"""Spot-check that existing endpoints now require auth (when AUTH_DISABLED is not set). The conftest in ``tests/conftest.py`` flips ``AUTH_DISABLED=True`` for every test module that does NOT start with ``test_auth`` — this module deliberately is NOT named ``test_auth_*`` so it inherits the default disabled posture... wait, that's the opposite of what we want. This module is named ``test_existing_endpoints_require_auth`` so the conftest will treat it as a legacy test and set ``AUTH_DISABLED=True``, bypassing the auth check entirely. To actually verify the gate, this test's ``client`` fixture flips ``AUTH_DISABLED`` to ``False`` *just for this test*, then restores it afterwards. This way the rest of the suite still sees the disabled posture and existing tests keep passing. """ from __future__ import annotations import pytest from fastapi.testclient import TestClient from sqlalchemy import delete from cyclone.api import app from cyclone.auth import deps as _auth_deps from cyclone.auth.deps import AUTH_DISABLED from cyclone.db import Session as DbSession from cyclone.db import SessionLocal, User @pytest.fixture(autouse=True) def _clear(): with SessionLocal()() as db: db.execute(delete(DbSession)) db.execute(delete(User)) db.commit() yield with SessionLocal()() as db: db.execute(delete(DbSession)) db.execute(delete(User)) db.commit() @pytest.fixture def client(): # Force AUTH_DISABLED=False for these tests so the dep actually checks the cookie. original = AUTH_DISABLED _auth_deps.AUTH_DISABLED = False try: yield TestClient(app) finally: _auth_deps.AUTH_DISABLED = original @pytest.mark.parametrize("method,path", [ ("GET", "/api/claims"), ("GET", "/api/remittances"), ("GET", "/api/providers"), ("GET", "/api/batches"), ("GET", "/api/dashboard/summary"), ("GET", "/api/activity"), ]) def test_existing_get_endpoints_require_auth(client, method, path): resp = client.request(method, path) assert resp.status_code == 401, f"{method} {path} returned {resp.status_code}" def test_health_is_public(client): """``/api/health`` is the public healthcheck and must remain reachable.""" resp = client.get("/api/health") assert resp.status_code != 401, f"/api/health returned {resp.status_code}"