YunxiaoXu/ea-chatbot-lg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): Complete OIDC security refactor and modernize test suite

Browse Source 
- Refactored OIDC flow to implement PKCE, state/nonce validation, and BFF pattern.
- Centralized configuration in Settings class (DEV_MODE, FRONTEND_URL, OIDC_REDIRECT_URI).
- Updated auth routers to use conditional secure cookie flags based on DEV_MODE.
- Modernized and cleaned up test suite by removing legacy Streamlit tests.
- Fixed linting errors and unused imports across the backend.
This commit is contained in:
Yunxiao Xu
2026-02-15 02:50:26 -08:00
parent 48ad0ebdd7
commit 68c0985482
50 changed files with 222 additions and 515 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
backend/tests/api/test_api_auth_cookie.py
View File

@@ -1,6 +1,6 @@
import pytest
from fastapi.testclient import TestClient
from unittest.mock import MagicMock, patch
from unittest.mock import patch
from ea_chatbot.api.main import app
from ea_chatbot.history.models import User
from ea_chatbot.api.utils import create_access_token
@@ -83,15 +83,25 @@ def test_logout_clears_cookie():
def test_oidc_callback_redirects_with_cookie():
"""Test that OIDC callback sets cookie and redirects."""
with patch("ea_chatbot.api.routers.auth.oidc_client") as mock_oidc, \
patch("ea_chatbot.api.routers.auth.OIDCSession.decrypt") as mock_decrypt, \
patch("ea_chatbot.api.routers.auth.history_manager") as mock_hm:
mock_oidc.exchange_code_for_token.return_value = {"access_token": "oidc-token"}
mock_oidc.get_user_info.return_value = {"email": "sso@example.com", "name": "SSO User"}
mock_decrypt.return_value = {
"state": "test_state",
"nonce": "test_nonce",
"code_verifier": "test_verifier"
}
mock_oidc.exchange_code_for_token.return_value = {"id_token": "fake_id_token"}
mock_oidc.validate_id_token.return_value = {"email": "sso@example.com", "name": "SSO User"}
mock_hm.sync_user_from_oidc.return_value = User(id="sso-123", username="sso@example.com", display_name="SSO User")
# Follow_redirects=False to catch the 307/302
response = client.get("/api/v1/auth/oidc/callback?code=some-code", follow_redirects=False)
# Set the session cookie
client.cookies.set("oidc_session", "fake_token")
assert response.status_code in [302, 303, 307]
# Follow_redirects=False to catch the 302
response = client.get("/api/v1/auth/oidc/callback?code=some-code&state=test_state", follow_redirects=False)
assert response.status_code == 302
assert "access_token" in response.cookies
assert "/auth/callback" in response.headers["location"]
# Should redirect to FRONTEND_URL (default http://localhost:5173)
assert "http://localhost:5173" in response.headers["location"]