phil/Gondulf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test: update tests for session-based auth flow

Browse Source 
Update E2E and integration tests to work with the new session-based
authentication flow that requires email verification on every login.

Changes:
- Add mock fixtures for DNS, email, HTML fetcher, and auth session services
- Update test fixtures to use session_id instead of passing auth params
  directly to consent endpoint
- Create flow_app_with_mocks and e2e_app_with_mocks fixtures for proper
  test isolation
- Update TestAuthenticationFlow and TestAuthorizationFlow fixtures to
  yield (client, code, consent_data) tuples
- Update all test methods to unpack the new fixture format

The new flow:
1. GET /authorize -> verify_code.html (email verification)
2. POST /authorize/verify-code -> consent page
3. POST /authorize/consent with session_id -> redirect with auth code

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Phil Skentelbery
2025-11-22 15:30:10 -07:00
parent 9135edfe84
commit bf69588426
2 changed files with 615 additions and 326 deletions
Download Patch File Download Diff File Expand all files Collapse all files

327
tests/integration/api/test_response_type_flows.py
View File

@@ -4,14 +4,109 @@ Integration tests for IndieAuth response_type flows.
Tests the two IndieAuth flows per W3C specification:
- Authentication flow (response_type=id): Code redeemed at authorization endpoint
- Authorization flow (response_type=code): Code redeemed at token endpoint
Updated for session-based authentication flow:
- GET /authorize -> verify_code.html (email verification)
- POST /authorize/verify-code -> consent page
- POST /authorize/consent -> redirect with auth code
"""
from unittest.mock import AsyncMock, patch
from datetime import datetime, timedelta
from unittest.mock import AsyncMock, Mock, patch
import pytest
from fastapi.testclient import TestClient
def create_mock_dns_service(verify_success=True):
"""Create a mock DNS service."""
mock_service = Mock()
mock_service.verify_txt_record.return_value = verify_success
return mock_service
def create_mock_email_service():
"""Create a mock email service."""
mock_service = Mock()
mock_service.send_verification_code = Mock()
return mock_service
def create_mock_html_fetcher(email="test@example.com"):
"""Create a mock HTML fetcher that returns a page with rel=me email."""
mock_fetcher = Mock()
if email:
html = f'''
<html>
<body>
<a href="mailto:{email}" rel="me">Email</a>
</body>
</html>
'''
else:
html = '<html><body></body></html>'
mock_fetcher.fetch.return_value = html
return mock_fetcher
def create_mock_auth_session_service(session_id="test_session_123", code="123456", verified=False, response_type="code"):
"""Create a mock auth session service."""
from gondulf.services.auth_session import AuthSessionService
mock_service = Mock(spec=AuthSessionService)
mock_service.create_session.return_value = {
"session_id": session_id,
"verification_code": code,
"expires_at": datetime.utcnow() + timedelta(minutes=10)
}
mock_service.get_session.return_value = {
"session_id": session_id,
"me": "https://user.example.com",
"email": "test@example.com",
"code_verified": verified,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "test123",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"scope": "",
"response_type": response_type
}
mock_service.verify_code.return_value = {
"session_id": session_id,
"me": "https://user.example.com",
"email": "test@example.com",
"code_verified": True,
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
"state": "test123",
"code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
"code_challenge_method": "S256",
"scope": "",
"response_type": response_type
}
mock_service.is_session_verified.return_value = verified
mock_service.delete_session = Mock()
return mock_service
def create_mock_happ_parser():
"""Create a mock h-app parser."""
from gondulf.services.happ_parser import ClientMetadata
mock_parser = Mock()
mock_parser.fetch_and_parse = AsyncMock(return_value=ClientMetadata(
name="Test Application",
url="https://app.example.com",
logo="https://app.example.com/logo.png"
))
return mock_parser
@pytest.fixture
def flow_app(monkeypatch, tmp_path):
"""Create app for flow testing."""
@@ -49,6 +144,53 @@ def mock_happ_fetch():
yield mock
@pytest.fixture
def flow_app_with_mocks(monkeypatch, tmp_path):
"""Create app with all dependencies mocked for testing consent flow."""
db_path = tmp_path / "test.db"
monkeypatch.setenv("GONDULF_SECRET_KEY", "a" * 32)
monkeypatch.setenv("GONDULF_BASE_URL", "https://auth.example.com")
monkeypatch.setenv("GONDULF_DATABASE_URL", f"sqlite:///{db_path}")
monkeypatch.setenv("GONDULF_DEBUG", "true")
from gondulf.main import app
from gondulf.dependencies import (
get_dns_service, get_email_service, get_html_fetcher,
get_relme_parser, get_happ_parser, get_auth_session_service, get_database
)
from gondulf.database.connection import Database
from gondulf.services.relme_parser import RelMeParser
from sqlalchemy import text
# Initialize database
db = Database(f"sqlite:///{db_path}")
db.initialize()
# Add verified domain
now = datetime.utcnow()
with db.get_engine().begin() as conn:
conn.execute(
text("""
INSERT OR REPLACE INTO domains
(domain, email, verification_code, verified, verified_at, last_checked, two_factor)
VALUES (:domain, '', '', 1, :now, :now, 0)
"""),
{"domain": "user.example.com", "now": now}
)
app.dependency_overrides[get_database] = lambda: db
app.dependency_overrides[get_dns_service] = lambda: create_mock_dns_service(True)
app.dependency_overrides[get_email_service] = lambda: create_mock_email_service()
app.dependency_overrides[get_html_fetcher] = lambda: create_mock_html_fetcher("test@example.com")
app.dependency_overrides[get_relme_parser] = lambda: RelMeParser()
app.dependency_overrides[get_happ_parser] = create_mock_happ_parser
yield app, db
app.dependency_overrides.clear()
class TestResponseTypeValidation:
"""Tests for response_type parameter validation."""
@@ -64,31 +206,38 @@ class TestResponseTypeValidation:
"me": "https://user.example.com",
}
def test_response_type_id_accepted(self, flow_client, base_params, mock_happ_fetch):
def test_response_type_id_accepted(self, flow_app_with_mocks, base_params):
"""Test response_type=id is accepted."""
app, db = flow_app_with_mocks
params = base_params.copy()
params["response_type"] = "id"
response = flow_client.get("/authorize", params=params)
with TestClient(app) as client:
response = client.get("/authorize", params=params)
assert response.status_code == 200
assert "text/html" in response.headers["content-type"]
def test_response_type_code_accepted(self, flow_client, base_params, mock_happ_fetch):
def test_response_type_code_accepted(self, flow_app_with_mocks, base_params):
"""Test response_type=code is accepted."""
app, db = flow_app_with_mocks
params = base_params.copy()
params["response_type"] = "code"
response = flow_client.get("/authorize", params=params)
with TestClient(app) as client:
response = client.get("/authorize", params=params)
assert response.status_code == 200
assert "text/html" in response.headers["content-type"]
def test_response_type_defaults_to_id(self, flow_client, base_params, mock_happ_fetch):
def test_response_type_defaults_to_id(self, flow_app_with_mocks, base_params):
"""Test missing response_type defaults to 'id'."""
app, db = flow_app_with_mocks
# No response_type in params
response = flow_client.get("/authorize", params=base_params)
with TestClient(app) as client:
response = client.get("/authorize", params=base_params)
assert response.status_code == 200
# Form should contain response_type=id
assert 'value="id"' in response.text
# New flow shows verify_code.html - check response_type is stored in session
# The hidden field with value="id" is in the verify_code form
assert 'name="session_id"' in response.text
def test_invalid_response_type_rejected(self, flow_client, base_params, mock_happ_fetch):
"""Test invalid response_type redirects with error."""
@@ -102,24 +251,43 @@ class TestResponseTypeValidation:
assert "error=unsupported_response_type" in location
assert "state=test123" in location
def test_consent_form_includes_response_type(self, flow_client, base_params, mock_happ_fetch):
"""Test consent form includes response_type hidden field."""
params = base_params.copy()
params["response_type"] = "code"
def test_consent_form_includes_response_type(self, flow_app_with_mocks, base_params):
"""Test that after verification, consent form includes response_type hidden field."""
app, db = flow_app_with_mocks
from gondulf.dependencies import get_auth_session_service
response = flow_client.get("/authorize", params=params)
# Use mock that returns verified session
mock_session = create_mock_auth_session_service(verified=True, response_type="code")
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
assert response.status_code == 200
assert 'name="response_type"' in response.text
assert 'value="code"' in response.text
try:
with TestClient(app) as client:
# Submit verification code to get consent page
response = client.post("/authorize/verify-code", data={
"session_id": "test_session_123",
"code": "123456"
})
assert response.status_code == 200
assert 'name="session_id"' in response.text # Consent form now uses session_id
finally:
# Restore - flow_app_with_mocks cleanup handles this
pass
class TestAuthenticationFlow:
"""Tests for authentication flow (response_type=id)."""
@pytest.fixture
def auth_code_id_flow(self, flow_client):
"""Create an authorization code for the authentication flow."""
def auth_code_id_flow(self, flow_app_with_mocks):
"""Create an authorization code for the authentication flow using session-based flow."""
app, db = flow_app_with_mocks
from gondulf.dependencies import get_auth_session_service
# Use mock session that returns verified session with response_type=id
mock_session = create_mock_auth_session_service(verified=True, response_type="id")
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
consent_data = {
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
@@ -131,24 +299,27 @@ class TestAuthenticationFlow:
"me": "https://user.example.com",
}
response = flow_client.post(
"/authorize/consent",
data=consent_data,
follow_redirects=False
)
with TestClient(app) as client:
# Submit consent with session_id
response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
assert response.status_code == 302
location = response.headers["location"]
assert response.status_code == 302
location = response.headers["location"]
from tests.conftest import extract_code_from_redirect
code = extract_code_from_redirect(location)
return code, consent_data
from tests.conftest import extract_code_from_redirect
code = extract_code_from_redirect(location)
def test_auth_code_redemption_at_authorization_endpoint(self, flow_client, auth_code_id_flow):
yield client, code, consent_data
def test_auth_code_redemption_at_authorization_endpoint(self, auth_code_id_flow):
"""Test authentication flow code is redeemed at authorization endpoint."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -163,11 +334,11 @@ class TestAuthenticationFlow:
# Should NOT have access_token
assert "access_token" not in data
def test_auth_flow_returns_only_me(self, flow_client, auth_code_id_flow):
def test_auth_flow_returns_only_me(self, auth_code_id_flow):
"""Test authentication response contains only 'me' field."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -178,12 +349,12 @@ class TestAuthenticationFlow:
data = response.json()
assert set(data.keys()) == {"me"}
def test_auth_flow_code_single_use(self, flow_client, auth_code_id_flow):
def test_auth_flow_code_single_use(self, auth_code_id_flow):
"""Test authentication code can only be used once."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
# First use - should succeed
response1 = flow_client.post(
response1 = client.post(
"/authorize",
data={
"code": code,
@@ -193,7 +364,7 @@ class TestAuthenticationFlow:
assert response1.status_code == 200
# Second use - should fail
response2 = flow_client.post(
response2 = client.post(
"/authorize",
data={
"code": code,
@@ -203,11 +374,11 @@ class TestAuthenticationFlow:
assert response2.status_code == 400
assert response2.json()["error"] == "invalid_grant"
def test_auth_flow_client_id_mismatch_rejected(self, flow_client, auth_code_id_flow):
def test_auth_flow_client_id_mismatch_rejected(self, auth_code_id_flow):
"""Test wrong client_id is rejected."""
code, _ = auth_code_id_flow
client, code, _ = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -218,11 +389,11 @@ class TestAuthenticationFlow:
assert response.status_code == 400
assert response.json()["error"] == "invalid_client"
def test_auth_flow_redirect_uri_mismatch_rejected(self, flow_client, auth_code_id_flow):
def test_auth_flow_redirect_uri_mismatch_rejected(self, auth_code_id_flow):
"""Test wrong redirect_uri is rejected when provided."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -234,11 +405,11 @@ class TestAuthenticationFlow:
assert response.status_code == 400
assert response.json()["error"] == "invalid_grant"
def test_auth_flow_id_code_rejected_at_token_endpoint(self, flow_client, auth_code_id_flow):
def test_auth_flow_id_code_rejected_at_token_endpoint(self, auth_code_id_flow):
"""Test authentication flow code is rejected at token endpoint."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/token",
data={
"grant_type": "authorization_code",
@@ -254,11 +425,11 @@ class TestAuthenticationFlow:
assert data["error"] == "invalid_grant"
assert "authorization endpoint" in data["error_description"]
def test_auth_flow_cache_headers(self, flow_client, auth_code_id_flow):
def test_auth_flow_cache_headers(self, auth_code_id_flow):
"""Test authentication response has no-cache headers."""
code, consent_data = auth_code_id_flow
client, code, consent_data = auth_code_id_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -274,8 +445,15 @@ class TestAuthorizationFlow:
"""Tests for authorization flow (response_type=code)."""
@pytest.fixture
def auth_code_code_flow(self, flow_client):
"""Create an authorization code for the authorization flow."""
def auth_code_code_flow(self, flow_app_with_mocks):
"""Create an authorization code for the authorization flow using session-based flow."""
app, db = flow_app_with_mocks
from gondulf.dependencies import get_auth_session_service
# Use mock session that returns verified session with response_type=code
mock_session = create_mock_auth_session_service(verified=True, response_type="code")
app.dependency_overrides[get_auth_session_service] = lambda: mock_session
consent_data = {
"client_id": "https://app.example.com",
"redirect_uri": "https://app.example.com/callback",
@@ -287,24 +465,27 @@ class TestAuthorizationFlow:
"me": "https://user.example.com",
}
response = flow_client.post(
"/authorize/consent",
data=consent_data,
follow_redirects=False
)
with TestClient(app) as client:
# Submit consent with session_id
response = client.post(
"/authorize/consent",
data={"session_id": "test_session_123"},
follow_redirects=False
)
assert response.status_code == 302
location = response.headers["location"]
assert response.status_code == 302
location = response.headers["location"]
from tests.conftest import extract_code_from_redirect
code = extract_code_from_redirect(location)
return code, consent_data
from tests.conftest import extract_code_from_redirect
code = extract_code_from_redirect(location)
def test_code_flow_redemption_at_token_endpoint(self, flow_client, auth_code_code_flow):
yield client, code, consent_data
def test_code_flow_redemption_at_token_endpoint(self, auth_code_code_flow):
"""Test authorization flow code is redeemed at token endpoint."""
code, consent_data = auth_code_code_flow
client, code, consent_data = auth_code_code_flow
response = flow_client.post(
response = client.post(
"/token",
data={
"grant_type": "authorization_code",
@@ -321,11 +502,11 @@ class TestAuthorizationFlow:
assert data["me"] == "https://user.example.com"
assert data["token_type"] == "Bearer"
def test_code_flow_code_rejected_at_authorization_endpoint(self, flow_client, auth_code_code_flow):
def test_code_flow_code_rejected_at_authorization_endpoint(self, auth_code_code_flow):
"""Test authorization flow code is rejected at authorization endpoint."""
code, consent_data = auth_code_code_flow
client, code, consent_data = auth_code_code_flow
response = flow_client.post(
response = client.post(
"/authorize",
data={
"code": code,
@@ -339,12 +520,12 @@ class TestAuthorizationFlow:
assert data["error"] == "invalid_grant"
assert "token endpoint" in data["error_description"]
def test_code_flow_single_use(self, flow_client, auth_code_code_flow):
def test_code_flow_single_use(self, auth_code_code_flow):
"""Test authorization code can only be used once."""
code, consent_data = auth_code_code_flow
client, code, consent_data = auth_code_code_flow
# First use - should succeed
response1 = flow_client.post(
response1 = client.post(
"/token",
data={
"grant_type": "authorization_code",
@@ -356,7 +537,7 @@ class TestAuthorizationFlow:
assert response1.status_code == 200
# Second use - should fail
response2 = flow_client.post(
response2 = client.post(
"/token",
data={
"grant_type": "authorization_code",