#21: Add superuser routes (#30)

* Add CRU superuser routes * Add delete method on DB adapters * Add superuser delete route * Add superuser routes documentation * Pass black formatter
2025-11-01 01:48:46 +08:00 · 2019-10-29 13:32:44 +01:00
parent 919550ba74
commit 9b7ec58800
12 changed files with 379 additions and 12 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -75,6 +75,9 @@ def mock_user_db(user, inactive_user, superuser) -> BaseUserDatabase:
        async def update(self, user: BaseUserDB) -> BaseUserDB:
            return user

+        async def delete(self, user: BaseUserDB) -> None:
+            pass
+
    return MockUserDatabase()


--- a/tests/test_db_base.py
+++ b/tests/test_db_base.py
@ -31,6 +31,9 @@ async def test_not_implemented_methods(user):
    with pytest.raises(NotImplementedError):
        await base_user_db.update(user)

+    with pytest.raises(NotImplementedError):
+        await base_user_db.delete(user)
+

 class TestAuthenticate:
    @pytest.mark.asyncio
--- a/tests/test_db_mongodb.py
+++ b/tests/test_db_mongodb.py
@ -61,3 +61,8 @@ async def test_queries(mongodb_user_db):
    # Unknown user
    unknown_user = await mongodb_user_db.get_by_email("galahad@camelot.bt")
    assert unknown_user is None
+
+    # Delete user
+    await mongodb_user_db.delete(user)
+    deleted_user = await mongodb_user_db.get(user.id)
+    assert deleted_user is None
--- a/tests/test_db_sqlalchemy.py
+++ b/tests/test_db_sqlalchemy.py
@ -79,3 +79,8 @@ async def test_queries(sqlalchemy_user_db):
    # Unknown user
    unknown_user = await sqlalchemy_user_db.get_by_email("galahad@camelot.bt")
    assert unknown_user is None
+
+    # Delete user
+    await sqlalchemy_user_db.delete(user)
+    deleted_user = await sqlalchemy_user_db.get(user.id)
+    assert deleted_user is None
--- a/tests/test_fastapi_users.py
+++ b/tests/test_fastapi_users.py
@ -37,7 +37,7 @@ def fastapi_users(request, mock_user_db, mock_authentication) -> FastAPIUsers:
@pytest.fixture()
 def test_app_client(fastapi_users) -> TestClient:
    app = FastAPI()
-    app.include_router(fastapi_users.router)
+    app.include_router(fastapi_users.router, prefix="/users")

    @app.get("/current-user")
    def current_user(user=Depends(fastapi_users.get_current_user)):
@ -63,16 +63,25 @@ class TestFastAPIUsers:

 class TestRouter:
    def test_routes_exist(self, test_app_client: TestClient):
-        response = test_app_client.post("/register")
+        response = test_app_client.post("/users/register")
        assert response.status_code != status.HTTP_404_NOT_FOUND

-        response = test_app_client.post("/login")
+        response = test_app_client.post("/users/login")
        assert response.status_code != status.HTTP_404_NOT_FOUND

-        response = test_app_client.post("/forgot-password")
+        response = test_app_client.post("/users/forgot-password")
        assert response.status_code != status.HTTP_404_NOT_FOUND

-        response = test_app_client.post("/reset-password")
+        response = test_app_client.post("/users/reset-password")
+        assert response.status_code != status.HTTP_404_NOT_FOUND
+
+        response = test_app_client.get("/users")
+        assert response.status_code != status.HTTP_404_NOT_FOUND
+
+        response = test_app_client.get("/users/aaa")
+        assert response.status_code != status.HTTP_404_NOT_FOUND
+
+        response = test_app_client.patch("/users/aaa")
        assert response.status_code != status.HTTP_404_NOT_FOUND


--- a/tests/test_router.py
+++ b/tests/test_router.py
@ -357,3 +357,195 @@ class TestUpdateMe:

        updated_user = mock_user_db.update.call_args[0][0]
        assert updated_user.hashed_password != current_hashed_passord
+
+
+class TestListUsers:
+    def test_missing_token(self, test_app_client: TestClient):
+        response = test_app_client.get("/")
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_regular_user(self, test_app_client: TestClient, user: BaseUserDB):
+        response = test_app_client.get(
+            "/", headers={"Authorization": f"Bearer {user.id}"}
+        )
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_superuser(self, test_app_client: TestClient, superuser: BaseUserDB):
+        response = test_app_client.get(
+            "/", headers={"Authorization": f"Bearer {superuser.id}"}
+        )
+        assert response.status_code == status.HTTP_200_OK
+
+        response_json = response.json()
+        assert len(response_json) == 3
+        for user in response_json:
+            assert "id" in user
+            assert "hashed_password" not in user
+
+
+class TestGetUser:
+    def test_missing_token(self, test_app_client: TestClient):
+        response = test_app_client.get("/000")
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_regular_user(self, test_app_client: TestClient, user: BaseUserDB):
+        response = test_app_client.get(
+            "/000", headers={"Authorization": f"Bearer {user.id}"}
+        )
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_not_existing_user(
+        self, test_app_client: TestClient, superuser: BaseUserDB
+    ):
+        response = test_app_client.get(
+            "/000", headers={"Authorization": f"Bearer {superuser.id}"}
+        )
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+    def test_superuser(
+        self, test_app_client: TestClient, user: BaseUserDB, superuser: BaseUserDB
+    ):
+        response = test_app_client.get(
+            f"/{user.id}", headers={"Authorization": f"Bearer {superuser.id}"}
+        )
+        assert response.status_code == status.HTTP_200_OK
+
+        response_json = response.json()
+        assert response_json["id"] == user.id
+        assert "hashed_password" not in response_json
+
+
+class TestUpdateUser:
+    def test_missing_token(self, test_app_client: TestClient):
+        response = test_app_client.patch("/000")
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_regular_user(self, test_app_client: TestClient, user: BaseUserDB):
+        response = test_app_client.patch(
+            "/000", headers={"Authorization": f"Bearer {user.id}"}
+        )
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_not_existing_user(
+        self, test_app_client: TestClient, superuser: BaseUserDB
+    ):
+        response = test_app_client.patch(
+            "/000", json={}, headers={"Authorization": f"Bearer {superuser.id}"}
+        )
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+    def test_empty_body(
+        self, test_app_client: TestClient, user: BaseUserDB, superuser: BaseUserDB
+    ):
+        response = test_app_client.patch(
+            f"/{user.id}", json={}, headers={"Authorization": f"Bearer {superuser.id}"}
+        )
+        assert response.status_code == status.HTTP_200_OK
+
+        response_json = response.json()
+        assert response_json["email"] == user.email
+
+    def test_valid_body(
+        self, test_app_client: TestClient, user: BaseUserDB, superuser: BaseUserDB
+    ):
+        json = {"email": "king.arthur@tintagel.bt"}
+        response = test_app_client.patch(
+            f"/{user.id}",
+            json=json,
+            headers={"Authorization": f"Bearer {superuser.id}"},
+        )
+        assert response.status_code == status.HTTP_200_OK
+
+        response_json = response.json()
+        assert response_json["email"] == "king.arthur@tintagel.bt"
+
+    def test_valid_body_is_superuser(
+        self, test_app_client: TestClient, user: BaseUserDB, superuser: BaseUserDB
+    ):
+        json = {"is_superuser": True}
+        response = test_app_client.patch(
+            f"/{user.id}",
+            json=json,
+            headers={"Authorization": f"Bearer {superuser.id}"},
+        )
+        assert response.status_code == status.HTTP_200_OK
+
+        response_json = response.json()
+        assert response_json["is_superuser"] is True
+
+    def test_valid_body_is_active(
+        self, test_app_client: TestClient, user: BaseUserDB, superuser: BaseUserDB
+    ):
+        json = {"is_active": False}
+        response = test_app_client.patch(
+            f"/{user.id}",
+            json=json,
+            headers={"Authorization": f"Bearer {superuser.id}"},
+        )
+        assert response.status_code == status.HTTP_200_OK
+
+        response_json = response.json()
+        assert response_json["is_active"] is False
+
+    def test_valid_body_password(
+        self,
+        mocker,
+        mock_user_db,
+        test_app_client: TestClient,
+        user: BaseUserDB,
+        superuser: BaseUserDB,
+    ):
+        mocker.spy(mock_user_db, "update")
+        current_hashed_passord = user.hashed_password
+
+        json = {"password": "merlin"}
+        response = test_app_client.patch(
+            f"/{user.id}",
+            json=json,
+            headers={"Authorization": f"Bearer {superuser.id}"},
+        )
+        assert response.status_code == status.HTTP_200_OK
+        assert mock_user_db.update.called is True
+
+        updated_user = mock_user_db.update.call_args[0][0]
+        assert updated_user.hashed_password != current_hashed_passord
+
+
+class TestDeleteUser:
+    def test_missing_token(self, test_app_client: TestClient):
+        response = test_app_client.delete("/000")
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_regular_user(self, test_app_client: TestClient, user: BaseUserDB):
+        response = test_app_client.delete(
+            "/000", headers={"Authorization": f"Bearer {user.id}"}
+        )
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_not_existing_user(
+        self, test_app_client: TestClient, superuser: BaseUserDB
+    ):
+        response = test_app_client.delete(
+            "/000", headers={"Authorization": f"Bearer {superuser.id}"}
+        )
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+    def test_superuser(
+        self,
+        mocker,
+        mock_user_db,
+        test_app_client: TestClient,
+        user: BaseUserDB,
+        superuser: BaseUserDB,
+    ):
+        mocker.spy(mock_user_db, "delete")
+
+        response = test_app_client.delete(
+            f"/{user.id}", headers={"Authorization": f"Bearer {superuser.id}"}
+        )
+        assert response.status_code == status.HTTP_204_NO_CONTENT
+        assert response.json() is None
+        assert mock_user_db.delete.called is True
+
+        deleted_user = mock_user_db.delete.call_args[0][0]
+        assert deleted_user.id == user.id