test: добавить первый блок unit-тестов для security и auth

RomanVetrov · RomanVetrov · commit 8907586be7fc · 2026-03-09T18:42:20.000+03:00
Что сделано:
- добавлена структура tests/unit с разделением по security и services
- добавлен tests/conftest.py с bootstrap env и корректным import path для app
- добавлены unit-тесты для JWT: roundtrip, тип токена, срок действия, jti
- добавлены async unit-тесты для hash/verify пароля и ограничений длины
- добавлены unit-тесты сервиса auth с mock/AsyncMock на репозиторий и зависимые функции
- добавлена базовая pytest-конфигурация в pyproject.toml (testpaths, asyncio_mode, addopts)
diff --git a/pyproject.toml b/pyproject.toml
@@ -35,3 +35,9 @@ dev = [
     "pytest-asyncio>=1.3.0",
     "ruff>=0.15.5",
 ]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+python_files = ["test_*.py"]
+asyncio_mode = "auto"
+addopts = "-ra"
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -0,0 +1,16 @@
+from __future__ import annotations
+
+import os
+import sys
+from pathlib import Path
+
+ROOT_DIR = Path(__file__).resolve().parents[1]
+if str(ROOT_DIR) not in sys.path:
+    sys.path.insert(0, str(ROOT_DIR))
+
+# Минимальные обязательные переменные для загрузки app.config в тестах.
+os.environ.setdefault(
+    "DATABASE_URL",
+    "postgresql+asyncpg://test_user:test_password@localhost:5432/test_db",
+)
+os.environ.setdefault("SECRET_KEY", "test-secret-key-minimum-32-bytes-value")
diff --git a/tests/unit/security/test_jwt.py b/tests/unit/security/test_jwt.py
@@ -0,0 +1,63 @@
+from __future__ import annotations
+
+from datetime import datetime, timedelta, timezone
+
+import jwt
+import pytest
+
+from app.config import settings
+from app.security.jwt import (
+    TokenExpired,
+    TokenInvalid,
+    create_access_token,
+    create_refresh_token,
+    decode_access_token,
+    decode_refresh_token,
+)
+
+
+def _unix_now() -> int:
+    return int(datetime.now(timezone.utc).timestamp())
+
+
+def test_create_and_decode_access_token_roundtrip() -> None:
+    token = create_access_token(subject="user-123")
+
+    decoded = decode_access_token(token)
+
+    assert decoded.sub == "user-123"
+    assert decoded.payload["type"] == "access"
+
+
+def test_decode_access_token_rejects_refresh_token() -> None:
+    refresh_token, _ = create_refresh_token(subject="user-123")
+
+    with pytest.raises(TokenInvalid, match="Ожидался access токен"):
+        decode_access_token(refresh_token)
+
+
+def test_decode_refresh_token_requires_jti() -> None:
+    payload = {
+        "sub": "user-123",
+        "iat": _unix_now(),
+        "exp": _unix_now() + 60,
+        "type": "refresh",
+    }
+    token_without_jti = jwt.encode(
+        payload=payload,
+        key=settings.SECRET_KEY,
+        algorithm=settings.ALGORITHM,
+    )
+
+    with pytest.raises(TokenInvalid, match="отсутствует jti"):
+        decode_refresh_token(token_without_jti)
+
+
+def test_decode_access_token_raises_for_expired_token() -> None:
+    expired_token = create_access_token(
+        subject="user-123",
+        expires_delta=timedelta(seconds=-1),
+    )
+
+    with pytest.raises(TokenExpired, match="истёк"):
+        decode_access_token(expired_token)
diff --git a/tests/unit/security/test_password.py b/tests/unit/security/test_password.py
@@ -0,0 +1,43 @@
+from __future__ import annotations
+
+import pytest
+
+from app.config import settings
+from app.security.password import hash_password, verify_password
+
+
+@pytest.mark.asyncio
+async def test_hash_and_verify_password_roundtrip() -> None:
+    hashed = await hash_password(password="StrongPass123!")
+
+    assert await verify_password(password="StrongPass123!", hashed_password=hashed)
+
+
+@pytest.mark.asyncio
+async def test_verify_password_returns_false_for_invalid_password() -> None:
+    hashed = await hash_password(password="StrongPass123!")
+
+    assert not await verify_password(password="wrong-pass", hashed_password=hashed)
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "password",
+    ["x" * (settings.ARGON_MAX_PASSWORD_LEN + 1)],
+)
+async def test_hash_password_rejects_overlong_password(password: str) -> None:
+    with pytest.raises(ValueError, match="слишком длинный"):
+        await hash_password(password=password)
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "password",
+    ["x" * (settings.ARGON_MAX_PASSWORD_LEN + 1)],
+)
+async def test_verify_password_returns_false_for_overlong_password(
+    password: str,
+) -> None:
+    hashed = await hash_password(password="StrongPass123!")
+
+    assert not await verify_password(password=password, hashed_password=hashed)
diff --git a/tests/unit/services/test_auth_service.py b/tests/unit/services/test_auth_service.py
@@ -0,0 +1,139 @@
+from __future__ import annotations
+
+from types import SimpleNamespace
+from unittest.mock import AsyncMock, Mock
+from uuid import uuid4
+
+import pytest
+
+from app.services import auth as auth_service
+
+
+@pytest.fixture
+def fake_session() -> object:
+    return object()
+
+
+@pytest.fixture
+def active_user() -> SimpleNamespace:
+    return SimpleNamespace(
+        id=uuid4(),
+        email="user@example.com",
+        hashed_password="hashed-password",
+        is_active=True,
+    )
+
+
+@pytest.mark.asyncio
+async def test_register_user_raises_when_email_already_exists(
+    monkeypatch: pytest.MonkeyPatch,
+    fake_session: object,
+    active_user: SimpleNamespace,
+) -> None:
+    get_user_by_email = AsyncMock(return_value=active_user)
+    create_user = AsyncMock()
+
+    monkeypatch.setattr(auth_service.user_repo, "get_user_by_email", get_user_by_email)
+    monkeypatch.setattr(auth_service.user_repo, "create_user", create_user)
+
+    with pytest.raises(auth_service.UserAlreadyExists):
+        await auth_service.register_user(fake_session, "user@example.com", "password")
+
+    create_user.assert_not_awaited()
+
+
+@pytest.mark.asyncio
+async def test_register_user_hashes_password_and_creates_user(
+    monkeypatch: pytest.MonkeyPatch,
+    fake_session: object,
+    active_user: SimpleNamespace,
+) -> None:
+    get_user_by_email = AsyncMock(return_value=None)
+    hash_password = AsyncMock(return_value="hashed-by-test")
+    create_user = AsyncMock(return_value=active_user)
+
+    monkeypatch.setattr(auth_service.user_repo, "get_user_by_email", get_user_by_email)
+    monkeypatch.setattr(auth_service, "hash_password", hash_password)
+    monkeypatch.setattr(auth_service.user_repo, "create_user", create_user)
+
+    created = await auth_service.register_user(
+        fake_session,
+        "user@example.com",
+        "password",
+    )
+
+    assert created is active_user
+    hash_password.assert_awaited_once_with(password="password")
+    create_user.assert_awaited_once_with(
+        fake_session,
+        email="user@example.com",
+        hashed_password="hashed-by-test",
+    )
+
+
+@pytest.mark.asyncio
+async def test_authenticate_user_uses_dummy_hash_when_user_not_found(
+    monkeypatch: pytest.MonkeyPatch,
+    fake_session: object,
+) -> None:
+    get_user_by_email = AsyncMock(return_value=None)
+    get_dummy_hash = Mock(return_value="dummy-hash")
+    verify_password = AsyncMock(return_value=False)
+
+    monkeypatch.setattr(auth_service.user_repo, "get_user_by_email", get_user_by_email)
+    monkeypatch.setattr(auth_service, "get_dummy_hash", get_dummy_hash)
+    monkeypatch.setattr(auth_service, "verify_password", verify_password)
+
+    authenticated = await auth_service.authenticate_user(
+        fake_session,
+        "missing@example.com",
+        "password",
+    )
+
+    assert authenticated is None
+    verify_password.assert_awaited_once_with(
+        password="password",
+        hashed_password="dummy-hash",
+    )
+
+
+@pytest.mark.asyncio
+async def test_authenticate_active_user_raises_for_inactive_user(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    inactive_user = SimpleNamespace(is_active=False)
+    authenticate_user = AsyncMock(return_value=inactive_user)
+
+    monkeypatch.setattr(auth_service, "authenticate_user", authenticate_user)
+
+    with pytest.raises(auth_service.UserInactive):
+        await auth_service.authenticate_active_user(
+            object(),
+            "user@example.com",
+            "password",
+        )
+
+
+@pytest.mark.asyncio
+async def test_validate_refresh_subject_raises_when_user_not_found(
+    monkeypatch: pytest.MonkeyPatch,
+    fake_session: object,
+) -> None:
+    get_user_by_id = AsyncMock(return_value=None)
+    monkeypatch.setattr(auth_service.user_repo, "get_user_by_id", get_user_by_id)
+
+    with pytest.raises(auth_service.UserNotFound):
+        await auth_service.validate_refresh_subject(fake_session, uuid4())
+
+
+@pytest.mark.asyncio
+async def test_validate_refresh_subject_raises_when_user_inactive(
+    monkeypatch: pytest.MonkeyPatch,
+    fake_session: object,
+) -> None:
+    inactive_user = SimpleNamespace(is_active=False)
+    get_user_by_id = AsyncMock(return_value=inactive_user)
+    monkeypatch.setattr(auth_service.user_repo, "get_user_by_id", get_user_by_id)
+
+    with pytest.raises(auth_service.UserInactive):
+        await auth_service.validate_refresh_subject(fake_session, uuid4())
