feat(auth): Complete OIDC security refactor and modernize test suite

- Refactored OIDC flow to implement PKCE, state/nonce validation, and BFF pattern. - Centralized configuration in Settings class (DEV_MODE, FRONTEND_URL, OIDC_REDIRECT_URI). - Updated auth routers to use conditional secure cookie flags based on DEV_MODE. - Modernized and cleaned up test suite by removing legacy Streamlit tests. - Fixed linting errors and unused imports across the backend.
2026-02-15 02:50:26 -08:00
parent 48ad0ebdd7
commit 68c0985482
50 changed files with 222 additions and 515 deletions
--- a/backend/tests/api/test_api_auth.py
+++ b/backend/tests/api/test_api_auth.py
@@ -1,6 +1,6 @@
 import pytest
 from fastapi.testclient import TestClient
-from unittest.mock import MagicMock, patch
+from unittest.mock import patch
 from ea_chatbot.api.main import app
 from ea_chatbot.history.models import User

@@ -66,31 +66,43 @@ def test_protected_route_without_token():
    assert response.status_code == 401

 def test_oidc_login_redirect():
-    """Test that OIDC login returns a redirect URL."""
+    """Test that OIDC login returns a redirect URL and sets session cookie."""
    with patch("ea_chatbot.api.routers.auth.oidc_client") as mock_oidc:
-        mock_oidc.get_login_url.return_value = "https://oidc-provider.com/auth"
+        mock_oidc.get_auth_data.return_value = {
+            "url": "https://oidc-provider.com/auth",
+            "state": "test_state",
+            "nonce": "test_nonce",
+            "code_verifier": "test_verifier"
+        }
        
        response = client.get("/api/v1/auth/oidc/login")
        assert response.status_code == 200
        assert response.json()["url"] == "https://oidc-provider.com/auth"
+        assert "oidc_session" in response.cookies

-def test_oidc_callback_success_ajax():
-    """Test successful OIDC callback and JWT issuance via AJAX."""
+def test_oidc_callback_success():
+    """Test successful OIDC callback and JWT issuance."""
    with patch("ea_chatbot.api.routers.auth.oidc_client") as mock_oidc, \
+         patch("ea_chatbot.api.routers.auth.OIDCSession.decrypt") as mock_decrypt, \
         patch("ea_chatbot.api.routers.auth.history_manager") as mock_hm:
        
-        mock_oidc.exchange_code_for_token.return_value = {"access_token": "oidc-token"}
-        mock_oidc.get_user_info.return_value = {"email": "sso@example.com", "name": "SSO User"}
+        mock_decrypt.return_value = {
+            "state": "test_state",
+            "nonce": "test_nonce",
+            "code_verifier": "test_verifier"
+        }
+        mock_oidc.exchange_code_for_token.return_value = {"id_token": "fake_id_token"}
+        mock_oidc.validate_id_token.return_value = {"email": "sso@example.com", "name": "SSO User"}
        mock_hm.sync_user_from_oidc.return_value = User(id="sso-123", username="sso@example.com", display_name="SSO User")
        
+        client.cookies.set("oidc_session", "fake_token")
        response = client.get(
-            "/api/v1/auth/oidc/callback?code=some-code",
-            headers={"Accept": "application/json"}
+            "/api/v1/auth/oidc/callback?code=some-code&state=test_state",
+            follow_redirects=False
        )
        
-        assert response.status_code == 200
-        assert "access_token" in response.json()
-        assert response.json()["token_type"] == "bearer"
+        assert response.status_code == 302
+        assert "access_token" in response.cookies

 def test_get_me_success():
    """Test getting current user with a valid token."""