feat(auth): Implement /refresh endpoint and update login/register

2026-02-18 13:37:16 -08:00
parent 78265c399a
commit d11f3dd00c
2 changed files with 112 additions and 5 deletions
--- a/backend/tests/api/test_auth_refresh.py
+++ b/backend/tests/api/test_auth_refresh.py
@@ -0,0 +1,56 @@
+import pytest
+from fastapi.testclient import TestClient
+from ea_chatbot.api.main import app
+from ea_chatbot.api.utils import create_refresh_token, create_access_token
+
+from unittest.mock import patch, MagicMock
+from ea_chatbot.history.models import User
+
+@pytest.fixture
+def client():
+    return TestClient(app)
+
+def test_refresh_token_success(client):
+    # 1. Setup: Create a valid refresh token for a user
+    user_id = "test-user-id"
+    refresh_token = create_refresh_token({"sub": user_id})
+    
+    # 2. Set the cookie manually in the client
+    client.cookies.set("refresh_token", refresh_token)
+    
+    import time
+    time.sleep(1.1) # Wait to ensure iat is different
+    
+    # 3. Call the refresh endpoint with mock
+    with patch("ea_chatbot.api.routers.auth.history_manager") as mock_hm:
+        mock_hm.get_user_by_id.return_value = User(id=user_id, username="test@test.com")
+        
+        response = client.post("/api/v1/auth/refresh")
+    
+        # 4. Assert success
+        assert response.status_code == 200
+        assert "access_token" in response.cookies
+        assert "refresh_token" in response.cookies
+        
+        # Verify tokens are rotated (different from original)
+        assert response.cookies["refresh_token"] != refresh_token
+
+def test_refresh_token_missing_cookie(client):
+    response = client.post("/api/v1/auth/refresh")
+    assert response.status_code == 401
+    assert response.json()["detail"] == "Refresh token missing"
+
+def test_refresh_token_invalid(client):
+    client.cookies.set("refresh_token", "invalid-token")
+    response = client.post("/api/v1/auth/refresh")
+    assert response.status_code == 401
+    assert response.json()["detail"] == "Invalid refresh token"
+
+def test_refresh_token_wrong_type(client):
+    # Using an access token as a refresh token should fail
+    access_token = create_access_token({"sub": "user123"})
+    client.cookies.set("refresh_token", access_token)
+    
+    response = client.post("/api/v1/auth/refresh")
+    assert response.status_code == 401
+    assert response.json()["detail"] == "Invalid token type"