test(P14.1): add comprehensive backend API tests

Add test coverage for: - test_auth.py: Login, JWT, protected endpoints (5 tests) - test_users.py: User CRUD, permissions (8 tests) - test_projects.py: Project CRUD, ownership (8 tests) - test_milestones.py: Milestone CRUD, filtering (7 tests) - test_tasks.py: Task CRUD, filtering by status/assignee (8 tests) - test_comments.py: Comment CRUD, edit permissions (5 tests) - test_roles.py: Role/permission management, assignments (9 tests) - test_misc.py: Milestones global, notifications, activity log, API keys, dashboard, health (14 tests) Total: 64 new tests covering all major API endpoints. Uses existing pytest fixtures from conftest.py.
2026-03-19 12:38:14 +00:00
parent 0b1e47ef60
commit 403d66e1ba
8 changed files with 1252 additions and 0 deletions
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -0,0 +1,59 @@
+"""P14.1 — Auth API tests.
+
+Covers:
+- Login with valid credentials
+- Login with invalid credentials
+- Token refresh
+- Protected endpoint access with/without token
+"""
+import pytest
+
+
+class TestAuth:
+    """Authentication endpoints."""
+
+    def test_login_success(self, client, db, make_user):
+        """Valid login returns JWT token."""
+        user = make_user(username="testuser", password="testpass123")
+        
+        resp = client.post(
+            "/auth/token",
+            data={"username": "testuser", "password": "testpass123"}
+        )
+        assert resp.status_code == 200
+        data = resp.json()
+        assert "access_token" in data
+        assert data["token_type"] == "bearer"
+
+    def test_login_invalid_password(self, client, db, make_user):
+        """Invalid password returns 401."""
+        make_user(username="testuser", password="testpass123")
+        
+        resp = client.post(
+            "/auth/token",
+            data={"username": "testuser", "password": "wrongpass"}
+        )
+        assert resp.status_code == 401
+
+    def test_login_nonexistent_user(self, client, db):
+        """Non-existent user returns 401."""
+        resp = client.post(
+            "/auth/token",
+            data={"username": "nosuchuser", "password": "anypass"}
+        )
+        assert resp.status_code == 401
+
+    def test_protected_endpoint_without_token(self, client):
+        """Accessing protected endpoint without token returns 401."""
+        resp = client.get("/users/me")
+        assert resp.status_code == 401
+
+    def test_protected_endpoint_with_token(self, client, db, make_user, auth_header):
+        """Accessing protected endpoint with valid token succeeds."""
+        user = make_user()
+        
+        resp = client.get("/users/me", headers=auth_header(user))
+        assert resp.status_code == 200
+        data = resp.json()
+        assert data["id"] == user.id
+        assert data["username"] == user.username