Lukas
750785680b
Backend (tasks 2.1–2.6, 2.10):
- settings_repo: get/set/delete/get_all CRUD for the key-value settings table
- session_repo: create/get/delete/delete_expired for session rows
- setup_service: bcrypt password hashing, one-time-only enforcement,
run_setup() / is_setup_complete() / get_password_hash()
- auth_service: login() with bcrypt verify + token creation,
validate_session() with expiry check, logout()
- setup router: GET /api/setup (status), POST /api/setup (201 / 409)
- auth router: POST /api/auth/login (token + HttpOnly cookie),
POST /api/auth/logout (clears cookie, idempotent)
- SetupRedirectMiddleware: 307 → /api/setup for all API paths until setup done
- require_auth dependency: cookie or Bearer token → Session or 401
- conftest.py: manually bootstraps app.state.db for router tests
(ASGITransport does not trigger ASGI lifespan)
- 85 tests pass; ruff 0 errors; mypy --strict 0 errors
Frontend (tasks 2.7–2.9):
- types/auth.ts, types/setup.ts, api/auth.ts, api/setup.ts
- AuthProvider: sessionStorage-backed context (isAuthenticated, login, logout)
- RequireAuth: guard component → /login?next=<path> when unauthenticated
- SetupPage: Fluent UI form, client-side validation, inline errors
- LoginPage: single password input, ?next= redirect after success
- DashboardPage: placeholder (full impl Stage 5)
- App.tsx: full route tree (/setup, /login, /, *)
124 lines
4.6 KiB
Python
124 lines
4.6 KiB
Python
"""Tests for the setup router (POST /api/setup, GET /api/setup)."""
|
|
|
|
from __future__ import annotations
|
|
|
|
from httpx import AsyncClient
|
|
|
|
|
|
class TestGetSetupStatus:
|
|
"""GET /api/setup — check setup completion state."""
|
|
|
|
async def test_returns_not_completed_on_fresh_db(self, client: AsyncClient) -> None:
|
|
"""Status endpoint reports setup not done on a fresh database."""
|
|
response = await client.get("/api/setup")
|
|
assert response.status_code == 200
|
|
assert response.json() == {"completed": False}
|
|
|
|
async def test_returns_completed_after_setup(self, client: AsyncClient) -> None:
|
|
"""Status endpoint reports setup done after POST /api/setup."""
|
|
await client.post(
|
|
"/api/setup",
|
|
json={
|
|
"master_password": "supersecret123",
|
|
"database_path": "bangui.db",
|
|
"fail2ban_socket": "/var/run/fail2ban/fail2ban.sock",
|
|
"timezone": "UTC",
|
|
"session_duration_minutes": 60,
|
|
},
|
|
)
|
|
response = await client.get("/api/setup")
|
|
assert response.status_code == 200
|
|
assert response.json() == {"completed": True}
|
|
|
|
|
|
class TestPostSetup:
|
|
"""POST /api/setup — run the first-run configuration wizard."""
|
|
|
|
async def test_accepts_valid_payload(self, client: AsyncClient) -> None:
|
|
"""Setup endpoint returns 201 for a valid first-run payload."""
|
|
response = await client.post(
|
|
"/api/setup",
|
|
json={
|
|
"master_password": "supersecret123",
|
|
"database_path": "bangui.db",
|
|
"fail2ban_socket": "/var/run/fail2ban/fail2ban.sock",
|
|
"timezone": "UTC",
|
|
"session_duration_minutes": 60,
|
|
},
|
|
)
|
|
assert response.status_code == 201
|
|
body = response.json()
|
|
assert "message" in body
|
|
|
|
async def test_rejects_short_password(self, client: AsyncClient) -> None:
|
|
"""Setup endpoint rejects passwords shorter than 8 characters."""
|
|
response = await client.post(
|
|
"/api/setup",
|
|
json={"master_password": "short"},
|
|
)
|
|
assert response.status_code == 422
|
|
|
|
async def test_rejects_second_call(self, client: AsyncClient) -> None:
|
|
"""Setup endpoint returns 409 if setup has already been completed."""
|
|
payload = {
|
|
"master_password": "supersecret123",
|
|
"database_path": "bangui.db",
|
|
"fail2ban_socket": "/var/run/fail2ban/fail2ban.sock",
|
|
"timezone": "UTC",
|
|
"session_duration_minutes": 60,
|
|
}
|
|
first = await client.post("/api/setup", json=payload)
|
|
assert first.status_code == 201
|
|
|
|
second = await client.post("/api/setup", json=payload)
|
|
assert second.status_code == 409
|
|
|
|
async def test_accepts_defaults_for_optional_fields(
|
|
self, client: AsyncClient
|
|
) -> None:
|
|
"""Setup endpoint uses defaults when optional fields are omitted."""
|
|
response = await client.post(
|
|
"/api/setup",
|
|
json={"master_password": "supersecret123"},
|
|
)
|
|
assert response.status_code == 201
|
|
|
|
|
|
class TestSetupRedirectMiddleware:
|
|
"""Verify that the setup-redirect middleware enforces setup-first."""
|
|
|
|
async def test_protected_endpoint_redirects_before_setup(
|
|
self, client: AsyncClient
|
|
) -> None:
|
|
"""Non-setup API requests redirect to /api/setup on a fresh instance."""
|
|
response = await client.get(
|
|
"/api/auth/login",
|
|
follow_redirects=False,
|
|
)
|
|
# Middleware issues 307 redirect to /api/setup
|
|
assert response.status_code == 307
|
|
assert response.headers["location"] == "/api/setup"
|
|
|
|
async def test_health_always_reachable_before_setup(
|
|
self, client: AsyncClient
|
|
) -> None:
|
|
"""Health endpoint is always reachable even before setup."""
|
|
response = await client.get("/api/health")
|
|
assert response.status_code == 200
|
|
|
|
async def test_no_redirect_after_setup(self, client: AsyncClient) -> None:
|
|
"""Protected endpoints are reachable (no redirect) after setup."""
|
|
await client.post(
|
|
"/api/setup",
|
|
json={"master_password": "supersecret123"},
|
|
)
|
|
# /api/auth/login should now be reachable (returns 405 GET not allowed,
|
|
# not a setup redirect)
|
|
response = await client.post(
|
|
"/api/auth/login",
|
|
json={"password": "wrong"},
|
|
follow_redirects=False,
|
|
)
|
|
# 401 wrong password — not a 307 redirect
|
|
assert response.status_code == 401
|