feat: Stage 2 — authentication and setup flow
Backend (tasks 2.1–2.6, 2.10):
- settings_repo: get/set/delete/get_all CRUD for the key-value settings table
- session_repo: create/get/delete/delete_expired for session rows
- setup_service: bcrypt password hashing, one-time-only enforcement,
run_setup() / is_setup_complete() / get_password_hash()
- auth_service: login() with bcrypt verify + token creation,
validate_session() with expiry check, logout()
- setup router: GET /api/setup (status), POST /api/setup (201 / 409)
- auth router: POST /api/auth/login (token + HttpOnly cookie),
POST /api/auth/logout (clears cookie, idempotent)
- SetupRedirectMiddleware: 307 → /api/setup for all API paths until setup done
- require_auth dependency: cookie or Bearer token → Session or 401
- conftest.py: manually bootstraps app.state.db for router tests
(ASGITransport does not trigger ASGI lifespan)
- 85 tests pass; ruff 0 errors; mypy --strict 0 errors
Frontend (tasks 2.7–2.9):
- types/auth.ts, types/setup.ts, api/auth.ts, api/setup.ts
- AuthProvider: sessionStorage-backed context (isAuthenticated, login, logout)
- RequireAuth: guard component → /login?next=<path> when unauthenticated
- SetupPage: Fluent UI form, client-side validation, inline errors
- LoginPage: single password input, ?next= redirect after success
- DashboardPage: placeholder (full impl Stage 5)
- App.tsx: full route tree (/setup, /login, /, *)
This commit is contained in:
85
backend/tests/test_services/test_auth_service.py
Normal file
85
backend/tests/test_services/test_auth_service.py
Normal file
@@ -0,0 +1,85 @@
|
||||
"""Tests for auth_service."""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from pathlib import Path
|
||||
|
||||
import aiosqlite
|
||||
import pytest
|
||||
|
||||
from app.db import init_db
|
||||
from app.services import auth_service, setup_service
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
async def db(tmp_path: Path) -> aiosqlite.Connection: # type: ignore[misc]
|
||||
"""Provide an initialised DB with setup already complete."""
|
||||
conn: aiosqlite.Connection = await aiosqlite.connect(str(tmp_path / "auth.db"))
|
||||
conn.row_factory = aiosqlite.Row
|
||||
await init_db(conn)
|
||||
# Pre-run setup so auth operations have a password hash to check.
|
||||
await setup_service.run_setup(
|
||||
conn,
|
||||
master_password="correctpassword1",
|
||||
database_path="bangui.db",
|
||||
fail2ban_socket="/var/run/fail2ban/fail2ban.sock",
|
||||
timezone="UTC",
|
||||
session_duration_minutes=60,
|
||||
)
|
||||
yield conn
|
||||
await conn.close()
|
||||
|
||||
|
||||
class TestLogin:
|
||||
async def test_login_returns_session_on_correct_password(
|
||||
self, db: aiosqlite.Connection
|
||||
) -> None:
|
||||
"""login() returns a Session on the correct password."""
|
||||
session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
|
||||
assert session.token
|
||||
assert len(session.token) == 64 # 32 bytes → 64 hex chars
|
||||
assert session.expires_at > session.created_at
|
||||
|
||||
async def test_login_raises_on_wrong_password(
|
||||
self, db: aiosqlite.Connection
|
||||
) -> None:
|
||||
"""login() raises ValueError for an incorrect password."""
|
||||
with pytest.raises(ValueError, match="Incorrect password"):
|
||||
await auth_service.login(db, password="wrongpassword", session_duration_minutes=60)
|
||||
|
||||
async def test_login_persists_session(self, db: aiosqlite.Connection) -> None:
|
||||
"""login() stores the session in the database."""
|
||||
from app.repositories import session_repo
|
||||
|
||||
session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
|
||||
stored = await session_repo.get_session(db, session.token)
|
||||
assert stored is not None
|
||||
assert stored.token == session.token
|
||||
|
||||
|
||||
class TestValidateSession:
|
||||
async def test_validate_returns_session_for_valid_token(
|
||||
self, db: aiosqlite.Connection
|
||||
) -> None:
|
||||
"""validate_session() returns the session for a valid token."""
|
||||
session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
|
||||
validated = await auth_service.validate_session(db, session.token)
|
||||
assert validated.token == session.token
|
||||
|
||||
async def test_validate_raises_for_unknown_token(
|
||||
self, db: aiosqlite.Connection
|
||||
) -> None:
|
||||
"""validate_session() raises ValueError for a non-existent token."""
|
||||
with pytest.raises(ValueError, match="not found"):
|
||||
await auth_service.validate_session(db, "deadbeef" * 8)
|
||||
|
||||
|
||||
class TestLogout:
|
||||
async def test_logout_removes_session(self, db: aiosqlite.Connection) -> None:
|
||||
"""logout() deletes the session so it can no longer be validated."""
|
||||
from app.repositories import session_repo
|
||||
|
||||
session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
|
||||
await auth_service.logout(db, session.token)
|
||||
stored = await session_repo.get_session(db, session.token)
|
||||
assert stored is None
|
||||
Reference in New Issue
Block a user