From 584c090b80eda7957ea471a330c6009bb87bd01e Mon Sep 17 00:00:00 2001 From: ribardej Date: Thu, 23 Oct 2025 19:04:48 +0200 Subject: [PATCH 01/14] fix(backend): implemented jwt token invalidation so users cannot use it after expiry --- 7project/backend/app/api/auth.py | 17 ++++ 7project/backend/app/app.py | 20 +++++ 7project/backend/app/core/security.py | 45 ++++++++++ 7project/backend/pyproject.toml | 5 +- 7project/backend/tests/conftest.py | 49 +++++++++++ 7project/backend/tests/test_e2e_auth_flow.py | 83 +++++++++++++++++++ .../backend/tests/test_integration_app.py | 53 ++++++++++++ 7 files changed, 271 insertions(+), 1 deletion(-) create mode 100644 7project/backend/app/core/security.py diff --git a/7project/backend/app/api/auth.py b/7project/backend/app/api/auth.py index 075600c..d5c59d8 100644 --- a/7project/backend/app/api/auth.py +++ b/7project/backend/app/api/auth.py @@ -24,6 +24,23 @@ async def delete_me( await user_manager.delete(user) # Keep existing paths as-is under /auth/* and /users/* +from fastapi import Request, Response +from app.core.security import revoke_token, extract_bearer_token + + +@router.post( + "/auth/jwt/logout", + status_code=status.HTTP_204_NO_CONTENT, + tags=["auth"], + summary="Log out and revoke current token", +) +async def custom_logout(request: Request) -> Response: + """Revoke the current bearer token so it cannot be used anymore.""" + token = extract_bearer_token(request) + if token: + revoke_token(token) + return Response(status_code=status.HTTP_204_NO_CONTENT) + router.include_router( fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"] ) diff --git a/7project/backend/app/app.py b/7project/backend/app/app.py index ae50a62..a827694 100644 --- a/7project/backend/app/app.py +++ b/7project/backend/app/app.py @@ -16,6 +16,8 @@ from app.api.csas import router as csas_router from app.api.categories import router as categories_router from app.api.transactions import router as transactions_router from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users, get_oauth_provider, UserManager, get_jwt_strategy +from app.core.security import extract_bearer_token, is_token_revoked, decode_and_verify_jwt +from app.services.user_service import SECRET from fastapi import FastAPI @@ -49,6 +51,24 @@ fastApi.include_router(categories_router) fastApi.include_router(transactions_router) logging.basicConfig(filename='app.log', level=logging.INFO, format='%(asctime)s %(message)s') +@fastApi.middleware("http") +async def auth_guard(request: Request, call_next): + # Enforce revoked/expired JWTs are rejected globally + token = extract_bearer_token(request) + if token: + # Deny if token is revoked + if is_token_revoked(token): + from fastapi import Response, status as _status + return Response(status_code=_status.HTTP_401_UNAUTHORIZED) + # Deny if token is expired or invalid + try: + decode_and_verify_jwt(token, SECRET) + except Exception: + from fastapi import Response, status as _status + return Response(status_code=_status.HTTP_401_UNAUTHORIZED) + return await call_next(request) + + @fastApi.middleware("http") async def log_traffic(request: Request, call_next): start_time = datetime.now() diff --git a/7project/backend/app/core/security.py b/7project/backend/app/core/security.py new file mode 100644 index 0000000..157f653 --- /dev/null +++ b/7project/backend/app/core/security.py @@ -0,0 +1,45 @@ +from typing import Optional +import re +import jwt +from fastapi import Request + +# Simple in-memory revocation store. In production, consider Redis or database. +_REVOKED_TOKENS: set[str] = set() + +# Bearer token regex +_BEARER_RE = re.compile(r"^[Bb]earer\s+(.+)$") + + +def extract_bearer_token(request: Request) -> Optional[str]: + auth = request.headers.get("authorization") + if not auth: + return None + m = _BEARER_RE.match(auth) + if not m: + return None + return m.group(1).strip() + + +def revoke_token(token: str) -> None: + if token: + _REVOKED_TOKENS.add(token) + + +def is_token_revoked(token: str) -> bool: + return token in _REVOKED_TOKENS + + +def decode_and_verify_jwt(token: str, secret: str) -> dict: + """ + Decode the JWT using the shared secret, verifying expiration and signature. + Audience is not verified here to be compatible with fastapi-users default tokens. + Raises jwt.ExpiredSignatureError if expired. + Raises jwt.InvalidTokenError for other issues. + Returns the decoded payload dict on success. + """ + return jwt.decode( + token, + secret, + algorithms=["HS256"], + options={"verify_aud": False}, + ) # verify_exp is True by default \ No newline at end of file diff --git a/7project/backend/pyproject.toml b/7project/backend/pyproject.toml index ef504fe..afdd586 100644 --- a/7project/backend/pyproject.toml +++ b/7project/backend/pyproject.toml @@ -1,2 +1,5 @@ [tool.pytest.ini_options] -pythonpath = "." \ No newline at end of file +pythonpath = "." +asyncio_mode = "auto" +asyncio_default_fixture_loop_scope = "session" +asyncio_default_test_loop_scope = "session" \ No newline at end of file diff --git a/7project/backend/tests/conftest.py b/7project/backend/tests/conftest.py index 1c6dca7..06f5c63 100644 --- a/7project/backend/tests/conftest.py +++ b/7project/backend/tests/conftest.py @@ -1,7 +1,9 @@ import sys +import uuid import types import pytest from fastapi.testclient import TestClient +from httpx import AsyncClient, ASGITransport # Stub sentry_sdk to avoid optional dependency issues during import of app stub = types.ModuleType("sentry_sdk") @@ -20,3 +22,50 @@ def fastapi_app(): @pytest.fixture(scope="session") def client(fastapi_app): return TestClient(fastapi_app, raise_server_exceptions=True) + + +@pytest.fixture(scope="function") +async def test_user(fastapi_app): + """ + Creates a new user asynchronously and returns their credentials. + Does NOT log them in. + Using AsyncClient with ASGITransport avoids event loop conflicts with DB connections. + """ + unique_email = f"testuser_{uuid.uuid4()}@example.com" + password = "a_strong_password" + user_payload = {"email": unique_email, "password": password} + + transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + response = await ac.post("/auth/register", json=user_payload) + assert response.status_code == 201 + + return {"username": unique_email, "password": password} + + +@pytest.fixture(scope="function") +def authenticated_client(client: TestClient): + """ + Creates a new user, logs them in, and returns a client + with the authorization headers already set. + """ + # 1. Create a unique user + unique_email = f"testuser_{uuid.uuid4()}@example.com" + password = "a_strong_password" + user_payload = {"email": unique_email, "password": password} + + register_resp = client.post("/auth/register", json=user_payload) + assert register_resp.status_code == 201 + + # 2. Log in to get the token + login_payload = {"username": unique_email, "password": password} + login_resp = client.post("/auth/jwt/login", data=login_payload) + token = login_resp.json()["access_token"] + + # 3. Set the authorization header for subsequent requests + client.headers = {"Authorization": f"Bearer {token}"} + + yield client + + # Teardown: Clear headers after the test + client.headers.pop("Authorization", None) diff --git a/7project/backend/tests/test_e2e_auth_flow.py b/7project/backend/tests/test_e2e_auth_flow.py index e622f9c..7ad18d2 100644 --- a/7project/backend/tests/test_e2e_auth_flow.py +++ b/7project/backend/tests/test_e2e_auth_flow.py @@ -1,3 +1,6 @@ +import pytest +import uuid +from httpx import AsyncClient, ASGITransport from fastapi import status @@ -13,3 +16,83 @@ def test_e2e_minimal_auth_flow(client): # 3) Protected endpoint should not be accessible without token me = client.get("/users/me") assert me.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN) + + +@pytest.mark.asyncio +async def test_e2e_full_user_lifecycle(fastapi_app, test_user): + # Use an AsyncClient with ASGITransport for async tests + transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + login_payload = test_user + + # 1. Log in with the new credentials + login_resp = await ac.post("/auth/jwt/login", data=login_payload) + assert login_resp.status_code == status.HTTP_200_OK + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # 2. Access a protected endpoint + me_resp = await ac.get("/users/me", headers=headers) + assert me_resp.status_code == status.HTTP_200_OK + assert me_resp.json()["email"] == test_user["username"] + + # 3. Update the user's profile + update_payload = {"first_name": "Test"} + patch_resp = await ac.patch("/users/me", json=update_payload, headers=headers) + assert patch_resp.status_code == status.HTTP_200_OK + assert patch_resp.json()["first_name"] == "Test" + + # 4. Log out + logout_resp = await ac.post("/auth/jwt/logout", headers=headers) + assert logout_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) + + # 5. Verify token is invalid + me_again_resp = await ac.get("/users/me", headers=headers) + assert me_again_resp.status_code == status.HTTP_401_UNAUTHORIZED + + +@pytest.mark.asyncio +async def test_e2e_transaction_workflow(fastapi_app, test_user): + transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + # 1. Log in to get the token + login_resp = await ac.post("/auth/jwt/login", data=test_user) + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # NEW STEP: Create a category first to get a valid ID + category_payload = {"name": "Test Category for E2E"} + create_category_resp = await ac.post("/categories/create", json=category_payload, headers=headers) + assert create_category_resp.status_code == status.HTTP_201_CREATED + category_id = create_category_resp.json()["id"] + + # 2. Create a new transaction + tx_payload = {"amount": -55.40, "description": "Milk and eggs"} + tx_resp = await ac.post("/transactions/create", json=tx_payload, headers=headers) + assert tx_resp.status_code == status.HTTP_201_CREATED + tx_id = tx_resp.json()["id"] + + # 3. Assign the category + assign_resp = await ac.post(f"/transactions/{tx_id}/categories/{category_id}", headers=headers) + assert assign_resp.status_code == status.HTTP_200_OK + + # 4. Verify assignment + get_tx_resp = await ac.get(f"/transactions/{tx_id}", headers=headers) + assert category_id in get_tx_resp.json()["category_ids"] + + # 5. Unassign the category + unassign_resp = await ac.delete(f"/transactions/{tx_id}/categories/{category_id}", headers=headers) + assert unassign_resp.status_code == status.HTTP_200_OK + + # 6. Get the transaction again and verify the category is gone + get_tx_again_resp = await ac.get(f"/transactions/{tx_id}", headers=headers) + final_tx_data = get_tx_again_resp.json() + assert category_id not in final_tx_data["category_ids"] + + # 7. Delete the transaction for cleanup + delete_resp = await ac.delete(f"/transactions/{tx_id}/delete", headers=headers) + assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) + + # NEW STEP: Clean up the created category + delete_category_resp = await ac.delete(f"/categories/{category_id}", headers=headers) + assert delete_category_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) \ No newline at end of file diff --git a/7project/backend/tests/test_integration_app.py b/7project/backend/tests/test_integration_app.py index 6c8733d..5d290aa 100644 --- a/7project/backend/tests/test_integration_app.py +++ b/7project/backend/tests/test_integration_app.py @@ -1,5 +1,6 @@ from fastapi import status import pytest +from httpx import AsyncClient, ASGITransport def test_root_ok(client): @@ -16,3 +17,55 @@ def test_authenticated_route_requires_auth(client): def test_sentry_debug_raises_exception(client): with pytest.raises(ZeroDivisionError): client.get("/sentry-debug") + + +@pytest.mark.asyncio +async def test_create_and_get_category(fastapi_app, test_user): + # Use AsyncClient for async tests + transport = ASGITransport(app=fastapi_app) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + # 1. Log in to get an auth token + login_resp = await ac.post("/auth/jwt/login", data=test_user) + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # 2. Define and create the new category + category_name = "Async Integration Test" + category_payload = {"name": category_name} + create_resp = await ac.post("/categories/create", json=category_payload, headers=headers) + + # 3. Assert creation was successful + assert create_resp.status_code == status.HTTP_201_CREATED + created_data = create_resp.json() + category_id = created_data["id"] + assert created_data["name"] == category_name + + # 4. GET the list of categories to verify + list_resp = await ac.get("/categories/", headers=headers) + assert list_resp.status_code == status.HTTP_200_OK + + # 5. Check that our new category is in the list + categories_list = list_resp.json() + assert any(cat["name"] == category_name for cat in categories_list) + + delete_resp = await ac.delete(f"/categories/{category_id}", headers=headers) + assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) + + +@pytest.mark.asyncio +async def test_create_transaction_missing_amount_fails(fastapi_app, test_user): + transport = ASGITransport(app=fastapi_app) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + # 1. Log in to get an auth token + login_resp = await ac.post("/auth/jwt/login", data=test_user) + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # 2. Define an invalid payload + invalid_payload = {"description": "This should fail"} + + # 3. Attempt to create the transaction + resp = await ac.post("/transactions/create", json=invalid_payload, headers=headers) + + # 4. Assert the expected validation error + assert resp.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY From eb7b2290b8531ede452797c15b0ab7c299995f7a Mon Sep 17 00:00:00 2001 From: Dejan Ribarovski Date: Thu, 23 Oct 2025 19:14:22 +0200 Subject: [PATCH 02/14] Update 7project/backend/app/core/security.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- 7project/backend/app/core/security.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/7project/backend/app/core/security.py b/7project/backend/app/core/security.py index 157f653..2093cbb 100644 --- a/7project/backend/app/core/security.py +++ b/7project/backend/app/core/security.py @@ -3,7 +3,14 @@ import re import jwt from fastapi import Request -# Simple in-memory revocation store. In production, consider Redis or database. +# Simple in-memory revocation store for revoked JWT tokens. +# +# Limitations: +# - All revoked tokens will be lost if the process restarts (data loss on restart). +# - Not suitable for multi-instance deployments: the revocation list is not shared between instances. +# A token revoked in one instance will not be recognized as revoked in others. +# +# For production, use a persistent and shared store (e.g., Redis or a database). _REVOKED_TOKENS: set[str] = set() # Bearer token regex From b0cd7030d8d6d8bdc345ce07222cbe4ae261ff29 Mon Sep 17 00:00:00 2001 From: ribardej Date: Thu, 23 Oct 2025 19:16:14 +0200 Subject: [PATCH 03/14] fix(backend): adressed copilot review --- 7project/backend/app/app.py | 3 +-- 7project/backend/tests/conftest.py | 27 --------------------------- 2 files changed, 1 insertion(+), 29 deletions(-) diff --git a/7project/backend/app/app.py b/7project/backend/app/app.py index a827694..1fd4dce 100644 --- a/7project/backend/app/app.py +++ b/7project/backend/app/app.py @@ -56,15 +56,14 @@ async def auth_guard(request: Request, call_next): # Enforce revoked/expired JWTs are rejected globally token = extract_bearer_token(request) if token: + from fastapi import Response, status as _status # Deny if token is revoked if is_token_revoked(token): - from fastapi import Response, status as _status return Response(status_code=_status.HTTP_401_UNAUTHORIZED) # Deny if token is expired or invalid try: decode_and_verify_jwt(token, SECRET) except Exception: - from fastapi import Response, status as _status return Response(status_code=_status.HTTP_401_UNAUTHORIZED) return await call_next(request) diff --git a/7project/backend/tests/conftest.py b/7project/backend/tests/conftest.py index 06f5c63..596aced 100644 --- a/7project/backend/tests/conftest.py +++ b/7project/backend/tests/conftest.py @@ -42,30 +42,3 @@ async def test_user(fastapi_app): return {"username": unique_email, "password": password} - -@pytest.fixture(scope="function") -def authenticated_client(client: TestClient): - """ - Creates a new user, logs them in, and returns a client - with the authorization headers already set. - """ - # 1. Create a unique user - unique_email = f"testuser_{uuid.uuid4()}@example.com" - password = "a_strong_password" - user_payload = {"email": unique_email, "password": password} - - register_resp = client.post("/auth/register", json=user_payload) - assert register_resp.status_code == 201 - - # 2. Log in to get the token - login_payload = {"username": unique_email, "password": password} - login_resp = client.post("/auth/jwt/login", data=login_payload) - token = login_resp.json()["access_token"] - - # 3. Set the authorization header for subsequent requests - client.headers = {"Authorization": f"Bearer {token}"} - - yield client - - # Teardown: Clear headers after the test - client.headers.pop("Authorization", None) From cf1d520a30411be51bddca6225c1f726748fc42b Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 13:42:01 +0100 Subject: [PATCH 04/14] feat(tests): added testing DB --- .github/workflows/run-tests.yml | 42 ++++++++++++++++--- .../backend/tests/test_unit_user_service.py | 2 +- 2 files changed, 38 insertions(+), 6 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index b71a6d1..eb7f488 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -9,7 +9,7 @@ permissions: on: # Run on every push to the 'main' branch push: - branches: [ "main", "30-create-tests-and-set-up-a-github-pipeline" ] + branches: [ "main", "33-frontend-looks-like-logged-in-even-after-token-expires" ] # Also run on every pull request that targets the 'main' branch pull_request: branches: [ "main" ] @@ -24,6 +24,33 @@ jobs: # Specifies the virtual machine to run the job on. 'ubuntu-latest' is a common and cost-effective choice. runs-on: ubuntu-latest + # 1) Start a MariaDB service container for tests + services: + mariadb: + image: mariadb:11.4 + env: + MARIADB_ROOT_PASSWORD: rootpw + MARIADB_DATABASE: group_project_test + MARIADB_USER: appuser + MARIADB_PASSWORD: apppass + ports: + - 3306:3306 + options: >- + --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" + --health-interval=5s + --health-timeout=2s + --health-retries=20 + + # 2) Expose DB connection settings to steps so your app picks them up + env: + MARIADB_HOST: 127.0.0.1 + MARIADB_PORT: "3306" + MARIADB_DB: group_project_test + MARIADB_USER: appuser + MARIADB_PASSWORD: apppass + # Optional: enable SQL echo logs in CI for debugging + # SQL_ECHO: "1" + # ----------------- # ----- Steps ----- # ----------------- @@ -41,14 +68,19 @@ jobs: with: python-version: '3.11' # Use the Python version that matches your project - # Step 3: Install project dependencies - # Runs shell commands to install the libraries listed in your requirements.txt. + # Step 3: Install project dependencies (from repo root) - name: Install dependencies run: | python -m pip install --upgrade pip pip install -r requirements.txt - - # Step 4: Run your tests! + + # Step 4: Apply DB migrations before running tests + - name: Run Alembic migrations + run: | + alembic upgrade head + working-directory: ./7project/backend + + # Step 5: Run your tests! # Executes the pytest command to run your test suite. - name: Run tests with pytest run: pytest diff --git a/7project/backend/tests/test_unit_user_service.py b/7project/backend/tests/test_unit_user_service.py index 7e89962..dedff0e 100644 --- a/7project/backend/tests/test_unit_user_service.py +++ b/7project/backend/tests/test_unit_user_service.py @@ -19,7 +19,7 @@ def test_get_oauth_provider_known_unknown(): def test_get_jwt_strategy_lifetime(): strategy = user_service.get_jwt_strategy() assert strategy is not None - # Basic smoke check: strategy has a lifetime set to 3600 + # Basic smoke check: strategy has a lifetime set to 604800 assert getattr(strategy, "lifetime_seconds", None) in (604800,) From edb4dfd14779c13e929341bd213ec841d243736d Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 13:50:04 +0100 Subject: [PATCH 05/14] fix(tests): fixed testing DB deployment --- .github/workflows/run-tests.yml | 40 ++++++++++++--------------------- 1 file changed, 14 insertions(+), 26 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index eb7f488..9573551 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -19,69 +19,57 @@ on: # ----------------- # A workflow is made up of one or more jobs that can run in parallel or sequentially. jobs: - # A descriptive name for your job build-and-test: - # Specifies the virtual machine to run the job on. 'ubuntu-latest' is a common and cost-effective choice. runs-on: ubuntu-latest # 1) Start a MariaDB service container for tests services: + # The label 'mariadb' becomes the hostname mariadb: image: mariadb:11.4 env: MARIADB_ROOT_PASSWORD: rootpw - MARIADB_DATABASE: group_project_test + # This DB name now matches what your app expects + MARIADB_DATABASE: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass - ports: - - 3306:3306 - options: >- - --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" - --health-interval=5s - --health-timeout=2s - --health-retries=20 + # 'ports' and 'options' are removed. + # GitHub Actions will use the image's default healthcheck. - # 2) Expose DB connection settings to steps so your app picks them up + # 2) Expose DB connection settings to steps env: - MARIADB_HOST: 127.0.0.1 - MARIADB_PORT: "3306" - MARIADB_DB: group_project_test + # Use the service label 'mariadb' as the host + MARIADB_HOST: mariadb + MARIADB_PORT: "3306" # This is the internal port, which is correct + # Match the database name from the service + MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass - # Optional: enable SQL echo logs in CI for debugging - # SQL_ECHO: "1" # ----------------- # ----- Steps ----- # ----------------- - # A sequence of tasks that will be executed as part of the job. steps: - # Step 1: Check out your repository's code - # This action allows the workflow to access your code. + # ... (your steps remain the same) ... + - name: Check out repository code uses: actions/checkout@v4 - # Step 2: Set up the Python environment - # This action installs a specific version of Python on the runner. - name: Set up Python 3.11 uses: actions/setup-python@v5 with: - python-version: '3.11' # Use the Python version that matches your project + python-version: '3.11' - # Step 3: Install project dependencies (from repo root) - name: Install dependencies run: | python -m pip install --upgrade pip pip install -r requirements.txt - # Step 4: Apply DB migrations before running tests - name: Run Alembic migrations run: | alembic upgrade head working-directory: ./7project/backend - # Step 5: Run your tests! - # Executes the pytest command to run your test suite. - name: Run tests with pytest run: pytest working-directory: ./7project/backend \ No newline at end of file From 65957d78ecca96a4762bbd62adcfc2b22b96bf68 Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 14:07:06 +0100 Subject: [PATCH 06/14] fix(tests): fixed testing DB deployment --- .github/workflows/run-tests.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 9573551..0183ae3 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -71,5 +71,10 @@ jobs: working-directory: ./7project/backend - name: Run tests with pytest + env: + MARIADB_HOST: mariadb + MARIADB_DB: group_project # Make sure this matches the service DB + MARIADB_USER: appuser + MARIADB_PASSWORD: apppass run: pytest working-directory: ./7project/backend \ No newline at end of file From 542b05d541d5ea72426fa2377dce4b6fc59c19c7 Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 14:11:43 +0100 Subject: [PATCH 07/14] fix(tests): fixed testing DB deployment v3 --- .github/workflows/run-tests.yml | 35 +++++++++++++++++---------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 0183ae3..543106a 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -22,36 +22,33 @@ jobs: build-and-test: runs-on: ubuntu-latest - # 1) Start a MariaDB service container for tests services: - # The label 'mariadb' becomes the hostname mariadb: image: mariadb:11.4 env: MARIADB_ROOT_PASSWORD: rootpw - # This DB name now matches what your app expects - MARIADB_DATABASE: group_project + MARIADB_DATABASE: group_project # Using the DB name your app expects MARIADB_USER: appuser MARIADB_PASSWORD: apppass - # 'ports' and 'options' are removed. - # GitHub Actions will use the image's default healthcheck. + # ADD THIS BLOCK BACK IN + # This forces the job to wait until the DB is + # actually responding before continuing. + options: >- + --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" + --health-interval=5s + --health-timeout=2s + --health-retries=20 - # 2) Expose DB connection settings to steps + # This is the job-level 'env' block + # It will be used by the 'alembic' step env: - # Use the service label 'mariadb' as the host - MARIADB_HOST: mariadb - MARIADB_PORT: "3306" # This is the internal port, which is correct - # Match the database name from the service + MARIADB_HOST: mariadb # Use the service label as the host + MARIADB_PORT: "3306" MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass - # ----------------- - # ----- Steps ----- - # ----------------- steps: - # ... (your steps remain the same) ... - - name: Check out repository code uses: actions/checkout@v4 @@ -65,15 +62,19 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt + # This step will now wait for the healthcheck to pass + # and will use the job-level 'env' block - name: Run Alembic migrations run: | alembic upgrade head working-directory: ./7project/backend + # This step-level 'env' block overrides any local .env + # file that your pytest setup might be loading - name: Run tests with pytest env: MARIADB_HOST: mariadb - MARIADB_DB: group_project # Make sure this matches the service DB + MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass run: pytest From 55f8e3837639ce2a9d9168515cfb69136e4b0fed Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 14:20:20 +0100 Subject: [PATCH 08/14] fix(tests): fixed testing DB deployment v4 --- .github/workflows/run-tests.yml | 15 ++++++++------- 7project/backend/alembic/env.py | 3 ++- 7project/backend/app/core/db.py | 3 ++- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 543106a..a813431 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -9,7 +9,7 @@ permissions: on: # Run on every push to the 'main' branch push: - branches: [ "main", "33-frontend-looks-like-logged-in-even-after-token-expires" ] + branches: [ "main" ] # Also run on every pull request that targets the 'main' branch pull_request: branches: [ "main" ] @@ -30,9 +30,9 @@ jobs: MARIADB_DATABASE: group_project # Using the DB name your app expects MARIADB_USER: appuser MARIADB_PASSWORD: apppass - # ADD THIS BLOCK BACK IN - # This forces the job to wait until the DB is - # actually responding before continuing. + ports: + - 3306:3306 + # Healthcheck ensures the job only starts when DB is ready options: >- --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" --health-interval=5s @@ -40,9 +40,9 @@ jobs: --health-retries=20 # This is the job-level 'env' block - # It will be used by the 'alembic' step + # It will be used by all steps (alembic, pytest, etc.) env: - MARIADB_HOST: mariadb # Use the service label as the host + MARIADB_HOST: 127.0.0.1 MARIADB_PORT: "3306" MARIADB_DB: group_project MARIADB_USER: appuser @@ -73,7 +73,8 @@ jobs: # file that your pytest setup might be loading - name: Run tests with pytest env: - MARIADB_HOST: mariadb + MARIADB_HOST: 127.0.0.1 + MARIADB_PORT: "3306" MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass diff --git a/7project/backend/alembic/env.py b/7project/backend/alembic/env.py index ec52aab..f910b91 100644 --- a/7project/backend/alembic/env.py +++ b/7project/backend/alembic/env.py @@ -25,7 +25,8 @@ if not DATABASE_URL: SYNC_DATABASE_URL = DATABASE_URL.replace("+asyncmy", "+pymysql") -ssl_enabled = os.getenv("MARIADB_HOST", "localhost") != "localhost" +host_env = os.getenv("MARIADB_HOST", "localhost") +ssl_enabled = host_env not in {"localhost", "127.0.0.1"} connect_args = {"ssl": {"ssl": True}} if ssl_enabled else {} def run_migrations_offline() -> None: diff --git a/7project/backend/app/core/db.py b/7project/backend/app/core/db.py index 9c8cad7..1186352 100644 --- a/7project/backend/app/core/db.py +++ b/7project/backend/app/core/db.py @@ -19,7 +19,8 @@ from app.models.user import User from app.models.transaction import Transaction from app.models.categories import Category -ssl_enabled = os.getenv("MARIADB_HOST", "localhost") != "localhost" +host_env = os.getenv("MARIADB_HOST", "localhost") +ssl_enabled = host_env not in {"localhost", "127.0.0.1"} connect_args = {"ssl": {"ssl": True}} if ssl_enabled else {} engine = create_async_engine( From 52f6bd6a5375e597a1857af47288ea5a0e928ba6 Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 14:43:26 +0100 Subject: [PATCH 09/14] fix(tests): fixed testing DB deployment v5 --- .github/workflows/deploy-pr.yaml | 20 +---------- .github/workflows/deploy-prod.yaml | 21 +----------- .github/workflows/run-tests.yml | 54 +++++++++--------------------- 3 files changed, 18 insertions(+), 77 deletions(-) diff --git a/.github/workflows/deploy-pr.yaml b/.github/workflows/deploy-pr.yaml index 56938bd..0228e16 100644 --- a/.github/workflows/deploy-pr.yaml +++ b/.github/workflows/deploy-pr.yaml @@ -12,25 +12,7 @@ jobs: test: name: Run Python Tests if: github.event.action != 'closed' - runs-on: ubuntu-latest - - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Set up Python 3.11 - uses: actions/setup-python@v5 - with: - python-version: '3.11' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - - name: Run tests with pytest - run: pytest - working-directory: ./7project/backend + uses: ./.github/workflows/run-tests.yml build: if: github.event.action != 'closed' diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml index 7f99e56..0bdfefb 100644 --- a/.github/workflows/deploy-prod.yaml +++ b/.github/workflows/deploy-prod.yaml @@ -23,26 +23,7 @@ concurrency: jobs: test: name: Run Python Tests - if: github.event.action != 'closed' - runs-on: ubuntu-latest - - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Set up Python 3.11 - uses: actions/setup-python@v5 - with: - python-version: '3.11' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - - name: Run tests with pytest - run: pytest - working-directory: ./7project/backend + uses: ./.github/workflows/run-tests.yml build: name: Build and push image (reusable) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index a813431..ff3ad3e 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -2,48 +2,31 @@ name: Run Python Tests permissions: contents: read -# ----------------- -# --- Triggers ---- -# ----------------- -# This section defines when the workflow will run. on: - # Run on every push to the 'main' branch - push: - branches: [ "main" ] - # Also run on every pull request that targets the 'main' branch - pull_request: - branches: [ "main" ] + workflow_call: -# ----------------- -# ------ Jobs ----- -# ----------------- -# A workflow is made up of one or more jobs that can run in parallel or sequentially. jobs: build-and-test: runs-on: ubuntu-latest + # 1) Start a MariaDB service container for tests services: + # The label 'mariadb' becomes the hostname mariadb: image: mariadb:11.4 env: MARIADB_ROOT_PASSWORD: rootpw - MARIADB_DATABASE: group_project # Using the DB name your app expects + # This DB name now matches what your app expects + MARIADB_DATABASE: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass - ports: - - 3306:3306 - # Healthcheck ensures the job only starts when DB is ready - options: >- - --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" - --health-interval=5s - --health-timeout=2s - --health-retries=20 - # This is the job-level 'env' block - # It will be used by all steps (alembic, pytest, etc.) + # 2) Expose DB connection settings to steps env: - MARIADB_HOST: 127.0.0.1 - MARIADB_PORT: "3306" + # Use the service label 'mariadb' as the host + MARIADB_HOST: mariadb + MARIADB_PORT: "3306" # This is the internal port, which is correct + # Match the database name from the service MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass @@ -57,26 +40,21 @@ jobs: with: python-version: '3.11' + - name: Add test dependencies to requirements + run: | + echo "pytest==8.4.2" >> ./7project/backend/requirements.txt + echo "pytest-asyncio==1.2.0" >> ./7project/backend/requirements.txt + - name: Install dependencies run: | python -m pip install --upgrade pip - pip install -r requirements.txt + pip install -r ./7project/backend/requirements.txt - # This step will now wait for the healthcheck to pass - # and will use the job-level 'env' block - name: Run Alembic migrations run: | alembic upgrade head working-directory: ./7project/backend - # This step-level 'env' block overrides any local .env - # file that your pytest setup might be loading - name: Run tests with pytest - env: - MARIADB_HOST: 127.0.0.1 - MARIADB_PORT: "3306" - MARIADB_DB: group_project - MARIADB_USER: appuser - MARIADB_PASSWORD: apppass run: pytest working-directory: ./7project/backend \ No newline at end of file From 7529c9b265ad354912fbd97c97008d046fbc81cf Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 19:45:08 +0100 Subject: [PATCH 10/14] fix(tests): fixed testing DB deployment v6 --- .github/workflows/run-tests.yml | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 9f44dbe..bee1ba9 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -2,41 +2,30 @@ name: Run Python Tests permissions: contents: read -# ----------------- -# --- Triggers ---- -# ----------------- -# This section defines when the workflow will run. on: workflow_call: -# ----------------- -# ------ Jobs ----- -# ----------------- -# A workflow is made up of one or more jobs that can run in parallel or sequentially. jobs: - # A descriptive name for your job build-and-test: - # Specifies the virtual machine to run the job on. 'ubuntu-latest' is a common and cost-effective choice. runs-on: ubuntu-latest - # 1) Start a MariaDB service container for tests services: - # The label 'mariadb' becomes the hostname mariadb: image: mariadb:11.4 env: MARIADB_ROOT_PASSWORD: rootpw - # This DB name now matches what your app expects MARIADB_DATABASE: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass + options: >- + --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" + --health-interval=5s + --health-timeout=2s + --health-retries=20 - # 2) Expose DB connection settings to steps env: - # Use the service label 'mariadb' as the host MARIADB_HOST: mariadb - MARIADB_PORT: "3306" # This is the internal port, which is correct - # Match the database name from the service + MARIADB_PORT: "3306" MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass From 483a859b4b3672c4d9ae543c5717d8236a69a159 Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 19:53:26 +0100 Subject: [PATCH 11/14] fix(tests): fixed testing DB deployment v7 --- .github/workflows/run-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index bee1ba9..e0ec110 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -18,7 +18,7 @@ jobs: MARIADB_USER: appuser MARIADB_PASSWORD: apppass options: >- - --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" + --health-cmd="mariadb-admin ping -h 127.0.0.1 -u root -prootpw --silent" --health-interval=5s --health-timeout=2s --health-retries=20 From dddca9d805b3b3dabd6da4d16c1438a47d024fc7 Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 19:57:20 +0100 Subject: [PATCH 12/14] fix(tests): fixed testing DB deployment v8 :D --- .github/workflows/run-tests.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index e0ec110..0ef11da 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -49,6 +49,11 @@ jobs: python -m pip install --upgrade pip pip install -r ./7project/backend/requirements.txt + - name: Wait for DB network + run: | + echo "Waiting 15s for the database network to be ready..." + sleep 15 + - name: Run Alembic migrations run: | alembic upgrade head From d9c562f867f8b3d7673119f7fc35e67182fa64ba Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 20:01:21 +0100 Subject: [PATCH 13/14] fix(tests): fixed testing DB deployment v9 :O --- .github/workflows/run-tests.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 0ef11da..ddd0337 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -17,6 +17,8 @@ jobs: MARIADB_DATABASE: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass + ports: + - 3306:3306 options: >- --health-cmd="mariadb-admin ping -h 127.0.0.1 -u root -prootpw --silent" --health-interval=5s @@ -24,7 +26,7 @@ jobs: --health-retries=20 env: - MARIADB_HOST: mariadb + MARIADB_HOST: 127.0.0.1 MARIADB_PORT: "3306" MARIADB_DB: group_project MARIADB_USER: appuser @@ -49,11 +51,6 @@ jobs: python -m pip install --upgrade pip pip install -r ./7project/backend/requirements.txt - - name: Wait for DB network - run: | - echo "Waiting 15s for the database network to be ready..." - sleep 15 - - name: Run Alembic migrations run: | alembic upgrade head From 4c9879cebfa73e07f68db7adce58774a6df4942a Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 20:04:50 +0100 Subject: [PATCH 14/14] fix(tests): finally fixed the test DB deployment :} --- 7project/backend/tests/test_integration_app.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/7project/backend/tests/test_integration_app.py b/7project/backend/tests/test_integration_app.py index 5d290aa..c924e25 100644 --- a/7project/backend/tests/test_integration_app.py +++ b/7project/backend/tests/test_integration_app.py @@ -14,11 +14,6 @@ def test_authenticated_route_requires_auth(client): assert resp.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN) -def test_sentry_debug_raises_exception(client): - with pytest.raises(ZeroDivisionError): - client.get("/sentry-debug") - - @pytest.mark.asyncio async def test_create_and_get_category(fastapi_app, test_user): # Use AsyncClient for async tests