diff --git a/api/tests/conftest.py b/api/tests/conftest.py index 0672c14..b9b1d53 100644 --- a/api/tests/conftest.py +++ b/api/tests/conftest.py @@ -1,6 +1,7 @@ import pytest from app import create_app from datetime import datetime +from flask_jwt_extended import create_access_token from models import db, User, Task from werkzeug.security import generate_password_hash @@ -48,3 +49,9 @@ def new_task(test_user): db.session.add(task) db.session.commit() return task + +def login_test_user(identity): + """Return Bearer auth header for user identified by provided id""" + access_token = create_access_token(identity=str(identity)) + auth_header = {"Authorization": f"Bearer {access_token}"} + return auth_header \ No newline at end of file diff --git a/api/tests/test_users.py b/api/tests/test_users.py index 58ae67c..231ee9f 100644 --- a/api/tests/test_users.py +++ b/api/tests/test_users.py @@ -1,7 +1,5 @@ +from conftest import login_test_user import json -from models import User, db -from flask_jwt_extended import create_access_token -from werkzeug.security import generate_password_hash def test_create_user(test_client, test_user, test_admin): """New user registration test""" @@ -19,14 +17,12 @@ def test_create_user(test_client, test_user, test_admin): assert response.status_code == 401 # Anonymous cannot create admin users # Login common user and try to create admin user - access_token = create_access_token(identity=str(test_user.id)) - headers = {"Authorization": f"Bearer {access_token}"} + headers = login_test_user(test_user.id) response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json", headers=headers) assert response.status_code == 403 # Common user cannot create admin users # Try to create admin user using admin account - access_token = create_access_token(identity=str(test_admin.id)) - headers = {"Authorization": f"Bearer {access_token}"} + headers = login_test_user(test_admin.id) response = test_client.post("/users", data=json.dumps(admin_user_data), content_type="application/json", headers=headers) assert response.status_code == 201 # Logged administrators can create new admin users @@ -37,11 +33,9 @@ def test_edit_user(test_client, test_user, test_admin): response = test_client.patch(f"/users/{test_admin.id}", data=json.dumps({"username": admin_data["username"], "password": "adminpass"})) assert response.status_code == 401 - # Login users - admin_access_token = create_access_token(identity=str(test_admin.id)) - admin_headers = {"Authorization": f"Bearer {admin_access_token}", "Content-Type": "application/json"} - user_access_token = create_access_token(identity=str(test_user.id)) - user_headers = {"Authorization": f"Bearer {user_access_token}", "Content-Type": "application/json"} + # Login users (get dict with auth header and merge it with dict with rest of headers) + admin_headers = login_test_user(test_admin.id) | {"Content-Type": "application/json"} + user_headers = login_test_user(test_user.id) | {"Content-Type": "application/json"} # Check if PUT request contains all editable fields response = test_client.put(f"/users/{test_user.id}", data=json.dumps({"username": test_user.username, "password": "testpass"}), headers=user_headers) @@ -59,22 +53,15 @@ def test_edit_user(test_client, test_user, test_admin): response = test_client.patch(f"/users/{test_user.id}", data=json.dumps({"username": test_user.username, "password": "testpass"}), headers=admin_headers) assert response.status_code == 200 -def test_remove_user(test_client, test_user, test_user2): +def test_remove_user(test_client, test_user, test_user2, test_admin): "User remove test" - # Create 1 admin account - hashed_pass = generate_password_hash("adminpass") - admin = User(username="testadmin", email="testadmin@example.com", password=hashed_pass, role="Administrator") - db.session.add(admin) - db.session.commit() - # Anonymous try to remove user response = test_client.delete(f"/users/{test_user.id}") assert response.status_code == 401 # Anonymous cannot remove user account # Logged user try to remove other user account - access_token = create_access_token(identity=str(test_user.id)) - headers = {"Authorization": f"Bearer {access_token}"} - response = test_client.delete(f"/users/{admin.id}", headers=headers) + headers = login_test_user(test_user.id) + response = test_client.delete(f"/users/{test_admin.id}", headers=headers) assert response.status_code == 403 # Common user cannot remove other user account # Logged user try to remove own account @@ -82,8 +69,7 @@ def test_remove_user(test_client, test_user, test_user2): assert response.status_code == 200 # Common user can remove their own account # Logged admin can remove other user account - admin_access_token = create_access_token(identity=str(admin.id)) - admin_headers = {"Authorization": f"Bearer {admin_access_token}"} + admin_headers = login_test_user(test_admin.id) response = test_client.delete(f"/users/{test_user2.id}", headers=admin_headers) assert response.status_code == 200 # Admin user can remove other user account @@ -103,28 +89,18 @@ def test_login(test_client, test_user): ) assert response.status_code == 200 # User should be logged - right password -def test_get_users(test_client): +def test_get_users(test_client, test_user, test_admin): """Get all users test""" response = test_client.get("/users") assert response.status_code == 401 # Anonymous cannot get all users data # Common user try to get all users data - hashed_pass = generate_password_hash("testpass") - user = User(username="testuser", email="test@example.com", password=hashed_pass, role="User") - db.session.add(user) - db.session.commit() - access_token = create_access_token(identity=str(user.id)) - headers = {"Authorization": f"Bearer {access_token}"} + headers = login_test_user(test_user.id) response = test_client.get("/users", headers=headers) assert response.status_code == 403 # Common user cannot get all users data # Admin user try to get all users data - hashed_pass = generate_password_hash("adminpass") - user = User(username="testadmin", email="testadmin@example.com", password=hashed_pass, role="Administrator") - db.session.add(user) - db.session.commit() - access_token = create_access_token(identity=str(user.id)) - headers = {"Authorization": f"Bearer {access_token}"} + headers = login_test_user(test_admin.id) response = test_client.get("/users", headers=headers) assert response.status_code == 200 # Admin user should be able to get all users data @@ -132,17 +108,14 @@ def test_get_user_with_token(test_client, test_user, test_admin): """Test to get user data before and after auth using JWT token""" response = test_client.get(f"/users/{test_admin.id}") assert response.status_code == 401 # Try to get user data without login - - access_token = create_access_token(identity=str(test_admin.id)) - admin_headers = {"Authorization": f"Bearer {access_token}"} + admin_headers = login_test_user(test_admin.id) response = test_client.get(f"/users/{test_admin.id}", headers=admin_headers) assert response.status_code == 200 data = response.get_json() assert data["username"] == "adminuser" - access_token = create_access_token(identity=str(test_user.id)) - headers = {"Authorization": f"Bearer {access_token}"} + headers = login_test_user(test_user.id) response = test_client.get(f"/users/{test_user.id}", headers=headers) assert response.status_code == 200 # Common user can get own user data response = test_client.get(f"/users/{test_admin.id}", headers=headers) @@ -152,9 +125,7 @@ def test_get_user_with_token(test_client, test_user, test_admin): def test_user_logout(test_client, test_user): """Test if logout works and JWT token is revoked""" - access_token = create_access_token(identity=str(test_user.id)) - headers = {"Authorization": f"Bearer {access_token}"} - + headers = login_test_user(test_user.id) response = test_client.get(f"/logout", headers=headers) assert response.status_code == 200 # Logged user can logout response = test_client.get(f"/logout", headers=headers)