Write auth integration tests — verify 401/403 on every protected route #20

Open
opened 2026-04-20 09:37:12 +00:00 by sharang · 0 comments
Owner

Problem

No tests verify that routes reject unauthenticated requests. After #4 (JWT middleware) is merged, it must be continuously tested or it will regress silently.

Required Actions

  1. Add backend-compliance/compliance/tests/test_auth.py
  2. For every route group, test:
    • No token → 401
    • Expired token → 401
    • Valid token, wrong scope → 403
    • Valid token, correct scope → 200/201
  3. Use a test fixture that issues mock JWTs signed with a test key (no Keycloak dependency in CI)
  4. Add parametrized test that iterates over all registered routes and asserts none returns 200 without auth
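A stdlib-only sketch of the fixture and decision matrix the actions above call for (added example, not code from this repository; the HS256 test key, scope names, route table and the deliberately unprotected `/export` route are constructed, and `auth_status` stands in for the #4 middleware, which the real suite would drive through FastAPI's TestClient over `app.routes`):

```python
import base64, hashlib, hmac, json, time

TEST_KEY = b"ci-only-test-key"  # constructed: the CI fixture's signing key, never a Keycloak key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(scopes, ttl=300, key=TEST_KEY, now=None):
    """Mock HS256 JWT as the test fixture would issue it; `scope` is space-separated like Keycloak's."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": "test-user", "scope": " ".join(scopes),
                               "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def auth_status(authorization, required_scope, key=TEST_KEY, now=None):
    """HTTP status the middleware must produce for a request: 401, 403, or 200 when allowed."""
    now = int(time.time()) if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return 401                                   # no token at all
    try:
        header, payload, sig = authorization[7:].split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return 401                               # not signed with the test key
        claims = json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return 401                                   # malformed token
    if claims.get("exp", 0) <= now:
        return 401                                   # expired
    if required_scope not in claims.get("scope", "").split():
        return 403                                   # authenticated, wrong scope
    return 200

# Constructed stand-in for the app's registered routes: path -> handler(authorization header).
# "/export" skips the auth check on purpose: it is the silent regression the sweep must catch.
def _protected(scope):
    return lambda authz: auth_status(authz, scope)

ROUTES = {"/reports": _protected("compliance:read"),
          "/controls": _protected("compliance:write"),
          "/export": lambda authz: 200}

def routes_open_without_auth(routes=ROUTES, public=frozenset({"/health"})):
    """The parametrized sweep: every non-public route called with no token; returns offenders."""
    return sorted(p for p, h in routes.items() if p not in public and h(None) == 200)
```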

Acceptance Criteria

  • Every registered FastAPI route has at least one auth test
  • Runs in CI without requiring a live Keycloak instance
  • Depends on: #4
sharang added this to the M4: Testing & Contract Stability milestone 2026-04-20 09:37:12 +00:00
sharang added the testing, severity: high, security labels 2026-04-20 09:37:12 +00:00