fix(backend): implemented jwt token invalidation so users cannot use it after expiry

2026-03-22 15:12:08 +01:00 · 2025-10-23 19:04:48 +02:00
parent 4f6d46ba7e
commit 584c090b80
7 changed files with 271 additions and 1 deletions
--- a/7project/backend/tests/conftest.py
+++ b/7project/backend/tests/conftest.py
@@ -1,7 +1,9 @@
 import sys
+import uuid
 import types
 import pytest
 from fastapi.testclient import TestClient
+from httpx import AsyncClient, ASGITransport

 # Stub sentry_sdk to avoid optional dependency issues during import of app
 stub = types.ModuleType("sentry_sdk")
@@ -20,3 +22,50 @@ def fastapi_app():
@pytest.fixture(scope="session")
 def client(fastapi_app):
    return TestClient(fastapi_app, raise_server_exceptions=True)
+
+
+@pytest.fixture(scope="function")
+async def test_user(fastapi_app):
+    """
+    Creates a new user asynchronously and returns their credentials.
+    Does NOT log them in.
+    Using AsyncClient with ASGITransport avoids event loop conflicts with DB connections.
+    """
+    unique_email = f"testuser_{uuid.uuid4()}@example.com"
+    password = "a_strong_password"
+    user_payload = {"email": unique_email, "password": password}
+
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        response = await ac.post("/auth/register", json=user_payload)
+        assert response.status_code == 201
+
+    return {"username": unique_email, "password": password}
+
+
+@pytest.fixture(scope="function")
+def authenticated_client(client: TestClient):
+    """
+    Creates a new user, logs them in, and returns a client
+    with the authorization headers already set.
+    """
+    # 1. Create a unique user
+    unique_email = f"testuser_{uuid.uuid4()}@example.com"
+    password = "a_strong_password"
+    user_payload = {"email": unique_email, "password": password}
+
+    register_resp = client.post("/auth/register", json=user_payload)
+    assert register_resp.status_code == 201
+
+    # 2. Log in to get the token
+    login_payload = {"username": unique_email, "password": password}
+    login_resp = client.post("/auth/jwt/login", data=login_payload)
+    token = login_resp.json()["access_token"]
+
+    # 3. Set the authorization header for subsequent requests
+    client.headers = {"Authorization": f"Bearer {token}"}
+
+    yield client
+
+    # Teardown: Clear headers after the test
+    client.headers.pop("Authorization", None)
--- a/7project/backend/tests/test_e2e_auth_flow.py
+++ b/7project/backend/tests/test_e2e_auth_flow.py
@@ -1,3 +1,6 @@
+import pytest
+import uuid
+from httpx import AsyncClient, ASGITransport
 from fastapi import status


@@ -13,3 +16,83 @@ def test_e2e_minimal_auth_flow(client):
    # 3) Protected endpoint should not be accessible without token
    me = client.get("/users/me")
    assert me.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN)
+
+
+@pytest.mark.asyncio
+async def test_e2e_full_user_lifecycle(fastapi_app, test_user):
+    # Use an AsyncClient with ASGITransport for async tests
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        login_payload = test_user
+
+        # 1. Log in with the new credentials
+        login_resp = await ac.post("/auth/jwt/login", data=login_payload)
+        assert login_resp.status_code == status.HTTP_200_OK
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # 2. Access a protected endpoint
+        me_resp = await ac.get("/users/me", headers=headers)
+        assert me_resp.status_code == status.HTTP_200_OK
+        assert me_resp.json()["email"] == test_user["username"]
+
+        # 3. Update the user's profile
+        update_payload = {"first_name": "Test"}
+        patch_resp = await ac.patch("/users/me", json=update_payload, headers=headers)
+        assert patch_resp.status_code == status.HTTP_200_OK
+        assert patch_resp.json()["first_name"] == "Test"
+
+        # 4. Log out
+        logout_resp = await ac.post("/auth/jwt/logout", headers=headers)
+        assert logout_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+        # 5. Verify token is invalid
+        me_again_resp = await ac.get("/users/me", headers=headers)
+        assert me_again_resp.status_code == status.HTTP_401_UNAUTHORIZED
+
+
+@pytest.mark.asyncio
+async def test_e2e_transaction_workflow(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # 1. Log in to get the token
+        login_resp = await ac.post("/auth/jwt/login", data=test_user)
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # NEW STEP: Create a category first to get a valid ID
+        category_payload = {"name": "Test Category for E2E"}
+        create_category_resp = await ac.post("/categories/create", json=category_payload, headers=headers)
+        assert create_category_resp.status_code == status.HTTP_201_CREATED
+        category_id = create_category_resp.json()["id"]
+
+        # 2. Create a new transaction
+        tx_payload = {"amount": -55.40, "description": "Milk and eggs"}
+        tx_resp = await ac.post("/transactions/create", json=tx_payload, headers=headers)
+        assert tx_resp.status_code == status.HTTP_201_CREATED
+        tx_id = tx_resp.json()["id"]
+
+        # 3. Assign the category
+        assign_resp = await ac.post(f"/transactions/{tx_id}/categories/{category_id}", headers=headers)
+        assert assign_resp.status_code == status.HTTP_200_OK
+
+        # 4. Verify assignment
+        get_tx_resp = await ac.get(f"/transactions/{tx_id}", headers=headers)
+        assert category_id in get_tx_resp.json()["category_ids"]
+
+        # 5. Unassign the category
+        unassign_resp = await ac.delete(f"/transactions/{tx_id}/categories/{category_id}", headers=headers)
+        assert unassign_resp.status_code == status.HTTP_200_OK
+
+        # 6. Get the transaction again and verify the category is gone
+        get_tx_again_resp = await ac.get(f"/transactions/{tx_id}", headers=headers)
+        final_tx_data = get_tx_again_resp.json()
+        assert category_id not in final_tx_data["category_ids"]
+
+        # 7. Delete the transaction for cleanup
+        delete_resp = await ac.delete(f"/transactions/{tx_id}/delete", headers=headers)
+        assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+        # NEW STEP: Clean up the created category
+        delete_category_resp = await ac.delete(f"/categories/{category_id}", headers=headers)
+        assert delete_category_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
--- a/7project/backend/tests/test_integration_app.py
+++ b/7project/backend/tests/test_integration_app.py
@@ -1,5 +1,6 @@
 from fastapi import status
 import pytest
+from httpx import AsyncClient, ASGITransport


 def test_root_ok(client):
@@ -16,3 +17,55 @@ def test_authenticated_route_requires_auth(client):
 def test_sentry_debug_raises_exception(client):
    with pytest.raises(ZeroDivisionError):
        client.get("/sentry-debug")
+
+
+@pytest.mark.asyncio
+async def test_create_and_get_category(fastapi_app, test_user):
+    # Use AsyncClient for async tests
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # 1. Log in to get an auth token
+        login_resp = await ac.post("/auth/jwt/login", data=test_user)
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # 2. Define and create the new category
+        category_name = "Async Integration Test"
+        category_payload = {"name": category_name}
+        create_resp = await ac.post("/categories/create", json=category_payload, headers=headers)
+
+        # 3. Assert creation was successful
+        assert create_resp.status_code == status.HTTP_201_CREATED
+        created_data = create_resp.json()
+        category_id = created_data["id"]
+        assert created_data["name"] == category_name
+
+        # 4. GET the list of categories to verify
+        list_resp = await ac.get("/categories/", headers=headers)
+        assert list_resp.status_code == status.HTTP_200_OK
+
+        # 5. Check that our new category is in the list
+        categories_list = list_resp.json()
+        assert any(cat["name"] == category_name for cat in categories_list)
+
+        delete_resp = await ac.delete(f"/categories/{category_id}", headers=headers)
+        assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+
+@pytest.mark.asyncio
+async def test_create_transaction_missing_amount_fails(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # 1. Log in to get an auth token
+        login_resp = await ac.post("/auth/jwt/login", data=test_user)
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # 2. Define an invalid payload
+        invalid_payload = {"description": "This should fail"}
+
+        # 3. Attempt to create the transaction
+        resp = await ac.post("/transactions/create", json=invalid_payload, headers=headers)
+
+        # 4. Assert the expected validation error
+        assert resp.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY