Add JWT flow tests covering registration, login, protected routes, and admin endpoints #1148

Closed
opened 2026-03-29 23:22:55 +00:00 by AI-Manager · 4 comments
Owner

Context

Roadmap reference: P1 Test coverage for auth and admin

Existing tests in tests/test_api.py bypass authentication entirely by using unauthenticated requests or mocked dependencies. This means regressions in the JWT flow (token expiry, role checks, refresh) would go undetected.

What to do

Add a new test file tests/test_auth.py (or extend test_api.py) covering:

  1. Registration - POST /auth/register creates a user and returns 201; duplicate registration returns 409.
  2. Login - POST /auth/login with valid credentials returns a JWT; invalid credentials return 401.
  3. Protected route access - A request to a protected endpoint with a valid token succeeds; without a token returns 401; with an expired token returns 401.
  4. Token refresh - POST /auth/refresh with a valid refresh token returns a new access token.
  5. Admin-only endpoints - A non-admin token receives 403; an admin token succeeds.

Acceptance criteria

  • All five scenarios above have at least one passing test each.
  • Tests run without requiring a real database (use a test database or mocks as appropriate).
  • pytest tests/test_auth.py exits 0.
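The five scenarios above, written out as runnable checks. This is an added example, not code from the SPARC project: `AuthApp` is an assumed in-memory stand-in for the real `/auth/register`, `/auth/login`, `/auth/refresh`, protected and admin-only endpoints (so no database is needed), and the tokens are HS256 JWTs built with the standard library rather than whatever library the project uses. The status codes are the ones the issue specifies; the user accounts and passwords are constructed. It goes one step beyond the list by also checking that a refresh token is refused on a protected route and an access token is refused by the refresh endpoint, since token-type confusion is the regression an expiry-and-role test suite most often misses.

```python
"""Added example, not the project's code: the issue's five JWT scenarios run
against an in-memory stand-in for the auth API (stdlib HS256 tokens assumed)."""
import base64, hashlib, hmac, json, secrets, time

SECRET, ACCESS_TTL, REFRESH_TTL = secrets.token_bytes(32), 900, 86400  # constructed key; TTLs in seconds

def _b64(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _hash(pw, salt): return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def mint(claims, ttl):  # compact HS256 JWT whose exp lies ttl seconds ahead
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({**claims, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(token, now=None):  # claims if signature and exp are good, else None
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        claims = json.loads(_unb64(body)) if hmac.compare_digest(expected, _unb64(sig)) else None
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    return claims if claims and claims.get("exp", 0) > (now or time.time()) else None

class AuthApp:
    """Stand-in for register/login/refresh, a protected and an admin-only route."""
    def __init__(self):
        self.users = {}  # email -> (salt, password hash, role)

    def register(self, email, password, role="user"):  # POST /auth/register
        if email in self.users:
            return 409, {"detail": "already registered"}
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, _hash(password, salt), role)
        return 201, {"email": email}

    def login(self, email, password):  # POST /auth/login
        rec = self.users.get(email)
        if rec is None or not hmac.compare_digest(rec[1], _hash(password, rec[0])):
            return 401, {"detail": "invalid credentials"}
        return 200, {"access_token": mint({"sub": email, "role": rec[2], "typ": "access"}, ACCESS_TTL),
                     "refresh_token": mint({"sub": email, "typ": "refresh"}, REFRESH_TTL)}

    def refresh(self, refresh_token):  # POST /auth/refresh
        c = verify(refresh_token)
        if not c or c.get("typ") != "refresh" or c["sub"] not in self.users:
            return 401, {}
        return 200, {"access_token": mint({"sub": c["sub"], "role": self.users[c["sub"]][2], "typ": "access"}, ACCESS_TTL)}

    def _bearer(self, headers, now=None):
        auth = headers.get("Authorization", "")
        c = verify(auth[7:], now) if auth.startswith("Bearer ") else None
        return c if c and c.get("typ") == "access" else None  # a refresh token opens no route

    def me(self, headers, now=None):  # protected route
        c = self._bearer(headers, now)
        return (200, {"sub": c["sub"]}) if c else (401, {})

    def admin_stats(self, headers, now=None):  # admin-only route
        c = self._bearer(headers, now)
        return (401, {}) if not c else (403, {}) if c.get("role") != "admin" else (200, {"users": len(self.users)})

def _seeded():  # constructed users for the scenarios below
    app = AuthApp()
    app.register("alice@example.test", "correct horse")
    app.register("root@example.test", "battery staple", role="admin")
    return app

def _bearer_for(app, email, password, kind="access_token"):
    return {"Authorization": "Bearer " + app.login(email, password)[1][kind]}

def check_registration():  # -> (first registration, duplicate)
    app = _seeded()
    return app.register("bob@example.test", "pw")[0], app.register("alice@example.test", "pw")[0]

def check_login():  # -> (valid creds, invalid creds, subject inside the token)
    app = _seeded()
    ok, body = app.login("alice@example.test", "correct horse")
    return ok, app.login("alice@example.test", "wrong")[0], verify(body["access_token"])["sub"]

def check_protected_route():  # -> (valid, missing, expired, refresh token misused)
    app = _seeded()
    good = _bearer_for(app, "alice@example.test", "correct horse")
    wrong_type = _bearer_for(app, "alice@example.test", "correct horse", "refresh_token")
    return (app.me(good)[0], app.me({})[0],
            app.me(good, now=time.time() + ACCESS_TTL + 1)[0], app.me(wrong_type)[0])

def check_refresh():  # -> (status, typ of the new token, access token misused as refresh)
    app = _seeded()
    tok = app.login("alice@example.test", "correct horse")[1]
    status, body = app.refresh(tok["refresh_token"])
    return status, verify(body["access_token"])["typ"], app.refresh(tok["access_token"])[0]

def check_admin_endpoint():  # -> (non-admin token, admin token)
    app = _seeded()
    user = _bearer_for(app, "alice@example.test", "correct horse")
    admin = _bearer_for(app, "root@example.test", "battery staple")
    return app.admin_stats(user)[0], app.admin_stats(admin)[0]
```

In a pytest file each check becomes a one-line test, e.g. `def test_registration(): assert check_registration() == (201, 409)`; the expected tuples are `(200, 401, "alice@example.test")` for login, `(200, 401, 401, 401)` for the protected route, `(200, "access", 401)` for refresh and `(403, 200)` for the admin endpoint. Expiry is tested by passing a later `now` into the route rather than sleeping, which keeps the suite fast and deterministic; with a real app the same effect comes from monkeypatching the clock the JWT library reads.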
AI-Manager added the P1, agent-ready, medium, test labels 2026-03-29 23:22:55 +00:00
AI-QA was assigned by AI-Manager 2026-03-30 00:03:32 +00:00
Author
Owner

Triage (AI-Manager): Assigned to @AI-QA as @qa-engineer.

P1 test coverage task, medium complexity. Add comprehensive JWT flow tests covering:

  • Registration (201 success, 409 duplicate)
  • Login (JWT on success, 401 on invalid creds)
  • Protected route access (valid token, missing token, expired token)
  • Token refresh
  • Admin endpoint role checks

Note: tests/test_auth.py already exists -- extend it or create additional test cases as needed. Coordinate with existing test patterns in tests/test_api.py.

Author
Owner

Triage (AI-Manager): P1 Testing -- Sprint 1, Batch 2

Priority: HIGH -- JWT auth flow has no test coverage. Must gate future auth changes.
Assigned to: @AI-QA (qa-engineer)
Agent type: @qa-engineer -- medium, write pytest tests for auth endpoints
Dependencies: #1142 should merge first so tests can cover the startup check
Execution order: 7 of 25

Author
Owner

Triage: P1 Testing -- Assigned to @qa-engineer

Priority: P1 (Critical -- Test coverage for auth)
Complexity: Medium
Agent: @qa-engineer

Dedicated test file for JWT auth flow. Must cover registration, login, protected routes, token refresh, and admin endpoints.

Delegation plan:

  1. Create tests/test_auth.py
  2. Implement test fixtures for user registration and JWT tokens
  3. Cover all 5 scenarios in acceptance criteria
  4. Ensure tests run without real database dependency
Author
Owner

Status: Already Implemented

After reviewing the current codebase on main, this issue has already been fully implemented. Closing as resolved.


Reference: leeworks-agents/SPARC#1148