Samir Boulahtit
4ba911e263
When a session times out or user accesses pages with wrong role, redirect to login instead of showing error page. Changes: - Extend exception handler to redirect on 403 errors with auth codes - Add tests for HTML page auth redirect behavior Error codes that trigger redirect: - ADMIN_REQUIRED, INSUFFICIENT_PERMISSIONS, USER_NOT_ACTIVE - VENDOR_ACCESS_DENIED, UNAUTHORIZED_VENDOR_ACCESS - VENDOR_OWNER_ONLY, INSUFFICIENT_VENDOR_PERMISSIONS - CUSTOMER_NOT_AUTHORIZED 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
113 lines
4.5 KiB
Python
113 lines
4.5 KiB
Python
# tests/integration/security/test_authorization.py
|
|
"""
|
|
Authorization tests for the API.
|
|
|
|
Tests role-based access control:
|
|
- Admin endpoints require admin role
|
|
- Vendor endpoints require vendor context (vendor_id in token)
|
|
"""
|
|
|
|
import pytest
|
|
|
|
|
|
@pytest.mark.integration
|
|
@pytest.mark.security
|
|
@pytest.mark.auth
|
|
class TestAuthorization:
|
|
def test_admin_endpoint_requires_admin_role(self, client, auth_headers):
|
|
"""Test that admin endpoints require admin role"""
|
|
response = client.get("/api/v1/admin/users", headers=auth_headers)
|
|
# Regular user should be denied access (401 not admin or 403 forbidden)
|
|
assert response.status_code in [401, 403]
|
|
|
|
def test_admin_endpoints_with_admin_access(self, client, admin_headers):
|
|
"""Test that admin users can access admin endpoints"""
|
|
admin_endpoints = [
|
|
"/api/v1/admin/users",
|
|
"/api/v1/admin/vendors",
|
|
"/api/v1/admin/marketplace-import-jobs",
|
|
]
|
|
|
|
for endpoint in admin_endpoints:
|
|
response = client.get(endpoint, headers=admin_headers)
|
|
assert response.status_code == 200, (
|
|
f"Admin should have access to {endpoint}"
|
|
)
|
|
|
|
def test_vendor_endpoint_requires_vendor_context(self, client, admin_headers):
|
|
"""Test that vendor endpoints require vendor context in token"""
|
|
# Admin token doesn't have vendor_id claim
|
|
response = client.get("/api/v1/vendor/products", headers=admin_headers)
|
|
# Should fail - admin token lacks vendor_id claim
|
|
assert response.status_code in [401, 403]
|
|
|
|
def test_vendor_owner_access_control(self, client, admin_headers, test_vendor):
|
|
"""Test admin can access vendor by vendor code"""
|
|
response = client.get(
|
|
f"/api/v1/admin/vendors/{test_vendor.vendor_code}", headers=admin_headers
|
|
)
|
|
# Admin should be able to view vendor
|
|
assert response.status_code == 200
|
|
|
|
|
|
@pytest.mark.integration
|
|
@pytest.mark.security
|
|
@pytest.mark.auth
|
|
class TestHTMLPageAuthRedirect:
|
|
"""
|
|
Test that authorization errors on HTML pages redirect to login.
|
|
|
|
For HTML page requests (Accept: text/html), both 401 and specific 403 errors
|
|
should redirect to the appropriate login page instead of showing error pages.
|
|
"""
|
|
|
|
def test_api_request_returns_json_on_auth_error(self, client, auth_headers):
|
|
"""Test that API requests return JSON error, not redirect."""
|
|
# Non-admin user trying to access admin API endpoint
|
|
response = client.get("/api/v1/admin/users", headers=auth_headers)
|
|
assert response.status_code == 403
|
|
# Should be JSON, not redirect
|
|
data = response.json()
|
|
assert data["error_code"] == "ADMIN_REQUIRED"
|
|
|
|
def test_html_page_redirects_on_no_token(self, client):
|
|
"""Test that HTML page requests without token redirect to login."""
|
|
# Request admin page without token, accepting HTML
|
|
response = client.get(
|
|
"/admin/dashboard",
|
|
headers={"Accept": "text/html"},
|
|
follow_redirects=False,
|
|
)
|
|
# Should redirect (302) to login page
|
|
assert response.status_code == 302
|
|
assert "/admin/login" in response.headers.get("location", "")
|
|
|
|
def test_html_page_redirects_on_invalid_token(self, client):
|
|
"""Test that HTML page requests with invalid token redirect to login."""
|
|
# Request admin page with invalid token cookie, accepting HTML
|
|
response = client.get(
|
|
"/admin/dashboard",
|
|
headers={"Accept": "text/html"},
|
|
cookies={"admin_token": "invalid.token.here"},
|
|
follow_redirects=False,
|
|
)
|
|
# Should redirect (302) to login page
|
|
assert response.status_code == 302
|
|
assert "/admin/login" in response.headers.get("location", "")
|
|
|
|
def test_html_page_redirects_on_admin_required(self, client, auth_headers):
|
|
"""Test that HTML page requests with wrong role redirect to login."""
|
|
# Regular user (not admin) trying to access admin HTML page
|
|
# We need to set both the cookie and Accept header for HTML behavior
|
|
response = client.get(
|
|
"/admin/dashboard",
|
|
headers={
|
|
"Accept": "text/html",
|
|
"Authorization": auth_headers["Authorization"],
|
|
},
|
|
follow_redirects=False,
|
|
)
|
|
# Should redirect (302) to login page when user lacks admin role
|
|
assert response.status_code == 302
|
|
assert "/admin/login" in response.headers.get("location", "")
|