feat: multi-user auth — per-user spaces, pbkdf2 passwords, session tokens, login page

2026-04-01 08:39:16 +02:00
parent 94dd871031
commit 1466a1529f
7 changed files with 468 additions and 24 deletions
@@ -1,10 +1,14 @@
 from fastapi.testclient import TestClient

+_TEST_USER = {"username": "testuser", "output_dir": "/tmp", "is_admin": False}
+

 def make_app():
    from fastapi import FastAPI
-    from api.router import router
+    from api.router import router, current_user
    app = FastAPI()
+    # Override auth for tests — no real credentials needed
+    app.dependency_overrides[current_user] = lambda: _TEST_USER
    app.include_router(router)
    return app

@@ -14,6 +18,7 @@ def test_status_returns_idle():
    r = client.get("/status")
    assert r.status_code == 200
    assert r.json()["status"] == "idle"
+    assert r.json()["username"] == "testuser"


 def test_config_get_returns_dict():
@@ -28,3 +33,28 @@ def test_transcripts_returns_list():
    r = client.get("/transcripts")
    assert r.status_code == 200
    assert isinstance(r.json(), list)
+
+
+def test_status_requires_auth():
+    from fastapi import FastAPI
+    from api.router import router
+    app = FastAPI()
+    app.include_router(router)
+    client = TestClient(app, raise_server_exceptions=False)
+    r = client.get("/status")
+    assert r.status_code == 401
+
+
+def test_login_rejects_wrong_credentials():
+    import tempfile, os
+    from unittest.mock import patch
+    from fastapi import FastAPI
+    from api.router import router
+    app = FastAPI()
+    app.include_router(router)
+    client = TestClient(app, raise_server_exceptions=False)
+    with tempfile.TemporaryDirectory() as tmpdir:
+        users_path = os.path.join(tmpdir, "users.toml")
+        with patch("auth.USERS_PATH", users_path):
+            r = client.post("/login", json={"username": "nobody", "password": "wrong"})
+            assert r.status_code == 401