api/tests/test_auth.py

import json

import pytest

from core.models import AppUser


@pytest.mark.django_db
def test_login_sets_bounded_session_expiry(client, settings):
    settings.SESSION_COOKIE_AGE = 3600

    AppUser.objects.create_user(
        username="auth_user",
        email="auth@example.com",
        password="secret-pass-123",
    )

    response = client.post(
        "/api/auth/login",
        data=json.dumps({"username": "auth_user", "password": "secret-pass-123"}),
        content_type="application/json",
    )

    assert response.status_code == 200
    assert response.json()["success"] is True

    # Session should be persisted, but bounded to SESSION_COOKIE_AGE.
    assert 0 < client.session.get_expiry_age() <= settings.SESSION_COOKIE_AGE


@pytest.mark.django_db
def test_logout_forces_session_logout(client):
    AppUser.objects.create_user(
        username="logout_user",
        email="logout@example.com",
        password="secret-pass-123",
    )

    login_response = client.post(
        "/api/auth/login",
        data=json.dumps({"username": "logout_user", "password": "secret-pass-123"}),
        content_type="application/json",
    )
    assert login_response.status_code == 200

    assert client.get("/api/auth/me").status_code == 200

    logout_response = client.post("/api/auth/logout")
    assert logout_response.status_code == 200

    # Session is no longer authenticated after explicit logout.
    assert client.get("/api/auth/me").status_code == 401
feat(main): main 2026-03-20 15:00:24 -04:00			`import json`

			`import pytest`

			`from core.models import AppUser`


			`@pytest.mark.django_db`
			`def test_login_sets_bounded_session_expiry(client, settings):`
			`settings.SESSION_COOKIE_AGE = 3600`

			`AppUser.objects.create_user(`
			`username="auth_user",`
			`email="auth@example.com",`
			`password="secret-pass-123",`
			`)`

			`response = client.post(`
			`"/api/auth/login",`
			`data=json.dumps({"username": "auth_user", "password": "secret-pass-123"}),`
			`content_type="application/json",`
			`)`

			`assert response.status_code == 200`
			`assert response.json()["success"] is True`

			`# Session should be persisted, but bounded to SESSION_COOKIE_AGE.`
			`assert 0 < client.session.get_expiry_age() <= settings.SESSION_COOKIE_AGE`


			`@pytest.mark.django_db`
			`def test_logout_forces_session_logout(client):`
			`AppUser.objects.create_user(`
			`username="logout_user",`
			`email="logout@example.com",`
			`password="secret-pass-123",`
			`)`

			`login_response = client.post(`
			`"/api/auth/login",`
			`data=json.dumps({"username": "logout_user", "password": "secret-pass-123"}),`
			`content_type="application/json",`
			`)`
			`assert login_response.status_code == 200`

			`assert client.get("/api/auth/me").status_code == 200`

			`logout_response = client.post("/api/auth/logout")`
			`assert logout_response.status_code == 200`

			`# Session is no longer authenticated after explicit logout.`
			`assert client.get("/api/auth/me").status_code == 401`