Added full suite of tests & added testing to CI/CD

2025-04-23 00:51:14 +02:00
parent e15a5c7612
commit be00f021ba
27 changed files with 1035 additions and 48 deletions
--- a/backend/tests/test_auth.py
+++ b/backend/tests/test_auth.py
@@ -61,8 +61,8 @@ def test_refresh_token(db: Session, client: TestClient) -> None:

    response = client.post(
        "/api/auth/refresh",
-        headers={"Authorization": f"Bearer {access_token}"},
-        cookies={"refresh_token": refresh_token},
+        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
+        json={"refresh_token": refresh_token},
    )
    assert response.status_code == status.HTTP_200_OK

@@ -80,8 +80,8 @@ def test_logout(db: Session, client: TestClient) -> None:

    response = client.post(
        "/api/auth/logout",
-        headers={"Authorization": f"Bearer {access_token}"},
-        cookies={"refresh_token": refresh_token},
+        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
+        json={"refresh_token": refresh_token},
    )
    assert response.status_code == status.HTTP_200_OK

@@ -98,7 +98,8 @@ def test_logout(db: Session, client: TestClient) -> None:

    response = client.post(
        "/api/auth/refresh",
-        cookies={"refresh_token": refresh_token},
+        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
+        json={"refresh_token": refresh_token},
    )
    assert response.status_code == status.HTTP_401_UNAUTHORIZED

@@ -177,4 +178,53 @@ def test_delete_user(db: Session, client: TestClient) -> None:
    # Verify that the user is deleted
    deleted_user = db.query(User).filter(User.username == user.username).first()
    assert deleted_user is None
-    
+
+def test_get_user_forbidden(db: Session, client: TestClient) -> None:
+    """Test getting another user's profile (should be forbidden)."""
+    user1, password_user1 = generators.create_user(db, username="user1_get_forbidden")
+    user2, _ = generators.create_user(db, username="user2_get_forbidden")
+
+    # Log in as user1
+    login_rsp = generators.login(db, user1.username, password_user1)
+    access_token = login_rsp["access_token"]
+
+    # Try to get user2's profile
+    response = client.get(
+        f"/api/user/{user2.username}",
+        headers={"Authorization": f"Bearer {access_token}"},
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+def test_update_user_forbidden(db: Session, client: TestClient) -> None:
+    """Test updating another user's profile (should be forbidden)."""
+    user1, password_user1 = generators.create_user(db, username="user1_update_forbidden")
+    user2, _ = generators.create_user(db, username="user2_update_forbidden")
+    new_name = fake.name()
+
+    # Log in as user1
+    login_rsp = generators.login(db, user1.username, password_user1)
+    access_token = login_rsp["access_token"]
+
+    # Try to update user2's profile
+    response = client.patch(
+        f"/api/user/{user2.username}",
+        headers={"Authorization": f"Bearer {access_token}"},
+        json={"name": new_name},
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+def test_delete_user_forbidden(db: Session, client: TestClient) -> None:
+    """Test deleting another user's profile (should be forbidden)."""
+    user1, password_user1 = generators.create_user(db, username="user1_delete_forbidden")
+    user2, _ = generators.create_user(db, username="user2_delete_forbidden")
+
+    # Log in as user1
+    login_rsp = generators.login(db, user1.username, password_user1)
+    access_token = login_rsp["access_token"]
+
+    # Try to delete user2's profile
+    response = client.delete(
+        f"/api/user/{user2.username}",
+        headers={"Authorization": f"Bearer {access_token}"},
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN