jwt and password core tests added

Signed-off-by: Rafał Safin <rafal.safin@rafsaf.pl>

Author: Rafał Safin

app/core/security/jwt.py

@@ -58,6 +58,7 @@ def verify_jwt_token(token: str) -> JWTTokenPayload:
             get_settings().security.jwt_secret_key.get_secret_value(),
             algorithms=[JWT_ALGORITHM],
             options={"verify_signature": True},
+            issuer=get_settings().security.jwt_issuer,
         )
     except jwt.InvalidTokenError as e:
         raise HTTPException(

app/tests/conftest.py

@@ -70,6 +70,13 @@ async def fixture_setup_new_test_database() -> None:
         await conn.run_sync(Base.metadata.create_all)
 
 
+@pytest_asyncio.fixture(scope="function", autouse=True)
+async def fixture_clean_get_settings_between_tests() -> AsyncGenerator[None, None]:
+    yield
+
+    get_settings.cache_clear()
+
+
 @pytest_asyncio.fixture(name="default_hashed_password", scope="session")
 async def fixture_default_hashed_password() -> str:
     return get_password_hash(default_user_password)

app/tests/test_auth/test_auth_refresh_token.py

@@ -121,11 +121,11 @@ async def test_refresh_token_success_old_token_is_used(
         },
     )
 
-    test_refresh_token = await session.scalar(
+    used_test_refresh_token = await session.scalar(
         select(RefreshToken).where(RefreshToken.refresh_token == "blaxx")
     )
-    assert test_refresh_token is not None
-    assert test_refresh_token.used
+    assert used_test_refresh_token is not None
+    assert used_test_refresh_token.used
 
 
 async def test_refresh_token_success_jwt_has_valid_token_type(

app/tests/test_core/__init__.py

@@ -0,0 +1,84 @@
+import time
+
+import pytest
+from fastapi import HTTPException
+from freezegun import freeze_time
+from pydantic import SecretStr
+
+from app.core.config import get_settings
+from app.core.security import jwt
+
+
+def test_jwt_access_token_can_be_decoded_back_into_user_id() -> None:
+    user_id = "test_user_id"
+    token = jwt.create_jwt_token(user_id)
+
+    payload = jwt.verify_jwt_token(token=token.access_token)
+    assert payload.sub == user_id
+
+
+@freeze_time("2024-01-01")
+def test_jwt_payload_is_correct() -> None:
+    user_id = "test_user_id"
+    token = jwt.create_jwt_token(user_id)
+
+    assert token.payload.iat == int(time.time())
+    assert token.payload.sub == user_id
+    assert token.payload.iss == get_settings().security.jwt_issuer
+    assert (
+        token.payload.exp
+        == int(time.time()) + get_settings().security.jwt_access_token_expire_secs
+    )
+
+
+def test_jwt_error_after_exp_time() -> None:
+    user_id = "test_user_id"
+    with freeze_time("2024-01-01"):
+        token = jwt.create_jwt_token(user_id)
+    with freeze_time("2024-02-01"):
+        with pytest.raises(HTTPException) as e:
+            jwt.verify_jwt_token(token=token.access_token)
+
+        assert e.value.detail == "Token invalid: Signature has expired"
+
+
+def test_jwt_error_before_iat_time() -> None:
+    user_id = "test_user_id"
+    with freeze_time("2024-01-01"):
+        token = jwt.create_jwt_token(user_id)
+    with freeze_time("2023-12-01"):
+        with pytest.raises(HTTPException) as e:
+            jwt.verify_jwt_token(token=token.access_token)
+
+        assert e.value.detail == "Token invalid: The token is not yet valid (iat)"
+
+
+def test_jwt_error_with_invalid_token() -> None:
+    with pytest.raises(HTTPException) as e:
+        jwt.verify_jwt_token(token="invalid!")
+
+    assert e.value.detail == "Token invalid: Not enough segments"
+
+
+def test_jwt_error_with_invalid_issuer() -> None:
+    user_id = "test_user_id"
+    token = jwt.create_jwt_token(user_id)
+
+    get_settings().security.jwt_issuer = "another_issuer"
+
+    with pytest.raises(HTTPException) as e:
+        jwt.verify_jwt_token(token=token.access_token)
+
+    assert e.value.detail == "Token invalid: Invalid issuer"
+
+
+def test_jwt_error_with_invalid_secret_key() -> None:
+    user_id = "test_user_id"
+    token = jwt.create_jwt_token(user_id)
+
+    get_settings().security.jwt_secret_key = SecretStr("the secret has changed now!")
+
+    with pytest.raises(HTTPException) as e:
+        jwt.verify_jwt_token(token=token.access_token)
+
+    assert e.value.detail == "Token invalid: Signature verification failed"

app/tests/test_core/test_jwt.py

@@ -0,0 +1,11 @@
+from app.core.security.password import get_password_hash, verify_password
+
+
+def test_hashed_password_is_verified() -> None:
+    pwd_hash = get_password_hash("my_password")
+    assert verify_password("my_password", pwd_hash)
+
+
+def test_invalid_password_is_not_verified() -> None:
+    pwd_hash = get_password_hash("my_password")
+    assert not verify_password("my_password_invalid", pwd_hash)