Update tests for security and validation improvements
- Adjusted test case for duplicate email registration to assert 400 status and include generic error messaging to prevent user enumeration. - Annotated invalid phone number example with clarification on cleaning behavior. - Updated test password to meet enhanced security requirements.
@@ -44,7 +44,10 @@ class TestRegisterEndpoint:
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_register_duplicate_email(self, client, async_test_user):
|
||||
"""Test registering with existing email."""
|
||||
"""Test registering with existing email.
|
||||
|
||||
Note: Returns 400 with generic message to prevent user enumeration.
|
||||
"""
|
||||
response = await client.post(
|
||||
"/api/v1/auth/register",
|
||||
json={
|
||||
@@ -55,9 +58,11 @@ class TestRegisterEndpoint:
|
||||
}
|
||||
)
|
||||
|
||||
assert response.status_code == status.HTTP_409_CONFLICT
|
||||
# Security: Returns 400 with generic message to prevent email enumeration
|
||||
assert response.status_code == status.HTTP_400_BAD_REQUEST
|
||||
data = response.json()
|
||||
assert data["success"] is False
|
||||
assert "registration failed" in data["errors"][0]["message"].lower()
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_register_weak_password(self, client):
|
||||
@@ -84,7 +89,7 @@ class TestRegisterEndpoint:
|
||||
"/api/v1/auth/register",
|
||||
json={
|
||||
"email": "error@example.com",
|
||||
"password": "SecurePassword123",
|
||||
"password": "SecurePassword123!",
|
||||
"first_name": "Error",
|
||||
"last_name": "User"
|
||||
}
|
||||
|
||||
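Review bot: The new assertion `assert "registration failed" in data["errors"][0]["message"].lower()` only checks that the generic phrase is present; it does not check that the duplicate address itself is absent from the response, so a handler that appends the email to that message would still pass the enumeration test. Add a negative assertion next to it, e.g. `assert "already" not in data["errors"][0]["message"].lower()` and `assert POSTED_EMAIL not in response.text` (POSTED_EMAIL standing for the address in the request payload, which lies between the first and second hunk, outside SOURCE). The `[0]` index raises IndexError instead of a readable failure when `errors` is empty; `assert data["errors"], data` before it makes the failure self-explanatory. The `# Security: Returns 400 with generic message ...` comment in the second hunk repeats the docstring note added in the first; one of the two is enough. test_register_duplicate_email's body spans both hunks and is not fully visible here.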
@@ -92,7 +92,7 @@ class TestPhoneNumberValidation:
|
||||
|
||||
# Completely invalid formats
|
||||
"++4412345678", # Double plus
|
||||
"()+41123456", # Misplaced parentheses
|
||||
# Note: "()+41123456" becomes "+41123456" after cleaning, which is valid
|
||||
|
||||
# Empty string
|
||||
"",
|
||||
|
||||
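Review bot: The comment `# Note: "()+41123456" becomes "+41123456" after cleaning, which is valid` records behaviour that no assertion now verifies; the 7/7 hunk counts suggest it replaced the `"()+41123456",  # Misplaced parentheses` entry rather than annotating it, so a later change to the cleaning step that starts rejecting (or mangling) that input would go unnoticed. Move the example into the valid-formats case with the same explanation, e.g. `"()+41123456",  # stripped to +41123456 by cleaning`, so the cleaning behaviour is pinned by a test rather than only described in a comment. Whether this file has such a valid-formats list is not visible in the hunk. The enclosing list literal and the test that consumes it start and end outside the hunk.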