test(auth): cover single-session revoke behavior
Some checks are pending
CI / test (push) Has started running
Some checks are pending
CI / test (push) Has started running
This commit is contained in:
@@ -546,7 +546,8 @@ Note: list includes refresh sessions and a synthetic current access-token sessio
|
|||||||
### DELETE `/api/v1/auth/sessions/{jti}`
|
### DELETE `/api/v1/auth/sessions/{jti}`
|
||||||
|
|
||||||
Auth required.
|
Auth required.
|
||||||
Response: `204`
|
Response: `204`
|
||||||
|
Behavior: revokes only the specified refresh session token (`jti`); current access token remains valid.
|
||||||
|
|
||||||
### DELETE `/api/v1/auth/sessions`
|
### DELETE `/api/v1/auth/sessions`
|
||||||
|
|
||||||
|
|||||||
@@ -118,6 +118,52 @@ async def test_revoke_all_sessions_invalidates_access_and_refresh(client, db_ses
|
|||||||
assert refresh_response.status_code == 401
|
assert refresh_response.status_code == 401
|
||||||
|
|
||||||
|
|
||||||
|
async def test_revoke_single_session_invalidates_only_target_refresh_token(client, db_session):
|
||||||
|
payload = {
|
||||||
|
"email": "frank@example.com",
|
||||||
|
"name": "Frank",
|
||||||
|
"username": "frank",
|
||||||
|
"password": "strongpass123",
|
||||||
|
}
|
||||||
|
await client.post("/api/v1/auth/register", json=payload)
|
||||||
|
token_row = await db_session.execute(select(EmailVerificationToken).order_by(EmailVerificationToken.id.desc()))
|
||||||
|
verify_token = token_row.scalar_one().token
|
||||||
|
await client.post("/api/v1/auth/verify-email", json={"token": verify_token})
|
||||||
|
|
||||||
|
login_response = await client.post(
|
||||||
|
"/api/v1/auth/login",
|
||||||
|
json={"email": payload["email"], "password": payload["password"]},
|
||||||
|
)
|
||||||
|
assert login_response.status_code == 200
|
||||||
|
tokens = login_response.json()
|
||||||
|
access_token = tokens["access_token"]
|
||||||
|
refresh_token = tokens["refresh_token"]
|
||||||
|
|
||||||
|
sessions_response = await client.get(
|
||||||
|
"/api/v1/auth/sessions",
|
||||||
|
headers={"Authorization": f"Bearer {access_token}"},
|
||||||
|
)
|
||||||
|
assert sessions_response.status_code == 200
|
||||||
|
refresh_sessions = [item for item in sessions_response.json() if item.get("token_type") == "refresh"]
|
||||||
|
assert len(refresh_sessions) >= 1
|
||||||
|
target_jti = refresh_sessions[0]["jti"]
|
||||||
|
|
||||||
|
revoke_response = await client.delete(
|
||||||
|
f"/api/v1/auth/sessions/{target_jti}",
|
||||||
|
headers={"Authorization": f"Bearer {access_token}"},
|
||||||
|
)
|
||||||
|
assert revoke_response.status_code == 204
|
||||||
|
|
||||||
|
refresh_after_revoke = await client.post("/api/v1/auth/refresh", json={"refresh_token": refresh_token})
|
||||||
|
assert refresh_after_revoke.status_code == 401
|
||||||
|
|
||||||
|
me_after_revoke = await client.get(
|
||||||
|
"/api/v1/auth/me",
|
||||||
|
headers={"Authorization": f"Bearer {access_token}"},
|
||||||
|
)
|
||||||
|
assert me_after_revoke.status_code == 200
|
||||||
|
|
||||||
|
|
||||||
async def test_twofa_setup_is_blocked_when_already_enabled(client, db_session):
|
async def test_twofa_setup_is_blocked_when_already_enabled(client, db_session):
|
||||||
payload = {
|
payload = {
|
||||||
"email": "dana@example.com",
|
"email": "dana@example.com",
|
||||||
|
|||||||
Reference in New Issue
Block a user