84 lines
2.3 KiB
Python
84 lines
2.3 KiB
Python
"""Tests for REST API endpoints and token auth."""
|
|
|
|
from wiregui.auth.api_token import _token_hmac, generate_api_token, resolve_bearer_token
|
|
from wiregui.auth.passwords import hash_password
|
|
from wiregui.models.api_token import ApiToken
|
|
from wiregui.models.user import User
|
|
from wiregui.utils.time import utcnow
|
|
|
|
|
|
# --- Token generation ---
|
|
|
|
|
|
def test_generate_api_token():
|
|
plaintext, token_hash = generate_api_token()
|
|
assert len(plaintext) > 20
|
|
assert token_hash == _token_hmac(plaintext)
|
|
|
|
|
|
def test_generate_api_token_unique():
|
|
t1, h1 = generate_api_token()
|
|
t2, h2 = generate_api_token()
|
|
assert t1 != t2
|
|
assert h1 != h2
|
|
|
|
|
|
# --- Token resolution ---
|
|
|
|
|
|
async def test_resolve_valid_token(session):
|
|
user = User(email="api-user@example.com", password_hash=hash_password("x"), role="admin")
|
|
session.add(user)
|
|
await session.flush()
|
|
|
|
plaintext, token_hash = generate_api_token()
|
|
token = ApiToken(token_hash=token_hash, user_id=user.id)
|
|
session.add(token)
|
|
await session.flush()
|
|
|
|
resolved = await resolve_bearer_token(session, plaintext)
|
|
assert resolved is not None
|
|
assert resolved.id == user.id
|
|
|
|
|
|
async def test_resolve_invalid_token(session):
|
|
resolved = await resolve_bearer_token(session, "bogus-token")
|
|
assert resolved is None
|
|
|
|
|
|
async def test_resolve_expired_token(session):
|
|
from datetime import timedelta
|
|
|
|
user = User(email="expired-api@example.com", password_hash=hash_password("x"))
|
|
session.add(user)
|
|
await session.flush()
|
|
|
|
plaintext, token_hash = generate_api_token()
|
|
token = ApiToken(
|
|
token_hash=token_hash,
|
|
user_id=user.id,
|
|
expires_at=utcnow() - timedelta(hours=1),
|
|
)
|
|
session.add(token)
|
|
await session.flush()
|
|
|
|
resolved = await resolve_bearer_token(session, plaintext)
|
|
assert resolved is None
|
|
|
|
|
|
async def test_resolve_token_disabled_user(session):
|
|
user = User(
|
|
email="disabled-api@example.com",
|
|
password_hash=hash_password("x"),
|
|
disabled_at=utcnow(),
|
|
)
|
|
session.add(user)
|
|
await session.flush()
|
|
|
|
plaintext, token_hash = generate_api_token()
|
|
token = ApiToken(token_hash=token_hash, user_id=user.id)
|
|
session.add(token)
|
|
await session.flush()
|
|
|
|
resolved = await resolve_bearer_token(session, plaintext)
|
|
assert resolved is None
|