מie dZddlmZddlZddlmcmZddl Z ddl m Z m Z ddl mZmZmZmZddlZddlZ ddlmZmZddlmZddlZdZ d/ d0d Z d1 d2d Z d3 d4d Zej>d Z ej>dZ!GddZ"GddZ#GddZ$GddZ%ejLjOe dGddZ(ejLjOe dGddZ)ejLjOe dGddZ*Gdd Z+ejLjOe dGd!d"Z,ejLjOe dGd#d$Z-Gd%d&Z.e/d'k(rFddl0Z0e0jbe jdd(d)e3d*d+d,gd-.Z4e jje4jlyy#e$rd ZYwxYw)5u Genesis Customer Auth — Test Suite ==================================== Module 5: Supabase Customer Auth Black-box and white-box tests for: - core/auth/supabase_client.py (SupabaseAuth) - core/auth/middleware.py (get_current_user, require_auth) - api/auth/routes.py (FastAPI auth router) Test coverage: BB1: sign_up returns user dict with id and email (3 tests) BB2: sign_in returns session with access_token (3 tests) BB3: get_user returns user profile from valid JWT (2 tests) BB4: sign_out invalidates session (2 tests) BB5: Invalid JWT returns 401 (2 tests) BB6: Missing auth header returns 401 (1 test) BB7: Auth routes return proper HTTP status codes (4 tests) WB1: Supabase SDK client initialized with correct URL/key (2 tests) WB2: Middleware extracts Bearer token correctly (2 tests) WB3: require_auth checks subscription tier (3 tests) WB4: ImportError raised when supabase SDK missing (1 test) All tests mock the Supabase SDK. ZERO live API calls. FastAPI route tests use httpx.AsyncClient with ASGITransport. VERIFICATION_STAMP Story: 5.05 Verified By: parallel-builder Verified At: 2026-02-25 Tests: 26/26 Coverage: 100% ) annotationsN)AnyDict) AsyncMock MagicMockpatch PropertyMockFastAPIDepends) TestClientTFcft}||_||_|dd|_d|_d|_|S)z#Return a mock Supabase User object.z Test User)subscription_tiernamez2026-01-01T00:00:00)ridemail user_metadata created_at updated_at)uidrtierusers ./mnt/e/genesis-system/tests/infra/test_auth.py _mock_userr=s9 ;DDGDJ/3[ID+DO+DO KcRt}||_||_d|_d|_|S)z&Return a mock Supabase Session object.bearer)r access_token refresh_token expires_in token_type)rr sessions r _mock_sessionr$Ls0 kG'G)GG!G Nrcrt}t||||_|rt|_|Sd|_|S)z$Return a mock Supabase AuthResponse.N)rrrr$r#)rrrinclude_sessionresponses r_mock_auth_responser(Ys={HsE40HM*9}H O@DH Orc#Kt}t}t||_t|_tjt j d|i5tdd5td|j5|dddddddddy#1swYxYw#1swYxYw#1swYyxYww)z8Patch supabase.create_client so no live SDK is required. return_valuesupabase-core.auth.supabase_client._SUPABASE_AVAILABLETz'core.auth.supabase_client.create_clientN)r create_clientClientrdictsysmodules) mock_client mock_modules rmock_supabase_moduler5js+K+K ){ CK"K CKK*k!: ;" BD I "@+B[B[\ "!! " """ " " " """sNAB? B3&B'=BB' B3 B?B$ B''B0 ,B33B<8B?cddlm}ddlmcm}|j}d|_|ddd}||_||_||_|S) z8Return a SupabaseAuth instance backed by the mocked SDK.r SupabaseAuthNTzhttps://test.supabase.coz test-anon-keyztest-service-key)urlanon_key service_key)core.auth.supabase_clientr8authsupabase_client_SUPABASE_AVAILABLE_client _admin_client)r5r8sc_modorig_availableclients r auth_clientrEysQ7..//N!%F  & &F *FN/F!/F MrceZdZdZej j dZej j dZej j dZ y) TestSignUpuBB1 — sign_up behaviour.cKt|jj_|jddd{}d}||v}|st j d|fd||ft j |dtjvst j|rt j |nddz}d d |iz}tt j|dx}}|dd }d }||k(}|slt j d |fd||ft j |t j |dz} dd| iz} tt j| dx}x}}y7.w)u7BB1.1 — Result dict has 'user' key with non-empty id.new@example.com password123Nrinz%(py1)s in %(py3)sresultpy1py3assert %(py5)spy5r user-abc-123==z%(py1)s == %(py4)srPpy4assert %(py6)spy6) r(r=sign_upr+ @pytest_ar_call_reprcompare _saferepr @py_builtinslocals_should_repr_global_nameAssertionError_format_explanation selfrEr5rN @py_assert0 @py_assert2 @py_format4 @py_format6 @py_assert3 @py_format5 @py_format7s r!test_sign_up_returns_user_with_idz,TestSignUp.test_sign_up_returns_user_with_ids:M9N!!))6"**+C6C4B4C6N) __name__ __module__ __qualname____doc__pytestmarkasynciornrqryrrrGrGs_$ [[66 [[<< [[ @ @rrGceZdZdZej j dZej j dZej j dZ y) TestSignInuBB2 — sign_in behaviour.cKt|jj_|j ddd{}|d}d}||k(}|slt j d|fd||ft j|t j|dz}d d |iz}tt j|dx}x}}y7w) u,BB2.1 — Result has top-level access_token.user@example.comrJNrfake-jwt-tokenrUrWrXrZr[) r(r=sign_in_with_passwordr+sign_inr]r^r_rcrdrps r!test_sign_in_returns_access_tokenz,TestSignIn.test_sign_in_returns_access_tokensH[G\!!77D"**+=}MMn%9)99%)99999%)9999%999)99999999Ns9CCBCcKt|jj_|j ddd{}d}||v}|st j d|fd||ft j|dtjvst j|rt j|nddz}d d |iz}tt j|dx}}|dd }d }||k(}|slt j d |fd||ft j|t j|dz} dd| iz} tt j| dx}x}}|dd}d}||k(}|slt j d |fd||ft j|t j|dz} dd| iz} tt j| dx}x}}y7w)u6BB2.2 — Result has 'session' dict with token fields.rrJNr#rKrMrNrOrRrSrrrUrWrXrZr[r fake-refresh-token) r(r=rr+rr]r^r_r`rarbrcrdres r#test_sign_in_returns_session_objectz.TestSignIn.test_sign_in_returns_session_objectsMH[G\!!77D"**+=}MM"yF""""yF"""y""""""F"""F"""""""i 0D4DD04DDDDD04DDDD0DDD4DDDDDDDDi 1I5II15IIIII15IIII1III5IIIIIIIINs9G/G,F1G/cKtd|jj_t j td5|j ddd{dddy7 #1swYyxYww)u5BB2.3 — Exception raised on authentication failure.zInvalid credentialsmatchzbad@example.com wrongpassN) Exceptionr=r side_effectr~raisesrrfrEr5s r4test_sign_in_propagates_exception_on_bad_credentialsz?TestSignIn.test_sign_in_propagates_exception_on_bad_credentialssr GP !G !!77C]]9,A B F%%&7E E E F F E F Fs0AA4A(A&A( A4&A((A1-A4N) rzr{r|r}r~rrrrrrrrrrsa$ [[::  [[JJ [[FFrrceZdZdZej j dZej j dZy) TestGetUseruBB3 — get_user behaviour.cKt}t|_||jj_|j dd{}|d}d}||k(}|slt jd|fd||ft j|t j|dz}dd |iz} tt j| dx}x}}|d }d }||k(}|slt jd|fd||ft j|t j|dz}dd |iz} tt j| dx}x}}|d }d }||k(}|slt jd|fd||ft j|t j|dz}dd |iz} tt j| dx}x}}y7w)u;BB3.1 — Valid JWT returns user dict with expected fields.zvalid-jwt-tokenNrrTrUrWrXrZr[rtest@example.comrrs) rrrr=get_userr+r]r^r_rcrd) rfrEr5 mock_responserNrgrkrhrlrms r+test_get_user_returns_profile_for_valid_jwtz7TestGetUser.test_get_user_returns_profile_for_valid_jwts: " '\ :G!!**7"++,=>>d|-~-|~----|~---|---~-------g4"44"44444"4444444"44444444)*7i7*i7777*i777*777i7777777?sA G G FGcKtd|jj_t j t d5|jdd{dddy7 #1swYyxYww)u0BB3.2 — Invalid/expired JWT raises ValueError.z JWT expiredzInvalid or expired JWTrz expired-jwtN)rr=rrr~r ValueErrorrs r0test_get_user_raises_value_error_for_invalid_jwtz.override_auths   /protectedcKd|diSwNuser_idrrrs r protectedz,TestInvalidJWT._build_app..protected!tDz* * ) fastapir core.auth.middlewarer= middlewaredependency_overrides_get_auth_clientgetr get_current_user)rfrr mwapprrs ` r _build_appzTestInvalidJWT._build_appsa#))i 9F  !4!45  !()<) : : : :&9&9 : : : : :rN)rzr{r|r}rrrrrrrrs5& ':rrceZdZdZdZy)TestMissingAuthHeaderu%BB6 — Missing Authorization header.cPddlm}m}ddlmcm}|}|j d||jfd}t|d}|j d}|j}d} || v} | stjd | fd || fd tjvstj|rtj|nd tj|tj| d z} d d| iz} t!tj"| dx}x} } y)u;BB6.1 — Request without Authorization header returns 401.rr NrcKd|diSwrrrs rrzHTestMissingAuthHeader.test_missing_header_returns_401..protectedWrrFr)rrKz3%(py2)s {%(py2)s = %(py0)s.status_code } in %(py5)srrrrrr r rr=rrrr rr]r^r`rarbr_rcrd) rfr r rrrrDrrrrkrjrs rtest_missing_header_returns_401z5TestMissingAuthHeader.test_missing_header_returns_401Ps,))i  !()<)z=TestAuthRouteStatusCodes.app_with_mock_auth..sir) rr api.auth.routesrrinclude_routerrrr\rsign_in_magic_linkreset_passwordr)rfr rrrrs @rapp_with_mock_authz+TestAuthRouteStatusCodes.app_with_mock_authjs $:i ;' K %)*3!#2RI).&*(D 4  &)*3!#2RI).&*(D! 4  (1;? ( $$-$#?  /@  +I~rc|\}}t|}|jddddd}|j}d}||k(}|stjd|fd ||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| dx}x}}y)u0BB7.1 — POST /auth/signup returns 201 Created.z /auth/signuprIz Secure123!Jane)rpasswordrrrUrrrrrN r postrr]r^r`rarbr_rcrd rfrr_rDrrrrkrjrs rtest_signup_returns_201z0TestAuthRouteStatusCodes.test_signup_returns_201s#QC{{ ,,PVW &3&3&&&&3&&&&&&t&&&t&&&&&&3&&&&&&&rc|\}}t|}|jdddd}|j}d}||k(}|stjd|fd||fd t j vstj|rtj|nd tj|tj|d z} d d | iz} ttj| d x}x}}y )u*BB7.2 — POST /auth/login returns 200 OK.z /auth/loginrrJ)rrrrUrrrrrNrrs rtest_login_returns_200z/TestAuthRouteStatusCodes.test_login_returns_200s#QC{{ -=I &3&3&&&&3&&&&&&t&&&t&&&&&&3&&&&&&&rc|\}}t|}|jdddi}|j}d}||k(}|stjd|fd||fdt j vstj|rtj|ndtj|tj|d z} d d | iz} ttj| d x}x}}y ) u/BB7.3 — POST /auth/magic-link returns 200 OK.z/auth/magic-linkrrrr"rUrrrrrNrrs rtest_magic_link_returns_200z4TestAuthRouteStatusCodes.test_magic_link_returns_200s#QC{{ -. &3&3&&&&3&&&&&&t&&&t&&&&&&3&&&&&&&rc|\}}t|}|jdddi}|j}d}||k(}|stjd|fd||fdt j vstj|rtj|ndtj|tj|d z} d d | iz} ttj| d x}x}}y ) u3BB7.4 — POST /auth/reset-password returns 200 OK.z/auth/reset-passwordrrrr"rUrrrrrNrrs rtest_reset_password_returns_200z8TestAuthRouteStatusCodes.test_reset_password_returns_200s#QC{{ "-. &3&3&&&&3&&&&&&t&&&t&&&&&&3&&&&&&&rN) rzr{r|r}r~fixturerr r#r%r'rrrrrfs0? ^^##J''''rrceZdZdZdZdZy)TestSDKInitialisationu2WB1 — SDK instantiation with correct parameters.cVddlmcm}tt}|j}t |dd}d|_||_ ddlm}|dd }|jd}|dd}d} || k(} | sltjd | fd || ftj|tj| d z} d d| iz} ttj| dx}x} } |dd}d} || k(} | sltjd | fd || ftj|tj| d z} d d| iz} ttj| dx}x} } ||_| t|dy||_y#||_| t|dw||_wxYw)u6WB1.1 — create_client receives the URL and anon key.rNr*r.Tr7zhttps://myproject.supabase.coz anon-key-abcr9r:rUrWrXrZr[r)r<r=r>rr?getattrr.r8call_args_listr]r^r_rcrddelattr) rfrB mock_createoriginal_availableoriginal_creater8r first_callrgrkrhrlrms r2test_create_client_called_with_correct_url_and_keyzHTestSDKInitialisation.test_create_client_called_with_correct_url_and_keys^22Y[9 $77!&/4@%)"* 7 >3'A%33A6Ja=# F'F F#'FF F F F#'F F F F# F F F'F F F F F F F Fa=# 5~ 5#~5 5 5 5#~ 5 5 5# 5 5 5~ 5 5 5 5 5 5 5);F &&0'6$ *rr?r-r.r8r~rrr/)rfrBr0r1r2r8s r#test_missing_url_raises_value_errorz9TestSDKInitialisation.test_missing_url_raises_value_errors22Y[9 #77!&/4@%)"* 7 >z7 :j9 :*.mock_auth_client.._get_users*$)!)2 ""Bs)rr)r=r?r>s rmock_auth_clientz`TestMiddlewareBearerExtraction.test_bearer_token_forwarded_to_get_user..mock_auth_clients!;D &DMKs/testcK|Swrrrs rendpointzXTestMiddlewareBearerExtraction.test_bearer_token_forwarded_to_get_user..endpoint KrzBearer my-special-tokenrr=zmy-special-tokenrU)zI%(py6)s {%(py6)s = %(py2)s {%(py2)s = %(py0)s.get }(%(py4)s) } == %(py9)sr>)rrrYr[py9zassert %(py11)spy11)rr r rr=rrrrrr r]r^r`rarbr_rcrd)rfr r rrr@rCrDrrkr @py_assert8r @py_format10 @py_format12r>s @r'test_bearer_token_forwarded_to_get_userzFTestMiddlewareBearerExtraction.test_bearer_token_forwarded_to_get_users,))i 9I  !4!45   '(;(; <   C 7_6O$P Q||:G:|G$:(::$(:::::$(:::::::x:::x:::|:::G:::$:::(:::::::::rcXddlm}m}ddlmcm}|}|j d||jfd}t|d}|j ddd i }|j}d } || v} | stjd | fd || fdtjvstj|rtj|ndtj|tj| dz} dd| iz} t!tj"| dx}x} } y)uHWB2.2 — Request with non-Bearer auth scheme is rejected by HTTPBearer.rr NrAcK|Swrrrs rrCz]TestMiddlewareBearerExtraction.test_malformed_bearer_header_returns_non_200..endpointrDrEFrrzBasic dXNlcjpwYXNzr)rrirKrrrrrr) rfr r rrrCrDrrrrkrjrs r,test_malformed_bearer_header_returns_non_200zKTestMiddlewareBearerExtraction.test_malformed_bearer_header_returns_non_200s,))i   '(;(; <   C?zz'O=Q+RzS2?2?2222?222222t222t222222?2222222rN)rzr{r|r}rKrNrrrr9r9s:;<3rr9c*eZdZdZddZdZdZdZy)TestRequireAuthTierGatingu2WB3 — Tier-based access control in require_auth.c ddlm}m}ddlmcm}|}dd|iddd fd}||j |j<|jd ||j|g d }|S) z/Build a minimal app with a tier-gated endpoint.rr Nr r r r cKSwrr) user_profilesr mock_get_userz>TestRequireAuthTierGating._app_for_tier..mock_get_user<s  r/gated) dependenciescKddiSw)Naccessgrantedrrrrgatedz6TestRequireAuthTierGating._app_for_tier..gatedAs i( (s) rr r rr=rrrr require_auth) rf required_tier user_tierr r rrrTrZrSs @r _app_for_tierz'TestRequireAuthTierGating._app_for_tier0s,))i!*"B  9F  !4!45  !"//-"@AB   )   ) rc|jdd}t|}|jdddi}|j}d}||k(}|st j d|fd||fd t jvst j|rt j|nd t j|t j|d z}d d |iz}tt j|d x}x}}y )u/WB3.1 — User with matching tier receives 200. professionalrUr Bearer tokrr"rUrrrrrN r^r rrr]r^r`rarbr_rcrd rfrrDrrrrkrjrs r"test_sufficient_tier_grants_accessz{2LM /"       s!"A A A A AA N)rzr{r|r}rprrrrlrlns Krrl__main__z-mr~z-vz --tb=shortz --no-headerz/mnt/e/genesis-system)cwd)rTrrs)rrjrrjrrjreturnr)rr)rrjr rjrsr)rTrrsT) rrjrrjrrjr&boolrsr)7r} __future__rbuiltinsr`_pytest.assertion.rewrite assertionrewriter]r1typingrr unittest.mockrrrr r~pytest_asynciorr r fastapi.testclientr httpx_FASTAPI_AVAILABLErorr$r(r(r5rErGrrrrskipifrrrr*r9rPrlrz subprocessrun executable__file__rNexit returncoderrrrs!F# CC  (-#         )-    #          " " ".@@LFFF66@@@,**3JK4:4:L4:v**3JK..L.2**3JKO'O'LO'l0707n**3JK0303L03n**3JK:5:5L:5B  $ z Z^^ NND(       $ F CHHV  UsG;;HH