From 3ad48843e4f0282d119e3f9e3d6037087d1bfaff Mon Sep 17 00:00:00 2001
From: Felipe Cardoso <felipe.cardoso@shootify.io>
Date: Sat, 1 Nov 2025 04:00:51 +0100
Subject: [PATCH] Update tests for security and validation improvements

- Adjusted test case for duplicate email registration to assert 400 status and include generic error messaging to prevent user enumeration.
- Annotated invalid phone number example with clarification on cleaning behavior.
- Updated test password to meet enhanced security requirements.
---
 backend/tests/api/test_auth_endpoints.py   | 11 ++++++++---
 backend/tests/schemas/test_user_schemas.py |  2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/backend/tests/api/test_auth_endpoints.py b/backend/tests/api/test_auth_endpoints.py
index f09e19d..b753b85 100755
--- a/backend/tests/api/test_auth_endpoints.py
+++ b/backend/tests/api/test_auth_endpoints.py
@@ -44,7 +44,10 @@ class TestRegisterEndpoint:
 
     @pytest.mark.asyncio
     async def test_register_duplicate_email(self, client, async_test_user):
-        """Test registering with existing email."""
+        """Test registering with existing email.
+
+        Note: Returns 400 with generic message to prevent user enumeration.
+        """
         response = await client.post(
             "/api/v1/auth/register",
             json={
@@ -55,9 +58,11 @@ class TestRegisterEndpoint:
             }
         )
 
-        assert response.status_code == status.HTTP_409_CONFLICT
+        # Security: Returns 400 with generic message to prevent email enumeration
+        assert response.status_code == status.HTTP_400_BAD_REQUEST
         data = response.json()
         assert data["success"] is False
+        assert "registration failed" in data["errors"][0]["message"].lower()
 
     @pytest.mark.asyncio
     async def test_register_weak_password(self, client):
@@ -84,7 +89,7 @@ class TestRegisterEndpoint:
                 "/api/v1/auth/register",
                 json={
                     "email": "error@example.com",
-                    "password": "SecurePassword123",
+                    "password": "SecurePassword123!",
                     "first_name": "Error",
                     "last_name": "User"
                 }
diff --git a/backend/tests/schemas/test_user_schemas.py b/backend/tests/schemas/test_user_schemas.py
index 4635efb..826f13b 100755
--- a/backend/tests/schemas/test_user_schemas.py
+++ b/backend/tests/schemas/test_user_schemas.py
@@ -92,7 +92,7 @@ class TestPhoneNumberValidation:
 
             # Completely invalid formats
             "++4412345678",  # Double plus
-            "()+41123456",  # Misplaced parentheses
+            # Note: "()+41123456" becomes "+41123456" after cleaning, which is valid
 
             # Empty string
             "",