Add tests for auth module

Author: laviprog

.github/workflows/workflow.yml

@@ -10,6 +10,15 @@ jobs:
   tests:
     runs-on: ubuntu-latest
 
+    env:
+      DB_HOST: ${{ secrets.DB_HOST }}
+      DB_PORT: ${{ secrets.DB_PORT }}
+      DB_NAME: ${{ secrets.DB_NAME }}
+      DB_USER: ${{ secrets.DB_USER }}
+      DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+      SECRET_KEY: ${{ secrets.SECRET_KEY }}
+      SECRET_REFRESH_KEY: ${{ secrets.SECRET_REFRESH_KEY }}
+
     steps:
       - uses: actions/checkout@v3
 

pyproject.toml

@@ -11,6 +11,7 @@ dependencies = [
     "black>=25.1.0",
     "fastapi>=0.115.12",
     "freezegun>=1.5.1",
+    "httpx>=0.28.1",
     "isort>=6.0.1",
     "passlib[argon2]>=1.7.4",
     "pydantic>=2.11.4",

pytest.ini

@@ -2,3 +2,6 @@
 pythonpath = . src
 asyncio_mode = auto
 asyncio_default_fixture_loop_scope = function
+filterwarnings =
+    ignore::DeprecationWarning:passlib.*
+    ignore::matplotlib.MatplotlibDeprecationWarning

requirements.in

@@ -14,5 +14,5 @@ passlib[argon2]>=1.7.4
 pyjwt>=2.10.1
 whisperx>=3.3.1
 python-multipart>=0.0.12
-freezegun>=1.5.1
 pytest-asyncio>=0.26.0
+httpx>=0.28.1

requirements.txt

@@ -21,7 +21,9 @@ annotated-types==0.7.0
 antlr4-python3-runtime==4.9.3
     # via omegaconf
 anyio==4.9.0
-    # via starlette
+    # via
+    #   httpx
+    #   starlette
 argon2-cffi==23.1.0
     # via passlib
 argon2-cffi-bindings==21.2.0
@@ -37,7 +39,10 @@ av==14.4.0
 black==25.1.0
     # via -r requirements.in
 certifi==2025.4.26
-    # via requests
+    # via
+    #   httpcore
+    #   httpx
+    #   requests
 cffi==1.17.1
     # via
     #   argon2-cffi-bindings
@@ -88,8 +93,6 @@ flatbuffers==25.2.10
     # via onnxruntime
 fonttools==4.58.0
     # via matplotlib
-freezegun==1.5.1
-    # via -r requirements.in
 frozenlist==1.6.0
     # via
     #   aiohttp
@@ -105,7 +108,13 @@ greenlet==3.2.2
     #   advanced-alchemy
     #   sqlalchemy
 h11==0.16.0
-    # via uvicorn
+    # via
+    #   httpcore
+    #   uvicorn
+httpcore==1.0.9
+    # via httpx
+httpx==0.28.1
+    # via -r requirements.in
 huggingface-hub==0.31.4
     # via
     #   faster-whisper
@@ -120,6 +129,7 @@ hyperpyyaml==1.2.2
 idna==3.10
     # via
     #   anyio
+    #   httpx
     #   requests
     #   yarl
 iniconfig==2.1.0
@@ -281,7 +291,6 @@ pytest-asyncio==0.26.0
     # via -r requirements.in
 python-dateutil==2.9.0.post0
     # via
-    #   freezegun
     #   matplotlib
     #   pandas
 python-dotenv==1.1.0

src/config.py

@@ -12,13 +12,13 @@ class Settings(BaseSettings):
 
     SECRET_KEY: str
     SECRET_REFRESH_KEY: str
-    JWT_ALGORITHM: str
-    ACCESS_TOKEN_EXPIRE_MINUTES: int
-    REFRESH_TOKEN_EXPIRE_DAYS: int
+    JWT_ALGORITHM: str = "HS256"
+    ACCESS_TOKEN_EXPIRE_MINUTES: int = 15
+    REFRESH_TOKEN_EXPIRE_DAYS: int = 7
 
-    DEVICE: str
-    COMPUTE_TYPE: str
-    DOWNLOAD_ROOT: str
+    DEVICE: str = "cpu"
+    COMPUTE_TYPE: str = "float32"
+    DOWNLOAD_ROOT: str = "models"
 
     @property
     def DB_URL(self) -> str:

tests/auth/security/test_passwords.py

@@ -0,0 +1,41 @@
+from src.auth.security.passwords import hash_password, verify_password
+
+
+def test_hash_password_returns_string():
+    """Test that hash_password returns a non-empty string."""
+    password = "test_password"
+    hashed = hash_password(password)
+
+    assert isinstance(hashed, str)
+    assert len(hashed) > 0
+
+
+def test_hash_password_generates_different_hashes():
+    """Test that same password generates different hashes (salt verification)."""
+    password = "test_password"
+    hash1 = hash_password(password)
+    hash2 = hash_password(password)
+
+    assert hash1 != hash2
+
+
+def test_verify_password_correct():
+    """Test that verify_password returns True for correct password."""
+    password = "test_password"
+    hashed = hash_password(password)
+
+    assert verify_password(password, hashed) is True
+
+
+def test_verify_password_incorrect():
+    """Test that verify_password returns False for incorrect password."""
+    password = "test_password"
+    hashed = hash_password(password)
+
+    assert verify_password("wrong_password", hashed) is False
+
+
+def test_hash_format_is_argon2():
+    """Test that hash uses Argon2 format."""
+    hashed = hash_password("test_password")
+    assert hashed.startswith("$argon2")

tests/auth/security/test_token.py

@@ -0,0 +1,115 @@
+from datetime import timedelta
+from uuid import uuid4
+
+import jwt
+import pytest
+from fastapi import HTTPException
+
+from src.auth.security.schemas import TokenPayload
+from src.auth.security.token import (
+    create_access_token,
+    create_refresh_token,
+    create_token,
+    get_data_from_payload,
+    parse_token_payload,
+    verify_refresh_token,
+    verify_token,
+)
+from src.config import settings
+from src.users.models import Role
+
+
+@pytest.fixture
+def token_payload():
+    """Fixture for generating a sample TokenPayload with UUID and role."""
+    return TokenPayload(id=uuid4(), role=Role.USER)
+
+
+def test_create_token_returns_valid_jwt(token_payload):
+    """Test that create_token returns a valid JWT with expected payload and exp."""
+    data = {"id": str(token_payload.id), "role": token_payload.role.value}
+    token = create_token(data, settings.SECRET_KEY, timedelta(minutes=5))
+
+    decoded = jwt.decode(
+        token, settings.SECRET_KEY, algorithms=[settings.JWT_ALGORITHM]
+    )
+    assert decoded["id"] == str(token_payload.id)
+    assert decoded["role"] == token_payload.role.value
+    assert "exp" in decoded
+
+
+def test_get_data_from_payload(token_payload):
+    """Test that get_data_from_payload returns correct dictionary from TokenPayload."""
+    result = get_data_from_payload(token_payload)
+    assert result["id"] == str(token_payload.id)
+    assert result["role"] == token_payload.role.value
+
+
+def test_create_access_token_returns_string(token_payload):
+    """Test that create_access_token returns a string."""
+    token = create_access_token(token_payload)
+    assert isinstance(token, str)
+
+
+def test_create_refresh_token_returns_string(token_payload):
+    """Test that create_refresh_token returns a string."""
+    token = create_refresh_token(token_payload)
+    assert isinstance(token, str)
+
+
+def test_parse_token_payload_valid(token_payload):
+    """Test that parse_token_payload returns TokenPayload when input is valid."""
+    payload = {"id": str(token_payload.id), "role": token_payload.role.value}
+    result = parse_token_payload(payload, "error")
+    assert result.id == token_payload.id
+    assert result.role == token_payload.role
+
+
+@pytest.mark.parametrize(
+    "payload",
+    [
+        {"id": None, "role": "user"},
+        {"id": "123", "role": None},
+        {"id": "123", "role": "notarole"},
+    ],
+)
+def test_parse_token_payload_invalid(payload):
+    """Test that parse_token_payload raises HTTPException on invalid or missing fields."""
+    with pytest.raises(HTTPException):
+        parse_token_payload(payload, "invalid token")
+
+
+def test_verify_token_valid(token_payload):
+    """Test that verify_token returns valid TokenPayload when token is correct."""
+    token = create_access_token(token_payload)
+    result = verify_token(token)
+    assert result.id == token_payload.id
+    assert result.role == token_payload.role
+
+
+def test_verify_refresh_token_valid(token_payload):
+    """Test that verify_refresh_token returns valid TokenPayload when token is correct."""
+    token = create_refresh_token(token_payload)
+    result = verify_refresh_token(token)
+    assert result.id == token_payload.id
+    assert result.role == token_payload.role
+
+
+def test_verify_token_expired(token_payload):
+    """Test that verify_token raises HTTPException on expired token."""
+    token = create_token(
+        {"id": str(token_payload.id), "role": token_payload.role.value},
+        settings.SECRET_KEY,
+        timedelta(seconds=-1),  # already expired
+    )
+    with pytest.raises(HTTPException) as exc:
+        verify_token(token)
+    assert "expired" in str(exc.value.detail).lower()
+
+
+def test_verify_token_invalid():
+    """Test that verify_token raises HTTPException on completely invalid token."""
+    invalid_token = "this.is.not.valid"
+    with pytest.raises(HTTPException) as exc:
+        verify_token(invalid_token)
+    assert "invalid" in str(exc.value.detail).lower()

tests/auth/test_routes.py

@@ -0,0 +1,83 @@
+import uuid
+
+import pytest
+from httpx import ASGITransport, AsyncClient
+
+from src.auth.security.passwords import hash_password
+from src.main import app
+from src.users.dependencies import provide_user_service
+from src.users.models import Role
+
+
+@pytest.fixture
+async def client():
+    async with AsyncClient(
+        transport=ASGITransport(app=app), base_url="http://test"
+    ) as ac:
+        yield ac
+
+
+class MockUser:
+    def __init__(self):
+        self.id = uuid.uuid4()
+        self.username = "user"
+        self.password = hash_password("password")
+        self.role = Role.USER
+
+
+class MockUserService:
+    async def get_one_or_none(self, username: str):
+        if username == "user":
+            return MockUser()
+        return None
+
+
+@pytest.fixture(autouse=True)
+def override_user_service():
+    app.dependency_overrides[provide_user_service] = lambda: MockUserService()
+    yield
+    app.dependency_overrides.clear()
+
+
+@pytest.fixture
+def credentials():
+    return {"username": "user", "password": "password"}
+
+
+@pytest.mark.parametrize(
+    "credentials, expected_status",
+    [
+        ({"username": "user", "password": "incorrect"}, 401),
+        ({"username": "non-existent-user", "password": "password"}, 401),
+        ({"username": "non-existent-user", "password": "wrong"}, 401),
+    ],
+)
+@pytest.mark.asyncio
+async def test_login_failure_cases(credentials, expected_status, client):
+    """Test login failure with various invalid credentials"""
+    response = await client.post("/auth/login", json=credentials)
+    assert response.status_code == expected_status
+
+
+@pytest.mark.asyncio
+async def test_login_token_structure(credentials, client):
+    response = await client.post("/auth/login", json=credentials)
+    data = response.json()
+
+    assert response.status_code == 200
+    assert "access_token" in data
+    assert "refresh_token" in data
+    assert "token_type" in data
+    assert data["token_type"].lower() == "bearer"
+
+
+@pytest.mark.asyncio
+async def test_login_invalid_json(client):
+    response = await client.post("/auth/login", json={"wrong": "data"})
+    assert response.status_code == 422
+
+
+@pytest.mark.asyncio
+async def test_login_no_payload(client):
+    response = await client.post("/auth/login")
+    assert response.status_code == 422