feat: Stage 2 — authentication and setup flow

Backend (tasks 2.1–2.6, 2.10): - settings_repo: get/set/delete/get_all CRUD for the key-value settings table - session_repo: create/get/delete/delete_expired for session rows - setup_service: bcrypt password hashing, one-time-only enforcement, run_setup() / is_setup_complete() / get_password_hash() - auth_service: login() with bcrypt verify + token creation, validate_session() with expiry check, logout() - setup router: GET /api/setup (status), POST /api/setup (201 / 409) - auth router: POST /api/auth/login (token + HttpOnly cookie), POST /api/auth/logout (clears cookie, idempotent) - SetupRedirectMiddleware: 307 → /api/setup for all API paths until setup done - require_auth dependency: cookie or Bearer token → Session or 401 - conftest.py: manually bootstraps app.state.db for router tests (ASGITransport does not trigger ASGI lifespan) - 85 tests pass; ruff 0 errors; mypy --strict 0 errors Frontend (tasks 2.7–2.9): - types/auth.ts, types/setup.ts, api/auth.ts, api/setup.ts - AuthProvider: sessionStorage-backed context (isAuthenticated, login, logout) - RequireAuth: guard component → /login?next=<path> when unauthenticated - SetupPage: Fluent UI form, client-side validation, inline errors - LoginPage: single password input, ?next= redirect after success - DashboardPage: placeholder (full impl Stage 5) - App.tsx: full route tree (/setup, /login, /, *)
2026-02-28 21:33:30 +01:00
parent 7392c930d6
commit 750785680b
26 changed files with 2075 additions and 49 deletions
--- a/backend/tests/test_services/test_auth_service.py
+++ b/backend/tests/test_services/test_auth_service.py
@@ -0,0 +1,85 @@
+"""Tests for auth_service."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import aiosqlite
+import pytest
+
+from app.db import init_db
+from app.services import auth_service, setup_service
+
+
+@pytest.fixture
+async def db(tmp_path: Path) -> aiosqlite.Connection:  # type: ignore[misc]
+    """Provide an initialised DB with setup already complete."""
+    conn: aiosqlite.Connection = await aiosqlite.connect(str(tmp_path / "auth.db"))
+    conn.row_factory = aiosqlite.Row
+    await init_db(conn)
+    # Pre-run setup so auth operations have a password hash to check.
+    await setup_service.run_setup(
+        conn,
+        master_password="correctpassword1",
+        database_path="bangui.db",
+        fail2ban_socket="/var/run/fail2ban/fail2ban.sock",
+        timezone="UTC",
+        session_duration_minutes=60,
+    )
+    yield conn
+    await conn.close()
+
+
+class TestLogin:
+    async def test_login_returns_session_on_correct_password(
+        self, db: aiosqlite.Connection
+    ) -> None:
+        """login() returns a Session on the correct password."""
+        session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
+        assert session.token
+        assert len(session.token) == 64  # 32 bytes → 64 hex chars
+        assert session.expires_at > session.created_at
+
+    async def test_login_raises_on_wrong_password(
+        self, db: aiosqlite.Connection
+    ) -> None:
+        """login() raises ValueError for an incorrect password."""
+        with pytest.raises(ValueError, match="Incorrect password"):
+            await auth_service.login(db, password="wrongpassword", session_duration_minutes=60)
+
+    async def test_login_persists_session(self, db: aiosqlite.Connection) -> None:
+        """login() stores the session in the database."""
+        from app.repositories import session_repo
+
+        session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
+        stored = await session_repo.get_session(db, session.token)
+        assert stored is not None
+        assert stored.token == session.token
+
+
+class TestValidateSession:
+    async def test_validate_returns_session_for_valid_token(
+        self, db: aiosqlite.Connection
+    ) -> None:
+        """validate_session() returns the session for a valid token."""
+        session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
+        validated = await auth_service.validate_session(db, session.token)
+        assert validated.token == session.token
+
+    async def test_validate_raises_for_unknown_token(
+        self, db: aiosqlite.Connection
+    ) -> None:
+        """validate_session() raises ValueError for a non-existent token."""
+        with pytest.raises(ValueError, match="not found"):
+            await auth_service.validate_session(db, "deadbeef" * 8)
+
+
+class TestLogout:
+    async def test_logout_removes_session(self, db: aiosqlite.Connection) -> None:
+        """logout() deletes the session so it can no longer be validated."""
+        from app.repositories import session_repo
+
+        session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
+        await auth_service.logout(db, session.token)
+        stored = await session_repo.get_session(db, session.token)
+        assert stored is None
--- a/backend/tests/test_services/test_setup_service.py
+++ b/backend/tests/test_services/test_setup_service.py
@@ -0,0 +1,97 @@
+"""Tests for setup_service and settings_repo."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import aiosqlite
+import pytest
+
+from app.db import init_db
+from app.repositories import settings_repo
+from app.services import setup_service
+
+
+@pytest.fixture
+async def db(tmp_path: Path) -> aiosqlite.Connection:  # type: ignore[misc]
+    """Provide an initialised aiosqlite connection for service-level tests."""
+    conn: aiosqlite.Connection = await aiosqlite.connect(str(tmp_path / "test.db"))
+    conn.row_factory = aiosqlite.Row
+    await init_db(conn)
+    yield conn
+    await conn.close()
+
+
+class TestIsSetupComplete:
+    async def test_returns_false_on_fresh_db(
+        self, db: aiosqlite.Connection
+    ) -> None:
+        """Setup is not complete on a fresh database."""
+        assert await setup_service.is_setup_complete(db) is False
+
+    async def test_returns_true_after_run_setup(
+        self, db: aiosqlite.Connection
+    ) -> None:
+        """Setup is marked complete after run_setup() succeeds."""
+        await setup_service.run_setup(
+            db,
+            master_password="mypassword1",
+            database_path="bangui.db",
+            fail2ban_socket="/var/run/fail2ban/fail2ban.sock",
+            timezone="UTC",
+            session_duration_minutes=60,
+        )
+        assert await setup_service.is_setup_complete(db) is True
+
+
+class TestRunSetup:
+    async def test_persists_all_settings(self, db: aiosqlite.Connection) -> None:
+        """run_setup() stores every provided setting."""
+        await setup_service.run_setup(
+            db,
+            master_password="mypassword1",
+            database_path="/data/bangui.db",
+            fail2ban_socket="/tmp/f2b.sock",
+            timezone="Europe/Berlin",
+            session_duration_minutes=120,
+        )
+        all_settings = await settings_repo.get_all_settings(db)
+        assert all_settings["database_path"] == "/data/bangui.db"
+        assert all_settings["fail2ban_socket"] == "/tmp/f2b.sock"
+        assert all_settings["timezone"] == "Europe/Berlin"
+        assert all_settings["session_duration_minutes"] == "120"
+
+    async def test_password_stored_as_bcrypt_hash(
+        self, db: aiosqlite.Connection
+    ) -> None:
+        """The master password is stored as a bcrypt hash, not plain text."""
+        import bcrypt
+
+        await setup_service.run_setup(
+            db,
+            master_password="mypassword1",
+            database_path="bangui.db",
+            fail2ban_socket="/var/run/fail2ban/fail2ban.sock",
+            timezone="UTC",
+            session_duration_minutes=60,
+        )
+        stored = await setup_service.get_password_hash(db)
+        assert stored is not None
+        assert stored != "mypassword1"
+        # Verify it is a valid bcrypt hash.
+        assert bcrypt.checkpw(b"mypassword1", stored.encode())
+
+    async def test_raises_if_setup_already_complete(
+        self, db: aiosqlite.Connection
+    ) -> None:
+        """run_setup() raises RuntimeError if called a second time."""
+        kwargs = {
+            "master_password": "mypassword1",
+            "database_path": "bangui.db",
+            "fail2ban_socket": "/var/run/fail2ban/fail2ban.sock",
+            "timezone": "UTC",
+            "session_duration_minutes": 60,
+        }
+        await setup_service.run_setup(db, **kwargs)  # type: ignore[arg-type]
+        with pytest.raises(RuntimeError, match="already been completed"):
+            await setup_service.run_setup(db, **kwargs)  # type: ignore[arg-type]