feat(main): main

api/tests/test_auth.py

@@ -0,0 +1,53 @@
+import json
+
+import pytest
+
+from core.models import AppUser
+
+
+@pytest.mark.django_db
+def test_login_sets_bounded_session_expiry(client, settings):
+    settings.SESSION_COOKIE_AGE = 3600
+
+    AppUser.objects.create_user(
+        username="auth_user",
+        email="auth@example.com",
+        password="secret-pass-123",
+    )
+
+    response = client.post(
+        "/api/auth/login",
+        data=json.dumps({"username": "auth_user", "password": "secret-pass-123"}),
+        content_type="application/json",
+    )
+
+    assert response.status_code == 200
+    assert response.json()["success"] is True
+
+    # Session should be persisted, but bounded to SESSION_COOKIE_AGE.
+    assert 0 < client.session.get_expiry_age() <= settings.SESSION_COOKIE_AGE
+
+
+@pytest.mark.django_db
+def test_logout_forces_session_logout(client):
+    AppUser.objects.create_user(
+        username="logout_user",
+        email="logout@example.com",
+        password="secret-pass-123",
+    )
+
+    login_response = client.post(
+        "/api/auth/login",
+        data=json.dumps({"username": "logout_user", "password": "secret-pass-123"}),
+        content_type="application/json",
+    )
+    assert login_response.status_code == 200
+
+    assert client.get("/api/auth/me").status_code == 200
+
+    logout_response = client.post("/api/auth/logout")
+    assert logout_response.status_code == 200
+
+    # Session is no longer authenticated after explicit logout.
+    assert client.get("/api/auth/me").status_code == 401
+