fixed tests (access_token -> csrf_token)

HardMax71 · HardMax71 · commit 227eb352ebd0 · 2025-07-06T20:42:39.000+02:00
diff --git a/backend/tests/integration/test_auth_api.py b/backend/tests/integration/test_auth_api.py
@@ -37,9 +37,10 @@ async def setup(self, client: AsyncClient, db: AsyncIOMotorDatabase) -> None:
             pytest.fail(f"Auth setup: Login failed: {login_response.status_code} {login_response.text}")
 
         login_data = login_response.json()
-        assert "access_token" in login_data
-        self.token = login_data["access_token"]
-        self.headers = {"Authorization": f"Bearer {self.token}"}
+        assert "csrf_token" in login_data
+        assert "message" in login_data
+        self.csrf_token = login_data["csrf_token"]
+        self.headers = {"X-CSRF-Token": self.csrf_token}
 
     @pytest.mark.asyncio
     async def test_login_success(self) -> None:
@@ -49,7 +50,10 @@ async def test_login_success(self) -> None:
             data={"username": self.test_username, "password": self.test_password},
         )
         assert login_response.status_code == 200
-        assert "access_token" in login_response.json()
+        data = login_response.json()
+        assert "csrf_token" in data
+        assert "message" in data
+        assert data["message"] == "Login successful"
 
     @pytest.mark.asyncio
     async def test_login_wrong_password(self) -> None:
@@ -103,20 +107,22 @@ async def test_register_duplicate_user(self) -> None:
     @pytest.mark.asyncio
     async def test_verify_token_valid(self) -> None:
         """Verify a valid token (using token from setup)."""
-        response = await self.client.get("/api/v1/verify-token", headers=self.headers)
+        response = await self.client.get("/api/v1/verify-token")
         assert response.status_code == 200
         data = response.json()
-        assert data == {"valid": True, "username": self.test_username}
+        assert data["valid"] == True
+        assert data["username"] == self.test_username
+        assert "csrf_token" in data
 
     @pytest.mark.asyncio
     async def test_verify_token_invalid_token(self) -> None:
         """Verify an invalid/malformed token fails."""
-        invalid_headers = {"Authorization": "Bearer invalidtoken"}
-        response = await self.client.get("/api/v1/verify-token", headers=invalid_headers)
+        # Clear cookies to simulate invalid token
+        response = await self.client.get("/api/v1/verify-token", cookies={})
         assert response.status_code == 401
 
     @pytest.mark.asyncio
     async def test_verify_token_no_token(self) -> None:
         """Verify request fails without token."""
-        response = await self.client.get("/api/v1/verify-token")  # No headers
+        response = await self.client.get("/api/v1/verify-token", cookies={})  # No cookies
         assert response.status_code == 401
diff --git a/backend/tests/integration/test_execution_api.py b/backend/tests/integration/test_execution_api.py
@@ -40,9 +40,10 @@ async def setup(self, client: AsyncClient, db: AsyncIOMotorDatabase) -> None:
         if login_response.status_code != 200:
             pytest.fail(f"Exec setup: Login failed: {login_response.status_code} {login_response.text}")
         login_data = login_response.json()
-        assert "access_token" in login_data
-        self.token = login_data["access_token"]
-        self.headers = {"Authorization": f"Bearer {self.token}"}
+        assert "csrf_token" in login_data
+        assert "message" in login_data
+        self.csrf_token = login_data["csrf_token"]
+        self.headers = {"X-CSRF-Token": self.csrf_token}
 
     @pytest.mark.asyncio
     async def test_execute_script_success_workflow(self) -> None:
@@ -146,7 +147,7 @@ async def test_k8s_resource_limits(self) -> None:
     async def test_execute_endpoint_without_auth(self) -> None:
         """Test accessing execute endpoint without authentication (should succeed)."""
         execution_request = {"script": "print('no auth test should pass')"}
-        response = await self.client.post("/api/v1/execute", json=execution_request)  # No headers
+        response = await self.client.post("/api/v1/execute", json=execution_request, cookies={})  # No cookies
         # Expect 200 OK because the endpoint is public
         assert response.status_code == 200
         assert "execution_id" in response.json()
@@ -155,6 +156,6 @@ async def test_execute_endpoint_without_auth(self) -> None:
     @pytest.mark.asyncio
     async def test_result_endpoint_without_auth(self) -> None:
         non_existent_id = "nonexistent-public-id-999"
-        response = await self.client.get(f"/api/v1/result/{non_existent_id}")  # No headers
+        response = await self.client.get(f"/api/v1/result/{non_existent_id}", cookies={})  # No cookies
         # Expect 404 Not Found because the ID doesn't exist, *not* 401 because the endpoint is public
         assert response.status_code == 404
diff --git a/backend/tests/integration/test_saved_scripts_api.py b/backend/tests/integration/test_saved_scripts_api.py
@@ -35,9 +35,10 @@ async def setup(self, client: AsyncClient, db: AsyncIOMotorDatabase) -> None:
         if login_response.status_code != 200:
             pytest.fail(f"Scripts setup: Login failed: {login_response.status_code} {login_response.text}")
         login_data = login_response.json()
-        assert "access_token" in login_data
-        self.token = login_data["access_token"]
-        self.headers = {"Authorization": f"Bearer {self.token}"}
+        assert "csrf_token" in login_data
+        assert "message" in login_data
+        self.csrf_token = login_data["csrf_token"]
+        self.headers = {"X-CSRF-Token": self.csrf_token}
 
     @pytest.mark.asyncio
     async def test_saved_scripts_crud_workflow(self) -> None:
@@ -132,11 +133,12 @@ async def test_list_scripts_empty(self) -> None:
     async def test_scripts_endpoints_without_auth(self) -> None:
         """Test accessing scripts endpoints without authentication."""
         script_data = {"name": "No Auth", "script": "print('no')"}
-        response_post = await self.client.post("/api/v1/scripts", json=script_data)
-        response_get_list = await self.client.get("/api/v1/scripts")
-        response_get_one = await self.client.get("/api/v1/scripts/some-id")
-        response_put = await self.client.put("/api/v1/scripts/some-id", json=script_data)
-        response_delete = await self.client.delete("/api/v1/scripts/some-id")
+        # Use empty cookies to simulate no authentication
+        response_post = await self.client.post("/api/v1/scripts", json=script_data, cookies={})
+        response_get_list = await self.client.get("/api/v1/scripts", cookies={})
+        response_get_one = await self.client.get("/api/v1/scripts/some-id", cookies={})
+        response_put = await self.client.put("/api/v1/scripts/some-id", json=script_data, cookies={})
+        response_delete = await self.client.delete("/api/v1/scripts/some-id", cookies={})
 
         assert response_post.status_code == 401
         assert response_get_list.status_code == 401
