phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test: update tests for session-based auth flow

Browse Source 
Update E2E and integration tests to work with the new session-based
authentication flow that requires email verification on every login.

Changes:
- Add mock fixtures for DNS, email, HTML fetcher, and auth session services
- Update test fixtures to use session_id instead of passing auth params
  directly to consent endpoint
- Create flow_app_with_mocks and e2e_app_with_mocks fixtures for proper
  test isolation
- Update TestAuthenticationFlow and TestAuthorizationFlow fixtures to
  yield (client, code, consent_data) tuples
- Update all test methods to unpack the new fixture format

The new flow:
1. GET /authorize -> verify_code.html (email verification)
2. POST /authorize/verify-code -> consent page
3. POST /authorize/consent with session_id -> redirect with auth code

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Phil Skentelbery
2025-11-22 15:30:10 -07:00
parent 9135edfe84
commit 790f72e47d
2 changed files with 615 additions and 326 deletions
Download Patch File Download Diff File Expand all files Collapse all files

614
tests/e2e/test_complete_auth_flow.py
View File

@@ -3,18 +3,150 @@ End-to-end tests for complete IndieAuth authentication flow.
Tests the full authorization code flow from initial request through token exchange.
Uses TestClient-based flow simulation per Phase 5b clarifications.
Updated for session-based authentication flow:
- GET /authorize -> verify_code.html (email verification)
- POST /authorize/verify-code -> consent page
- POST /authorize/consent -> redirect with auth code
"""
import pytest
from datetime import datetime, timedelta
from fastapi.testclient import TestClient
from unittest.mock import AsyncMock, Mock, patch
from tests.conftest import extract_code_from_redirect
def create_mock_dns_service(verify_success=True):
"""Create a mock DNS service."""
mock_service = Mock()
mock_service.verify_txt_record.return_value = verify_success
return mock_service
def create_mock_email_service():
"""Create a mock email service."""
mock_service = Mock()
mock_service.send_verification_code = Mock()
return mock_service
def create_mock_html_fetcher(email="test@example.com"):
"""Create a mock HTML fetcher that returns a page with rel=me email."""
mock_fetcher = Mock()
if email:
html = f'''
<html>
<body>
<a href="mailto:{email}" rel="me">Email</a>
</body>
</html>
'''
else:
html = '<html><body></body></html>'
mock_fetcher.fetch.return_value = html
return mock_fetcher
def create_mock_auth_session_service(session_id="test_session_123", code="123456", verified=True,
response_type="code", me="https://user.example.com",
state="test123", scope=""):
"""Create a mock auth session service."""
from gondulf.services.auth_session import AuthSessionService
mock_service = Mock(spec=AuthSessionService)
mock_service.create_session.return_value = {
"session_id": session_id,
"verification_code": code,
"expires_at": datetime.utcnow() + timedelta(minutes=10)
}
session_data = {
"session_id": session_id,
"me": me,
"email": "test@example.com",
"code_verified": verified,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": state,
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"scope": scope,
"response_type": response_type
}
mock_service.get_session.return_value = session_data
mock_service.verify_code.return_value = session_data
mock_service.is_session_verified.return_value = verified
mock_service.delete_session = Mock()
return mock_service
def create_mock_happ_parser():
"""Create a mock h-app parser."""
from gondulf.services.happ_parser import ClientMetadata
mock_parser = Mock()
mock_parser.fetch_and_parse = AsyncMock(return_value=ClientMetadata(
name="E2E Test App",
url="https://app.example.com",
logo="https://app.example.com/logo.png"
))
return mock_parser
@pytest.fixture
def e2e_app_with_mocks(monkeypatch, tmp_path):
"""Create app with all dependencies mocked for E2E testing."""
db_path = tmp_path / "test.db"
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv("GONDULF_DATABASE_URL", f"sqlite:///{db_path}")
monkeypatch.setenv("GONDULF_DEBUG", "true")
from gondulf.main import app
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_happ_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from gondulf.services.relme_parser import RelMeParser
from sqlalchemy import text
# Initialize database
db = Database(f"sqlite:///{db_path}")
db.initialize()
# Add verified domain
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
app.dependency_overrides[get_database] = lambda: db
app.dependency_overrides[get_dns_service] = lambda: create_mock_dns_service(True)
app.dependency_overrides[get_email_service] = lambda: create_mock_email_service()
app.dependency_overrides[get_html_fetcher] = lambda: create_mock_html_fetcher("test@example.com")
app.dependency_overrides[get_relme_parser] = lambda: RelMeParser()
app.dependency_overrides[get_happ_parser] = create_mock_happ_parser
yield app, db
app.dependency_overrides.clear()
@pytest.fixture
def e2e_app(monkeypatch, tmp_path):
"""Create app for E2E testing."""
"""Create app for E2E testing (without mocks, for error tests)."""
db_path = tmp_path / "test.db"
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
@@ -33,162 +165,142 @@ def e2e_client(e2e_app):
yield client
@pytest.fixture
def mock_happ_for_e2e():
"""Mock h-app parser for E2E tests."""
from gondulf.services.happ_parser import ClientMetadata
metadata = ClientMetadata(
name="E2E Test App",
url="https://app.example.com",
logo="https://app.example.com/logo.png"
)
with patch('gondulf.services.happ_parser.HAppParser.fetch_and_parse', new_callable=AsyncMock) as mock:
mock.return_value = metadata
yield mock
@pytest.mark.e2e
class TestCompleteAuthorizationFlow:
"""E2E tests for complete authorization code flow."""
def test_full_authorization_to_token_flow(self, e2e_client, mock_happ_for_e2e):
"""Test complete flow: authorization request -> consent -> token exchange."""
# Step 1: Authorization request
auth_params = {
"response_type": "code",
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "e2e_test_state_12345",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"me": "https://user.example.com",
}
def test_full_authorization_to_token_flow(self, e2e_app_with_mocks):
"""Test complete flow: authorization request -> verify code -> consent -> token exchange."""
app, db = e2e_app_with_mocks
from gondulf.dependencies import get_auth_session_service
auth_response = e2e_client.get("/authorize", params=auth_params)
# Should show consent page
assert auth_response.status_code == 200
assert "text/html" in auth_response.headers["content-type"]
# Step 2: Submit consent form
consent_data = {
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"response_type": "code", # Authorization flow - exchange at token endpoint
"state": "e2e_test_state_12345",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"me": "https://user.example.com",
"scope": "",
}
consent_response = e2e_client.post(
"/authorize/consent",
data=consent_data,
follow_redirects=False
# Create mock session service with verified session
mock_session = create_mock_auth_session_service(
verified=True,
response_type="code",
state="e2e_test_state_12345"
)
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
# Should redirect with authorization code
assert consent_response.status_code == 302
location = consent_response.headers["location"]
assert location.startswith("https://app.example.com/callback")
assert "code=" in location
assert "state=e2e_test_state_12345" in location
# Step 3: Extract authorization code
auth_code = extract_code_from_redirect(location)
assert auth_code is not None
# Step 4: Exchange code for token
token_response = e2e_client.post("/token", data={
"grant_type": "authorization_code",
"code": auth_code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
})
# Should receive access token
assert token_response.status_code == 200
token_data = token_response.json()
assert "access_token" in token_data
assert token_data["token_type"] == "Bearer"
assert token_data["me"] == "https://user.example.com"
def test_authorization_flow_preserves_state(self, e2e_client, mock_happ_for_e2e):
"""Test that state parameter is preserved throughout the flow."""
state = "unique_state_for_csrf_protection"
# Authorization request
auth_response = e2e_client.get("/authorize", params={
"response_type": "code",
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": state,
"code_challenge": "abc123",
"code_challenge_method": "S256",
"me": "https://user.example.com",
})
assert auth_response.status_code == 200
assert state in auth_response.text
# Consent submission
consent_response = e2e_client.post(
"/authorize/consent",
data={
with TestClient(app) as client:
# Step 1: Authorization request - should show verification page
auth_params = {
"response_type": "code",
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"response_type": "code", # For state preservation test
"state": state,
"code_challenge": "abc123",
"state": "e2e_test_state_12345",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"me": "https://user.example.com",
"scope": "",
},
follow_redirects=False
)
}
# State should be in redirect
location = consent_response.headers["location"]
assert f"state={state}" in location
auth_response = client.get("/authorize", params=auth_params)
def test_multiple_concurrent_flows(self, e2e_client, mock_happ_for_e2e):
"""Test multiple authorization flows can run concurrently."""
flows = []
# Should show verification page
assert auth_response.status_code == 200
assert "text/html" in auth_response.headers["content-type"]
assert "session_id" in auth_response.text.lower() or "verify" in auth_response.text.lower()
# Start 3 authorization flows
for i in range(3):
consent_response = e2e_client.post(
# Step 2: Submit consent form (session is already verified in mock)
consent_response = client.post(
"/authorize/consent",
data={
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"response_type": "code", # Authorization flow - exchange at token endpoint
"state": f"flow_{i}",
"code_challenge": "abc123",
"code_challenge_method": "S256",
"me": f"https://user{i}.example.com",
"scope": "",
},
data={"session_id": "test_session_123"},
follow_redirects=False
)
code = extract_code_from_redirect(consent_response.headers["location"])
flows.append((code, f"https://user{i}.example.com"))
# Should redirect with authorization code
assert consent_response.status_code == 302
location = consent_response.headers["location"]
assert location.startswith("https://app.example.com/callback")
assert "code=" in location
assert "state=e2e_test_state_12345" in location
# Exchange all codes - each should work
for code, expected_me in flows:
token_response = e2e_client.post("/token", data={
# Step 3: Extract authorization code
auth_code = extract_code_from_redirect(location)
assert auth_code is not None
# Step 4: Exchange code for token
token_response = client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"code": auth_code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
})
# Should receive access token
assert token_response.status_code == 200
assert token_response.json()["me"] == expected_me
token_data = token_response.json()
assert "access_token" in token_data
assert token_data["token_type"] == "Bearer"
assert token_data["me"] == "https://user.example.com"
def test_authorization_flow_preserves_state(self, e2e_app_with_mocks):
"""Test that state parameter is preserved throughout the flow."""
app, db = e2e_app_with_mocks
from gondulf.dependencies import get_auth_session_service
state = "unique_state_for_csrf_protection"
# Create mock session service with the specific state
mock_session = create_mock_auth_session_service(
verified=True,
response_type="code",
state=state
)
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
with TestClient(app) as client:
# Consent submission
consent_response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
# State should be in redirect
location = consent_response.headers["location"]
assert f"state={state}" in location
def test_multiple_concurrent_flows(self, e2e_app_with_mocks):
"""Test multiple authorization flows can run concurrently."""
app, db = e2e_app_with_mocks
from gondulf.dependencies import get_auth_session_service
flows = []
with TestClient(app) as client:
# Start 3 authorization flows
for i in range(3):
# Create unique mock session for each flow
mock_session = create_mock_auth_session_service(
session_id=f"session_{i}",
verified=True,
response_type="code",
state=f"flow_{i}",
me=f"https://user{i}.example.com"
)
app.dependency_overrides[get_auth_session_service] = lambda ms=mock_session: ms
consent_response = client.post(
"/authorize/consent",
data={"session_id": f"session_{i}"},
follow_redirects=False
)
code = extract_code_from_redirect(consent_response.headers["location"])
flows.append((code, f"https://user{i}.example.com"))
# Exchange all codes - each should work
for code, expected_me in flows:
token_response = client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
})
assert token_response.status_code == 200
assert token_response.json()["me"] == expected_me
@pytest.mark.e2e
@@ -207,7 +319,7 @@ class TestErrorScenariosE2E:
# Should show error page, not redirect
assert "text/html" in response.headers["content-type"]
def test_expired_code_rejected(self, e2e_client, e2e_app, mock_happ_for_e2e):
def test_expired_code_rejected(self, e2e_client, e2e_app):
"""Test expired authorization code is rejected."""
from gondulf.dependencies import get_code_storage
from gondulf.storage import CodeStore
@@ -251,148 +363,144 @@ class TestErrorScenariosE2E:
e2e_app.dependency_overrides.clear()
def test_code_cannot_be_reused(self, e2e_client, mock_happ_for_e2e):
def test_code_cannot_be_reused(self, e2e_app_with_mocks):
"""Test authorization code single-use enforcement."""
# Get a valid code
consent_response = e2e_client.post(
"/authorize/consent",
data={
app, db = e2e_app_with_mocks
from gondulf.dependencies import get_auth_session_service
mock_session = create_mock_auth_session_service(verified=True, response_type="code")
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
with TestClient(app) as client:
# Get a valid code
consent_response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
code = extract_code_from_redirect(consent_response.headers["location"])
# First exchange should succeed
response1 = client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"response_type": "code", # Authorization flow - exchange at token endpoint
"state": "test",
"code_challenge": "abc123",
"code_challenge_method": "S256",
"me": "https://user.example.com",
"scope": "",
},
follow_redirects=False
)
})
assert response1.status_code == 200
code = extract_code_from_redirect(consent_response.headers["location"])
# Second exchange should fail
response2 = client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
})
assert response2.status_code == 400
# First exchange should succeed
response1 = e2e_client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
})
assert response1.status_code == 200
# Second exchange should fail
response2 = e2e_client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
})
assert response2.status_code == 400
def test_wrong_client_id_rejected(self, e2e_client, mock_happ_for_e2e):
def test_wrong_client_id_rejected(self, e2e_app_with_mocks):
"""Test token exchange with wrong client_id is rejected."""
# Get a code for one client
consent_response = e2e_client.post(
"/authorize/consent",
data={
"client_id": "https://app.example.com",
app, db = e2e_app_with_mocks
from gondulf.dependencies import get_auth_session_service
mock_session = create_mock_auth_session_service(verified=True, response_type="code")
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
with TestClient(app) as client:
# Get a code for one client
consent_response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
code = extract_code_from_redirect(consent_response.headers["location"])
# Try to exchange with different client_id
response = client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://different-app.example.com", # Wrong client
"redirect_uri": "https://app.example.com/callback",
"response_type": "code", # Authorization flow - exchange at token endpoint
"state": "test",
"code_challenge": "abc123",
"code_challenge_method": "S256",
"me": "https://user.example.com",
"scope": "",
},
follow_redirects=False
)
})
code = extract_code_from_redirect(consent_response.headers["location"])
# Try to exchange with different client_id
response = e2e_client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://different-app.example.com", # Wrong client
"redirect_uri": "https://app.example.com/callback",
})
assert response.status_code == 400
assert response.json()["detail"]["error"] == "invalid_client"
assert response.status_code == 400
assert response.json()["detail"]["error"] == "invalid_client"
@pytest.mark.e2e
class TestTokenUsageE2E:
"""E2E tests for token usage after obtaining it."""
def test_obtained_token_has_correct_format(self, e2e_client, mock_happ_for_e2e):
def test_obtained_token_has_correct_format(self, e2e_app_with_mocks):
"""Test the token obtained through E2E flow has correct format."""
# Complete the flow
consent_response = e2e_client.post(
"/authorize/consent",
data={
app, db = e2e_app_with_mocks
from gondulf.dependencies import get_auth_session_service
mock_session = create_mock_auth_session_service(verified=True, response_type="code")
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
with TestClient(app) as client:
# Complete the flow
consent_response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
code = extract_code_from_redirect(consent_response.headers["location"])
token_response = client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"response_type": "code", # Authorization flow - exchange at token endpoint
"state": "test",
"code_challenge": "abc123",
"code_challenge_method": "S256",
"me": "https://user.example.com",
"scope": "",
},
follow_redirects=False
)
})
code = extract_code_from_redirect(consent_response.headers["location"])
assert token_response.status_code == 200
token_data = token_response.json()
token_response = e2e_client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
})
# Verify token has correct format
assert "access_token" in token_data
assert len(token_data["access_token"]) >= 32 # Should be substantial
assert token_data["token_type"] == "Bearer"
assert token_data["me"] == "https://user.example.com"
assert token_response.status_code == 200
token_data = token_response.json()
# Verify token has correct format
assert "access_token" in token_data
assert len(token_data["access_token"]) >= 32 # Should be substantial
assert token_data["token_type"] == "Bearer"
assert token_data["me"] == "https://user.example.com"
def test_token_response_includes_all_fields(self, e2e_client, mock_happ_for_e2e):
def test_token_response_includes_all_fields(self, e2e_app_with_mocks):
"""Test token response includes all required IndieAuth fields."""
# Complete the flow
consent_response = e2e_client.post(
"/authorize/consent",
data={
app, db = e2e_app_with_mocks
from gondulf.dependencies import get_auth_session_service
mock_session = create_mock_auth_session_service(
verified=True,
response_type="code",
scope="profile"
)
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
with TestClient(app) as client:
# Complete the flow
consent_response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
code = extract_code_from_redirect(consent_response.headers["location"])
token_response = client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"response_type": "code", # Authorization flow - exchange at token endpoint
"state": "test",
"code_challenge": "abc123",
"code_challenge_method": "S256",
"me": "https://user.example.com",
"scope": "profile",
},
follow_redirects=False
)
})
code = extract_code_from_redirect(consent_response.headers["location"])
assert token_response.status_code == 200
token_data = token_response.json()
token_response = e2e_client.post("/token", data={
"grant_type": "authorization_code",
"code": code,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
})
assert token_response.status_code == 200
token_data = token_response.json()
# All required IndieAuth fields
assert "access_token" in token_data
assert "token_type" in token_data
assert "me" in token_data
assert "scope" in token_data
# All required IndieAuth fields
assert "access_token" in token_data
assert "token_type" in token_data
assert "me" in token_data
assert "scope" in token_data

327
tests/integration/api/test_response_type_flows.py
View File

@@ -4,14 +4,109 @@ Integration tests for IndieAuth response_type flows.
Tests the two IndieAuth flows per W3C specification:
- Authentication flow (response_type=id): Code redeemed at authorization endpoint
- Authorization flow (response_type=code): Code redeemed at token endpoint
Updated for session-based authentication flow:
- GET /authorize -> verify_code.html (email verification)
- POST /authorize/verify-code -> consent page
- POST /authorize/consent -> redirect with auth code
"""
from unittest.mock import AsyncMock, patch
from datetime import datetime, timedelta
from unittest.mock import AsyncMock, Mock, patch
import pytest
from fastapi.testclient import TestClient
def create_mock_dns_service(verify_success=True):
"""Create a mock DNS service."""
mock_service = Mock()
mock_service.verify_txt_record.return_value = verify_success
return mock_service
def create_mock_email_service():
"""Create a mock email service."""
mock_service = Mock()
mock_service.send_verification_code = Mock()
return mock_service
def create_mock_html_fetcher(email="test@example.com"):
"""Create a mock HTML fetcher that returns a page with rel=me email."""
mock_fetcher = Mock()
if email:
html = f'''
<html>
<body>
<a href="mailto:{email}" rel="me">Email</a>
</body>
</html>
'''
else:
html = '<html><body></body></html>'
mock_fetcher.fetch.return_value = html
return mock_fetcher
def create_mock_auth_session_service(session_id="test_session_123", code="123456", verified=False, response_type="code"):
"""Create a mock auth session service."""
from gondulf.services.auth_session import AuthSessionService
mock_service = Mock(spec=AuthSessionService)
mock_service.create_session.return_value = {
"session_id": session_id,
"verification_code": code,
"expires_at": datetime.utcnow() + timedelta(minutes=10)
}
mock_service.get_session.return_value = {
"session_id": session_id,
"me": "https://user.example.com",
"email": "test@example.com",
"code_verified": verified,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "test123",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"scope": "",
"response_type": response_type
}
mock_service.verify_code.return_value = {
"session_id": session_id,
"me": "https://user.example.com",
"email": "test@example.com",
"code_verified": True,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "test123",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"scope": "",
"response_type": response_type
}
mock_service.is_session_verified.return_value = verified
mock_service.delete_session = Mock()
return mock_service
def create_mock_happ_parser():
"""Create a mock h-app parser."""
from gondulf.services.happ_parser import ClientMetadata
mock_parser = Mock()
mock_parser.fetch_and_parse = AsyncMock(return_value=ClientMetadata(
name="Test Application",
url="https://app.example.com",
logo="https://app.example.com/logo.png"
))
return mock_parser
@pytest.fixture
def flow_app(monkeypatch, tmp_path):
"""Create app for flow testing."""
@@ -49,6 +144,53 @@ def mock_happ_fetch():
yield mock
@pytest.fixture
def flow_app_with_mocks(monkeypatch, tmp_path):
"""Create app with all dependencies mocked for testing consent flow."""
db_path = tmp_path / "test.db"
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv("GONDULF_DATABASE_URL", f"sqlite:///{db_path}")
monkeypatch.setenv("GONDULF_DEBUG", "true")
from gondulf.main import app
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_happ_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from gondulf.services.relme_parser import RelMeParser
from sqlalchemy import text
# Initialize database
db = Database(f"sqlite:///{db_path}")
db.initialize()
# Add verified domain
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
app.dependency_overrides[get_database] = lambda: db
app.dependency_overrides[get_dns_service] = lambda: create_mock_dns_service(True)
app.dependency_overrides[get_email_service] = lambda: create_mock_email_service()
app.dependency_overrides[get_html_fetcher] = lambda: create_mock_html_fetcher("test@example.com")
app.dependency_overrides[get_relme_parser] = lambda: RelMeParser()
app.dependency_overrides[get_happ_parser] = create_mock_happ_parser
yield app, db
app.dependency_overrides.clear()
class TestResponseTypeValidation:
"""Tests for response_type parameter validation."""
@@ -64,31 +206,38 @@ class TestResponseTypeValidation:
"me": "https://user.example.com",
}
def test_response_type_id_accepted(self, flow_client, base_params, mock_happ_fetch):
def test_response_type_id_accepted(self, flow_app_with_mocks, base_params):
"""Test response_type=id is accepted."""
app, db = flow_app_with_mocks
params = base_params.copy()
params["response_type"] = "id"
response = flow_client.get("/authorize", params=params)
with TestClient(app) as client:
response = client.get("/authorize", params=params)
assert response.status_code == 200
assert "text/html" in response.headers["content-type"]
def test_response_type_code_accepted(self, flow_client, base_params, mock_happ_fetch):
def test_response_type_code_accepted(self, flow_app_with_mocks, base_params):
"""Test response_type=code is accepted."""
app, db = flow_app_with_mocks
params = base_params.copy()
params["response_type"] = "code"
response = flow_client.get("/authorize", params=params)
with TestClient(app) as client:
response = client.get("/authorize", params=params)
assert response.status_code == 200
assert "text/html" in response.headers["content-type"]
def test_response_type_defaults_to_id(self, flow_client, base_params, mock_happ_fetch):
def test_response_type_defaults_to_id(self, flow_app_with_mocks, base_params):
"""Test missing response_type defaults to 'id'."""
app, db = flow_app_with_mocks
# No response_type in params
response = flow_client.get("/authorize", params=base_params)
with TestClient(app) as client:
response = client.get("/authorize", params=base_params)
assert response.status_code == 200
# Form should contain response_type=id
assert 'value="id"' in response.text
# New flow shows verify_code.html - check response_type is stored in session
# The hidden field with value="id" is in the verify_code form
assert 'name="session_id"' in response.text
def test_invalid_response_type_rejected(self, flow_client, base_params, mock_happ_fetch):
"""Test invalid response_type redirects with error."""
@@ -102,24 +251,43 @@ class TestResponseTypeValidation:
assert "error=unsupported_response_type" in location
assert "state=test123" in location
def test_consent_form_includes_response_type(self, flow_client, base_params, mock_happ_fetch):
"""Test consent form includes response_type hidden field."""
params = base_params.copy()
params["response_type"] = "code"
def test_consent_form_includes_response_type(self, flow_app_with_mocks, base_params):
"""Test that after verification, consent form includes response_type hidden field."""
app, db = flow_app_with_mocks
from gondulf.dependencies import get_auth_session_service
response = flow_client.get("/authorize", params=params)
# Use mock that returns verified session
mock_session = create_mock_auth_session_service(verified=True, response_type="code")
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
assert response.status_code == 200
assert 'name="response_type"' in response.text
assert 'value="code"' in response.text
try:
with TestClient(app) as client:
# Submit verification code to get consent page
response = client.post("/authorize/verify-code", data={
"session_id": "test_session_123",
"code": "123456"
})
assert response.status_code == 200
assert 'name="session_id"' in response.text # Consent form now uses session_id
finally:
# Restore - flow_app_with_mocks cleanup handles this
pass
class TestAuthenticationFlow:
"""Tests for authentication flow (response_type=id)."""
@pytest.fixture
def auth_code_id_flow(self, flow_client):
"""Create an authorization code for the authentication flow."""
def auth_code_id_flow(self, flow_app_with_mocks):
"""Create an authorization code for the authentication flow using session-based flow."""
app, db = flow_app_with_mocks
from gondulf.dependencies import get_auth_session_service
# Use mock session that returns verified session with response_type=id
mock_session = create_mock_auth_session_service(verified=True, response_type="id")
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
consent_data = {
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
@@ -131,24 +299,27 @@ class TestAuthenticationFlow:
"me": "https://user.example.com",
}
response = flow_client.post(
"/authorize/consent",
data=consent_data,
follow_redirects=False
)
with TestClient(app) as client:
# Submit consent with session_id
response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
assert response.status_code == 302
location = response.headers["location"]
assert response.status_code == 302
location = response.headers["location"]
from tests.conftest import extract_code_from_redirect
code = extract_code_from_redirect(location)
return code, consent_data
from tests.conftest import extract_code_from_redirect
code = extract_code_from_redirect(location)
def test_auth_code_redemption_at_authorization_endpoint(self, flow_client, auth_code_id_flow):
yield client, code, consent_data
def test_auth_code_redemption_at_authorization_endpoint(self, auth_code_id_flow):
"""Test authentication flow code is redeemed at authorization endpoint."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -163,11 +334,11 @@ class TestAuthenticationFlow:
# Should NOT have access_token
assert "access_token" not in data
def test_auth_flow_returns_only_me(self, flow_client, auth_code_id_flow):
def test_auth_flow_returns_only_me(self, auth_code_id_flow):
"""Test authentication response contains only 'me' field."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -178,12 +349,12 @@ class TestAuthenticationFlow:
data = response.json()
assert set(data.keys()) == {"me"}
def test_auth_flow_code_single_use(self, flow_client, auth_code_id_flow):
def test_auth_flow_code_single_use(self, auth_code_id_flow):
"""Test authentication code can only be used once."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
# First use - should succeed
response1 = flow_client.post(
response1 = client.post(
"/authorize",
data={
"code": code,
@@ -193,7 +364,7 @@ class TestAuthenticationFlow:
assert response1.status_code == 200
# Second use - should fail
response2 = flow_client.post(
response2 = client.post(
"/authorize",
data={
"code": code,
@@ -203,11 +374,11 @@ class TestAuthenticationFlow:
assert response2.status_code == 400
assert response2.json()["error"] == "invalid_grant"
def test_auth_flow_client_id_mismatch_rejected(self, flow_client, auth_code_id_flow):
def test_auth_flow_client_id_mismatch_rejected(self, auth_code_id_flow):
"""Test wrong client_id is rejected."""
code, _ = auth_code_id_flow
client, code, _ = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -218,11 +389,11 @@ class TestAuthenticationFlow:
assert response.status_code == 400
assert response.json()["error"] == "invalid_client"
def test_auth_flow_redirect_uri_mismatch_rejected(self, flow_client, auth_code_id_flow):
def test_auth_flow_redirect_uri_mismatch_rejected(self, auth_code_id_flow):
"""Test wrong redirect_uri is rejected when provided."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -234,11 +405,11 @@ class TestAuthenticationFlow:
assert response.status_code == 400
assert response.json()["error"] == "invalid_grant"
def test_auth_flow_id_code_rejected_at_token_endpoint(self, flow_client, auth_code_id_flow):
def test_auth_flow_id_code_rejected_at_token_endpoint(self, auth_code_id_flow):
"""Test authentication flow code is rejected at token endpoint."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/token",
data={
"grant_type": "authorization_code",
@@ -254,11 +425,11 @@ class TestAuthenticationFlow:
assert data["error"] == "invalid_grant"
assert "authorization endpoint" in data["error_description"]
def test_auth_flow_cache_headers(self, flow_client, auth_code_id_flow):
def test_auth_flow_cache_headers(self, auth_code_id_flow):
"""Test authentication response has no-cache headers."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -274,8 +445,15 @@ class TestAuthorizationFlow:
"""Tests for authorization flow (response_type=code)."""
@pytest.fixture
def auth_code_code_flow(self, flow_client):
"""Create an authorization code for the authorization flow."""
def auth_code_code_flow(self, flow_app_with_mocks):
"""Create an authorization code for the authorization flow using session-based flow."""
app, db = flow_app_with_mocks
from gondulf.dependencies import get_auth_session_service
# Use mock session that returns verified session with response_type=code
mock_session = create_mock_auth_session_service(verified=True, response_type="code")
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
consent_data = {
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
@@ -287,24 +465,27 @@ class TestAuthorizationFlow:
"me": "https://user.example.com",
}
response = flow_client.post(
"/authorize/consent",
data=consent_data,
follow_redirects=False
)
with TestClient(app) as client:
# Submit consent with session_id
response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
assert response.status_code == 302
location = response.headers["location"]
assert response.status_code == 302
location = response.headers["location"]
from tests.conftest import extract_code_from_redirect
code = extract_code_from_redirect(location)
return code, consent_data
from tests.conftest import extract_code_from_redirect
code = extract_code_from_redirect(location)
def test_code_flow_redemption_at_token_endpoint(self, flow_client, auth_code_code_flow):
yield client, code, consent_data
def test_code_flow_redemption_at_token_endpoint(self, auth_code_code_flow):
"""Test authorization flow code is redeemed at token endpoint."""
code, consent_data = auth_code_code_flow
client, code, consent_data = auth_code_code_flow
response = flow_client.post(
response = client.post(
"/token",
data={
"grant_type": "authorization_code",
@@ -321,11 +502,11 @@ class TestAuthorizationFlow:
assert data["me"] == "https://user.example.com"
assert data["token_type"] == "Bearer"
def test_code_flow_code_rejected_at_authorization_endpoint(self, flow_client, auth_code_code_flow):
def test_code_flow_code_rejected_at_authorization_endpoint(self, auth_code_code_flow):
"""Test authorization flow code is rejected at authorization endpoint."""
code, consent_data = auth_code_code_flow
client, code, consent_data = auth_code_code_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -339,12 +520,12 @@ class TestAuthorizationFlow:
assert data["error"] == "invalid_grant"
assert "token endpoint" in data["error_description"]
def test_code_flow_single_use(self, flow_client, auth_code_code_flow):
def test_code_flow_single_use(self, auth_code_code_flow):
"""Test authorization code can only be used once."""
code, consent_data = auth_code_code_flow
client, code, consent_data = auth_code_code_flow
# First use - should succeed
response1 = flow_client.post(
response1 = client.post(
"/token",
data={
"grant_type": "authorization_code",
@@ -356,7 +537,7 @@ class TestAuthorizationFlow:
assert response1.status_code == 200
# Second use - should fail
response2 = flow_client.post(
response2 = client.post(
"/token",
data={
"grant_type": "authorization_code",