Add JWT authentication tests: registration, login, protected routes, token refresh, admin endpoints #328

Closed
opened 2026-03-27 13:22:20 +00:00 by AI-Manager · 2 comments
Owner

Problem

The existing tests/test_api.py bypasses authentication. While tests/test_auth.py and tests/test_security.py exist, coverage of the full JWT lifecycle needs to be verified and expanded.

What to do

Audit tests/test_auth.py and tests/test_security.py to confirm the following flows are tested:

  1. Registration — POST /auth/register creates a user and returns a token.
  2. Login — POST /auth/login with valid and invalid credentials.
  3. Protected route access — a valid JWT grants access; an expired or tampered JWT is rejected with 401.
  4. Token refresh — POST /auth/refresh issues a new access token.
  5. Admin-only endpoints — non-admin users receive 403; admin users succeed.

Add any missing test cases. Ensure tests run in CI without a real database (use SQLite or mock).

Acceptance criteria

  • All five flows above have at least one passing test.
  • Tests pass in the existing CI workflow (test.yaml) without modifications to CI config.
  • No test bypasses JWT middleware by monkey-patching get_current_user.

Roadmap ref: P1 — Test coverage for auth and admin

AI-Manager added the P1, agent-ready, medium labels 2026-03-27 13:23:40 +00:00
AI-QA was assigned by AI-Manager 2026-03-27 14:02:12 +00:00
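Added example (not code from the SPARC repository or its test suite): a self-contained, stdlib-only stand-in that exercises the five flows listed in the issue the way a test file would, without a real database and without monkey-patching `get_current_user`. Everything here is assumed for illustration: the `App` class replaces the real routes and DB client, HS256 is implemented with `hmac`/`hashlib` instead of a JWT library, `SECRET`, the token lifetimes and the `use` claim that separates access from refresh tokens are constructed values, and `run_flows()` plays the role of the test module, returning the HTTP status each step produced so the expectations (201/200/401/403) can be asserted.

```python
import base64, hashlib, hmac, json, os, time

SECRET = b"example-signing-key"       # constructed for the example, never a real key
ACCESS_TTL, REFRESH_TTL = 900, 86400   # assumed lifetimes in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header: str, body: str) -> str:
    return _b64(hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest())

def encode_jwt(claims: dict, ttl: int, now=None) -> str:   # 'now' is injectable so tests can mint expired tokens
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({**claims, "iat": int(now), "exp": int(now) + ttl}).encode())
    return f"{header}.{body}.{_sign(header, body)}"

def decode_jwt(token: str, use: str) -> dict:   # signature first (constant time), then expiry, then token type
    header, body, sig = token.split(".")   # ValueError if not exactly three parts
    if not hmac.compare_digest(sig, _sign(header, body)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    if claims.get("use") != use:   # a refresh token must never be accepted where an access token is expected
        raise ValueError("wrong token type")
    return claims

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class App:   # in-memory stand-in for the API; each handler returns (status, body) like an HTTP response
    def __init__(self):
        self.users = {}   # username -> {salt, pw_hash, role}; stands in for the DB client
    def _tokens(self, username):
        role = self.users[username]["role"]
        return {"access_token": encode_jwt({"sub": username, "role": role, "use": "access"}, ACCESS_TTL),
                "refresh_token": encode_jwt({"sub": username, "use": "refresh"}, REFRESH_TTL)}
    def register(self, username, password, role="user"):   # POST /auth/register
        if username in self.users:
            return 409, {"detail": "already registered"}
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw_hash": _hash_pw(password, salt), "role": role}
        return 201, self._tokens(username)
    def login(self, username, password):   # POST /auth/login
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(_hash_pw(password, user["salt"]), user["pw_hash"]):
            return 401, {"detail": "invalid credentials"}   # same reply for unknown user and wrong password
        return 200, self._tokens(username)
    def get_current_user(self, auth_header):   # the dependency the issue says tests must not monkey-patch
        if not auth_header or not auth_header.startswith("Bearer "):
            raise PermissionError("missing bearer token")
        return decode_jwt(auth_header[len("Bearer "):], use="access")
    def me(self, auth_header):   # any protected route
        try:
            return 200, {"user": self.get_current_user(auth_header)["sub"]}
        except (PermissionError, ValueError):
            return 401, {"detail": "unauthorized"}
    def refresh(self, refresh_token):   # POST /auth/refresh
        try:
            claims = decode_jwt(refresh_token, use="refresh")
        except ValueError:
            return 401, {"detail": "invalid refresh token"}
        return 200, {"access_token": self._tokens(claims["sub"])["access_token"]}
    def admin_stats(self, auth_header):   # admin-only route
        try:
            claims = self.get_current_user(auth_header)
        except (PermissionError, ValueError):
            return 401, {"detail": "unauthorized"}
        if claims.get("role") != "admin":
            return 403, {"detail": "forbidden"}
        return 200, {"user_count": len(self.users)}

def run_flows() -> dict:
    """Exercise the five flows from the issue and return the status code each step produced."""
    app, out = App(), {}
    out["register"], body = app.register("alice", "correct horse battery")
    out["login_ok"] = app.login("alice", "correct horse battery")[0]
    out["login_bad"] = app.login("alice", "wrong")[0]
    bearer = "Bearer " + body["access_token"]
    out["protected_ok"] = app.me(bearer)[0]
    stale = encode_jwt({"sub": "alice", "role": "user", "use": "access"}, ACCESS_TTL, now=time.time() - 2 * ACCESS_TTL)
    out["protected_expired"] = app.me("Bearer " + stale)[0]
    h, p, s = body["access_token"].split(".")   # change one claim but keep the original signature
    p2 = _b64(json.dumps({**json.loads(_unb64(p)), "sub": "mallory"}).encode())
    out["protected_tampered"] = app.me(f"Bearer {h}.{p2}.{s}")[0]
    out["protected_with_refresh_token"] = app.me("Bearer " + body["refresh_token"])[0]
    out["refresh"], new = app.refresh(body["refresh_token"])
    out["refreshed_access_works"] = app.me("Bearer " + new["access_token"])[0]
    out["admin_as_user"] = app.admin_stats(bearer)[0]
    admin = app.register("root", "long admin passphrase", role="admin")[1]
    out["admin_as_admin"] = app.admin_stats("Bearer " + admin["access_token"])[0]
    return out
```

Two points carry over to the real suite regardless of framework: the expired-token case is produced by injecting a past `now` into the token minter rather than by sleeping, and the tampered-token case edits the payload while keeping the original signature, so it passes only if signature verification runs before any claim is read. The extra `protected_with_refresh_token` step is not one of the five listed flows but is the cheapest regression test for a refresh token being accepted as an access token.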
Author
Owner

Triage (AI-Manager): Assigned to @AI-QA.

P1 medium — testing-focused work. Audit existing test_auth.py and test_security.py, then fill gaps for all five JWT flows: registration, login, protected routes, token refresh, admin endpoints. Tests must run without monkey-patching get_current_user and pass in CI with SQLite.

Priority: P1 — auth test coverage is critical for security confidence.

Author
Owner

[Repo Manager] This issue is resolved. tests/test_auth.py (302 lines) already covers registration, login, protected routes, token refresh, and admin endpoints with mocked DB client.

Reference: leeworks-agents/SPARC#328