Files
wehub-resource-sync c889a57b6b
Test Suites / Build CI Environment (push) Has been cancelled
Test Suites / Basic Tests (push) Has been cancelled
Test Suites / End-to-End Tests (push) Has been cancelled
Test Suites / CLI Tests (push) Has been cancelled
Test Suites / Slow End-to-End Tests (push) Has been cancelled
Test Suites / Graph Database Tests (push) Has been cancelled
Test Suites / Vector DB Tests (push) Has been cancelled
Test Suites / Temporal Graph Test (push) Has been cancelled
Test Suites / Search Test on Different DBs (push) Has been cancelled
Test Suites / Example Tests (push) Has been cancelled
Test Suites / Notebook Tests (push) Has been cancelled
Test Suites / OS and Python Tests Ubuntu (push) Has been cancelled
Test Suites / OS and Python Tests Extended (push) Has been cancelled
Test Suites / LLM Test Suite (push) Has been cancelled
Test Suites / S3 File Storage Test (push) Has been cancelled
Test Suites / Run Integration Tests (push) Has been cancelled
Test Suites / MCP Tests (push) Has been cancelled
Test Suites / Docker Compose Test (push) Has been cancelled
Test Suites / Docker CI test (push) Has been cancelled
Test Suites / Relational DB Migration Tests (push) Has been cancelled
Test Suites / Distributed Cognee Test (push) Has been cancelled
Test Suites / DB Examples Tests (push) Has been cancelled
Test Suites / Test Completion Status (push) Has been cancelled
Test Suites / Claude Code Review (push) Has been cancelled
Test Suites / basic checks (push) Has been cancelled
build | Build and Push Cognee MCP Docker Image to dockerhub / docker-build-and-push (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
build | Build and Push Docker Image to dockerhub / docker-build-and-push (push) Has been cancelled
Weighted Edges Tests / Test Weighted Edges Core Functionality (3.11) (push) Has been cancelled
Weighted Edges Tests / Test Weighted Edges Core Functionality (3.12) (push) Has been cancelled
Weighted Edges Tests / Test Weighted Edges with Different Graph Databases (kuzu, kuzu) (push) Has been cancelled
Weighted Edges Tests / Test Weighted Edges with Different Graph Databases (neo4j, neo4j) (push) Has been cancelled
Weighted Edges Tests / Test Weighted Edges Examples (push) Has been cancelled
Weighted Edges Tests / Code Quality for Weighted Edges (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:02:24 +08:00

164 lines
6.1 KiB
Python

import os
import uuid
import asyncio
import pytest
from unittest.mock import patch
with patch("dotenv.load_dotenv"):
os.environ["REQUIRE_AUTHENTICATION"] = "true"
os.environ["ENABLE_BACKEND_ACCESS_CONTROL"] = "false"
os.environ["HASH_API_KEY"] = "false"
from fastapi.testclient import TestClient
TEST_USER_EMAIL = "apikey_test_user@example.com"
TEST_USER_PASSWORD = "securepassword123!"
HASH_TEST_USER_EMAIL = "hash_test_user@example.com"
HASH_TEST_USER_PASSWORD = "securepassword123!"
class TestAuthFlow:
"""
End-to-end test: register account, login with JWT, create API key,
and confirm a request authenticated with that API key succeeds.
"""
@pytest.fixture(scope="class")
def client(self):
from cognee.api.client import app
with TestClient(app) as client:
yield client
def test_register_login_create_api_key_and_authenticate(self, client):
# Register a new user (ignore if already exists)
register_response = client.post(
"/api/v1/auth/register",
json={"email": TEST_USER_EMAIL, "password": TEST_USER_PASSWORD},
)
assert register_response.status_code in (201, 400)
# Login and retrieve JWT bearer token
login_response = client.post(
"/api/v1/auth/login",
data={"username": TEST_USER_EMAIL, "password": TEST_USER_PASSWORD},
)
assert login_response.status_code == 200
access_token = login_response.json()["access_token"]
assert access_token
# Create an API key using the bearer token
# Note: There is a maximum number of API keys allowed per user (10)
create_key_response = client.post(
"/api/v1/auth/api-keys",
json={"name": "integration test key"},
headers={"Authorization": f"Bearer {access_token}"},
)
assert create_key_response.status_code == 200
api_key_id = create_key_response.json()["id"]
api_key = create_key_response.json()["key"]
assert api_key
# Test if Cookie authentication works on an authenticated endpoint
me_response = client.get("/api/v1/auth/me")
assert me_response.status_code == 200
# Note: we have to log out so Cookies don't interfere with API key authentication in the next step
client.post("/api/v1/auth/logout", headers={"Authorization": f"Bearer {access_token}"})
# Test if Cookie authentication doesn't work anymore after logging out
me_response = client.get("/api/v1/auth/me")
assert me_response.status_code == 401
# Use only the API key on an authenticated endpoint and confirm it succeeds
me_response = client.get(
"/api/v1/auth/me",
headers={"X-Api-Key": api_key},
)
assert me_response.status_code == 200
assert me_response.json()["email"] == TEST_USER_EMAIL
delete_response = client.delete(
f"/api/v1/auth/api-keys/{api_key_id}", headers={"X-Api-Key": api_key}
)
assert delete_response.status_code == 200, "API key deletion should succeed"
me_response = client.get(
"/api/v1/auth/me",
headers={"X-Api-Key": api_key},
)
assert me_response.status_code == 401, "Deleted API key should no longer authenticate"
# Test if Bearer token works after logging out and deleting API key
me_response = client.get(
"/api/v1/auth/me",
headers={"Authorization": f"Bearer {access_token}"},
)
assert me_response.status_code == 200, (
"Bearer token should still work after logging out and deleting API key"
)
class TestHashApiKey:
"""
Confirm that when HASH_API_KEY=true, the API key stored in the database
is the SHA-256 hash of the raw key, not the raw key itself.
"""
@pytest.fixture(scope="class")
def client(self):
with patch("cognee.modules.users.api_key.hash_api_key.HASH_API_KEY", True):
from cognee.api.client import app
with TestClient(app) as client:
yield client
def test_api_key_is_stored_as_hash(self, client):
from sqlalchemy import select
from cognee.modules.users.models.UserApiKey import UserApiKey
from cognee.infrastructure.databases.relational import get_relational_engine
from cognee.modules.users.api_key.hash_api_key import hash_api_key as compute_hash
# Register (ignore if already exists) and login
client.post(
"/api/v1/auth/register",
json={"email": HASH_TEST_USER_EMAIL, "password": HASH_TEST_USER_PASSWORD},
)
login_response = client.post(
"/api/v1/auth/login",
data={"username": HASH_TEST_USER_EMAIL, "password": HASH_TEST_USER_PASSWORD},
)
assert login_response.status_code == 200
access_token = login_response.json()["access_token"]
# Create an API key with HASH_API_KEY=True active
# Note: There is a maximum number of API keys allowed per user (10)
with patch("cognee.modules.users.api_key.hash_api_key.HASH_API_KEY", True):
create_key_response = client.post(
"/api/v1/auth/api-keys",
json={"name": "hash verification key"},
headers={"Authorization": f"Bearer {access_token}"},
)
assert create_key_response.status_code == 200
raw_key = create_key_response.json()["key"]
key_id = uuid.UUID(create_key_response.json()["id"])
# Query the database directly to verify the stored value is hashed
async def get_stored_api_key():
engine = get_relational_engine()
async with engine.get_async_session() as session:
result = (await session.execute(select(UserApiKey).filter_by(id=key_id))).scalar()
return result.api_key
stored_key = asyncio.run(get_stored_api_key())
assert stored_key != raw_key, "Raw key should not be stored in plaintext"
assert stored_key == compute_hash(raw_key), (
"Stored key should be SHA-256 hash of the raw key"
)