mealie/tests/integration_tests/user_tests/test_user_api_token.py

import json

from fastapi.testclient import TestClient
from pytest import fixture

from tests.utils import api_routes


@fixture
def long_live_token(api_client: TestClient, admin_token):
    response = api_client.post(api_routes.users_api_tokens, json={"name": "Test Fixture Token"}, headers=admin_token)
    assert response.status_code == 201

    return {"Authorization": f"Bearer {json.loads(response.text).get('token')}"}


def test_api_token_creation(api_client: TestClient, admin_token):
    response = api_client.post(api_routes.users_api_tokens, json={"name": "Test API Token"}, headers=admin_token)
    assert response.status_code == 201
    assert response.json()["token"]


def test_api_token_private(api_client: TestClient, admin_token):
    response = api_client.post(api_routes.users_api_tokens, json={"name": "Test API Token"}, headers=admin_token)
    assert response.status_code == 201

    response = api_client.get(api_routes.users, headers=admin_token, params={"perPage": -1})
    assert response.status_code == 200
    for user in response.json()["items"]:
        for user_token in user["tokens"] or []:
            assert "token" not in user_token

    response = api_client.get(api_routes.users_self, headers=admin_token)
    assert response.status_code == 200
    response_json = response.json()
    assert response_json["tokens"]
    for user_token in response_json["tokens"]:
        assert "token" not in user_token


def test_use_token(api_client: TestClient, long_live_token):
    response = api_client.get(api_routes.users, headers=long_live_token)

    assert response.status_code == 200


def test_delete_token(api_client: TestClient, admin_token):
    response = api_client.delete(api_routes.users_api_tokens_token_id(1), headers=admin_token)
    assert response.status_code == 200

    response = api_client.delete(api_routes.users_api_tokens_token_id(2), headers=admin_token)
    assert response.status_code == 200
feature/profile-cards (#391) * unify format * pass variables * remove namespace * rename * group-card init * shuffle + icons * remove console.logs * token CRUD * update changelog * add profile link * consolidate mealplan to profile dashboard * update docs * add query parameter to search page * update test routes * update python depts * basic token tests Co-authored-by: hay-kot <hay-kot@pm.me> 2021-05-06 21:08:27 -08:00			`import json`

			`from fastapi.testclient import TestClient`
			`from pytest import fixture`
style(backend): :art: add isort to lint and CI/CD 2021-08-28 14:27:56 -08:00
chore: file generation cleanup (#1736) This PR does too many things :( 1. Major refactoring of the dev/scripts and dev/code-generation folders. Primarily this was removing duplicate code and cleaning up some poorly written code snippets as well as making them more idempotent so then can be re-run over and over again but still maintain the same results. This is working on my machine, but I've been having problems in CI and comparing diffs so running generators in CI will have to wait. 2. Re-Implement using the generated api routes for testing This was a _huge_ refactor that touched damn near every test file but now we have auto-generated typed routes with inline hints and it's used for nearly every test excluding a few that use classes for better parameterization. This should greatly reduce errors when writing new tests. 3. Minor Perf improvements for the All Recipes endpoint A. Removed redundant loops B. Uses orjson to do the encoding directly and returns a byte response instead of relying on the default jsonable_encoder. 4. Fix some TS type errors that cropped up for seemingly no reason half way through the PR. See this issue https://github.com/phillipdupuis/pydantic-to-typescript/issues/28 Basically, the generated TS type is not-correct since Pydantic will automatically fill in null fields. The resulting TS type is generated with a ? to indicate it can be null even though we _know_ that i can't be. 2022-10-18 14:49:41 -08:00			`from tests.utils import api_routes`
feature/profile-cards (#391) * unify format * pass variables * remove namespace * rename * group-card init * shuffle + icons * remove console.logs * token CRUD * update changelog * add profile link * consolidate mealplan to profile dashboard * update docs * add query parameter to search page * update test routes * update python depts * basic token tests Co-authored-by: hay-kot <hay-kot@pm.me> 2021-05-06 21:08:27 -08:00

			`@fixture`
chore: file generation cleanup (#1736) This PR does too many things :( 1. Major refactoring of the dev/scripts and dev/code-generation folders. Primarily this was removing duplicate code and cleaning up some poorly written code snippets as well as making them more idempotent so then can be re-run over and over again but still maintain the same results. This is working on my machine, but I've been having problems in CI and comparing diffs so running generators in CI will have to wait. 2. Re-Implement using the generated api routes for testing This was a _huge_ refactor that touched damn near every test file but now we have auto-generated typed routes with inline hints and it's used for nearly every test excluding a few that use classes for better parameterization. This should greatly reduce errors when writing new tests. 3. Minor Perf improvements for the All Recipes endpoint A. Removed redundant loops B. Uses orjson to do the encoding directly and returns a byte response instead of relying on the default jsonable_encoder. 4. Fix some TS type errors that cropped up for seemingly no reason half way through the PR. See this issue https://github.com/phillipdupuis/pydantic-to-typescript/issues/28 Basically, the generated TS type is not-correct since Pydantic will automatically fill in null fields. The resulting TS type is generated with a ? to indicate it can be null even though we _know_ that i can't be. 2022-10-18 14:49:41 -08:00			`def long_live_token(api_client: TestClient, admin_token):`
API security hardening (#571) * Enhance security and safety around user update API - Prevent a regular user from promoting themself to admin - Prevent an admin from demoting themself - Refactor token fixture to admin + regular user tokens * Restrict user CRUD API to admins * Secure admin API routes * Refactor APIrouter into Admin/UserAPIRouter * Secure theme routes * Make 'all recipes' routes public * Secure favorite routes * Remove redundant checks * Fix public routes mistakenly flagged user routes * Make webhooks changeable only by admin * Allow users to create categories and tags * Address lint issues 2021-06-22 20:22:15 +02:00			`response = api_client.post(api_routes.users_api_tokens, json={"name": "Test Fixture Token"}, headers=admin_token)`
feature/profile-cards (#391) * unify format * pass variables * remove namespace * rename * group-card init * shuffle + icons * remove console.logs * token CRUD * update changelog * add profile link * consolidate mealplan to profile dashboard * update docs * add query parameter to search page * update test routes * update python depts * basic token tests Co-authored-by: hay-kot <hay-kot@pm.me> 2021-05-06 21:08:27 -08:00			`assert response.status_code == 201`

			`return {"Authorization": f"Bearer {json.loads(response.text).get('token')}"}`


chore: file generation cleanup (#1736) This PR does too many things :( 1. Major refactoring of the dev/scripts and dev/code-generation folders. Primarily this was removing duplicate code and cleaning up some poorly written code snippets as well as making them more idempotent so then can be re-run over and over again but still maintain the same results. This is working on my machine, but I've been having problems in CI and comparing diffs so running generators in CI will have to wait. 2. Re-Implement using the generated api routes for testing This was a _huge_ refactor that touched damn near every test file but now we have auto-generated typed routes with inline hints and it's used for nearly every test excluding a few that use classes for better parameterization. This should greatly reduce errors when writing new tests. 3. Minor Perf improvements for the All Recipes endpoint A. Removed redundant loops B. Uses orjson to do the encoding directly and returns a byte response instead of relying on the default jsonable_encoder. 4. Fix some TS type errors that cropped up for seemingly no reason half way through the PR. See this issue https://github.com/phillipdupuis/pydantic-to-typescript/issues/28 Basically, the generated TS type is not-correct since Pydantic will automatically fill in null fields. The resulting TS type is generated with a ? to indicate it can be null even though we _know_ that i can't be. 2022-10-18 14:49:41 -08:00			`def test_api_token_creation(api_client: TestClient, admin_token):`
API security hardening (#571) * Enhance security and safety around user update API - Prevent a regular user from promoting themself to admin - Prevent an admin from demoting themself - Refactor token fixture to admin + regular user tokens * Restrict user CRUD API to admins * Secure admin API routes * Refactor APIrouter into Admin/UserAPIRouter * Secure theme routes * Make 'all recipes' routes public * Secure favorite routes * Remove redundant checks * Fix public routes mistakenly flagged user routes * Make webhooks changeable only by admin * Allow users to create categories and tags * Address lint issues 2021-06-22 20:22:15 +02:00			`response = api_client.post(api_routes.users_api_tokens, json={"name": "Test API Token"}, headers=admin_token)`
feature/profile-cards (#391) * unify format * pass variables * remove namespace * rename * group-card init * shuffle + icons * remove console.logs * token CRUD * update changelog * add profile link * consolidate mealplan to profile dashboard * update docs * add query parameter to search page * update test routes * update python depts * basic token tests Co-authored-by: hay-kot <hay-kot@pm.me> 2021-05-06 21:08:27 -08:00			`assert response.status_code == 201`
fix: Remove API Tokens from User APIs (#4985) 2025-01-29 13:52:12 -06:00			`assert response.json()["token"]`


			`def test_api_token_private(api_client: TestClient, admin_token):`
			`response = api_client.post(api_routes.users_api_tokens, json={"name": "Test API Token"}, headers=admin_token)`
			`assert response.status_code == 201`

			`response = api_client.get(api_routes.users, headers=admin_token, params={"perPage": -1})`
			`assert response.status_code == 200`
			`for user in response.json()["items"]:`
			`for user_token in user["tokens"] or []:`
			`assert "token" not in user_token`

			`response = api_client.get(api_routes.users_self, headers=admin_token)`
			`assert response.status_code == 200`
			`response_json = response.json()`
			`assert response_json["tokens"]`
			`for user_token in response_json["tokens"]:`
			`assert "token" not in user_token`
feature/profile-cards (#391) * unify format * pass variables * remove namespace * rename * group-card init * shuffle + icons * remove console.logs * token CRUD * update changelog * add profile link * consolidate mealplan to profile dashboard * update docs * add query parameter to search page * update test routes * update python depts * basic token tests Co-authored-by: hay-kot <hay-kot@pm.me> 2021-05-06 21:08:27 -08:00

chore: file generation cleanup (#1736) This PR does too many things :( 1. Major refactoring of the dev/scripts and dev/code-generation folders. Primarily this was removing duplicate code and cleaning up some poorly written code snippets as well as making them more idempotent so then can be re-run over and over again but still maintain the same results. This is working on my machine, but I've been having problems in CI and comparing diffs so running generators in CI will have to wait. 2. Re-Implement using the generated api routes for testing This was a _huge_ refactor that touched damn near every test file but now we have auto-generated typed routes with inline hints and it's used for nearly every test excluding a few that use classes for better parameterization. This should greatly reduce errors when writing new tests. 3. Minor Perf improvements for the All Recipes endpoint A. Removed redundant loops B. Uses orjson to do the encoding directly and returns a byte response instead of relying on the default jsonable_encoder. 4. Fix some TS type errors that cropped up for seemingly no reason half way through the PR. See this issue https://github.com/phillipdupuis/pydantic-to-typescript/issues/28 Basically, the generated TS type is not-correct since Pydantic will automatically fill in null fields. The resulting TS type is generated with a ? to indicate it can be null even though we _know_ that i can't be. 2022-10-18 14:49:41 -08:00			`def test_use_token(api_client: TestClient, long_live_token):`
feature/profile-cards (#391) * unify format * pass variables * remove namespace * rename * group-card init * shuffle + icons * remove console.logs * token CRUD * update changelog * add profile link * consolidate mealplan to profile dashboard * update docs * add query parameter to search page * update test routes * update python depts * basic token tests Co-authored-by: hay-kot <hay-kot@pm.me> 2021-05-06 21:08:27 -08:00			`response = api_client.get(api_routes.users, headers=long_live_token)`

			`assert response.status_code == 200`


chore: file generation cleanup (#1736) This PR does too many things :( 1. Major refactoring of the dev/scripts and dev/code-generation folders. Primarily this was removing duplicate code and cleaning up some poorly written code snippets as well as making them more idempotent so then can be re-run over and over again but still maintain the same results. This is working on my machine, but I've been having problems in CI and comparing diffs so running generators in CI will have to wait. 2. Re-Implement using the generated api routes for testing This was a _huge_ refactor that touched damn near every test file but now we have auto-generated typed routes with inline hints and it's used for nearly every test excluding a few that use classes for better parameterization. This should greatly reduce errors when writing new tests. 3. Minor Perf improvements for the All Recipes endpoint A. Removed redundant loops B. Uses orjson to do the encoding directly and returns a byte response instead of relying on the default jsonable_encoder. 4. Fix some TS type errors that cropped up for seemingly no reason half way through the PR. See this issue https://github.com/phillipdupuis/pydantic-to-typescript/issues/28 Basically, the generated TS type is not-correct since Pydantic will automatically fill in null fields. The resulting TS type is generated with a ? to indicate it can be null even though we _know_ that i can't be. 2022-10-18 14:49:41 -08:00			`def test_delete_token(api_client: TestClient, admin_token):`
API security hardening (#571) * Enhance security and safety around user update API - Prevent a regular user from promoting themself to admin - Prevent an admin from demoting themself - Refactor token fixture to admin + regular user tokens * Restrict user CRUD API to admins * Secure admin API routes * Refactor APIrouter into Admin/UserAPIRouter * Secure theme routes * Make 'all recipes' routes public * Secure favorite routes * Remove redundant checks * Fix public routes mistakenly flagged user routes * Make webhooks changeable only by admin * Allow users to create categories and tags * Address lint issues 2021-06-22 20:22:15 +02:00			`response = api_client.delete(api_routes.users_api_tokens_token_id(1), headers=admin_token)`
feature/profile-cards (#391) * unify format * pass variables * remove namespace * rename * group-card init * shuffle + icons * remove console.logs * token CRUD * update changelog * add profile link * consolidate mealplan to profile dashboard * update docs * add query parameter to search page * update test routes * update python depts * basic token tests Co-authored-by: hay-kot <hay-kot@pm.me> 2021-05-06 21:08:27 -08:00			`assert response.status_code == 200`

API security hardening (#571) * Enhance security and safety around user update API - Prevent a regular user from promoting themself to admin - Prevent an admin from demoting themself - Refactor token fixture to admin + regular user tokens * Restrict user CRUD API to admins * Secure admin API routes * Refactor APIrouter into Admin/UserAPIRouter * Secure theme routes * Make 'all recipes' routes public * Secure favorite routes * Remove redundant checks * Fix public routes mistakenly flagged user routes * Make webhooks changeable only by admin * Allow users to create categories and tags * Address lint issues 2021-06-22 20:22:15 +02:00			`response = api_client.delete(api_routes.users_api_tokens_token_id(2), headers=admin_token)`
feature/profile-cards (#391) * unify format * pass variables * remove namespace * rename * group-card init * shuffle + icons * remove console.logs * token CRUD * update changelog * add profile link * consolidate mealplan to profile dashboard * update docs * add query parameter to search page * update test routes * update python depts * basic token tests Co-authored-by: hay-kot <hay-kot@pm.me> 2021-05-06 21:08:27 -08:00			`assert response.status_code == 200`