# tests/test_security.py import pytest from fastapi import HTTPException from unittest.mock import patch class TestSecurity: def test_protected_endpoint_without_auth(self, client): """Test that protected endpoints reject unauthenticated requests""" protected_endpoints = [ "/api/v1/products", "/api/v1/stock", "/api/v1/shops", "/api/v1/stats", "/api/v1/admin/users" ] for endpoint in protected_endpoints: response = client.get(endpoint) assert response.status_code == 403 def test_protected_endpoint_with_invalid_token(self, client): """Test protected endpoints with invalid token""" headers = {"Authorization": "Bearer invalid_token_here"} response = client.get("/api/v1/products", headers=headers) assert response.status_code == 403 def test_admin_endpoint_requires_admin_role(self, client, auth_headers): """Test that admin endpoints require admin role""" response = client.get("/api/v1/admin/users", headers=auth_headers) assert response.status_code == 403 # Regular user should be denied def test_sql_injection_prevention(self, client, auth_headers): """Test SQL injection prevention in search parameters""" # Try SQL injection in search parameter malicious_search = "'; DROP TABLE products; --" response = client.get(f"/api/v1/products?search={malicious_search}", headers=auth_headers) # Should not crash and should return normal response assert response.status_code == 200 # Database should still be intact (no products dropped) def test_input_validation(self, client, auth_headers): """Test input validation and sanitization""" # Test XSS attempt in product creation xss_payload = "" product_data = { "product_id": "XSS_TEST", "title": xss_payload, "description": xss_payload } response = client.post("/api/v1/products", headers=auth_headers, json=product_data) if response.status_code == 200: # If creation succeeds, content should be escaped/sanitized data = response.json() assert "