fix: stabilize auth and generation workflows
@@ -1,8 +1,9 @@
|
||||
"""认证相关测试。"""
|
||||
|
||||
"""认证相关测试。"""
|
||||
|
||||
from fastapi.testclient import TestClient
|
||||
|
||||
from app.core.security import create_access_token, decode_access_token
|
||||
|
||||
from app.core.config import settings
|
||||
from app.core.security import create_access_token, decode_access_token
|
||||
|
||||
|
||||
class TestJWT:
|
||||
@@ -55,10 +56,43 @@ class TestSession:
|
||||
assert data["user"] is None
|
||||
|
||||
|
||||
class TestSignout:
|
||||
"""登出测试。"""
|
||||
|
||||
def test_signout(self, auth_client: TestClient):
|
||||
"""测试登出。"""
|
||||
response = auth_client.post("/auth/signout", follow_redirects=False)
|
||||
assert response.status_code == 302
|
||||
class TestSignout:
|
||||
"""登出测试。"""
|
||||
|
||||
def test_signout(self, auth_client: TestClient):
|
||||
"""测试登出。"""
|
||||
response = auth_client.post("/auth/signout")
|
||||
assert response.status_code == 204
|
||||
assert response.content == b""
|
||||
set_cookie_headers = response.headers.get_list("set-cookie")
|
||||
assert any("access_token=" in value for value in set_cookie_headers)
|
||||
|
||||
|
||||
class TestDevSigninRedirect:
|
||||
"""开发登录重定向测试。"""
|
||||
|
||||
def test_dev_signin_uses_allowed_next_url(self, client: TestClient, monkeypatch):
|
||||
"""允许的 next 参数应作为登录完成后的回跳地址。"""
|
||||
monkeypatch.setattr(settings, "cors_origins", ["http://localhost:5173", "http://localhost:5174"])
|
||||
|
||||
response = client.get(
|
||||
"/auth/dev/signin",
|
||||
params={"next": "http://localhost:5174/console/providers"},
|
||||
follow_redirects=False,
|
||||
)
|
||||
|
||||
assert response.status_code == 302
|
||||
assert response.headers["location"] == "http://localhost:5174/console/providers"
|
||||
|
||||
def test_dev_signin_rejects_untrusted_next_url(self, client: TestClient, monkeypatch):
|
||||
"""不可信的 next 参数应回退到默认前端地址,避免开放重定向。"""
|
||||
monkeypatch.setattr(settings, "cors_origins", ["http://localhost:5173", "http://localhost:5174"])
|
||||
|
||||
response = client.get(
|
||||
"/auth/dev/signin",
|
||||
params={"next": "https://evil.example/steal"},
|
||||
follow_redirects=False,
|
||||
)
|
||||
|
||||
assert response.status_code == 302
|
||||
assert response.headers["location"] == "http://localhost:5173/my-stories"
|
||||
|
||||
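Review bot: `test_signout` only checks that some Set-Cookie header contains `access_token=`, which also passes if the endpoint re-issued the cookie instead of clearing it; since the point of the test is that the session cookie is removed, also assert on the clearing attributes, e.g. `assert any("access_token=" in v and ("max-age=0" in v.lower() or "expires=" in v.lower()) for v in set_cookie_headers)`, matching whatever attribute the handler actually emits when it deletes the cookie. `test_dev_signin_rejects_untrusted_next_url` exercises only a wholly foreign origin, while open-redirect guards are most often wrong on near-misses, so consider parametrizing the `next` value with a scheme-relative URL such as `//evil.example/steal` and a host that merely starts with an allowed origin such as `http://localhost:5174.evil.example/`, each expected to land on `http://localhost:5173/my-stories`. The fallback location is hard-coded in both tests; if the handler derives it from `settings.cors_origins[0]` (not visible in this hunk), reading it from `settings` here would keep the test from silently diverging from the configuration it is meant to check.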