70 lines
2.3 KiB
Python
70 lines
2.3 KiB
Python
import jwt
|
|
import pytest
|
|
from fastapi import FastAPI, HTTPException
|
|
from fastapi.testclient import TestClient
|
|
|
|
from modules.auth.supabase_bearer import verify_supabase_token_dep
|
|
from routers.tlsync_token import TLSYNC_TOKEN_AUDIENCE, create_tlsync_token, router
|
|
|
|
|
|
def test_create_tlsync_token_is_short_lived_and_signed(monkeypatch):
|
|
monkeypatch.setenv("TLSYNC_SECRET", "test-tlsync-secret-with-at-least-32-bytes")
|
|
monkeypatch.setenv("TLSYNC_TOKEN_TTL_SECONDS", "120")
|
|
|
|
response = create_tlsync_token({"sub": "user-123"})
|
|
|
|
assert response["token_type"] == "Bearer"
|
|
assert response["expires_in"] == 120
|
|
assert response["token"]
|
|
|
|
payload = jwt.decode(
|
|
response["token"],
|
|
"test-tlsync-secret-with-at-least-32-bytes",
|
|
algorithms=["HS256"],
|
|
audience=TLSYNC_TOKEN_AUDIENCE,
|
|
)
|
|
assert payload["sub"] == "user-123"
|
|
assert payload["exp"] == response["expires_at"]
|
|
assert payload["exp"] - payload["iat"] == 120
|
|
assert payload["jti"]
|
|
|
|
|
|
def test_create_tlsync_token_requires_tlsync_secret(monkeypatch):
|
|
monkeypatch.delenv("TLSYNC_SECRET", raising=False)
|
|
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
create_tlsync_token({"sub": "user-123"})
|
|
|
|
assert excinfo.value.status_code == 503
|
|
|
|
|
|
def test_create_tlsync_token_requires_authenticated_subject(monkeypatch):
|
|
monkeypatch.setenv("TLSYNC_SECRET", "test-tlsync-secret-with-at-least-32-bytes")
|
|
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
create_tlsync_token({})
|
|
|
|
assert excinfo.value.status_code == 401
|
|
|
|
|
|
def test_tlsync_token_route_uses_authenticated_user_claims(monkeypatch):
|
|
monkeypatch.setenv("TLSYNC_SECRET", "test-tlsync-secret-with-at-least-32-bytes")
|
|
monkeypatch.setenv("TLSYNC_TOKEN_TTL_SECONDS", "60")
|
|
|
|
app = FastAPI()
|
|
app.include_router(router, prefix="/api/tlsync")
|
|
app.dependency_overrides[verify_supabase_token_dep] = lambda: {"sub": "route-user-123"}
|
|
|
|
response = TestClient(app).get("/api/tlsync/token", headers={"Authorization": "Bearer supabase-jwt"})
|
|
|
|
assert response.status_code == 200
|
|
body = response.json()
|
|
payload = jwt.decode(
|
|
body["token"],
|
|
"test-tlsync-secret-with-at-least-32-bytes",
|
|
algorithms=["HS256"],
|
|
audience=TLSYNC_TOKEN_AUDIENCE,
|
|
)
|
|
assert payload["sub"] == "route-user-123"
|
|
assert body["expires_in"] == 60
|