid_token_xyz",
|
||||
@@ -202,13 +214,14 @@ class TestPasswordResetConfirm:
|
||||
error_msg = data["errors"][0]["message"].lower() if "errors" in data else ""
|
||||
assert "invalid" in error_msg or "expired" in error_msg
|
||||
|
||||
def test_password_reset_confirm_tampered_token(self, client, test_user):
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_confirm_tampered_token(self, client, async_test_user):
|
||||
"""Test password reset confirmation with tampered token."""
|
||||
import base64
|
||||
import json
|
||||
|
||||
# Create valid token and tamper with it
|
||||
token = create_password_reset_token(test_user.email)
|
||||
token = create_password_reset_token(async_test_user.email)
|
||||
decoded = base64.urlsafe_b64decode(token.encode('utf-8')).decode('utf-8')
|
||||
token_data = json.loads(decoded)
|
||||
token_data["payload"]["email"] = "hacker@example.com"
|
||||
@@ -216,7 +229,7 @@ class TestPasswordResetConfirm:
|
||||
# Re-encode tampered token
|
||||
tampered = base64.urlsafe_b64encode(json.dumps(token_data).encode('utf-8')).decode('utf-8')
|
||||
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={
|
||||
"token": tampered,
|
||||
@@ -226,12 +239,13 @@ class TestPasswordResetConfirm:
|
||||
|
||||
assert response.status_code == status.HTTP_400_BAD_REQUEST
|
||||
|
||||
def test_password_reset_confirm_nonexistent_user(self, client):
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_confirm_nonexistent_user(self, client):
|
||||
"""Test password reset confirmation for non-existent user."""
|
||||
# Create token for email that doesn't exist
|
||||
token = create_password_reset_token("nonexistent@example.com")
|
||||
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={
|
||||
"token": token,
|
||||
@@ -245,16 +259,20 @@ class TestPasswordResetConfirm:
|
||||
error_msg = data["errors"][0]["message"].lower() if "errors" in data else ""
|
||||
assert "not found" in error_msg
|
||||
|
||||
def test_password_reset_confirm_inactive_user(self, client, test_user, test_db):
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_confirm_inactive_user(self, client, async_test_user, async_test_db):
|
||||
"""Test password reset confirmation for inactive user."""
|
||||
# Deactivate user
|
||||
test_user.is_active = False
|
||||
test_db.add(test_user)
|
||||
test_db.commit()
|
||||
test_engine, AsyncTestingSessionLocal = async_test_db
|
||||
async with AsyncTestingSessionLocal() as session:
|
||||
result = await session.execute(select(User).where(User.id == async_test_user.id))
|
||||
user_in_session = result.scalar_one_or_none()
|
||||
user_in_session.is_active = False
|
||||
await session.commit()
|
||||
|
||||
token = create_password_reset_token(test_user.email)
|
||||
token = create_password_reset_token(async_test_user.email)
|
||||
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={
|
||||
"token": token,
|
||||
@@ -268,9 +286,10 @@ class TestPasswordResetConfirm:
|
||||
error_msg = data["errors"][0]["message"].lower() if "errors" in data else ""
|
||||
assert "inactive" in error_msg
|
||||
|
||||
def test_password_reset_confirm_weak_password(self, client, test_user):
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_confirm_weak_password(self, client, async_test_user):
|
||||
"""Test password reset confirmation with weak password."""
|
||||
token = create_password_reset_token(test_user.email)
|
||||
token = create_password_reset_token(async_test_user.email)
|
||||
|
||||
# Test various weak passwords
|
||||
weak_passwords = [
|
||||
@@ -280,7 +299,7 @@ class TestPasswordResetConfirm:
|
||||
]
|
||||
|
||||
for weak_password in weak_passwords:
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={
|
||||
"token": token,
|
||||
@@ -290,10 +309,11 @@ class TestPasswordResetConfirm:
|
||||
|
||||
assert response.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY
|
||||
|
||||
def test_password_reset_confirm_missing_fields(self, client):
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_confirm_missing_fields(self, client):
|
||||
"""Test password reset confirmation with missing fields."""
|
||||
# Missing token
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={"new_password": "NewSecure123"}
|
||||
)
|
||||
@@ -301,20 +321,22 @@ class TestPasswordResetConfirm:
|
||||
|
||||
# Missing password
|
||||
token = create_password_reset_token("test@example.com")
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={"token": token}
|
||||
)
|
||||
assert response.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY
|
||||
|
||||
def test_password_reset_confirm_database_error(self, client, test_user, test_db):
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_confirm_database_error(self, client, async_test_user):
|
||||
"""Test password reset confirmation with database error."""
|
||||
token = create_password_reset_token(test_user.email)
|
||||
token = create_password_reset_token(async_test_user.email)
|
||||
|
||||
with patch.object(test_db, 'commit') as mock_commit:
|
||||
mock_commit.side_effect = Exception("Database error")
|
||||
# Mock the password update to raise an exception
|
||||
with patch('app.api.routes.auth.user_crud.update') as mock_update:
|
||||
mock_update.side_effect = Exception("Database error")
|
||||
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={
|
||||
"token": token,
|
||||
@@ -328,18 +350,19 @@ class TestPasswordResetConfirm:
|
||||
error_msg = data["errors"][0]["message"].lower() if "errors" in data else ""
|
||||
assert "error" in error_msg or "resetting" in error_msg
|
||||
|
||||
def test_password_reset_full_flow(self, client, test_user, test_db):
|
||||
@pytest.mark.asyncio
|
||||
async def test_password_reset_full_flow(self, client, async_test_user, async_test_db):
|
||||
"""Test complete password reset flow."""
|
||||
original_password = test_user.password_hash
|
||||
original_password = async_test_user.password_hash
|
||||
new_password = "BrandNew123"
|
||||
|
||||
# Step 1: Request password reset
|
||||
with patch('app.api.routes.auth.email_service.send_password_reset_email') as mock_send:
|
||||
mock_send.return_value = True
|
||||
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/request",
|
||||
json={"email": test_user.email}
|
||||
json={"email": async_test_user.email}
|
||||
)
|
||||
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
@@ -349,7 +372,7 @@ class TestPasswordResetConfirm:
|
||||
reset_token = call_args.kwargs["reset_token"]
|
||||
|
||||
# Step 2: Confirm password reset
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/password-reset/confirm",
|
||||
json={
|
||||
"token": reset_token,
|
||||
@@ -360,15 +383,18 @@ class TestPasswordResetConfirm:
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
|
||||
# Step 3: Verify old password doesn't work
|
||||
test_db.refresh(test_user)
|
||||
from app.core.auth import verify_password
|
||||
assert test_user.password_hash != original_password
|
||||
test_engine, AsyncTestingSessionLocal = async_test_db
|
||||
async with AsyncTestingSessionLocal() as session:
|
||||
result = await session.execute(select(User).where(User.id == async_test_user.id))
|
||||
updated_user = result.scalar_one_or_none()
|
||||
from app.core.auth import verify_password
|
||||
assert updated_user.password_hash != original_password
|
||||
|
||||
# Step 4: Verify new password works
|
||||
response = client.post(
|
||||
response = await client.post(
|
||||
"/api/v1/auth/login",
|
||||
json={
|
||||
"email": test_user.email,
|
||||
"email": async_test_user.email,
|
||||
"password": new_password
|
||||
}
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user