fix(auth): Resolve lint regressions and add security regression test

2026-02-18 14:56:17 -08:00
parent f5aeb9d956
commit cc927e2a90
2 changed files with 19 additions and 5 deletions
--- a/backend/tests/api/test_auth_refresh.py
+++ b/backend/tests/api/test_auth_refresh.py
@@ -60,3 +60,17 @@ def test_refresh_token_wrong_type(client):
    response = client.post("/api/v1/auth/refresh")
    assert response.status_code == 401
    assert response.json()["detail"] == "Invalid token type"
+
+def test_protected_endpoint_rejects_refresh_token(client):
+    """Regression test: Ensure refresh tokens cannot be used to access protected endpoints."""
+    user_id = "test-user-id"
+    refresh_token = create_refresh_token({"sub": user_id})
+    
+    # Attempt to access /auth/me with a refresh token in the cookie
+    client.cookies.set("access_token", refresh_token)
+    
+    response = client.get("/api/v1/auth/me")
+    
+    # Should be rejected with 401
+    assert response.status_code == 401
+    assert "Cannot use refresh token for this endpoint" in response.json()["detail"]