From 4385d20ca622a47bdd07c005228afdde63bd5ce3 Mon Sep 17 00:00:00 2001
From: Felipe Cardoso
Date: Sun, 1 Mar 2026 14:24:17 +0100
Subject: [PATCH] fix(tests): simplify invalid token test logic in `test_auth_security.py`

- Removed unnecessary try-except block for JWT encoding failures.
- Adjusted test to directly verify `TokenInvalidError` during decoding.
- Clarified comment on HMAC algorithm compatibility (`HS384` vs. `HS256`).
---
 backend/pyproject.toml | 2 +-
 backend/tests/core/test_auth_security.py | 14 ++++----------
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index acbde98..f7ce481 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -157,7 +157,7 @@ unfixable = []
 [tool.ruff.lint.per-file-ignores]
 "app/alembic/env.py" = ["E402", "F403", "F405"] # Alembic requires specific import order
 "app/alembic/versions/*.py" = ["E402"] # Migration files have specific structure
-"tests/**/*.py" = ["S101", "N806", "B017", "N817", "S110", "ASYNC251", "RUF043", "T20"] # pytest: asserts, CamelCase fixtures, blind exceptions, try-pass patterns, async test helpers, and print for debugging are intentional
+"tests/**/*.py" = ["S101", "N806", "B017", "N817", "ASYNC251", "RUF043", "T20"] # pytest: asserts, CamelCase fixtures, blind exceptions, async test helpers, and print for debugging are intentional
 "app/models/__init__.py" = ["F401"] # __init__ files re-export modules
 "app/models/base.py" = ["F401"] # Re-exports Base for use by other models
 "app/utils/test_utils.py" = ["N806"] # SQLAlchemy session factories use CamelCase convention
diff --git a/backend/tests/core/test_auth_security.py b/backend/tests/core/test_auth_security.py
index b620a7b..5627ba0 100644
--- a/backend/tests/core/test_auth_security.py
+++ b/backend/tests/core/test_auth_security.py
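Review bot: Removing `S110` from the `tests/**/*.py` ignore list on the `+` line makes every try-except-pass in the whole tests tree a lint failure, not just the one this commit rewrites, so the ruff run should be confirmed green across `tests/**` before merge (other occurrences, if any, are not visible in this patch). Keeping blind-exception swallowing out of tests is the right direction, since a silent `except Exception: pass` around a security assertion can let a regression pass unnoticed. If some other test genuinely needs a best-effort step, `contextlib.suppress(<SpecificError>)` with a narrow exception type is the usual replacement rather than re-adding the ignore. The trailing comment on the new line was updated consistently with the removed rule.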
@@ -148,17 +148,11 @@ class TestJWTAlgorithmSecurityAttacks:
 payload = {"sub": "user123", "exp": now + 3600, "iat": now, "type": "access"}
- # Create token with HS384 instead of HS256
- try:
- malicious_token = jwt.encode(
- payload, settings.SECRET_KEY, algorithm="HS384"
- )
+ # Create token with HS384 instead of HS256 (HMAC key works with HS384)
+ malicious_token = jwt.encode(payload, settings.SECRET_KEY, algorithm="HS384")
- with pytest.raises(TokenInvalidError):
- decode_token(malicious_token)
- except Exception:
- # If encoding fails, that's also fine
- pass
+ with pytest.raises(TokenInvalidError):
+ decode_token(malicious_token)
 def test_valid_token_with_correct_algorithm_accepted(self):
 """