feat: Update API token handling to use API-TOKEN header and improve related tests

2025-07-27 22:15:23 +02:00
parent 3dc21337f9
commit 58030914e6
5 changed files with 80 additions and 85 deletions
--- a/tests/core/test_api_token_dependencies.py
+++ b/tests/core/test_api_token_dependencies.py
@@ -41,40 +41,40 @@ class TestApiTokenDependencies:
        """Test successful API token authentication."""
        mock_auth_service.get_user_by_api_token.return_value = test_user

-        authorization = "Bearer test_api_token_123"
+        api_token_header = "test_api_token_123"

-        result = await get_current_user_api_token(mock_auth_service, authorization)
+        result = await get_current_user_api_token(mock_auth_service, api_token_header)

        assert result == test_user
        mock_auth_service.get_user_by_api_token.assert_called_once_with("test_api_token_123")

    @pytest.mark.asyncio
    async def test_get_current_user_api_token_no_header(self, mock_auth_service):
-        """Test API token authentication without Authorization header."""
+        """Test API token authentication without API-TOKEN header."""
        with pytest.raises(HTTPException) as exc_info:
            await get_current_user_api_token(mock_auth_service, None)

        assert exc_info.value.status_code == 401
-        assert "Authorization header required" in exc_info.value.detail
-
-    @pytest.mark.asyncio
-    async def test_get_current_user_api_token_invalid_format(self, mock_auth_service):
-        """Test API token authentication with invalid header format."""
-        authorization = "Invalid format"
-
-        with pytest.raises(HTTPException) as exc_info:
-            await get_current_user_api_token(mock_auth_service, authorization)
-
-        assert exc_info.value.status_code == 401
-        assert "Invalid authorization header format" in exc_info.value.detail
+        assert "API-TOKEN header required" in exc_info.value.detail

    @pytest.mark.asyncio
    async def test_get_current_user_api_token_empty_token(self, mock_auth_service):
        """Test API token authentication with empty token."""
-        authorization = "Bearer "
+        api_token_header = "   "

        with pytest.raises(HTTPException) as exc_info:
-            await get_current_user_api_token(mock_auth_service, authorization)
+            await get_current_user_api_token(mock_auth_service, api_token_header)
+
+        assert exc_info.value.status_code == 401
+        assert "API token required" in exc_info.value.detail
+
+    @pytest.mark.asyncio
+    async def test_get_current_user_api_token_whitespace_token(self, mock_auth_service):
+        """Test API token authentication with whitespace-only token."""
+        api_token_header = "   "
+
+        with pytest.raises(HTTPException) as exc_info:
+            await get_current_user_api_token(mock_auth_service, api_token_header)

        assert exc_info.value.status_code == 401
        assert "API token required" in exc_info.value.detail
@@ -84,10 +84,10 @@ class TestApiTokenDependencies:
        """Test API token authentication with invalid token."""
        mock_auth_service.get_user_by_api_token.return_value = None

-        authorization = "Bearer invalid_token"
+        api_token_header = "invalid_token"

        with pytest.raises(HTTPException) as exc_info:
-            await get_current_user_api_token(mock_auth_service, authorization)
+            await get_current_user_api_token(mock_auth_service, api_token_header)

        assert exc_info.value.status_code == 401
        assert "Invalid API token" in exc_info.value.detail
@@ -101,10 +101,10 @@ class TestApiTokenDependencies:
        test_user.api_token_expires_at = datetime.now(UTC) - timedelta(days=1)
        mock_auth_service.get_user_by_api_token.return_value = test_user

-        authorization = "Bearer expired_token"
+        api_token_header = "expired_token"

        with pytest.raises(HTTPException) as exc_info:
-            await get_current_user_api_token(mock_auth_service, authorization)
+            await get_current_user_api_token(mock_auth_service, api_token_header)

        assert exc_info.value.status_code == 401
        assert "API token has expired" in exc_info.value.detail
@@ -117,10 +117,10 @@ class TestApiTokenDependencies:
        test_user.is_active = False
        mock_auth_service.get_user_by_api_token.return_value = test_user

-        authorization = "Bearer test_token"
+        api_token_header = "test_token"

        with pytest.raises(HTTPException) as exc_info:
-            await get_current_user_api_token(mock_auth_service, authorization)
+            await get_current_user_api_token(mock_auth_service, api_token_header)

        assert exc_info.value.status_code == 401
        assert "Account is deactivated" in exc_info.value.detail
@@ -130,10 +130,10 @@ class TestApiTokenDependencies:
        """Test API token authentication with service exception."""
        mock_auth_service.get_user_by_api_token.side_effect = Exception("Database error")

-        authorization = "Bearer test_token"
+        api_token_header = "test_token"

        with pytest.raises(HTTPException) as exc_info:
-            await get_current_user_api_token(mock_auth_service, authorization)
+            await get_current_user_api_token(mock_auth_service, api_token_header)

        assert exc_info.value.status_code == 401
        assert "Could not validate API token" in exc_info.value.detail
@@ -145,11 +145,11 @@ class TestApiTokenDependencies:
        """Test flexible authentication uses API token when available."""
        mock_auth_service.get_user_by_api_token.return_value = test_user

-        authorization = "Bearer test_api_token_123"
+        api_token_header = "test_api_token_123"
        access_token = "jwt_token"

        result = await get_current_user_flexible(
-            mock_auth_service, access_token, authorization,
+            mock_auth_service, access_token, api_token_header,
        )

        assert result == test_user
@@ -170,22 +170,20 @@ class TestApiTokenDependencies:
        test_user.api_token_expires_at = None
        mock_auth_service.get_user_by_api_token.return_value = test_user

-        authorization = "Bearer test_token"
+        api_token_header = "test_token"

-        result = await get_current_user_api_token(mock_auth_service, authorization)
+        result = await get_current_user_api_token(mock_auth_service, api_token_header)

        assert result == test_user

    @pytest.mark.asyncio
-    async def test_api_token_bearer_case_insensitive(self, mock_auth_service, test_user):
-        """Test that Bearer prefix is case-sensitive (as per OAuth2 spec)."""
+    async def test_api_token_with_whitespace(self, mock_auth_service, test_user):
+        """Test API token with leading/trailing whitespace is handled correctly."""
        mock_auth_service.get_user_by_api_token.return_value = test_user

-        # lowercase bearer should fail
-        authorization = "bearer test_token"
+        api_token_header = "  test_token  "

-        with pytest.raises(HTTPException) as exc_info:
-            await get_current_user_api_token(mock_auth_service, authorization)
+        result = await get_current_user_api_token(mock_auth_service, api_token_header)

-        assert exc_info.value.status_code == 401
-        assert "Invalid authorization header format" in exc_info.value.detail
+        assert result == test_user
+        mock_auth_service.get_user_by_api_token.assert_called_once_with("test_token")