fed8b2eed7
Backend release / release (push) Waiting to run
Bandit Security Scan / bandit_scan (push) Waiting to run
Build and push multi-arch DocsGPT Docker image / build (linux/amd64, ubuntu-latest, amd64) (push) Waiting to run
Build and push multi-arch DocsGPT Docker image / build (linux/arm64, ubuntu-24.04-arm, arm64) (push) Waiting to run
Build and push multi-arch DocsGPT Docker image / manifest (push) Blocked by required conditions
Build and push DocsGPT FE Docker image for development / build (linux/amd64, ubuntu-latest, amd64) (push) Waiting to run
Build and push DocsGPT FE Docker image for development / build (linux/arm64, ubuntu-24.04-arm, arm64) (push) Waiting to run
Build and push DocsGPT FE Docker image for development / manifest (push) Blocked by required conditions
Python linting / ruff (push) Waiting to run
Run python tests with pytest / Run tests and count coverage (3.12) (push) Waiting to run
React Widget Build / build (push) Waiting to run
219 lines
7.4 KiB
Python
219 lines
7.4 KiB
Python
from unittest.mock import Mock, patch
|
|
|
|
import pytest
|
|
|
|
|
|
@pytest.mark.unit
|
|
class TestHandleAuth:
|
|
|
|
def test_returns_local_when_no_auth_type(self):
|
|
from application.auth import handle_auth
|
|
|
|
mock_request = Mock()
|
|
with patch("application.auth.settings") as mock_settings:
|
|
mock_settings.AUTH_TYPE = "none"
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result == {"sub": "local"}
|
|
|
|
def test_returns_none_when_no_jwt_header(self):
|
|
from application.auth import handle_auth
|
|
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = None
|
|
with patch("application.auth.settings") as mock_settings:
|
|
mock_settings.AUTH_TYPE = "simple_jwt"
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result is None
|
|
|
|
def test_decodes_valid_jwt(self):
|
|
from application.auth import handle_auth
|
|
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = "Bearer valid_token"
|
|
|
|
with patch("application.auth.settings") as mock_settings, patch(
|
|
"application.auth.jwt"
|
|
) as mock_jwt:
|
|
mock_settings.AUTH_TYPE = "simple_jwt"
|
|
mock_settings.JWT_SECRET_KEY = "secret"
|
|
mock_jwt.decode.return_value = {"sub": "user123"}
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result == {"sub": "user123"}
|
|
mock_jwt.decode.assert_called_once_with(
|
|
"valid_token",
|
|
"secret",
|
|
algorithms=["HS256"],
|
|
options={"verify_exp": False, "require_exp": False},
|
|
)
|
|
|
|
def test_returns_error_on_invalid_jwt(self):
|
|
from application.auth import handle_auth
|
|
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = "Bearer bad_token"
|
|
|
|
with patch("application.auth.settings") as mock_settings, patch(
|
|
"application.auth.jwt"
|
|
) as mock_jwt:
|
|
mock_settings.AUTH_TYPE = "session_jwt"
|
|
mock_settings.JWT_SECRET_KEY = "secret"
|
|
mock_jwt.decode.side_effect = Exception("Invalid token")
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result["error"] == "invalid_token"
|
|
|
|
def test_strips_bearer_prefix(self):
|
|
from application.auth import handle_auth
|
|
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = "Bearer my_token"
|
|
|
|
with patch("application.auth.settings") as mock_settings, patch(
|
|
"application.auth.jwt"
|
|
) as mock_jwt:
|
|
mock_settings.AUTH_TYPE = "simple_jwt"
|
|
mock_settings.JWT_SECRET_KEY = "secret"
|
|
mock_jwt.decode.return_value = {"sub": "user1"}
|
|
handle_auth(mock_request)
|
|
|
|
mock_jwt.decode.assert_called_once()
|
|
assert mock_jwt.decode.call_args[0][0] == "my_token"
|
|
|
|
|
|
@pytest.mark.unit
|
|
class TestHandleAuthOidc:
|
|
"""AUTH_TYPE=oidc: same local HS256 session tokens, but exp is verified."""
|
|
|
|
def test_returns_none_when_no_jwt_header(self):
|
|
from application.auth import handle_auth
|
|
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = None
|
|
with patch("application.auth.settings") as mock_settings:
|
|
mock_settings.AUTH_TYPE = "oidc"
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result is None
|
|
|
|
def test_decodes_valid_jwt_with_exp_verification(self):
|
|
from application.auth import handle_auth
|
|
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = "Bearer valid_token"
|
|
|
|
with patch("application.auth.settings") as mock_settings, patch(
|
|
"application.auth.jwt"
|
|
) as mock_jwt:
|
|
mock_settings.AUTH_TYPE = "oidc"
|
|
mock_settings.JWT_SECRET_KEY = "secret"
|
|
mock_jwt.decode.return_value = {"sub": "user123", "email": "u@example.com"}
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result == {"sub": "user123", "email": "u@example.com"}
|
|
mock_jwt.decode.assert_called_once_with(
|
|
"valid_token",
|
|
"secret",
|
|
algorithms=["HS256"],
|
|
options={"verify_exp": True, "require_exp": True},
|
|
)
|
|
|
|
def test_expired_token_returns_token_expired(self):
|
|
from jose.exceptions import ExpiredSignatureError
|
|
|
|
from application.auth import handle_auth
|
|
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = "Bearer stale_token"
|
|
|
|
with patch("application.auth.settings") as mock_settings, patch(
|
|
"application.auth.jwt"
|
|
) as mock_jwt:
|
|
mock_settings.AUTH_TYPE = "oidc"
|
|
mock_settings.JWT_SECRET_KEY = "secret"
|
|
mock_jwt.decode.side_effect = ExpiredSignatureError("expired")
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result["error"] == "token_expired"
|
|
|
|
def test_invalid_token_returns_invalid_token(self):
|
|
from application.auth import handle_auth
|
|
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = "Bearer bad_token"
|
|
|
|
with patch("application.auth.settings") as mock_settings, patch(
|
|
"application.auth.jwt"
|
|
) as mock_jwt:
|
|
mock_settings.AUTH_TYPE = "oidc"
|
|
mock_settings.JWT_SECRET_KEY = "secret"
|
|
mock_jwt.decode.side_effect = Exception("bad")
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result["error"] == "invalid_token"
|
|
|
|
def test_token_without_exp_rejected_under_oidc(self):
|
|
# Under oidc, exp is REQUIRED: an exp-less HS256 token signed with the
|
|
# shared secret (e.g. a legacy simple_jwt/session_jwt token) must not
|
|
# authenticate, or it would be valid forever and unrevocable.
|
|
from jose import jwt as real_jwt
|
|
|
|
from application.auth import handle_auth
|
|
|
|
token = real_jwt.encode({"sub": "helper_user"}, "secret", algorithm="HS256")
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = f"Bearer {token}"
|
|
|
|
with patch("application.auth.settings") as mock_settings:
|
|
mock_settings.AUTH_TYPE = "oidc"
|
|
mock_settings.JWT_SECRET_KEY = "secret"
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result["error"] == "invalid_token"
|
|
|
|
def test_expired_token_real_jose(self):
|
|
import time
|
|
|
|
from jose import jwt as real_jwt
|
|
|
|
from application.auth import handle_auth
|
|
|
|
token = real_jwt.encode(
|
|
{"sub": "helper_user", "exp": int(time.time()) - 3600},
|
|
"secret",
|
|
algorithm="HS256",
|
|
)
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = f"Bearer {token}"
|
|
|
|
with patch("application.auth.settings") as mock_settings:
|
|
mock_settings.AUTH_TYPE = "oidc"
|
|
mock_settings.JWT_SECRET_KEY = "secret"
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result["error"] == "token_expired"
|
|
|
|
def test_simple_jwt_still_skips_exp_verification(self):
|
|
import time
|
|
|
|
from jose import jwt as real_jwt
|
|
|
|
from application.auth import handle_auth
|
|
|
|
token = real_jwt.encode(
|
|
{"sub": "local", "exp": int(time.time()) - 3600},
|
|
"secret",
|
|
algorithm="HS256",
|
|
)
|
|
mock_request = Mock()
|
|
mock_request.headers.get.return_value = f"Bearer {token}"
|
|
|
|
with patch("application.auth.settings") as mock_settings:
|
|
mock_settings.AUTH_TYPE = "simple_jwt"
|
|
mock_settings.JWT_SECRET_KEY = "secret"
|
|
result = handle_auth(mock_request)
|
|
|
|
assert result["sub"] == "local"
|