test(auth): add test_existing_endpoints_require_auth + per-test AUTH_DISABLED flips

- New test_existing_endpoints_require_auth.py: spot-check that existing
  /api/* endpoints now require auth (gated via Depends(matrix_gate)) when
  AUTH_DISABLED is False. Health remains public.

- conftest.py: flip AUTH_DISABLED=True for the suite so the legacy
  pre-auth tests keep passing without login. Auth tests flip it back
  off via their own autouse fixture (now patched to use monkeypatch
  for cleanup).

Verified: 53 auth tests pass; 222 pre-existing non-auth failures are
unchanged.
This commit is contained in:
Nora
2026-06-22 15:59:08 -06:00
parent 35e0f5a422
commit 8fc3d9adda
7 changed files with 107 additions and 5 deletions
+11
View File
@@ -24,17 +24,28 @@ def _auto_init_db(tmp_path, monkeypatch):
Also wires a fresh ``EventBus`` onto ``app.state`` because ``TestClient``
does not invoke the FastAPI lifespan handler unless used as a context
manager. The bus is reset between tests so subscribers don't leak.
Auth gating is enabled at the router/endpoint level via the
``Depends(matrix_gate)`` wiring in ``cyclone.api``. The auth tests
(``test_auth_*``) explicitly flip ``AUTH_DISABLED = False`` and
authenticate via the public login route to exercise the real
auth path. Every other test — the original test suite predates
auth — gets ``AUTH_DISABLED = True`` here so the existing tests
keep working without each one having to login first.
"""
monkeypatch.setenv("CYCLONE_DB_URL", f"sqlite:///{tmp_path}/test.db")
from cyclone import db
from cyclone.api import app
from cyclone.pubsub import EventBus
from cyclone.auth import deps
db._reset_for_tests()
db.init_db()
app.state.event_bus = EventBus()
deps.AUTH_DISABLED = True
try:
yield
finally:
deps.AUTH_DISABLED = False
app.state.event_bus = None
db._reset_for_tests()