From 584c090b80eda7957ea471a330c6009bb87bd01e Mon Sep 17 00:00:00 2001 From: ribardej Date: Thu, 23 Oct 2025 19:04:48 +0200 Subject: [PATCH 01/19] fix(backend): implemented jwt token invalidation so users cannot use it after expiry --- 7project/backend/app/api/auth.py | 17 ++++ 7project/backend/app/app.py | 20 +++++ 7project/backend/app/core/security.py | 45 ++++++++++ 7project/backend/pyproject.toml | 5 +- 7project/backend/tests/conftest.py | 49 +++++++++++ 7project/backend/tests/test_e2e_auth_flow.py | 83 +++++++++++++++++++ .../backend/tests/test_integration_app.py | 53 ++++++++++++ 7 files changed, 271 insertions(+), 1 deletion(-) create mode 100644 7project/backend/app/core/security.py diff --git a/7project/backend/app/api/auth.py b/7project/backend/app/api/auth.py index 075600c..d5c59d8 100644 --- a/7project/backend/app/api/auth.py +++ b/7project/backend/app/api/auth.py @@ -24,6 +24,23 @@ async def delete_me( await user_manager.delete(user) # Keep existing paths as-is under /auth/* and /users/* +from fastapi import Request, Response +from app.core.security import revoke_token, extract_bearer_token + + +@router.post( + "/auth/jwt/logout", + status_code=status.HTTP_204_NO_CONTENT, + tags=["auth"], + summary="Log out and revoke current token", +) +async def custom_logout(request: Request) -> Response: + """Revoke the current bearer token so it cannot be used anymore.""" + token = extract_bearer_token(request) + if token: + revoke_token(token) + return Response(status_code=status.HTTP_204_NO_CONTENT) + router.include_router( fastapi_users.get_auth_router(auth_backend), prefix="/auth/jwt", tags=["auth"] ) diff --git a/7project/backend/app/app.py b/7project/backend/app/app.py index ae50a62..a827694 100644 --- a/7project/backend/app/app.py +++ b/7project/backend/app/app.py @@ -16,6 +16,8 @@ from app.api.csas import router as csas_router from app.api.categories import router as categories_router from app.api.transactions import router as transactions_router from app.services.user_service import auth_backend, current_active_verified_user, fastapi_users, get_oauth_provider, UserManager, get_jwt_strategy +from app.core.security import extract_bearer_token, is_token_revoked, decode_and_verify_jwt +from app.services.user_service import SECRET from fastapi import FastAPI @@ -49,6 +51,24 @@ fastApi.include_router(categories_router) fastApi.include_router(transactions_router) logging.basicConfig(filename='app.log', level=logging.INFO, format='%(asctime)s %(message)s') +@fastApi.middleware("http") +async def auth_guard(request: Request, call_next): + # Enforce revoked/expired JWTs are rejected globally + token = extract_bearer_token(request) + if token: + # Deny if token is revoked + if is_token_revoked(token): + from fastapi import Response, status as _status + return Response(status_code=_status.HTTP_401_UNAUTHORIZED) + # Deny if token is expired or invalid + try: + decode_and_verify_jwt(token, SECRET) + except Exception: + from fastapi import Response, status as _status + return Response(status_code=_status.HTTP_401_UNAUTHORIZED) + return await call_next(request) + + @fastApi.middleware("http") async def log_traffic(request: Request, call_next): start_time = datetime.now() diff --git a/7project/backend/app/core/security.py b/7project/backend/app/core/security.py new file mode 100644 index 0000000..157f653 --- /dev/null +++ b/7project/backend/app/core/security.py @@ -0,0 +1,45 @@ +from typing import Optional +import re +import jwt +from fastapi import Request + +# Simple in-memory revocation store. In production, consider Redis or database. +_REVOKED_TOKENS: set[str] = set() + +# Bearer token regex +_BEARER_RE = re.compile(r"^[Bb]earer\s+(.+)$") + + +def extract_bearer_token(request: Request) -> Optional[str]: + auth = request.headers.get("authorization") + if not auth: + return None + m = _BEARER_RE.match(auth) + if not m: + return None + return m.group(1).strip() + + +def revoke_token(token: str) -> None: + if token: + _REVOKED_TOKENS.add(token) + + +def is_token_revoked(token: str) -> bool: + return token in _REVOKED_TOKENS + + +def decode_and_verify_jwt(token: str, secret: str) -> dict: + """ + Decode the JWT using the shared secret, verifying expiration and signature. + Audience is not verified here to be compatible with fastapi-users default tokens. + Raises jwt.ExpiredSignatureError if expired. + Raises jwt.InvalidTokenError for other issues. + Returns the decoded payload dict on success. + """ + return jwt.decode( + token, + secret, + algorithms=["HS256"], + options={"verify_aud": False}, + ) # verify_exp is True by default \ No newline at end of file diff --git a/7project/backend/pyproject.toml b/7project/backend/pyproject.toml index ef504fe..afdd586 100644 --- a/7project/backend/pyproject.toml +++ b/7project/backend/pyproject.toml @@ -1,2 +1,5 @@ [tool.pytest.ini_options] -pythonpath = "." \ No newline at end of file +pythonpath = "." +asyncio_mode = "auto" +asyncio_default_fixture_loop_scope = "session" +asyncio_default_test_loop_scope = "session" \ No newline at end of file diff --git a/7project/backend/tests/conftest.py b/7project/backend/tests/conftest.py index 1c6dca7..06f5c63 100644 --- a/7project/backend/tests/conftest.py +++ b/7project/backend/tests/conftest.py @@ -1,7 +1,9 @@ import sys +import uuid import types import pytest from fastapi.testclient import TestClient +from httpx import AsyncClient, ASGITransport # Stub sentry_sdk to avoid optional dependency issues during import of app stub = types.ModuleType("sentry_sdk") @@ -20,3 +22,50 @@ def fastapi_app(): @pytest.fixture(scope="session") def client(fastapi_app): return TestClient(fastapi_app, raise_server_exceptions=True) + + +@pytest.fixture(scope="function") +async def test_user(fastapi_app): + """ + Creates a new user asynchronously and returns their credentials. + Does NOT log them in. + Using AsyncClient with ASGITransport avoids event loop conflicts with DB connections. + """ + unique_email = f"testuser_{uuid.uuid4()}@example.com" + password = "a_strong_password" + user_payload = {"email": unique_email, "password": password} + + transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + response = await ac.post("/auth/register", json=user_payload) + assert response.status_code == 201 + + return {"username": unique_email, "password": password} + + +@pytest.fixture(scope="function") +def authenticated_client(client: TestClient): + """ + Creates a new user, logs them in, and returns a client + with the authorization headers already set. + """ + # 1. Create a unique user + unique_email = f"testuser_{uuid.uuid4()}@example.com" + password = "a_strong_password" + user_payload = {"email": unique_email, "password": password} + + register_resp = client.post("/auth/register", json=user_payload) + assert register_resp.status_code == 201 + + # 2. Log in to get the token + login_payload = {"username": unique_email, "password": password} + login_resp = client.post("/auth/jwt/login", data=login_payload) + token = login_resp.json()["access_token"] + + # 3. Set the authorization header for subsequent requests + client.headers = {"Authorization": f"Bearer {token}"} + + yield client + + # Teardown: Clear headers after the test + client.headers.pop("Authorization", None) diff --git a/7project/backend/tests/test_e2e_auth_flow.py b/7project/backend/tests/test_e2e_auth_flow.py index e622f9c..7ad18d2 100644 --- a/7project/backend/tests/test_e2e_auth_flow.py +++ b/7project/backend/tests/test_e2e_auth_flow.py @@ -1,3 +1,6 @@ +import pytest +import uuid +from httpx import AsyncClient, ASGITransport from fastapi import status @@ -13,3 +16,83 @@ def test_e2e_minimal_auth_flow(client): # 3) Protected endpoint should not be accessible without token me = client.get("/users/me") assert me.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN) + + +@pytest.mark.asyncio +async def test_e2e_full_user_lifecycle(fastapi_app, test_user): + # Use an AsyncClient with ASGITransport for async tests + transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + login_payload = test_user + + # 1. Log in with the new credentials + login_resp = await ac.post("/auth/jwt/login", data=login_payload) + assert login_resp.status_code == status.HTTP_200_OK + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # 2. Access a protected endpoint + me_resp = await ac.get("/users/me", headers=headers) + assert me_resp.status_code == status.HTTP_200_OK + assert me_resp.json()["email"] == test_user["username"] + + # 3. Update the user's profile + update_payload = {"first_name": "Test"} + patch_resp = await ac.patch("/users/me", json=update_payload, headers=headers) + assert patch_resp.status_code == status.HTTP_200_OK + assert patch_resp.json()["first_name"] == "Test" + + # 4. Log out + logout_resp = await ac.post("/auth/jwt/logout", headers=headers) + assert logout_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) + + # 5. Verify token is invalid + me_again_resp = await ac.get("/users/me", headers=headers) + assert me_again_resp.status_code == status.HTTP_401_UNAUTHORIZED + + +@pytest.mark.asyncio +async def test_e2e_transaction_workflow(fastapi_app, test_user): + transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + # 1. Log in to get the token + login_resp = await ac.post("/auth/jwt/login", data=test_user) + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # NEW STEP: Create a category first to get a valid ID + category_payload = {"name": "Test Category for E2E"} + create_category_resp = await ac.post("/categories/create", json=category_payload, headers=headers) + assert create_category_resp.status_code == status.HTTP_201_CREATED + category_id = create_category_resp.json()["id"] + + # 2. Create a new transaction + tx_payload = {"amount": -55.40, "description": "Milk and eggs"} + tx_resp = await ac.post("/transactions/create", json=tx_payload, headers=headers) + assert tx_resp.status_code == status.HTTP_201_CREATED + tx_id = tx_resp.json()["id"] + + # 3. Assign the category + assign_resp = await ac.post(f"/transactions/{tx_id}/categories/{category_id}", headers=headers) + assert assign_resp.status_code == status.HTTP_200_OK + + # 4. Verify assignment + get_tx_resp = await ac.get(f"/transactions/{tx_id}", headers=headers) + assert category_id in get_tx_resp.json()["category_ids"] + + # 5. Unassign the category + unassign_resp = await ac.delete(f"/transactions/{tx_id}/categories/{category_id}", headers=headers) + assert unassign_resp.status_code == status.HTTP_200_OK + + # 6. Get the transaction again and verify the category is gone + get_tx_again_resp = await ac.get(f"/transactions/{tx_id}", headers=headers) + final_tx_data = get_tx_again_resp.json() + assert category_id not in final_tx_data["category_ids"] + + # 7. Delete the transaction for cleanup + delete_resp = await ac.delete(f"/transactions/{tx_id}/delete", headers=headers) + assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) + + # NEW STEP: Clean up the created category + delete_category_resp = await ac.delete(f"/categories/{category_id}", headers=headers) + assert delete_category_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) \ No newline at end of file diff --git a/7project/backend/tests/test_integration_app.py b/7project/backend/tests/test_integration_app.py index 6c8733d..5d290aa 100644 --- a/7project/backend/tests/test_integration_app.py +++ b/7project/backend/tests/test_integration_app.py @@ -1,5 +1,6 @@ from fastapi import status import pytest +from httpx import AsyncClient, ASGITransport def test_root_ok(client): @@ -16,3 +17,55 @@ def test_authenticated_route_requires_auth(client): def test_sentry_debug_raises_exception(client): with pytest.raises(ZeroDivisionError): client.get("/sentry-debug") + + +@pytest.mark.asyncio +async def test_create_and_get_category(fastapi_app, test_user): + # Use AsyncClient for async tests + transport = ASGITransport(app=fastapi_app) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + # 1. Log in to get an auth token + login_resp = await ac.post("/auth/jwt/login", data=test_user) + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # 2. Define and create the new category + category_name = "Async Integration Test" + category_payload = {"name": category_name} + create_resp = await ac.post("/categories/create", json=category_payload, headers=headers) + + # 3. Assert creation was successful + assert create_resp.status_code == status.HTTP_201_CREATED + created_data = create_resp.json() + category_id = created_data["id"] + assert created_data["name"] == category_name + + # 4. GET the list of categories to verify + list_resp = await ac.get("/categories/", headers=headers) + assert list_resp.status_code == status.HTTP_200_OK + + # 5. Check that our new category is in the list + categories_list = list_resp.json() + assert any(cat["name"] == category_name for cat in categories_list) + + delete_resp = await ac.delete(f"/categories/{category_id}", headers=headers) + assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT) + + +@pytest.mark.asyncio +async def test_create_transaction_missing_amount_fails(fastapi_app, test_user): + transport = ASGITransport(app=fastapi_app) + async with AsyncClient(transport=transport, base_url="http://testserver") as ac: + # 1. Log in to get an auth token + login_resp = await ac.post("/auth/jwt/login", data=test_user) + token = login_resp.json()["access_token"] + headers = {"Authorization": f"Bearer {token}"} + + # 2. Define an invalid payload + invalid_payload = {"description": "This should fail"} + + # 3. Attempt to create the transaction + resp = await ac.post("/transactions/create", json=invalid_payload, headers=headers) + + # 4. Assert the expected validation error + assert resp.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY From eb7b2290b8531ede452797c15b0ab7c299995f7a Mon Sep 17 00:00:00 2001 From: Dejan Ribarovski Date: Thu, 23 Oct 2025 19:14:22 +0200 Subject: [PATCH 02/19] Update 7project/backend/app/core/security.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- 7project/backend/app/core/security.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/7project/backend/app/core/security.py b/7project/backend/app/core/security.py index 157f653..2093cbb 100644 --- a/7project/backend/app/core/security.py +++ b/7project/backend/app/core/security.py @@ -3,7 +3,14 @@ import re import jwt from fastapi import Request -# Simple in-memory revocation store. In production, consider Redis or database. +# Simple in-memory revocation store for revoked JWT tokens. +# +# Limitations: +# - All revoked tokens will be lost if the process restarts (data loss on restart). +# - Not suitable for multi-instance deployments: the revocation list is not shared between instances. +# A token revoked in one instance will not be recognized as revoked in others. +# +# For production, use a persistent and shared store (e.g., Redis or a database). _REVOKED_TOKENS: set[str] = set() # Bearer token regex From b0cd7030d8d6d8bdc345ce07222cbe4ae261ff29 Mon Sep 17 00:00:00 2001 From: ribardej Date: Thu, 23 Oct 2025 19:16:14 +0200 Subject: [PATCH 03/19] fix(backend): adressed copilot review --- 7project/backend/app/app.py | 3 +-- 7project/backend/tests/conftest.py | 27 --------------------------- 2 files changed, 1 insertion(+), 29 deletions(-) diff --git a/7project/backend/app/app.py b/7project/backend/app/app.py index a827694..1fd4dce 100644 --- a/7project/backend/app/app.py +++ b/7project/backend/app/app.py @@ -56,15 +56,14 @@ async def auth_guard(request: Request, call_next): # Enforce revoked/expired JWTs are rejected globally token = extract_bearer_token(request) if token: + from fastapi import Response, status as _status # Deny if token is revoked if is_token_revoked(token): - from fastapi import Response, status as _status return Response(status_code=_status.HTTP_401_UNAUTHORIZED) # Deny if token is expired or invalid try: decode_and_verify_jwt(token, SECRET) except Exception: - from fastapi import Response, status as _status return Response(status_code=_status.HTTP_401_UNAUTHORIZED) return await call_next(request) diff --git a/7project/backend/tests/conftest.py b/7project/backend/tests/conftest.py index 06f5c63..596aced 100644 --- a/7project/backend/tests/conftest.py +++ b/7project/backend/tests/conftest.py @@ -42,30 +42,3 @@ async def test_user(fastapi_app): return {"username": unique_email, "password": password} - -@pytest.fixture(scope="function") -def authenticated_client(client: TestClient): - """ - Creates a new user, logs them in, and returns a client - with the authorization headers already set. - """ - # 1. Create a unique user - unique_email = f"testuser_{uuid.uuid4()}@example.com" - password = "a_strong_password" - user_payload = {"email": unique_email, "password": password} - - register_resp = client.post("/auth/register", json=user_payload) - assert register_resp.status_code == 201 - - # 2. Log in to get the token - login_payload = {"username": unique_email, "password": password} - login_resp = client.post("/auth/jwt/login", data=login_payload) - token = login_resp.json()["access_token"] - - # 3. Set the authorization header for subsequent requests - client.headers = {"Authorization": f"Bearer {token}"} - - yield client - - # Teardown: Clear headers after the test - client.headers.pop("Authorization", None) From cf1d520a30411be51bddca6225c1f726748fc42b Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 13:42:01 +0100 Subject: [PATCH 04/19] feat(tests): added testing DB --- .github/workflows/run-tests.yml | 42 ++++++++++++++++--- .../backend/tests/test_unit_user_service.py | 2 +- 2 files changed, 38 insertions(+), 6 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index b71a6d1..eb7f488 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -9,7 +9,7 @@ permissions: on: # Run on every push to the 'main' branch push: - branches: [ "main", "30-create-tests-and-set-up-a-github-pipeline" ] + branches: [ "main", "33-frontend-looks-like-logged-in-even-after-token-expires" ] # Also run on every pull request that targets the 'main' branch pull_request: branches: [ "main" ] @@ -24,6 +24,33 @@ jobs: # Specifies the virtual machine to run the job on. 'ubuntu-latest' is a common and cost-effective choice. runs-on: ubuntu-latest + # 1) Start a MariaDB service container for tests + services: + mariadb: + image: mariadb:11.4 + env: + MARIADB_ROOT_PASSWORD: rootpw + MARIADB_DATABASE: group_project_test + MARIADB_USER: appuser + MARIADB_PASSWORD: apppass + ports: + - 3306:3306 + options: >- + --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" + --health-interval=5s + --health-timeout=2s + --health-retries=20 + + # 2) Expose DB connection settings to steps so your app picks them up + env: + MARIADB_HOST: 127.0.0.1 + MARIADB_PORT: "3306" + MARIADB_DB: group_project_test + MARIADB_USER: appuser + MARIADB_PASSWORD: apppass + # Optional: enable SQL echo logs in CI for debugging + # SQL_ECHO: "1" + # ----------------- # ----- Steps ----- # ----------------- @@ -41,14 +68,19 @@ jobs: with: python-version: '3.11' # Use the Python version that matches your project - # Step 3: Install project dependencies - # Runs shell commands to install the libraries listed in your requirements.txt. + # Step 3: Install project dependencies (from repo root) - name: Install dependencies run: | python -m pip install --upgrade pip pip install -r requirements.txt - - # Step 4: Run your tests! + + # Step 4: Apply DB migrations before running tests + - name: Run Alembic migrations + run: | + alembic upgrade head + working-directory: ./7project/backend + + # Step 5: Run your tests! # Executes the pytest command to run your test suite. - name: Run tests with pytest run: pytest diff --git a/7project/backend/tests/test_unit_user_service.py b/7project/backend/tests/test_unit_user_service.py index 7e89962..dedff0e 100644 --- a/7project/backend/tests/test_unit_user_service.py +++ b/7project/backend/tests/test_unit_user_service.py @@ -19,7 +19,7 @@ def test_get_oauth_provider_known_unknown(): def test_get_jwt_strategy_lifetime(): strategy = user_service.get_jwt_strategy() assert strategy is not None - # Basic smoke check: strategy has a lifetime set to 3600 + # Basic smoke check: strategy has a lifetime set to 604800 assert getattr(strategy, "lifetime_seconds", None) in (604800,) From edb4dfd14779c13e929341bd213ec841d243736d Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 13:50:04 +0100 Subject: [PATCH 05/19] fix(tests): fixed testing DB deployment --- .github/workflows/run-tests.yml | 40 ++++++++++++--------------------- 1 file changed, 14 insertions(+), 26 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index eb7f488..9573551 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -19,69 +19,57 @@ on: # ----------------- # A workflow is made up of one or more jobs that can run in parallel or sequentially. jobs: - # A descriptive name for your job build-and-test: - # Specifies the virtual machine to run the job on. 'ubuntu-latest' is a common and cost-effective choice. runs-on: ubuntu-latest # 1) Start a MariaDB service container for tests services: + # The label 'mariadb' becomes the hostname mariadb: image: mariadb:11.4 env: MARIADB_ROOT_PASSWORD: rootpw - MARIADB_DATABASE: group_project_test + # This DB name now matches what your app expects + MARIADB_DATABASE: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass - ports: - - 3306:3306 - options: >- - --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" - --health-interval=5s - --health-timeout=2s - --health-retries=20 + # 'ports' and 'options' are removed. + # GitHub Actions will use the image's default healthcheck. - # 2) Expose DB connection settings to steps so your app picks them up + # 2) Expose DB connection settings to steps env: - MARIADB_HOST: 127.0.0.1 - MARIADB_PORT: "3306" - MARIADB_DB: group_project_test + # Use the service label 'mariadb' as the host + MARIADB_HOST: mariadb + MARIADB_PORT: "3306" # This is the internal port, which is correct + # Match the database name from the service + MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass - # Optional: enable SQL echo logs in CI for debugging - # SQL_ECHO: "1" # ----------------- # ----- Steps ----- # ----------------- - # A sequence of tasks that will be executed as part of the job. steps: - # Step 1: Check out your repository's code - # This action allows the workflow to access your code. + # ... (your steps remain the same) ... + - name: Check out repository code uses: actions/checkout@v4 - # Step 2: Set up the Python environment - # This action installs a specific version of Python on the runner. - name: Set up Python 3.11 uses: actions/setup-python@v5 with: - python-version: '3.11' # Use the Python version that matches your project + python-version: '3.11' - # Step 3: Install project dependencies (from repo root) - name: Install dependencies run: | python -m pip install --upgrade pip pip install -r requirements.txt - # Step 4: Apply DB migrations before running tests - name: Run Alembic migrations run: | alembic upgrade head working-directory: ./7project/backend - # Step 5: Run your tests! - # Executes the pytest command to run your test suite. - name: Run tests with pytest run: pytest working-directory: ./7project/backend \ No newline at end of file From 65957d78ecca96a4762bbd62adcfc2b22b96bf68 Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 14:07:06 +0100 Subject: [PATCH 06/19] fix(tests): fixed testing DB deployment --- .github/workflows/run-tests.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 9573551..0183ae3 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -71,5 +71,10 @@ jobs: working-directory: ./7project/backend - name: Run tests with pytest + env: + MARIADB_HOST: mariadb + MARIADB_DB: group_project # Make sure this matches the service DB + MARIADB_USER: appuser + MARIADB_PASSWORD: apppass run: pytest working-directory: ./7project/backend \ No newline at end of file From 542b05d541d5ea72426fa2377dce4b6fc59c19c7 Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 14:11:43 +0100 Subject: [PATCH 07/19] fix(tests): fixed testing DB deployment v3 --- .github/workflows/run-tests.yml | 35 +++++++++++++++++---------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 0183ae3..543106a 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -22,36 +22,33 @@ jobs: build-and-test: runs-on: ubuntu-latest - # 1) Start a MariaDB service container for tests services: - # The label 'mariadb' becomes the hostname mariadb: image: mariadb:11.4 env: MARIADB_ROOT_PASSWORD: rootpw - # This DB name now matches what your app expects - MARIADB_DATABASE: group_project + MARIADB_DATABASE: group_project # Using the DB name your app expects MARIADB_USER: appuser MARIADB_PASSWORD: apppass - # 'ports' and 'options' are removed. - # GitHub Actions will use the image's default healthcheck. + # ADD THIS BLOCK BACK IN + # This forces the job to wait until the DB is + # actually responding before continuing. + options: >- + --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" + --health-interval=5s + --health-timeout=2s + --health-retries=20 - # 2) Expose DB connection settings to steps + # This is the job-level 'env' block + # It will be used by the 'alembic' step env: - # Use the service label 'mariadb' as the host - MARIADB_HOST: mariadb - MARIADB_PORT: "3306" # This is the internal port, which is correct - # Match the database name from the service + MARIADB_HOST: mariadb # Use the service label as the host + MARIADB_PORT: "3306" MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass - # ----------------- - # ----- Steps ----- - # ----------------- steps: - # ... (your steps remain the same) ... - - name: Check out repository code uses: actions/checkout@v4 @@ -65,15 +62,19 @@ jobs: python -m pip install --upgrade pip pip install -r requirements.txt + # This step will now wait for the healthcheck to pass + # and will use the job-level 'env' block - name: Run Alembic migrations run: | alembic upgrade head working-directory: ./7project/backend + # This step-level 'env' block overrides any local .env + # file that your pytest setup might be loading - name: Run tests with pytest env: MARIADB_HOST: mariadb - MARIADB_DB: group_project # Make sure this matches the service DB + MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass run: pytest From 3348e0a035fe780a6aaa4f4f0b98ad509a4e5aa7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Trkan?= Date: Wed, 29 Oct 2025 14:17:53 +0100 Subject: [PATCH 08/19] feat(database): encrypt transactions data --- ...29_1326-46b9e702e83f_add_encrypted_type.py | 47 ++++++++++++ 7project/backend/app/models/transaction.py | 10 ++- 7project/backend/requirements.txt | 1 + requirements.txt | 72 ------------------- 4 files changed, 56 insertions(+), 74 deletions(-) create mode 100644 7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py delete mode 100644 requirements.txt diff --git a/7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py b/7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py new file mode 100644 index 0000000..8f9119a --- /dev/null +++ b/7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py @@ -0,0 +1,47 @@ +"""Add encrypted type + +Revision ID: 46b9e702e83f +Revises: 1f2a3c4d5e6f +Create Date: 2025-10-29 13:26:24.568523 + +""" +from typing import Sequence, Union + +import sqlalchemy_utils +from alembic import op +import sqlalchemy as sa +from sqlalchemy.dialects import mysql + +# revision identifiers, used by Alembic. +revision: str = '46b9e702e83f' +down_revision: Union[str, Sequence[str], None] = '1f2a3c4d5e6f' +branch_labels: Union[str, Sequence[str], None] = None +depends_on: Union[str, Sequence[str], None] = None + + +def upgrade() -> None: + """Upgrade schema.""" + # ### commands auto generated by Alembic - please adjust! ### + op.alter_column('transaction', 'amount', + existing_type=mysql.FLOAT(), + type_=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + existing_nullable=False) + op.alter_column('transaction', 'description', + existing_type=mysql.VARCHAR(length=255), + type_=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + existing_nullable=True) + # ### end Alembic commands ### + + +def downgrade() -> None: + """Downgrade schema.""" + # ### commands auto generated by Alembic - please adjust! ### + op.alter_column('transaction', 'description', + existing_type=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + type_=mysql.VARCHAR(length=255), + existing_nullable=True) + op.alter_column('transaction', 'amount', + existing_type=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + type_=mysql.FLOAT(), + existing_nullable=False) + # ### end Alembic commands ### diff --git a/7project/backend/app/models/transaction.py b/7project/backend/app/models/transaction.py index 84f3981..d432437 100644 --- a/7project/backend/app/models/transaction.py +++ b/7project/backend/app/models/transaction.py @@ -1,15 +1,21 @@ +import os from fastapi_users_db_sqlalchemy import GUID from sqlalchemy import Column, Integer, String, Float, ForeignKey, Date, func from sqlalchemy.orm import relationship +from sqlalchemy_utils import EncryptedType +from sqlalchemy_utils.types.encrypted.encrypted_type import FernetEngine + from app.core.base import Base from app.models.categories import association_table +SECRET_KEY = os.environ.get("DB_ENCRYPTION_KEY", "localdev") + class Transaction(Base): __tablename__ = "transaction" id = Column(Integer, primary_key=True, autoincrement=True) - amount = Column(Float, nullable=False) - description = Column(String(length=255), nullable=True) + amount = Column(EncryptedType(Float, SECRET_KEY, engine=FernetEngine), nullable=False) + description = Column(EncryptedType(String(length=255), SECRET_KEY, engine=FernetEngine), nullable=True) date = Column(Date, nullable=False, server_default=func.current_date()) user_id = Column(GUID, ForeignKey("user.id"), nullable=False) diff --git a/7project/backend/requirements.txt b/7project/backend/requirements.txt index 34fc377..d0699ef 100644 --- a/7project/backend/requirements.txt +++ b/7project/backend/requirements.txt @@ -54,6 +54,7 @@ sentry-sdk==2.42.0 six==1.17.0 sniffio==1.3.1 SQLAlchemy==2.0.43 +SQLAlchemy-Utils==0.42.0 starlette==0.48.0 tomli==2.2.1 typing-inspection==0.4.1 diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index f97951f..0000000 --- a/requirements.txt +++ /dev/null @@ -1,72 +0,0 @@ -aio-pika==9.5.6 -aiormq==6.8.1 -aiosqlite==0.21.0 -alembic==1.16.5 -amqp==5.3.1 -annotated-types==0.7.0 -anyio==4.11.0 -argon2-cffi==23.1.0 -argon2-cffi-bindings==25.1.0 -asyncmy==0.2.9 -bcrypt==4.3.0 -billiard==4.2.2 -celery==5.5.3 -certifi==2025.10.5 -cffi==2.0.0 -click==8.1.8 -click-didyoumean==0.3.1 -click-plugins==1.1.1.2 -click-repl==0.3.0 -cryptography==46.0.1 -dnspython==2.7.0 -email_validator==2.2.0 -exceptiongroup==1.3.0 -fastapi==0.117.1 -fastapi-users==14.0.1 -fastapi-users-db-sqlalchemy==7.0.0 -greenlet==3.2.4 -h11==0.16.0 -httpcore==1.0.9 -httptools==0.6.4 -httpx==0.28.1 -httpx-oauth==0.16.1 -idna==3.10 -iniconfig==2.3.0 -kombu==5.5.4 -makefun==1.16.0 -Mako==1.3.10 -MarkupSafe==3.0.2 -multidict==6.6.4 -packaging==25.0 -pamqp==3.3.0 -pluggy==1.6.0 -prompt_toolkit==3.0.52 -propcache==0.3.2 -pwdlib==0.2.1 -pycparser==2.23 -pydantic==2.11.9 -pydantic_core==2.33.2 -Pygments==2.19.2 -PyJWT==2.10.1 -PyMySQL==1.1.2 -pytest==8.4.2 -pytest-asyncio==1.2.0 -python-dateutil==2.9.0.post0 -python-dotenv==1.1.1 -python-multipart==0.0.20 -PyYAML==6.0.2 -six==1.17.0 -sniffio==1.3.1 -SQLAlchemy==2.0.43 -starlette==0.48.0 -tomli==2.2.1 -typing-inspection==0.4.1 -typing_extensions==4.15.0 -tzdata==2025.2 -uvicorn==0.37.0 -uvloop==0.21.0 -vine==5.1.0 -watchfiles==1.1.0 -wcwidth==0.2.14 -websockets==15.0.1 -yarl==1.20.1 From 55f8e3837639ce2a9d9168515cfb69136e4b0fed Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 14:20:20 +0100 Subject: [PATCH 09/19] fix(tests): fixed testing DB deployment v4 --- .github/workflows/run-tests.yml | 15 ++++++++------- 7project/backend/alembic/env.py | 3 ++- 7project/backend/app/core/db.py | 3 ++- 3 files changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 543106a..a813431 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -9,7 +9,7 @@ permissions: on: # Run on every push to the 'main' branch push: - branches: [ "main", "33-frontend-looks-like-logged-in-even-after-token-expires" ] + branches: [ "main" ] # Also run on every pull request that targets the 'main' branch pull_request: branches: [ "main" ] @@ -30,9 +30,9 @@ jobs: MARIADB_DATABASE: group_project # Using the DB name your app expects MARIADB_USER: appuser MARIADB_PASSWORD: apppass - # ADD THIS BLOCK BACK IN - # This forces the job to wait until the DB is - # actually responding before continuing. + ports: + - 3306:3306 + # Healthcheck ensures the job only starts when DB is ready options: >- --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" --health-interval=5s @@ -40,9 +40,9 @@ jobs: --health-retries=20 # This is the job-level 'env' block - # It will be used by the 'alembic' step + # It will be used by all steps (alembic, pytest, etc.) env: - MARIADB_HOST: mariadb # Use the service label as the host + MARIADB_HOST: 127.0.0.1 MARIADB_PORT: "3306" MARIADB_DB: group_project MARIADB_USER: appuser @@ -73,7 +73,8 @@ jobs: # file that your pytest setup might be loading - name: Run tests with pytest env: - MARIADB_HOST: mariadb + MARIADB_HOST: 127.0.0.1 + MARIADB_PORT: "3306" MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass diff --git a/7project/backend/alembic/env.py b/7project/backend/alembic/env.py index ec52aab..f910b91 100644 --- a/7project/backend/alembic/env.py +++ b/7project/backend/alembic/env.py @@ -25,7 +25,8 @@ if not DATABASE_URL: SYNC_DATABASE_URL = DATABASE_URL.replace("+asyncmy", "+pymysql") -ssl_enabled = os.getenv("MARIADB_HOST", "localhost") != "localhost" +host_env = os.getenv("MARIADB_HOST", "localhost") +ssl_enabled = host_env not in {"localhost", "127.0.0.1"} connect_args = {"ssl": {"ssl": True}} if ssl_enabled else {} def run_migrations_offline() -> None: diff --git a/7project/backend/app/core/db.py b/7project/backend/app/core/db.py index 9c8cad7..1186352 100644 --- a/7project/backend/app/core/db.py +++ b/7project/backend/app/core/db.py @@ -19,7 +19,8 @@ from app.models.user import User from app.models.transaction import Transaction from app.models.categories import Category -ssl_enabled = os.getenv("MARIADB_HOST", "localhost") != "localhost" +host_env = os.getenv("MARIADB_HOST", "localhost") +ssl_enabled = host_env not in {"localhost", "127.0.0.1"} connect_args = {"ssl": {"ssl": True}} if ssl_enabled else {} engine = create_async_engine( From 7d2e94e683a33d0b0b31e9987b6e2cb81c017258 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Trkan?= Date: Wed, 29 Oct 2025 14:23:14 +0100 Subject: [PATCH 10/19] feat(database): add encryption key --- .github/workflows/deploy-pr.yaml | 3 ++- .github/workflows/deploy-prod.yaml | 3 ++- 7project/charts/myapp-chart/templates/app-deployment.yaml | 5 +++++ 7project/charts/myapp-chart/templates/prod.yaml | 1 + .../charts/myapp-chart/templates/worker-deployment.yaml | 7 ++++++- 7project/charts/myapp-chart/values.yaml | 1 + 6 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy-pr.yaml b/.github/workflows/deploy-pr.yaml index 56938bd..8a705b2 100644 --- a/.github/workflows/deploy-pr.yaml +++ b/.github/workflows/deploy-pr.yaml @@ -118,7 +118,8 @@ jobs: --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \ --set image.digest="$DIGEST" \ --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \ - --set-string database.password="$DB_PASSWORD" + --set-string database.password="$DB_PASSWORD" \ + --set-string database.encryptionSecret="$PR" - name: Post preview URLs as PR comment uses: actions/github-script@v7 diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml index 7f99e56..769ff0c 100644 --- a/.github/workflows/deploy-prod.yaml +++ b/.github/workflows/deploy-prod.yaml @@ -129,4 +129,5 @@ jobs: --set-string oauth.mojeid.clientSecret="$MOJEID_CLIENT_SECRET" \ --set-string oauth.csas.clientId="$CSAS_CLIENT_ID" \ --set-string oauth.csas.clientSecret="$CSAS_CLIENT_SECRET" \ - --set-string sentry_dsn="$SENTRY_DSN" \ \ No newline at end of file + --set-string sentry_dsn="$SENTRY_DSN" \ + --set-string database.encryptionSecret="${{ secrets.PROD_DB_ENCRYPTION_KEY }}" \ No newline at end of file diff --git a/7project/charts/myapp-chart/templates/app-deployment.yaml b/7project/charts/myapp-chart/templates/app-deployment.yaml index dc85dbd..02afbfb 100644 --- a/7project/charts/myapp-chart/templates/app-deployment.yaml +++ b/7project/charts/myapp-chart/templates/app-deployment.yaml @@ -101,6 +101,11 @@ spec: secretKeyRef: name: prod key: SENTRY_DSN + - name: DB_ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: prod + key: DB_ENCRYPTION_KEY livenessProbe: httpGet: path: / diff --git a/7project/charts/myapp-chart/templates/prod.yaml b/7project/charts/myapp-chart/templates/prod.yaml index 0b9442d..abb294a 100644 --- a/7project/charts/myapp-chart/templates/prod.yaml +++ b/7project/charts/myapp-chart/templates/prod.yaml @@ -18,3 +18,4 @@ stringData: RABBITMQ_PASSWORD: {{ .Values.rabbitmq.password | default "" | quote }} RABBITMQ_USERNAME: {{ .Values.rabbitmq.username | quote }} SENTRY_DSN: {{ .Values.sentry_dsn | quote }} + DB_ENCRYPTION_KEY: {{ required "Set .Values.database.encryptionSecret" .Values.database.encryptionSecret | quote }} diff --git a/7project/charts/myapp-chart/templates/worker-deployment.yaml b/7project/charts/myapp-chart/templates/worker-deployment.yaml index 11227d3..fbd5182 100644 --- a/7project/charts/myapp-chart/templates/worker-deployment.yaml +++ b/7project/charts/myapp-chart/templates/worker-deployment.yaml @@ -20,7 +20,7 @@ spec: securityContext: allowPrivilegeEscalation: false capabilities: - drop: ["ALL"] + drop: [ "ALL" ] command: - celery - -A @@ -80,3 +80,8 @@ spec: secretKeyRef: name: prod key: CSAS_CLIENT_SECRET + - name: DB_ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: prod + key: DB_ENCRYPTION_KEY diff --git a/7project/charts/myapp-chart/values.yaml b/7project/charts/myapp-chart/values.yaml index 867728e..d20fa70 100644 --- a/7project/charts/myapp-chart/values.yaml +++ b/7project/charts/myapp-chart/values.yaml @@ -75,3 +75,4 @@ database: userName: app-demo-user secretName: app-demo-database-secret password: "" + encryptionSecret: "" From e916a57e4e72d1c8b0f7e077ca7fde4e16f78508 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Trkan?= Date: Wed, 29 Oct 2025 14:25:18 +0100 Subject: [PATCH 11/19] fix(tests): move requirements.txt --- .github/workflows/run-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index b71a6d1..1fe9501 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -46,7 +46,7 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install -r requirements.txt + pip install -r ./7project/backend/requirements.txt # Step 4: Run your tests! # Executes the pytest command to run your test suite. From 06dcccb321384ab4d97a1ebfa778add59b138820 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Trkan?= Date: Wed, 29 Oct 2025 14:28:25 +0100 Subject: [PATCH 12/19] fix(tests): add missing dependencies --- .github/workflows/run-tests.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 1fe9501..ffa130e 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -43,6 +43,11 @@ jobs: # Step 3: Install project dependencies # Runs shell commands to install the libraries listed in your requirements.txt. + - name: Add test dependencies to requirements + run: | + echo "pytest==8.4.2" >> ./7project/backend/requirements.txt + echo "pytest-asyncio==1.2.0" >> ./7project/backend/requirements.txt + - name: Install dependencies run: | python -m pip install --upgrade pip From d8ea25943c84441d764e140988dec08f7687411e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Trkan?= Date: Wed, 29 Oct 2025 14:32:25 +0100 Subject: [PATCH 13/19] feat(code): remove sentry debug endpoint --- 7project/backend/app/app.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/7project/backend/app/app.py b/7project/backend/app/app.py index ae50a62..12b2010 100644 --- a/7project/backend/app/app.py +++ b/7project/backend/app/app.py @@ -105,10 +105,6 @@ async def root(): async def authenticated_route(user: User = Depends(current_active_verified_user)): return {"message": f"Hello {user.email}!"} -@fastApi.get("/sentry-debug") -async def trigger_error(): - division_by_zero = 1 / 0 - @fastApi.get("/debug/scrape/csas/all", tags=["debug"]) async def debug_scrape_csas_all(): From 52f6bd6a5375e597a1857af47288ea5a0e928ba6 Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 14:43:26 +0100 Subject: [PATCH 14/19] fix(tests): fixed testing DB deployment v5 --- .github/workflows/deploy-pr.yaml | 20 +---------- .github/workflows/deploy-prod.yaml | 21 +----------- .github/workflows/run-tests.yml | 54 +++++++++--------------------- 3 files changed, 18 insertions(+), 77 deletions(-) diff --git a/.github/workflows/deploy-pr.yaml b/.github/workflows/deploy-pr.yaml index 56938bd..0228e16 100644 --- a/.github/workflows/deploy-pr.yaml +++ b/.github/workflows/deploy-pr.yaml @@ -12,25 +12,7 @@ jobs: test: name: Run Python Tests if: github.event.action != 'closed' - runs-on: ubuntu-latest - - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Set up Python 3.11 - uses: actions/setup-python@v5 - with: - python-version: '3.11' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - - name: Run tests with pytest - run: pytest - working-directory: ./7project/backend + uses: ./.github/workflows/run-tests.yml build: if: github.event.action != 'closed' diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml index 7f99e56..0bdfefb 100644 --- a/.github/workflows/deploy-prod.yaml +++ b/.github/workflows/deploy-prod.yaml @@ -23,26 +23,7 @@ concurrency: jobs: test: name: Run Python Tests - if: github.event.action != 'closed' - runs-on: ubuntu-latest - - steps: - - name: Check out repository code - uses: actions/checkout@v4 - - - name: Set up Python 3.11 - uses: actions/setup-python@v5 - with: - python-version: '3.11' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - - - name: Run tests with pytest - run: pytest - working-directory: ./7project/backend + uses: ./.github/workflows/run-tests.yml build: name: Build and push image (reusable) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index a813431..ff3ad3e 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -2,48 +2,31 @@ name: Run Python Tests permissions: contents: read -# ----------------- -# --- Triggers ---- -# ----------------- -# This section defines when the workflow will run. on: - # Run on every push to the 'main' branch - push: - branches: [ "main" ] - # Also run on every pull request that targets the 'main' branch - pull_request: - branches: [ "main" ] + workflow_call: -# ----------------- -# ------ Jobs ----- -# ----------------- -# A workflow is made up of one or more jobs that can run in parallel or sequentially. jobs: build-and-test: runs-on: ubuntu-latest + # 1) Start a MariaDB service container for tests services: + # The label 'mariadb' becomes the hostname mariadb: image: mariadb:11.4 env: MARIADB_ROOT_PASSWORD: rootpw - MARIADB_DATABASE: group_project # Using the DB name your app expects + # This DB name now matches what your app expects + MARIADB_DATABASE: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass - ports: - - 3306:3306 - # Healthcheck ensures the job only starts when DB is ready - options: >- - --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" - --health-interval=5s - --health-timeout=2s - --health-retries=20 - # This is the job-level 'env' block - # It will be used by all steps (alembic, pytest, etc.) + # 2) Expose DB connection settings to steps env: - MARIADB_HOST: 127.0.0.1 - MARIADB_PORT: "3306" + # Use the service label 'mariadb' as the host + MARIADB_HOST: mariadb + MARIADB_PORT: "3306" # This is the internal port, which is correct + # Match the database name from the service MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass @@ -57,26 +40,21 @@ jobs: with: python-version: '3.11' + - name: Add test dependencies to requirements + run: | + echo "pytest==8.4.2" >> ./7project/backend/requirements.txt + echo "pytest-asyncio==1.2.0" >> ./7project/backend/requirements.txt + - name: Install dependencies run: | python -m pip install --upgrade pip - pip install -r requirements.txt + pip install -r ./7project/backend/requirements.txt - # This step will now wait for the healthcheck to pass - # and will use the job-level 'env' block - name: Run Alembic migrations run: | alembic upgrade head working-directory: ./7project/backend - # This step-level 'env' block overrides any local .env - # file that your pytest setup might be loading - name: Run tests with pytest - env: - MARIADB_HOST: 127.0.0.1 - MARIADB_PORT: "3306" - MARIADB_DB: group_project - MARIADB_USER: appuser - MARIADB_PASSWORD: apppass run: pytest working-directory: ./7project/backend \ No newline at end of file From 7529c9b265ad354912fbd97c97008d046fbc81cf Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 19:45:08 +0100 Subject: [PATCH 15/19] fix(tests): fixed testing DB deployment v6 --- .github/workflows/run-tests.yml | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 9f44dbe..bee1ba9 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -2,41 +2,30 @@ name: Run Python Tests permissions: contents: read -# ----------------- -# --- Triggers ---- -# ----------------- -# This section defines when the workflow will run. on: workflow_call: -# ----------------- -# ------ Jobs ----- -# ----------------- -# A workflow is made up of one or more jobs that can run in parallel or sequentially. jobs: - # A descriptive name for your job build-and-test: - # Specifies the virtual machine to run the job on. 'ubuntu-latest' is a common and cost-effective choice. runs-on: ubuntu-latest - # 1) Start a MariaDB service container for tests services: - # The label 'mariadb' becomes the hostname mariadb: image: mariadb:11.4 env: MARIADB_ROOT_PASSWORD: rootpw - # This DB name now matches what your app expects MARIADB_DATABASE: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass + options: >- + --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" + --health-interval=5s + --health-timeout=2s + --health-retries=20 - # 2) Expose DB connection settings to steps env: - # Use the service label 'mariadb' as the host MARIADB_HOST: mariadb - MARIADB_PORT: "3306" # This is the internal port, which is correct - # Match the database name from the service + MARIADB_PORT: "3306" MARIADB_DB: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass From 483a859b4b3672c4d9ae543c5717d8236a69a159 Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 19:53:26 +0100 Subject: [PATCH 16/19] fix(tests): fixed testing DB deployment v7 --- .github/workflows/run-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index bee1ba9..e0ec110 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -18,7 +18,7 @@ jobs: MARIADB_USER: appuser MARIADB_PASSWORD: apppass options: >- - --health-cmd="mysqladmin ping -h 127.0.0.1 -u root -prootpw --silent" + --health-cmd="mariadb-admin ping -h 127.0.0.1 -u root -prootpw --silent" --health-interval=5s --health-timeout=2s --health-retries=20 From dddca9d805b3b3dabd6da4d16c1438a47d024fc7 Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 19:57:20 +0100 Subject: [PATCH 17/19] fix(tests): fixed testing DB deployment v8 :D --- .github/workflows/run-tests.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index e0ec110..0ef11da 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -49,6 +49,11 @@ jobs: python -m pip install --upgrade pip pip install -r ./7project/backend/requirements.txt + - name: Wait for DB network + run: | + echo "Waiting 15s for the database network to be ready..." + sleep 15 + - name: Run Alembic migrations run: | alembic upgrade head From d9c562f867f8b3d7673119f7fc35e67182fa64ba Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 20:01:21 +0100 Subject: [PATCH 18/19] fix(tests): fixed testing DB deployment v9 :O --- .github/workflows/run-tests.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 0ef11da..ddd0337 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -17,6 +17,8 @@ jobs: MARIADB_DATABASE: group_project MARIADB_USER: appuser MARIADB_PASSWORD: apppass + ports: + - 3306:3306 options: >- --health-cmd="mariadb-admin ping -h 127.0.0.1 -u root -prootpw --silent" --health-interval=5s @@ -24,7 +26,7 @@ jobs: --health-retries=20 env: - MARIADB_HOST: mariadb + MARIADB_HOST: 127.0.0.1 MARIADB_PORT: "3306" MARIADB_DB: group_project MARIADB_USER: appuser @@ -49,11 +51,6 @@ jobs: python -m pip install --upgrade pip pip install -r ./7project/backend/requirements.txt - - name: Wait for DB network - run: | - echo "Waiting 15s for the database network to be ready..." - sleep 15 - - name: Run Alembic migrations run: | alembic upgrade head From 4c9879cebfa73e07f68db7adce58774a6df4942a Mon Sep 17 00:00:00 2001 From: ribardej Date: Wed, 29 Oct 2025 20:04:50 +0100 Subject: [PATCH 19/19] fix(tests): finally fixed the test DB deployment :} --- 7project/backend/tests/test_integration_app.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/7project/backend/tests/test_integration_app.py b/7project/backend/tests/test_integration_app.py index 5d290aa..c924e25 100644 --- a/7project/backend/tests/test_integration_app.py +++ b/7project/backend/tests/test_integration_app.py @@ -14,11 +14,6 @@ def test_authenticated_route_requires_auth(client): assert resp.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN) -def test_sentry_debug_raises_exception(client): - with pytest.raises(ZeroDivisionError): - client.get("/sentry-debug") - - @pytest.mark.asyncio async def test_create_and_get_category(fastapi_app, test_user): # Use AsyncClient for async tests