feat(docs): codebase refactor - added src directory

7project/src/backend/tests/conftest.py

@@ -0,0 +1,44 @@
+import sys
+import uuid
+import types
+import pytest
+from fastapi.testclient import TestClient
+from httpx import AsyncClient, ASGITransport
+
+# Stub sentry_sdk to avoid optional dependency issues during import of app
+stub = types.ModuleType("sentry_sdk")
+stub.init = lambda *args, **kwargs: None
+sys.modules.setdefault("sentry_sdk", stub)
+
+# Import the FastAPI application
+from app.app import fastApi as app  # noqa: E402
+
+
+@pytest.fixture(scope="session")
+def fastapi_app():
+    return app
+
+
+@pytest.fixture(scope="session")
+def client(fastapi_app):
+    return TestClient(fastapi_app, raise_server_exceptions=True)
+
+
+@pytest.fixture(scope="function")
+async def test_user(fastapi_app):
+    """
+    Creates a new user asynchronously and returns their credentials.
+    Does NOT log them in.
+    Using AsyncClient with ASGITransport avoids event loop conflicts with DB connections.
+    """
+    unique_email = f"testuser_{uuid.uuid4()}@example.com"
+    password = "a_strong_password"
+    user_payload = {"email": unique_email, "password": password}
+
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        response = await ac.post("/auth/register", json=user_payload)
+        assert response.status_code == 201
+
+    return {"username": unique_email, "password": password}
+

7project/src/backend/tests/test_e2e.py

@@ -0,0 +1,210 @@
+import pytest
+import uuid
+from httpx import AsyncClient, ASGITransport
+from fastapi import status
+
+
+def test_e2e(client):
+    # 1) Service is alive
+    alive = client.get("/")
+    assert alive.status_code == status.HTTP_200_OK
+
+    # 2) Attempt to login without payload should fail fast (validation error)
+    login = client.post("/auth/jwt/login")
+    assert login.status_code in (status.HTTP_400_BAD_REQUEST, status.HTTP_422_UNPROCESSABLE_CONTENT)
+
+    # 3) Protected endpoint should not be accessible without token
+    me = client.get("/users/me")
+    assert me.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN)
+
+
+@pytest.mark.asyncio
+async def test_e2e_full_user_lifecycle(fastapi_app, test_user):
+    # Use an AsyncClient with ASGITransport for async tests
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        login_payload = test_user
+
+        # 1. Log in with the new credentials
+        login_resp = await ac.post("/auth/jwt/login", data=login_payload)
+        assert login_resp.status_code == status.HTTP_200_OK
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # 2. Access a protected endpoint
+        me_resp = await ac.get("/users/me", headers=headers)
+        assert me_resp.status_code == status.HTTP_200_OK
+        assert me_resp.json()["email"] == test_user["username"]
+
+        # 3. Update the user's profile
+        update_payload = {"first_name": "Test"}
+        patch_resp = await ac.patch("/users/me", json=update_payload, headers=headers)
+        assert patch_resp.status_code == status.HTTP_200_OK
+        assert patch_resp.json()["first_name"] == "Test"
+
+        # 4. Log out
+        logout_resp = await ac.post("/auth/jwt/logout", headers=headers)
+        assert logout_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+        # 5. Verify token is invalid
+        me_again_resp = await ac.get("/users/me", headers=headers)
+        assert me_again_resp.status_code == status.HTTP_401_UNAUTHORIZED
+
+
+@pytest.mark.asyncio
+async def test_e2e_transaction_workflow(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # 1. Log in to get the token
+        login_resp = await ac.post("/auth/jwt/login", data=test_user)
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # NEW STEP: Create a category first to get a valid ID
+        category_payload = {"name": "Test Category for E2E"}
+        create_category_resp = await ac.post("/categories/create", json=category_payload, headers=headers)
+        assert create_category_resp.status_code == status.HTTP_201_CREATED
+        category_id = create_category_resp.json()["id"]
+
+        # 2. Create a new transaction
+        tx_payload = {"amount": -55.40, "description": "Milk and eggs"}
+        tx_resp = await ac.post("/transactions/create", json=tx_payload, headers=headers)
+        assert tx_resp.status_code == status.HTTP_201_CREATED
+        tx_id = tx_resp.json()["id"]
+
+        # 3. Assign the category
+        assign_resp = await ac.post(f"/transactions/{tx_id}/categories/{category_id}", headers=headers)
+        assert assign_resp.status_code == status.HTTP_200_OK
+
+        # 4. Verify assignment
+        get_tx_resp = await ac.get(f"/transactions/{tx_id}", headers=headers)
+        assert category_id in get_tx_resp.json()["category_ids"]
+
+        # 5. Unassign the category
+        unassign_resp = await ac.delete(f"/transactions/{tx_id}/categories/{category_id}", headers=headers)
+        assert unassign_resp.status_code == status.HTTP_200_OK
+
+        # 6. Get the transaction again and verify the category is gone
+        get_tx_again_resp = await ac.get(f"/transactions/{tx_id}", headers=headers)
+        final_tx_data = get_tx_again_resp.json()
+        assert category_id not in final_tx_data["category_ids"]
+
+        # 7. Delete the transaction for cleanup
+        delete_resp = await ac.delete(f"/transactions/{tx_id}/delete", headers=headers)
+        assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+        # NEW STEP: Clean up the created category
+        delete_category_resp = await ac.delete(f"/categories/{category_id}", headers=headers)
+        assert delete_category_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+@pytest.mark.asyncio
+async def test_register_then_login_and_fetch_me(fastapi_app):
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # Use unique email to avoid duplicates across runs
+        suffix = uuid.uuid4().hex[:8]
+        email = f"newuser_{suffix}@example.com"
+        password = "StrongPassw0rd!"
+
+        reg = await ac.post("/auth/register", json={"email": email, "password": password})
+        assert reg.status_code in (status.HTTP_201_CREATED, status.HTTP_200_OK)
+
+        login = await ac.post("/auth/jwt/login", data={"username": email, "password": password})
+        assert login.status_code == status.HTTP_200_OK
+        token = login.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+        try:
+            me = await ac.get("/users/me", headers=headers)
+            assert me.status_code == status.HTTP_200_OK
+            assert me.json()["email"] == email
+        finally:
+            # Cleanup: delete the created user so future runs won’t conflict
+            d = await ac.delete("/users/me", headers=headers)
+            assert d.status_code == status.HTTP_204_NO_CONTENT
+
+
+@pytest.mark.asyncio
+async def test_delete_current_user_revokes_access(fastapi_app):
+    transport = ASGITransport(app=fastapi_app, raise_app_exceptions=True)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        email = "todelete@example.com"
+        password = "Passw0rd!"
+        reg = await ac.post("/auth/register", json={"email": email, "password": password})
+        assert reg.status_code in (status.HTTP_200_OK, status.HTTP_201_CREATED)
+
+        login = await ac.post("/auth/jwt/login", data={"username": email, "password": password})
+        token = login.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # Delete self
+        d = await ac.delete("/users/me", headers=headers)
+        assert d.status_code == status.HTTP_204_NO_CONTENT
+
+        # Access should now fail
+        me = await ac.get("/users/me", headers=headers)
+        assert me.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN)
+
+
+@pytest.mark.asyncio
+async def test_update_category_conflict_and_404(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+
+        a = (await ac.post("/categories/create", json={"name": "A"}, headers=h)).json()
+        b = (await ac.post("/categories/create", json={"name": "B"}, headers=h)).json()
+
+        # Attempt to rename A -> B should conflict
+        conflict = await ac.patch(f"/categories/{a['id']}", json={"name": "B"}, headers=h)
+        assert conflict.status_code == status.HTTP_409_CONFLICT
+
+        # Update non-existent
+        missing = await ac.patch("/categories/999999", json={"name": "Z"}, headers=h)
+        assert missing.status_code == status.HTTP_404_NOT_FOUND
+
+@pytest.mark.asyncio
+async def test_category_cross_user_isolation(fastapi_app):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # Generate unique emails for both users
+        sfx = uuid.uuid4().hex[:8]
+        u1 = {"email": f"u1_{sfx}@example.com", "password": "Aaaaaa1!"}
+        u2 = {"email": f"u2_{sfx}@example.com", "password": "Aaaaaa1!"}
+
+        # user1
+        assert (await ac.post("/auth/register", json=u1)).status_code in (200, 201)
+        t1 = (await ac.post("/auth/jwt/login", data={"username": u1["email"], "password": u1["password"]})).json()["access_token"]
+        h1 = {"Authorization": f"Bearer {t1}"}
+
+        # user1 creates a category
+        c = (await ac.post("/categories/create", json={"name": "Private"}, headers=h1)).json()
+        cat_id = c["id"]
+
+        # user2
+        assert (await ac.post("/auth/register", json=u2)).status_code in (200, 201)
+        t2 = (await ac.post("/auth/jwt/login", data={"username": u2["email"], "password": u2["password"]})).json()["access_token"]
+        h2 = {"Authorization": f"Bearer {t2}"}
+
+        try:
+            # user2 cannot read/delete user1's category
+            g = await ac.get(f"/categories/{cat_id}", headers=h2)
+            assert g.status_code == status.HTTP_404_NOT_FOUND
+            d = await ac.delete(f"/categories/{cat_id}", headers=h2)
+            assert d.status_code == status.HTTP_404_NOT_FOUND
+        finally:
+            # Cleanup: remove the created category as its owner
+            try:
+                _ = await ac.delete(f"/categories/{cat_id}", headers=h1)
+            except Exception:
+                pass
+            # Cleanup: delete both users to avoid email conflicts later
+            try:
+                _ = await ac.delete("/users/me", headers=h1)
+            except Exception:
+                pass
+            try:
+                _ = await ac.delete("/users/me", headers=h2)
+            except Exception:
+                pass
+

7project/src/backend/tests/test_integration_app.py

@@ -0,0 +1,159 @@
+from fastapi import status
+import pytest
+from httpx import AsyncClient, ASGITransport
+
+
+@pytest.mark.asyncio
+async def test_create_and_get_category(fastapi_app, test_user):
+    # Use AsyncClient for async tests
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # 1. Log in to get an auth token
+        login_resp = await ac.post("/auth/jwt/login", data=test_user)
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # 2. Define and create the new category
+        category_name = "Async Integration Test"
+        category_payload = {"name": category_name}
+        create_resp = await ac.post("/categories/create", json=category_payload, headers=headers)
+
+        # 3. Assert creation was successful
+        assert create_resp.status_code == status.HTTP_201_CREATED
+        created_data = create_resp.json()
+        category_id = created_data["id"]
+        assert created_data["name"] == category_name
+
+        # 4. GET the list of categories to verify
+        list_resp = await ac.get("/categories/", headers=headers)
+        assert list_resp.status_code == status.HTTP_200_OK
+
+        # 5. Check that our new category is in the list
+        categories_list = list_resp.json()
+        assert any(cat["name"] == category_name for cat in categories_list)
+
+        delete_resp = await ac.delete(f"/categories/{category_id}", headers=headers)
+        assert delete_resp.status_code in (status.HTTP_200_OK, status.HTTP_204_NO_CONTENT)
+
+
+@pytest.mark.asyncio
+async def test_create_transaction_missing_amount_fails(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        # 1. Log in to get an auth token
+        login_resp = await ac.post("/auth/jwt/login", data=test_user)
+        token = login_resp.json()["access_token"]
+        headers = {"Authorization": f"Bearer {token}"}
+
+        # 2. Define an invalid payload
+        invalid_payload = {"description": "This should fail"}
+
+        # 3. Attempt to create the transaction
+        resp = await ac.post("/transactions/create", json=invalid_payload, headers=headers)
+
+        # 4. Assert the expected validation error
+        assert resp.status_code == status.HTTP_422_UNPROCESSABLE_CONTENT
+
+
+@pytest.mark.asyncio
+async def test_login_invalid_credentials(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        bad = await ac.post("/auth/jwt/login", data={"username": test_user["username"], "password": "nope"})
+        assert bad.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_400_BAD_REQUEST)
+        unknown = await ac.post("/auth/jwt/login", data={"username": "nouser@example.com", "password": "x"})
+        assert unknown.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_400_BAD_REQUEST)
+
+
+@pytest.mark.asyncio
+async def test_category_duplicate_name_conflict(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+
+        p = {"name": "Food"}
+        r1 = await ac.post("/categories/create", json=p, headers=h)
+        assert r1.status_code == status.HTTP_201_CREATED
+        r2 = await ac.post("/categories/create", json=p, headers=h)
+        assert r2.status_code == status.HTTP_409_CONFLICT
+
+@pytest.mark.asyncio
+async def test_create_transaction_invalid_date_format(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+        bad = await ac.post("/transactions/create", json={"amount": 10, "description": "x", "date": "31-12-2024"}, headers=h)
+        assert bad.status_code == status.HTTP_400_BAD_REQUEST
+
+@pytest.mark.asyncio
+async def test_update_transaction_rejects_duplicate_category_ids(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+        tx = (await ac.post("/transactions/create", json={"amount": 5, "description": "x"}, headers=h)).json()
+        dup = await ac.patch(f"/transactions/{tx['id']}/edit", json={"category_ids": [1, 1]}, headers=h)
+        assert dup.status_code == status.HTTP_400_BAD_REQUEST
+
+@pytest.mark.asyncio
+async def test_assign_unassign_category_not_found_cases(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+
+        # Create tx and category
+        tx = (await ac.post("/transactions/create", json={"amount": 1, "description": "a"}, headers=h)).json()
+        cat = (await ac.post("/categories/create", json={"name": "X"}, headers=h)).json()
+
+        # Missing transaction
+        r1 = await ac.post(f"/transactions/999999/categories/{cat['id']}", headers=h)
+        assert r1.status_code == status.HTTP_404_NOT_FOUND
+
+        # Missing category
+        r2 = await ac.post(f"/transactions/{tx['id']}/categories/999999", headers=h)
+        assert r2.status_code == status.HTTP_404_NOT_FOUND
+
+@pytest.mark.asyncio
+async def test_transactions_date_filter_and_balance_series(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+
+        # Seed transactions spanning days
+        data = [
+            {"amount": 100, "description": "day1", "date": "2024-01-01"},
+            {"amount": -25, "description": "day2", "date": "2024-01-02"},
+            {"amount": 50, "description": "day3", "date": "2024-01-03"},
+        ]
+        for p in data:
+            r = await ac.post("/transactions/create", json=p, headers=h)
+            assert r.status_code == status.HTTP_201_CREATED
+
+        # Filtered list (2nd and 3rd only)
+        lst = await ac.get("/transactions/", params={"start_date": "2024-01-02", "end_date": "2024-01-03"}, headers=h)
+        assert lst.status_code == status.HTTP_200_OK
+        assert len(lst.json()) == 2
+
+        # Balance series should be cumulative per date
+        series = await ac.get("/transactions/balance_series", headers=h)
+        assert series.status_code == status.HTTP_200_OK
+        s = series.json()
+        assert s == [
+            {"date": "2024-01-01", "balance": 100.0},
+            {"date": "2024-01-02", "balance": 75.0},
+            {"date": "2024-01-03", "balance": 125.0},
+        ]
+
+@pytest.mark.asyncio
+async def test_delete_transaction_not_found(fastapi_app, test_user):
+    transport = ASGITransport(app=fastapi_app)
+    async with AsyncClient(transport=transport, base_url="http://testserver") as ac:
+        token = (await ac.post("/auth/jwt/login", data=test_user)).json()["access_token"]
+        h = {"Authorization": f"Bearer {token}"}
+        r = await ac.delete("/transactions/9999999/delete", headers=h)
+        assert r.status_code == status.HTTP_404_NOT_FOUND
+

7project/src/backend/tests/test_unit_user_service.py

@@ -0,0 +1,62 @@
+import pytest
+from fastapi import status
+from app.services import user_service
+
+
+def test_get_oauth_provider_known_unknown():
+    # Known providers should return a provider instance
+    bankid = user_service.get_oauth_provider("BankID")
+    mojeid = user_service.get_oauth_provider("MojeID")
+    assert bankid is not None
+    assert mojeid is not None
+
+    # Unknown should return None
+    assert user_service.get_oauth_provider("DoesNotExist") is None
+
+
+def test_get_jwt_strategy_lifetime():
+    strategy = user_service.get_jwt_strategy()
+    assert strategy is not None
+    # Basic smoke check: strategy has a lifetime set to 604800
+    assert getattr(strategy, "lifetime_seconds", None) in (604800,)
+
+def test_root_ok(client):
+    resp = client.get("/")
+    assert resp.status_code == status.HTTP_200_OK
+    assert resp.json() == {"status": "ok"}
+
+
+def test_authenticated_route_requires_auth(client):
+    resp = client.get("/authenticated-route")
+    assert resp.status_code in (status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN)
+
+@pytest.mark.asyncio
+async def test_on_after_request_verify_enqueues_email(monkeypatch):
+    calls = {}
+
+    def fake_enqueue_email(to: str, subject: str, body: str):
+        calls.setdefault("emails", []).append({
+            "to": to,
+            "subject": subject,
+            "body": body,
+        })
+
+    # Patch the enqueue_email used inside user_service
+    monkeypatch.setattr(user_service, "enqueue_email", fake_enqueue_email)
+
+    class DummyUser:
+        def __init__(self, email):
+            self.email = email
+
+    mgr = user_service.UserManager(user_db=None)  # user_db not needed for this method
+    user = DummyUser("test@example.com")
+
+    # Call the hook
+    await mgr.on_after_request_verify(user, token="abc123", request=None)
+
+    # Verify one email has been enqueued with expected content
+    assert len(calls.get("emails", [])) == 1
+    email = calls["emails"][0]
+    assert email["to"] == "test@example.com"
+    assert "ověření účtu" in email["subject"].lower()
+    assert "abc123" in email["body"]