test: Implemented auth API router with register/login/me/update-profile…

- "backend/routers/auth.py" - "backend/main.py" - "backend/auth.py" - "backend/requirements.txt" - "backend/tests/conftest.py" - "backend/tests/test_auth.py" GSD-Task: S02/T02
2026-04-03 21:54:11 +00:00 · 2026-04-03 21:54:11 +00:00 · f4020251b9
commit f4020251b9
parent ae62c09881
6 changed files with 535 additions and 7 deletions
--- a/backend/auth.py
+++ b/backend/auth.py
@ -6,10 +6,10 @@ import uuid
 from datetime import datetime, timedelta, timezone
 from typing import Annotated
 import bcrypt
 import jwt
 from fastapi import Depends, HTTPException, status
 from fastapi.security import OAuth2PasswordBearer
 from passlib.context import CryptContext
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
@ -19,17 +19,15 @@ from models import User, UserRole
 # ── Password hashing ─────────────────────────────────────────────────────────
 _pwd_ctx = CryptContext(schemes=["bcrypt"], deprecated="auto")
 def hash_password(plain: str) -> str:
    """Hash a plaintext password with bcrypt."""
-    return _pwd_ctx.hash(plain)
+    return bcrypt.hashpw(plain.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")
 def verify_password(plain: str, hashed: str) -> bool:
    """Verify a plaintext password against a bcrypt hash."""
-    return _pwd_ctx.verify(plain, hashed)
+    return bcrypt.checkpw(plain.encode("utf-8"), hashed.encode("utf-8"))
 # ── JWT ──────────────────────────────────────────────────────────────────────
--- a/backend/main.py
+++ b/backend/main.py
@ -12,7 +12,7 @@ from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 from config import get_settings
-from routers import creators, health, ingest, pipeline, reports, search, stats, techniques, topics, videos
+from routers import auth, creators, health, ingest, pipeline, reports, search, stats, techniques, topics, videos
 def _setup_logging() -> None:
@ -78,6 +78,7 @@ app.add_middleware(
 app.include_router(health.router)
 # Versioned API
 app.include_router(auth.router, prefix="/api/v1")
 app.include_router(creators.router, prefix="/api/v1")
 app.include_router(ingest.router, prefix="/api/v1")
 app.include_router(pipeline.router, prefix="/api/v1")
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@ -16,7 +16,7 @@ pyyaml>=6.0,<7.0
 psycopg2-binary>=2.9,<3.0
 watchdog>=4.0,<5.0
 PyJWT>=2.8,<3.0
-passlib[bcrypt]>=1.7,<2.0
+bcrypt>=4.0,<6.0
 # Test dependencies
 pytest>=8.0,<10.0
 pytest-asyncio>=0.24,<1.0
--- a/backend/routers/auth.py
+++ b/backend/routers/auth.py
@ -0,0 +1,168 @@
 """Auth router — registration, login, profile management."""
 from __future__ import annotations
 import logging
 from datetime import datetime, timezone
 from typing import Annotated
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 from auth import (
    create_access_token,
    get_current_user,
    hash_password,
    verify_password,
 )
 from database import get_session
 from models import Creator, InviteCode, User
 from schemas import (
    LoginRequest,
    RegisterRequest,
    TokenResponse,
    UpdateProfileRequest,
    UserResponse,
 )
 logger = logging.getLogger("chrysopedia.auth")
 router = APIRouter(prefix="/auth", tags=["auth"])
 # ── Registration ─────────────────────────────────────────────────────────────
@router.post("/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
 async def register(
    body: RegisterRequest,
    session: Annotated[AsyncSession, Depends(get_session)],
 ):
    """Register a new user with a valid invite code."""
    # 1. Validate invite code
    result = await session.execute(
        select(InviteCode).where(InviteCode.code == body.invite_code)
    )
    invite = result.scalar_one_or_none()
    if invite is None:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invalid invite code")
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    if invite.expires_at is not None and invite.expires_at < now:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invite code has expired")
    if invite.uses_remaining <= 0:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Invite code exhausted")
    # 2. Check email uniqueness
    existing = await session.execute(select(User).where(User.email == body.email))
    if existing.scalar_one_or_none() is not None:
        raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="Email already registered")
    # 3. Optionally resolve creator_id from slug
    creator_id = None
    if body.creator_slug:
        creator_result = await session.execute(
            select(Creator).where(Creator.slug == body.creator_slug)
        )
        creator = creator_result.scalar_one_or_none()
        if creator is not None:
            creator_id = creator.id
    # 4. Create user
    user = User(
        email=body.email,
        hashed_password=hash_password(body.password),
        display_name=body.display_name,
        creator_id=creator_id,
    )
    session.add(user)
    # 5. Decrement invite code uses
    invite.uses_remaining -= 1
    await session.commit()
    await session.refresh(user)
    logger.info("User registered: %s (email=%s)", user.id, user.email)
    return user
 # ── Login ────────────────────────────────────────────────────────────────────
@router.post("/login", response_model=TokenResponse)
 async def login(
    body: LoginRequest,
    session: Annotated[AsyncSession, Depends(get_session)],
 ):
    """Authenticate with email + password, return JWT."""
    result = await session.execute(select(User).where(User.email == body.email))
    user = result.scalar_one_or_none()
    if user is None or not verify_password(body.password, user.hashed_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid email or password",
        )
    token = create_access_token(user.id, user.role.value)
    logger.info("User logged in: %s", user.id)
    return TokenResponse(access_token=token)
 # ── Profile ──────────────────────────────────────────────────────────────────
@router.get("/me", response_model=UserResponse)
 async def get_profile(
    current_user: Annotated[User, Depends(get_current_user)],
 ):
    """Return the current user's profile."""
    return current_user
@router.put("/me", response_model=UserResponse)
 async def update_profile(
    body: UpdateProfileRequest,
    current_user: Annotated[User, Depends(get_current_user)],
    session: Annotated[AsyncSession, Depends(get_session)],
 ):
    """Update the current user's display name and/or password."""
    if body.display_name is not None:
        current_user.display_name = body.display_name
    if body.new_password is not None:
        if body.current_password is None:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail="Current password required to set new password",
            )
        if not verify_password(body.current_password, current_user.hashed_password):
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail="Current password is incorrect",
            )
        current_user.hashed_password = hash_password(body.new_password)
    await session.commit()
    await session.refresh(current_user)
    logger.info("Profile updated: %s", current_user.id)
    return current_user
 # ── Seed ─────────────────────────────────────────────────────────────────────
 async def seed_invite_codes(session: AsyncSession) -> None:
    """Create default invite code if none exist. Call from lifespan or CLI."""
    result = await session.execute(select(InviteCode))
    if result.scalar_one_or_none() is None:
        session.add(InviteCode(
            code="CHRYSOPEDIA-ALPHA-2026",
            uses_remaining=100,
        ))
        await session.commit()
        logger.info("Seeded default invite code: CHRYSOPEDIA-ALPHA-2026")
--- a/backend/tests/conftest.py
+++ b/backend/tests/conftest.py
@ -34,9 +34,12 @@ from main import app  # noqa: E402
 from models import (  # noqa: E402
    ContentType,
    Creator,
    InviteCode,
    ProcessingStatus,
    SourceVideo,
    TranscriptSegment,
    User,
    UserRole,
 )
 TEST_DATABASE_URL = os.getenv(
@ -190,3 +193,47 @@ def pre_ingested_video(sync_engine):
        session.close()
    return result
 # ── Auth fixtures ────────────────────────────────────────────────────────────
 _TEST_INVITE_CODE = "TEST-INVITE-2026"
 _TEST_EMAIL = "testuser@chrysopedia.com"
 _TEST_PASSWORD = "securepass123"
@pytest_asyncio.fixture()
 async def invite_code(db_engine):
    """Create a test invite code in the DB and return the code string."""
    factory = async_sessionmaker(db_engine, class_=AsyncSession, expire_on_commit=False)
    async with factory() as session:
        code = InviteCode(code=_TEST_INVITE_CODE, uses_remaining=10)
        session.add(code)
        await session.commit()
    return _TEST_INVITE_CODE
@pytest_asyncio.fixture()
 async def registered_user(client, invite_code):
    """Register a user via the API and return the response dict."""
    resp = await client.post("/api/v1/auth/register", json={
        "email": _TEST_EMAIL,
        "password": _TEST_PASSWORD,
        "display_name": "Test User",
        "invite_code": invite_code,
    })
    assert resp.status_code == 201
    return resp.json()
@pytest_asyncio.fixture()
 async def auth_headers(client, registered_user):
    """Log in and return Authorization headers dict."""
    resp = await client.post("/api/v1/auth/login", json={
        "email": _TEST_EMAIL,
        "password": _TEST_PASSWORD,
    })
    assert resp.status_code == 200
    token = resp.json()["access_token"]
    return {"Authorization": f"Bearer {token}"}
--- a/backend/tests/test_auth.py
+++ b/backend/tests/test_auth.py
@ -0,0 +1,314 @@
 """Integration tests for the auth router — registration, login, profile."""
 import uuid
 from datetime import datetime, timedelta, timezone
 import pytest
 import pytest_asyncio
 from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker
 from models import InviteCode, User
 # ── Registration ─────────────────────────────────────────────────────────────
@pytest.mark.asyncio
 async def test_register_valid(client, invite_code):
    """Register with a valid invite code → 201 + user created."""
    resp = await client.post("/api/v1/auth/register", json={
        "email": "newuser@example.com",
        "password": "strongpass1",
        "display_name": "New User",
        "invite_code": invite_code,
    })
    assert resp.status_code == 201
    data = resp.json()
    assert data["email"] == "newuser@example.com"
    assert data["display_name"] == "New User"
    assert data["role"] == "creator"
    assert "id" in data
    # Password not leaked
    assert "hashed_password" not in data
@pytest.mark.asyncio
 async def test_register_invalid_invite_code(client, invite_code):
    """Register with a wrong invite code → 403."""
    resp = await client.post("/api/v1/auth/register", json={
        "email": "bad@example.com",
        "password": "strongpass1",
        "display_name": "Bad",
        "invite_code": "WRONG-CODE",
    })
    assert resp.status_code == 403
    assert "Invalid invite code" in resp.json()["detail"]
@pytest.mark.asyncio
 async def test_register_expired_invite_code(client, db_engine):
    """Register with an expired invite code → 403."""
    factory = async_sessionmaker(db_engine, class_=AsyncSession, expire_on_commit=False)
    async with factory() as session:
        past = (datetime.now(timezone.utc) - timedelta(days=1)).replace(tzinfo=None)
        session.add(InviteCode(code="EXPIRED-CODE", uses_remaining=10, expires_at=past))
        await session.commit()
    resp = await client.post("/api/v1/auth/register", json={
        "email": "exp@example.com",
        "password": "strongpass1",
        "display_name": "Expired",
        "invite_code": "EXPIRED-CODE",
    })
    assert resp.status_code == 403
    assert "expired" in resp.json()["detail"].lower()
@pytest.mark.asyncio
 async def test_register_exhausted_invite_code(client, db_engine):
    """Register with an invite code that has uses_remaining=0 → 403."""
    factory = async_sessionmaker(db_engine, class_=AsyncSession, expire_on_commit=False)
    async with factory() as session:
        session.add(InviteCode(code="EXHAUSTED", uses_remaining=0))
        await session.commit()
    resp = await client.post("/api/v1/auth/register", json={
        "email": "nope@example.com",
        "password": "strongpass1",
        "display_name": "Nope",
        "invite_code": "EXHAUSTED",
    })
    assert resp.status_code == 403
    assert "exhausted" in resp.json()["detail"].lower()
@pytest.mark.asyncio
 async def test_register_invite_code_decrements(client, db_engine):
    """Invite code uses_remaining decrements after registration."""
    factory = async_sessionmaker(db_engine, class_=AsyncSession, expire_on_commit=False)
    async with factory() as session:
        session.add(InviteCode(code="SINGLE-USE", uses_remaining=1))
        await session.commit()
    # First registration succeeds
    resp = await client.post("/api/v1/auth/register", json={
        "email": "first@example.com",
        "password": "strongpass1",
        "display_name": "First",
        "invite_code": "SINGLE-USE",
    })
    assert resp.status_code == 201
    # Second registration with same code fails (exhausted)
    resp = await client.post("/api/v1/auth/register", json={
        "email": "second@example.com",
        "password": "strongpass1",
        "display_name": "Second",
        "invite_code": "SINGLE-USE",
    })
    assert resp.status_code == 403
@pytest.mark.asyncio
 async def test_register_duplicate_email(client, invite_code, registered_user):
    """Register with an already-used email → 409."""
    resp = await client.post("/api/v1/auth/register", json={
        "email": "testuser@chrysopedia.com",
        "password": "anotherpass1",
        "display_name": "Dup",
        "invite_code": invite_code,
    })
    assert resp.status_code == 409
    assert "already registered" in resp.json()["detail"].lower()
 # ── Login ────────────────────────────────────────────────────────────────────
@pytest.mark.asyncio
 async def test_login_success(client, registered_user):
    """Login with correct credentials → 200 + JWT."""
    resp = await client.post("/api/v1/auth/login", json={
        "email": "testuser@chrysopedia.com",
        "password": "securepass123",
    })
    assert resp.status_code == 200
    data = resp.json()
    assert "access_token" in data
    assert data["token_type"] == "bearer"
@pytest.mark.asyncio
 async def test_login_wrong_password(client, registered_user):
    """Login with wrong password → 401."""
    resp = await client.post("/api/v1/auth/login", json={
        "email": "testuser@chrysopedia.com",
        "password": "wrongpassword",
    })
    assert resp.status_code == 401
@pytest.mark.asyncio
 async def test_login_nonexistent_email(client):
    """Login with an email that doesn't exist → 401."""
    resp = await client.post("/api/v1/auth/login", json={
        "email": "nobody@example.com",
        "password": "somepass123",
    })
    assert resp.status_code == 401
 # ── Profile (GET /me) ───────────────────────────────────────────────────────
@pytest.mark.asyncio
 async def test_get_me_authenticated(client, auth_headers):
    """GET /me with valid token → 200 + profile."""
    resp = await client.get("/api/v1/auth/me", headers=auth_headers)
    assert resp.status_code == 200
    data = resp.json()
    assert data["email"] == "testuser@chrysopedia.com"
    assert data["display_name"] == "Test User"
@pytest.mark.asyncio
 async def test_get_me_no_token(client, db_engine):
    """GET /me without token → 401."""
    resp = await client.get("/api/v1/auth/me")
    assert resp.status_code == 401
@pytest.mark.asyncio
 async def test_get_me_invalid_token(client, db_engine):
    """GET /me with garbage token → 401."""
    resp = await client.get("/api/v1/auth/me", headers={
        "Authorization": "Bearer invalid.garbage.token",
    })
    assert resp.status_code == 401
@pytest.mark.asyncio
 async def test_get_me_expired_token(client, db_engine, invite_code):
    """GET /me with an expired JWT → 401."""
    from auth import create_access_token
    # Register a user first
    resp = await client.post("/api/v1/auth/register", json={
        "email": "expired@example.com",
        "password": "strongpass1",
        "display_name": "Expired Token User",
        "invite_code": invite_code,
    })
    assert resp.status_code == 201
    user_id = resp.json()["id"]
    # Create a token that expires immediately
    token = create_access_token(user_id, "creator", expires_minutes=-1)
    resp = await client.get("/api/v1/auth/me", headers={
        "Authorization": f"Bearer {token}",
    })
    assert resp.status_code == 401
 # ── Profile (PUT /me) ───────────────────────────────────────────────────────
@pytest.mark.asyncio
 async def test_update_display_name(client, auth_headers):
    """PUT /me updates display_name → 200 + new name."""
    resp = await client.put("/api/v1/auth/me", json={
        "display_name": "Updated Name",
    }, headers=auth_headers)
    assert resp.status_code == 200
    assert resp.json()["display_name"] == "Updated Name"
    # Verify persistence
    resp2 = await client.get("/api/v1/auth/me", headers=auth_headers)
    assert resp2.json()["display_name"] == "Updated Name"
@pytest.mark.asyncio
 async def test_update_password(client, invite_code):
    """PUT /me changes password → can login with new password."""
    # Register
    await client.post("/api/v1/auth/register", json={
        "email": "pwchange@example.com",
        "password": "oldpassword1",
        "display_name": "PW User",
        "invite_code": invite_code,
    })
    # Login
    login_resp = await client.post("/api/v1/auth/login", json={
        "email": "pwchange@example.com",
        "password": "oldpassword1",
    })
    token = login_resp.json()["access_token"]
    headers = {"Authorization": f"Bearer {token}"}
    # Change password
    resp = await client.put("/api/v1/auth/me", json={
        "current_password": "oldpassword1",
        "new_password": "newpassword1",
    }, headers=headers)
    assert resp.status_code == 200
    # Old password fails
    resp_old = await client.post("/api/v1/auth/login", json={
        "email": "pwchange@example.com",
        "password": "oldpassword1",
    })
    assert resp_old.status_code == 401
    # New password works
    resp_new = await client.post("/api/v1/auth/login", json={
        "email": "pwchange@example.com",
        "password": "newpassword1",
    })
    assert resp_new.status_code == 200
 # ── Malformed inputs (422 validation) ───────────────────────────────────────
@pytest.mark.asyncio
 async def test_register_missing_fields(client):
    """Register with missing fields → 422."""
    resp = await client.post("/api/v1/auth/register", json={})
    assert resp.status_code == 422
@pytest.mark.asyncio
 async def test_register_empty_password(client):
    """Register with empty password → 422 (min_length=8)."""
    resp = await client.post("/api/v1/auth/register", json={
        "email": "a@b.com",
        "password": "",
        "display_name": "X",
        "invite_code": "CODE",
    })
    assert resp.status_code == 422
@pytest.mark.asyncio
 async def test_login_empty_body(client):
    """Login with empty body → 422."""
    resp = await client.post("/api/v1/auth/login", json={})
    assert resp.status_code == 422
 # ── Public endpoints unaffected ──────────────────────────────────────────────
@pytest.mark.asyncio
 async def test_public_techniques_no_auth(client, db_engine):
    """GET /api/v1/techniques works without auth."""
    resp = await client.get("/api/v1/techniques")
    # 200 even if empty — no 401/403
    assert resp.status_code == 200
@pytest.mark.asyncio
 async def test_public_creators_no_auth(client, db_engine):
    """GET /api/v1/creators works without auth."""
    resp = await client.get("/api/v1/creators")
    assert resp.status_code == 200