Update E2E and integration tests to work with the new session-based
authentication flow that requires email verification on every login.
Changes:
- Add mock fixtures for DNS, email, HTML fetcher, and auth session services
- Update test fixtures to use session_id instead of passing auth params
directly to consent endpoint
- Create flow_app_with_mocks and e2e_app_with_mocks fixtures for proper
test isolation
- Update TestAuthenticationFlow and TestAuthorizationFlow fixtures to
yield (client, code, consent_data) tuples
- Update all test methods to unpack the new fixture format
The new flow:
1. GET /authorize -> verify_code.html (email verification)
2. POST /authorize/verify-code -> consent page
3. POST /authorize/consent with session_id -> redirect with auth code
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Clear pre-existing verified domains at the start of each test that expects
an unverified domain to ensure proper test isolation. This prevents test
failures caused by verified domains persisting from earlier tests in the
test session.
Fixes:
- test_dns_failure_shows_instructions
- test_email_discovery_failure_shows_instructions
- test_full_flow_new_domain
- test_unverified_domain_never_sees_consent_directly
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
CRITICAL SECURITY FIX: The authorization endpoint was bypassing domain
verification entirely, allowing anyone to authenticate as any domain.
Changes:
- Add domain verification check in GET /authorize before showing consent
- Add POST /authorize/verify-code endpoint for code validation
- Add verify_code.html and verification_error.html templates
- Add check_domain_verified() and store_verified_domain() functions
- Preserve OAuth parameters through verification flow
Flow for unverified domains:
1. GET /authorize -> Check DB for verified domain
2. If not verified: start 2FA (DNS + email) -> show code entry form
3. POST /authorize/verify-code -> validate code -> store verified
4. Show consent page
5. POST /authorize/consent -> issue authorization code
Verified domains skip directly to consent page.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add comprehensive integration and end-to-end test suites:
- Integration tests for API flows (authorization, token, verification)
- Integration tests for middleware chain and security headers
- Integration tests for domain verification services
- E2E tests for complete authentication flows
- E2E tests for error scenarios and edge cases
- Shared test fixtures and utilities in conftest.py
- Rename Dockerfile to Containerfile for Podman compatibility
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
