# allow: no-sut-import — black-box HTTP test; drives real routes through the Flask test client """Test API v1 authentication guard.""" class TestApiV1Auth: """Test that /api/v1/ endpoints require authentication.""" def test_unauthenticated_returns_401(self, client): """Requests with no username (no g.current_user, no session) get 401.""" response = client.get("/api/v1/") assert response.status_code == 401 data = response.get_json() assert data["error"] == "Authentication required" def test_empty_username_returns_401(self, client, app): """An empty string username should still be rejected.""" with client.session_transaction() as sess: sess["username"] = "" response = client.get("/api/v1/") assert response.status_code == 401 def test_authenticated_via_g_current_user(self, authenticated_client): """A request with g.current_user set passes the auth guard.""" response = authenticated_client.get("/api/v1/") # Should not be 401 — may be 200 or other status depending on # downstream logic, but the auth guard itself should pass. assert response.status_code != 401 def test_authenticated_via_session(self, authenticated_client): """A request with a valid session username passes the auth guard.""" # authenticated_client already has a registered user in the session response = authenticated_client.get("/api/v1/") assert response.status_code != 401 def test_health_endpoint_no_auth_required(self, client): """The /api/v1/health endpoint does not use @api_access_control.""" response = client.get("/api/v1/health") # Health should return 200 even without authentication assert response.status_code == 200