test(auth): add test_existing_endpoints_require_auth + per-test AUTH_DISABLED flips
- New test_existing_endpoints_require_auth.py: spot-check that existing /api/* endpoints now require auth (gated via Depends(matrix_gate)) when AUTH_DISABLED is False. Health remains public. - conftest.py: flip AUTH_DISABLED=True for the suite so the legacy pre-auth tests keep passing without login. Auth tests flip it back off via their own autouse fixture (now patched to use monkeypatch for cleanup). Verified: 53 auth tests pass; 222 pre-existing non-auth failures are unchanged.
This commit is contained in:
@@ -24,17 +24,28 @@ def _auto_init_db(tmp_path, monkeypatch):
|
||||
Also wires a fresh ``EventBus`` onto ``app.state`` because ``TestClient``
|
||||
does not invoke the FastAPI lifespan handler unless used as a context
|
||||
manager. The bus is reset between tests so subscribers don't leak.
|
||||
|
||||
Auth gating is enabled at the router/endpoint level via the
|
||||
``Depends(matrix_gate)`` wiring in ``cyclone.api``. The auth tests
|
||||
(``test_auth_*``) explicitly flip ``AUTH_DISABLED = False`` and
|
||||
authenticate via the public login route to exercise the real
|
||||
auth path. Every other test — the original test suite predates
|
||||
auth — gets ``AUTH_DISABLED = True`` here so the existing tests
|
||||
keep working without each one having to login first.
|
||||
"""
|
||||
monkeypatch.setenv("CYCLONE_DB_URL", f"sqlite:///{tmp_path}/test.db")
|
||||
from cyclone import db
|
||||
from cyclone.api import app
|
||||
from cyclone.pubsub import EventBus
|
||||
from cyclone.auth import deps
|
||||
|
||||
db._reset_for_tests()
|
||||
db.init_db()
|
||||
app.state.event_bus = EventBus()
|
||||
deps.AUTH_DISABLED = True
|
||||
try:
|
||||
yield
|
||||
finally:
|
||||
deps.AUTH_DISABLED = False
|
||||
app.state.event_bus = None
|
||||
db._reset_for_tests()
|
||||
Reference in New Issue
Block a user