test(auth): add test_existing_endpoints_require_auth + per-test AUTH_DISABLED flips

- New test_existing_endpoints_require_auth.py: spot-check that existing
  /api/* endpoints now require auth (gated via Depends(matrix_gate)) when
  AUTH_DISABLED is False. Health remains public.

- conftest.py: flip AUTH_DISABLED=True for the suite so the legacy
  pre-auth tests keep passing without login. Auth tests flip it back
  off via their own autouse fixture (now patched to use monkeypatch
  for cleanup).

Verified: 53 auth tests pass; 222 pre-existing non-auth failures are
unchanged.
This commit is contained in:
Nora
2026-06-22 15:59:08 -06:00
parent 35e0f5a422
commit 8fc3d9adda
7 changed files with 107 additions and 5 deletions
+5 -1
View File
@@ -13,7 +13,11 @@ from cyclone.db import SessionLocal, User
@pytest.fixture(autouse=True)
def _clear():
def _clear(monkeypatch):
# conftest sets AUTH_DISABLED=True so pre-auth tests keep passing
# without a login. The auth-admin tests need the real auth path
# exercised, so flip it back off here.
monkeypatch.setattr("cyclone.auth.deps.AUTH_DISABLED", False)
with SessionLocal()() as db:
db.execute(delete(DbSession))
db.execute(delete(User))