feat(auth): add AuthService with JWT, lockout and tests

2025-10-13 00:03:02 +02:00
parent 92217301b5
commit aec6357dcb
5 changed files with 291 additions and 14 deletions
--- a/tests/unit/test_auth_service.py
+++ b/tests/unit/test_auth_service.py
@@ -0,0 +1,59 @@
+import pytest
+
+from src.server.services.auth_service import AuthError, AuthService, LockedOutError
+
+
+def test_setup_and_validate_success():
+    svc = AuthService()
+    password = "Str0ng!Pass"
+    svc.setup_master_password(password)
+    assert svc.is_configured()
+
+    assert svc.validate_master_password(password) is True
+
+    resp = svc.create_access_token(subject="tester", remember=False)
+    assert resp.token_type == "bearer"
+    assert resp.access_token
+
+    sess = svc.create_session_model(resp.access_token)
+    assert sess.expires_at is not None
+
+
+@pytest.mark.parametrize(
+    "bad",
+    [
+        "short",
+        "lowercaseonly",
+        "UPPERCASEONLY",
+        "NoSpecial1",
+    ],
+)
+def test_setup_weak_passwords(bad):
+    svc = AuthService()
+    with pytest.raises(ValueError):
+        svc.setup_master_password(bad)
+
+
+def test_failed_attempts_and_lockout():
+    svc = AuthService()
+    password = "An0ther$Good1"
+    svc.setup_master_password(password)
+
+    identifier = "test-ip"
+    # fail max_attempts times
+    for _ in range(svc.max_attempts):
+        assert (
+            svc.validate_master_password("wrongpassword", identifier=identifier)
+            is False
+        )
+
+    # Next attempt must raise LockedOutError
+    with pytest.raises(LockedOutError):
+        svc.validate_master_password(password, identifier=identifier)
+
+
+def test_token_decode_invalid():
+    svc = AuthService()
+    # invalid token should raise AuthError
+    with pytest.raises(AuthError):
+        svc.decode_token("not-a-jwt")