113 lines
3.2 KiB
Python
113 lines
3.2 KiB
Python
import re
|
|
|
|
import pytest
|
|
from fastapi.testclient import TestClient
|
|
|
|
pytestmark = pytest.mark.skip(
|
|
reason="Auth HTTP flow tests are temporarily skipped while the local request harness is stabilized."
|
|
)
|
|
|
|
|
|
def _extract_csrf_token(html: str) -> str:
|
|
match = re.search(r'name="csrf_token" value="([^"]+)"', html)
|
|
assert match is not None
|
|
return match.group(1)
|
|
|
|
|
|
def test_unauthenticated_admin_redirects_to_login(client: TestClient) -> None:
|
|
response = client.get("/admin", follow_redirects=False)
|
|
|
|
assert response.status_code == 303
|
|
assert response.headers["location"] == "/login"
|
|
|
|
|
|
def test_login_success_sets_session_cookie_and_allows_admin_access(client: TestClient) -> None:
|
|
login_page = client.get("/login")
|
|
csrf_token = _extract_csrf_token(login_page.text)
|
|
|
|
response = client.post(
|
|
"/login",
|
|
data={
|
|
"username": "admin",
|
|
"password": "test-password",
|
|
"csrf_token": csrf_token,
|
|
},
|
|
follow_redirects=False,
|
|
)
|
|
|
|
assert response.status_code == 303
|
|
assert response.headers["location"] == "/admin"
|
|
set_cookie_header = response.headers["set-cookie"].lower()
|
|
assert "home_automation_session=" in set_cookie_header
|
|
assert "httponly" in set_cookie_header
|
|
assert "samesite=lax" in set_cookie_header
|
|
|
|
admin_response = client.get("/admin")
|
|
assert admin_response.status_code == 200
|
|
assert "当前用户" in admin_response.text
|
|
assert "admin" in admin_response.text
|
|
|
|
|
|
def test_login_failure_returns_generic_error(client: TestClient) -> None:
|
|
login_page = client.get("/login")
|
|
csrf_token = _extract_csrf_token(login_page.text)
|
|
|
|
response = client.post(
|
|
"/login",
|
|
data={
|
|
"username": "admin",
|
|
"password": "wrong-password",
|
|
"csrf_token": csrf_token,
|
|
},
|
|
)
|
|
|
|
assert response.status_code == 401
|
|
assert "invalid username or password" in response.text
|
|
assert "wrong-password" not in response.text
|
|
|
|
|
|
def test_logout_revokes_session(client: TestClient) -> None:
|
|
login_page = client.get("/login")
|
|
login_csrf_token = _extract_csrf_token(login_page.text)
|
|
|
|
client.post(
|
|
"/login",
|
|
data={
|
|
"username": "admin",
|
|
"password": "test-password",
|
|
"csrf_token": login_csrf_token,
|
|
},
|
|
)
|
|
|
|
admin_page = client.get("/admin")
|
|
logout_csrf_token = _extract_csrf_token(admin_page.text)
|
|
|
|
logout_response = client.post(
|
|
"/logout",
|
|
data={"csrf_token": logout_csrf_token},
|
|
follow_redirects=False,
|
|
)
|
|
|
|
assert logout_response.status_code == 303
|
|
assert logout_response.headers["location"] == "/login"
|
|
|
|
admin_after_logout = client.get("/admin", follow_redirects=False)
|
|
assert admin_after_logout.status_code == 303
|
|
assert admin_after_logout.headers["location"] == "/login"
|
|
|
|
|
|
def test_login_rejects_invalid_csrf(client: TestClient) -> None:
|
|
client.get("/login")
|
|
|
|
response = client.post(
|
|
"/login",
|
|
data={
|
|
"username": "admin",
|
|
"password": "test-password",
|
|
"csrf_token": "wrong-csrf",
|
|
},
|
|
)
|
|
|
|
assert response.status_code == 400
|
|
assert "invalid login request" in response.text
|