Add extensive CRUD tests for session and user management; enhance cleanup logic

- Introduced new unit tests for session CRUD operations, including `update_refresh_token`, `cleanup_expired`, and multi-user session handling. - Added comprehensive tests for `CRUDBase` methods, covering edge cases, error handling, and UUID validation. - Reduced default test session creation from 5 to 2 for performance optimization. - Enhanced pagination, filtering, and sorting validations in `get_multi_with_total`. - Improved error handling with descriptive assertions for database exceptions. - Introduced tests for eager-loaded relationships in user sessions for comprehensive coverage.
2025-11-01 12:18:29 +01:00
parent 293fbcb27e
commit 976fd1d4ad
6 changed files with 1502 additions and 34 deletions
--- a/backend/tests/api/test_security_headers.py
+++ b/backend/tests/api/test_security_headers.py
@@ -6,9 +6,9 @@ from unittest.mock import patch
 from app.main import app


-@pytest.fixture
+@pytest.fixture(scope="module")
 def client():
-    """Create a FastAPI test client for the main app."""
+    """Create a FastAPI test client for the main app (module-scoped for speed)."""
    # Mock get_db to avoid database connection issues
    with patch("app.core.database.get_db") as mock_get_db:
        async def mock_session_generator():
@@ -25,46 +25,38 @@ def client():
 class TestSecurityHeaders:
    """Tests for security headers middleware"""

-    def test_x_frame_options_header(self, client):
-        """Test that X-Frame-Options header is set to DENY"""
+    def test_all_security_headers(self, client):
+        """Test all security headers in a single request for speed"""
        response = client.get("/health")
+
+        # Test X-Frame-Options
        assert "X-Frame-Options" in response.headers
        assert response.headers["X-Frame-Options"] == "DENY"

-    def test_x_content_type_options_header(self, client):
-        """Test that X-Content-Type-Options header is set to nosniff"""
-        response = client.get("/health")
+        # Test X-Content-Type-Options
        assert "X-Content-Type-Options" in response.headers
        assert response.headers["X-Content-Type-Options"] == "nosniff"

-    def test_x_xss_protection_header(self, client):
-        """Test that X-XSS-Protection header is set"""
-        response = client.get("/health")
+        # Test X-XSS-Protection
        assert "X-XSS-Protection" in response.headers
        assert response.headers["X-XSS-Protection"] == "1; mode=block"

-    def test_content_security_policy_header(self, client):
-        """Test that Content-Security-Policy header is set"""
-        response = client.get("/health")
+        # Test Content-Security-Policy
        assert "Content-Security-Policy" in response.headers
        assert "default-src 'self'" in response.headers["Content-Security-Policy"]
        assert "frame-ancestors 'none'" in response.headers["Content-Security-Policy"]

-    def test_permissions_policy_header(self, client):
-        """Test that Permissions-Policy header is set"""
-        response = client.get("/health")
+        # Test Permissions-Policy
        assert "Permissions-Policy" in response.headers
        assert "geolocation=()" in response.headers["Permissions-Policy"]
        assert "microphone=()" in response.headers["Permissions-Policy"]
        assert "camera=()" in response.headers["Permissions-Policy"]

-    def test_referrer_policy_header(self, client):
-        """Test that Referrer-Policy header is set"""
-        response = client.get("/health")
+        # Test Referrer-Policy
        assert "Referrer-Policy" in response.headers
        assert response.headers["Referrer-Policy"] == "strict-origin-when-cross-origin"

-    def test_strict_transport_security_not_in_development(self, client):
+    def test_hsts_not_in_development(self, client):
        """Test that Strict-Transport-Security header is not set in development"""
        from app.core.config import settings

@@ -73,18 +65,6 @@ class TestSecurityHeaders:
            response = client.get("/health")
            assert "Strict-Transport-Security" not in response.headers

-    def test_security_headers_on_all_endpoints(self, client):
-        """Test that security headers are present on all endpoints"""
-        # Test health endpoint
-        response = client.get("/health")
-        assert "X-Frame-Options" in response.headers
-        assert "X-Content-Type-Options" in response.headers
-
-        # Test root endpoint
-        response = client.get("/")
-        assert "X-Frame-Options" in response.headers
-        assert "X-Content-Type-Options" in response.headers
-
    def test_security_headers_on_404(self, client):
        """Test that security headers are present even on 404 responses"""
        response = client.get("/nonexistent-endpoint")