left4me/l4d2web/tests/test_auth.py

import pytest

from l4d2web.app import create_app
from l4d2web.auth import hash_password
from l4d2web.db import init_db, session_scope
from l4d2web.models import User


@pytest.fixture
def client(tmp_path, monkeypatch):
    db_url = f"sqlite:///{tmp_path/'auth.db'}"
    monkeypatch.setenv("DATABASE_URL", db_url)
    app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
    init_db()
    return app.test_client()


@pytest.fixture
def seed_user(tmp_path, monkeypatch):
    db_url = f"sqlite:///{tmp_path/'seed.db'}"
    monkeypatch.setenv("DATABASE_URL", db_url)
    app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
    init_db()
    with app.app_context():
        with session_scope() as session:
            user = User(username="alice", password_digest=hash_password("secret"), admin=False)
            session.add(user)
            session.flush()
            user_id = user.id
    return user_id


def test_login_page_renders_form(client) -> None:
    response = client.get("/login")
    text = response.get_data(as_text=True)

    assert response.status_code == 200
    assert '<form method="post" action="/login"' in text
    assert 'name="username"' in text
    assert 'name="password"' in text
    assert "signup" not in text.lower()


def test_login_page_drops_unsafe_encoded_next(client) -> None:
    response = client.get("/login?next=/%5Cevil.com")
    text = response.get_data(as_text=True)

    assert response.status_code == 200
    assert 'name="next"' not in text
    assert "evil.com" not in text


def test_signup_routes_are_gone(client) -> None:
    assert client.get("/signup").status_code == 404
    assert client.post("/signup", data={"username": "alice", "password": "secret"}).status_code == 404


def test_login_redirects_to_safe_next(client) -> None:
    with session_scope() as session:
        session.add(User(username="alice", password_digest=hash_password("secret"), admin=False))

    response = client.post(
        "/login",
        data={"username": "alice", "password": "secret", "next": "/servers"},
    )

    assert response.status_code == 302
    assert response.headers["Location"].endswith("/servers")


def test_login_ignores_unsafe_next(client) -> None:
    with session_scope() as session:
        session.add(User(username="alice", password_digest=hash_password("secret"), admin=False))

    response = client.post(
        "/login",
        data={"username": "alice", "password": "secret", "next": "https://example.com/steal"},
    )

    assert response.status_code == 302
    assert response.headers["Location"].endswith("/dashboard")


def test_login_ignores_backslash_next(client) -> None:
    with session_scope() as session:
        session.add(User(username="alice", password_digest=hash_password("secret"), admin=False))

    response = client.post(
        "/login",
        data={"username": "alice", "password": "secret", "next": "/\\evil.com"},
    )

    assert response.status_code == 302
    assert response.headers["Location"].endswith("/dashboard")


def test_login_ignores_percent_encoded_backslash_next(client) -> None:
    with session_scope() as session:
        session.add(User(username="alice", password_digest=hash_password("secret"), admin=False))

    response = client.post(
        "/login",
        data={"username": "alice", "password": "secret", "next": "/%5Cevil.com"},
    )

    assert response.status_code == 302
    assert response.headers["Location"].endswith("/dashboard")


def test_login_sets_session(client) -> None:
    with session_scope() as session:
        session.add(User(username="alice", password_digest=hash_password("secret"), admin=False))

    response = client.post("/login", data={"username": "alice", "password": "secret"})
    assert response.status_code == 302

    with client.session_transaction() as sess:
        assert sess.get("user_id") is not None


def test_create_user_cli_uses_environment_password(tmp_path, monkeypatch) -> None:
    db_url = f"sqlite:///{tmp_path/'create_user.db'}"
    monkeypatch.setenv("DATABASE_URL", db_url)
    monkeypatch.setenv("LEFT4ME_ADMIN_PASSWORD", "secret")
    app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
    init_db()

    result = app.test_cli_runner().invoke(args=["create-user", "admin", "--admin"])

    assert result.exit_code == 0
    assert "created user admin" in result.output
    with session_scope() as session:
        user = session.query(User).filter_by(username="admin").one()
        assert user.admin is True


def test_create_user_cli_rejects_empty_environment_password(tmp_path, monkeypatch) -> None:
    db_url = f"sqlite:///{tmp_path/'empty_password.db'}"
    monkeypatch.setenv("DATABASE_URL", db_url)
    monkeypatch.setenv("LEFT4ME_ADMIN_PASSWORD", "")
    app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
    init_db()

    result = app.test_cli_runner().invoke(args=["create-user", "admin", "--admin"])

    assert result.exit_code != 0
    assert "password must not be empty" in result.output


def test_create_user_cli_rejects_duplicate_username(tmp_path, monkeypatch) -> None:
    db_url = f"sqlite:///{tmp_path/'duplicate_user.db'}"
    monkeypatch.setenv("DATABASE_URL", db_url)
    monkeypatch.setenv("LEFT4ME_ADMIN_PASSWORD", "secret")
    app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
    init_db()
    with session_scope() as session:
        session.add(User(username="admin", password_digest=hash_password("secret"), admin=True))

    result = app.test_cli_runner().invoke(args=["create-user", "admin", "--admin"])

    assert result.exit_code != 0
    assert "user already exists" in result.output