wiregui/tests/test_magic_link.py

"""Tests for magic link authentication flow."""

from datetime import timedelta

from wiregui.auth.jwt import create_access_token, decode_access_token
from wiregui.auth.passwords import hash_password
from wiregui.models.user import User


def test_magic_link_token_creation():
    """Magic link token should be a valid JWT with short expiry."""
    token = create_access_token(
        user_id="user-123",
        role="unprivileged",
        expires_delta=timedelta(minutes=15),
    )
    payload = decode_access_token(token)
    assert payload is not None
    assert payload["sub"] == "user-123"
    assert payload["role"] == "unprivileged"


def test_magic_link_token_expired():
    """Expired magic link token should be rejected."""
    token = create_access_token(
        user_id="user-123",
        role="admin",
        expires_delta=timedelta(minutes=-1),  # Already expired
    )
    payload = decode_access_token(token)
    assert payload is None


def test_magic_link_token_wrong_user():
    """Token should only be valid for the intended user."""
    token = create_access_token(user_id="user-A", role="admin")
    payload = decode_access_token(token)
    assert payload["sub"] == "user-A"
    # Caller is responsible for checking sub matches the URL user_id


async def test_magic_link_disabled_user_rejected(session):
    """Disabled users should not be able to use magic links."""
    from wiregui.utils.time import utcnow

    user = User(
        email="disabled-magic@example.com",
        password_hash=hash_password("pw"),
        disabled_at=utcnow(),
    )
    session.add(user)
    await session.flush()

    # The token would be valid but the page handler checks disabled_at
    token = create_access_token(user_id=str(user.id), role="unprivileged")
    payload = decode_access_token(token)
    assert payload is not None  # Token itself is valid
    assert user.disabled_at is not None  # But user is disabled — handler would reject
feat: initial WireGUI implementation — full VPN management platform Complete Python/NiceGUI rewrite of the Wirezone (Elixir/Phoenix) VPN management platform. All 10 implementation phases delivered. Core stack: - NiceGUI reactive UI with SQLModel ORM on PostgreSQL (asyncpg) - Alembic migrations, Valkey/Redis cache, pydantic-settings config - WireGuard management via subprocess (wg/ip/nft CLIs) - 164 tests passing, 35% code coverage Features: - User/device/rule CRUD with admin and unprivileged roles - Full device config form with per-device WG overrides - WireGuard client config generation with QR codes - REST API (v0) with Bearer token auth for all resources - TOTP MFA with QR registration and challenge flow - OIDC SSO with authlib (provider registry, auto-create users) - Magic link passwordless sign-in via email - SAML SP-initiated SSO with IdP metadata parsing - WebAuthn/FIDO2 security key registration - nftables firewall with per-user chains and masquerade - Background tasks: WG stats polling, VPN session expiry, OIDC token refresh, WAN connectivity checks - Startup reconciliation (DB ↔ WireGuard state sync) - In-memory notification system with header badge - Admin UI: users, devices, rules, settings (3 tabs), diagnostics - Loguru logging with optional timestamped file output Deployment: - Multi-stage Dockerfile (python:3.13-slim) - Docker Compose prod stack (bridge networking, NET_ADMIN, nftables) - Forgejo CI: tests → semantic versioning → Docker registry push - Health endpoint at /api/health 2026-03-30 16:53:46 -05:00			`"""Tests for magic link authentication flow."""`

			`from datetime import timedelta`

			`from wiregui.auth.jwt import create_access_token, decode_access_token`
			`from wiregui.auth.passwords import hash_password`
			`from wiregui.models.user import User`


			`def test_magic_link_token_creation():`
			`"""Magic link token should be a valid JWT with short expiry."""`
			`token = create_access_token(`
			`user_id="user-123",`
			`role="unprivileged",`
			`expires_delta=timedelta(minutes=15),`
			`)`
			`payload = decode_access_token(token)`
			`assert payload is not None`
			`assert payload["sub"] == "user-123"`
			`assert payload["role"] == "unprivileged"`


			`def test_magic_link_token_expired():`
			`"""Expired magic link token should be rejected."""`
			`token = create_access_token(`
			`user_id="user-123",`
			`role="admin",`
			`expires_delta=timedelta(minutes=-1), # Already expired`
			`)`
			`payload = decode_access_token(token)`
			`assert payload is None`


			`def test_magic_link_token_wrong_user():`
			`"""Token should only be valid for the intended user."""`
			`token = create_access_token(user_id="user-A", role="admin")`
			`payload = decode_access_token(token)`
			`assert payload["sub"] == "user-A"`
			`# Caller is responsible for checking sub matches the URL user_id`


			`async def test_magic_link_disabled_user_rejected(session):`
			`"""Disabled users should not be able to use magic links."""`
			`from wiregui.utils.time import utcnow`

			`user = User(`
			`email="disabled-magic@example.com",`
			`password_hash=hash_password("pw"),`
			`disabled_at=utcnow(),`
			`)`
			`session.add(user)`
			`await session.flush()`

			`# The token would be valid but the page handler checks disabled_at`
			`token = create_access_token(user_id=str(user.id), role="unprivileged")`
			`payload = decode_access_token(token)`
			`assert payload is not None # Token itself is valid`
			`assert user.disabled_at is not None # But user is disabled — handler would reject`