Update error message if API key is wrong

+ fix tests some more

Author: derjogi

app/core/security.py

@@ -128,34 +128,18 @@ async def verify_token(request: Request, credentials: Optional[HTTPAuthorization
 
     # Now we can do the rest of the logic. run test routines first, then check guest or proper user.           
     try:
-        # Skip email verification in test environment
-        if settings.ENVIRONMENT == "TEST" and settings.SKIP_EMAIL_VERIFICATION:
-            print("Test environment detected - skipping email verification and checking database for user details")
-            is_guest = not credentials
-            user_id = f"test_user{'_guest' if is_guest else ''}"
-            if credentials:
-                try:
-                    decoded = jwt.decode(credentials.credentials, settings.SECRET_KEY, algorithms=["HS256"])
-                    user_id = decoded.get("user_id", "test_user")
-                except:
-                    pass
-                
-            return {
-                "user_id": user_id,
-                "is_guest": is_guest,
-                "email_verified": True,  # Always verified in tests
-                "balance": settings.GUEST_MAX_CREDITS if is_guest else settings.USER_MAX_CREDITS
-            }
-            
-        # Regular verification logic...
         is_guest = not credentials
         if is_guest:
           print("No credentials supplied, continuing as guest...")
           user = generate_guest_id(request)
           user["email_verified"] = True
         else:
           print("Credentials supplied, decoding token...")
-          decoded = jwt.decode(credentials.credentials, settings.SECRET_KEY, algorithms=["HS256"])
+          try:
+            decoded = jwt.decode(credentials.credentials, settings.SECRET_KEY, algorithms=["HS256"])
+          except jwt.JWTError as e:
+            print("JWT decoding error:", str(e))
+            raise HTTPException(status_code=401, detail="Your API key is invalid. Please make sure you have set the API key correctly.")
           # Check if token is API key
           if decoded.get("token_type") == "api_key":
               print("Got API key, verifying...")

tests/api/v1/routes/test_auth.py

@@ -22,6 +22,7 @@
 import warnings
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 import app.core.security as backend
+from typing import Optional
 
 # Add warning filter for the jose library
 warnings.filterwarnings(
@@ -707,29 +708,21 @@ def test_get_credits_success(mock_auth_flow, mock_db_query, auth_header):
 
 def test_get_credits_unauthorized():
     """Test credits retrieval without auth"""
-    with patch('app.core.security.verify_token') as mock_verify, \
-         patch('app.core.security.generate_guest_id') as mock_guest, \
-         patch('app.core.security.db') as mock_db:
-        
-        # Make verify_token raise unauthorized
-        mock_verify.side_effect = HTTPException(
-            status_code=401,
-            detail="Unauthorized"
-        )
-        
-        # Prevent guest user creation
-        mock_guest.side_effect = HTTPException(
-            status_code=401,
-            detail="Unauthorized"
-        )
-        
-        # Mock db to prevent connection errors
-        mock_db.table.return_value = MagicMock()
-        
+    # Create a function with the same signature asverify_token
+    async def mock_verify_token(request: Request, credentials: Optional[HTTPAuthorizationCredentials] = None):
+        raise HTTPException(status_code=401, detail="Unauthorized")
+    
+    # Use dependency_overrides to replace the verify_token dependency
+    app.dependency_overrides[backend.verify_token] = mock_verify_token
+    
+    try:
         response = client.get("/auth/credits")
 
         assert response.status_code == 401
         assert "unauthorized" in response.json()["detail"].lower()
+    finally:
+        # Clean up the override after the test
+        app.dependency_overrides.pop(backend.verify_token, None)
 
 def test_get_credits_guest_user(mock_auth_flow, mock_db_query):
     """Test credits retrieval for guest user"""

tests/conftest.py

@@ -181,12 +181,14 @@ def _create_user(identifier=None):
 
 
 @pytest.fixture
-def client():
+def locally_running_client():
     """Create a test client that connects to the running server"""
     import httpx
     with httpx.Client(base_url="http://localhost:8000", timeout=50.0) as client:
         yield client
 
+
+
 @pytest.fixture
 def auth_headers(test_user):
     """Fixture for authentication headers"""

tests/integration/test_auth_basic.py

@@ -1,12 +1,17 @@
+from fastapi import FastAPI
+from fastapi.testclient import TestClient
 import pytest
-import httpx
 from datetime import datetime, UTC
 import time
-from app.core.config import settings
-from jose import jwt
+from app.api.v1.routes.auth import router
+ 
+# Set up the FastAPI app and TestClient
+app = FastAPI()
+app.include_router(router)  # Include the authentication router
+client = TestClient(app)
 
 @pytest.fixture
-def test_user_cleanup(client):    
+def test_user_cleanup():    
     # Store created resources for cleanup
     created_resources = {
         "users": [],
@@ -19,15 +24,15 @@ def test_user_cleanup(client):
     for user in created_resources["users"]:
         print(f"Cleaning up test user: {user['email']}")
         log = user
-        response = client.post(f"/v1/auth/remove_user", json=user)
+        response = client.post(f"/auth/remove_user", json=user)
         if response.status_code >= 400:
             print(f"Error cleaning up user {log}: {response.text}")
             raise Exception(f"Error cleaning up user {log}: {response.text}")
 
 @pytest.mark.order(2)
-def test_signup_flow(client, test_user):
+def test_signup_flow(test_user):
     """Test basic signup without verification"""
-    response = client.post("/v1/auth/sign_up", json=test_user())
+    response = client.post("/auth/sign_up", json=test_user())
 
     # Print detailed debug information
     print(f"\nTest user: {test_user}")
@@ -47,35 +52,9 @@ def test_signup_flow(client, test_user):
     assert response.status_code == 200
     assert "message" in response.json()
     assert "email" in response.json()
-
-@pytest.mark.order(3)
-@pytest.mark.rate_limited
-def test_rate_limiting_flow(client):
-    """Test rate limiting on signup"""
-    print("\nTesting rate limiting on signup...")
-    # First create a test user that we'll use for other endpoints
-    test_email = f"test_{datetime.now(UTC).timestamp()}@example.com"
-    test_user = {
-        "email": test_email,
-        "password": "TestPass123!"
-    }
 
-    signup_responses = []
-    for i in range(7):  # Try more than the limit (5/minute)
-        response = client.post("/v1/auth/sign_up", json={
-            "email": f"test_{datetime.now(UTC).timestamp()}_{i}@example.com",
-            "password": "TestPass123!"
-        })
-        print(f"Signup request {i+1}: {response.status_code} - {response.text}")
-        signup_responses.append(response.status_code)
-        time.sleep(0.1)
-    
-    # Check rate limiting was triggered
-    assert 429 in signup_responses, "Rate limiting not triggered"
-    assert signup_responses.count(429) > 0, "No requests were rate limited" 
-    
-@pytest.mark.order(4)
-def test_multiple_users_flow(client, test_user, test_user_cleanup):
+@pytest.mark.order(3)
+def test_multiple_users_flow(test_user, test_user_cleanup):
     """
     Test multiple users creating and using API keys:
     1. User 1 signs up and creates an API key
@@ -92,14 +71,14 @@ def test_multiple_users_flow(client, test_user, test_user_cleanup):
 
     # Step 1: User 1 signs up
     signup_response1 = client.post(
-        "/v1/auth/sign_up",
+        "/auth/sign_up",
         json=user1
     )
     assert signup_response1.status_code == 200, f"User 1 signup failed: {signup_response1.text}"  
 
     # ... and User 1 creates an API key
     api_key_response1 = client.post(
-        "/v1/auth/create_api_key",
+        "/auth/create_api_key",
         json=user1
     )
     assert api_key_response1.status_code == 200, f"User 1 API key creation failed: {api_key_response1.text}"
@@ -108,15 +87,15 @@ def test_multiple_users_flow(client, test_user, test_user_cleanup):
 
     # Step 2: User 2 signs up
     signup_response2 = client.post(
-        "/v1/auth/sign_up",
+        "/auth/sign_up",
         json=user2
     )
     assert signup_response2.status_code == 200, f"User 2 signup failed: {signup_response2.text}"
     assert signup_response2.json()["email"] == user2["email"]
 
     # ... and User 2 creates an API key
     api_key_response2 = client.post(
-        "/v1/auth/create_api_key",
+        "/auth/create_api_key",
         json=user2
     )
     assert api_key_response2.status_code == 200, f"User 2 API key creation failed: {api_key_response2.text}"
@@ -131,7 +110,7 @@ def test_multiple_users_flow(client, test_user, test_user_cleanup):
     # Due to row-level security, and User 2 being still authenticated, it should sign out User 2 and use the service_role to check whether the API key is valid.
     # For this example, we'll use the credits endpoint which uses API keys and verification.
     credits_response = client.get(
-        "/v1/auth/credits",
+        "/auth/credits",
         headers={"Authorization": f"Bearer {user1_api_key}"}
     )
     assert credits_response.status_code == 200, f"User 1 authenticated request failed: {credits_response.text}"
@@ -142,7 +121,7 @@ def test_multiple_users_flow(client, test_user, test_user_cleanup):
 
     # Step 4: List API keys for User 1
     list_keys_response = client.post(
-        "/v1/auth/api_keys",
+        "/auth/api_keys",
         json=user1
     )
     assert list_keys_response.status_code == 200
@@ -151,14 +130,14 @@ def test_multiple_users_flow(client, test_user, test_user_cleanup):
 
     # Step 5: Revoke User 1's API key
     revoke_response = client.delete(
-        f"/v1/auth/revoke_api_key/{user1_api_key}",
+        f"/auth/revoke_api_key/{user1_api_key}",
         headers={"Authorization": f"Bearer {user1_api_key}"}
     )
     assert revoke_response.status_code == 200
 
     # Step 6: Verify the key no longer works
     invalid_key_response = client.get(
-        "/v1/auth/credits",
+        "/auth/credits",
         headers={"Authorization": f"Bearer {user1_api_key}"}
     )
-    assert invalid_key_response.status_code == 401, "Revoked API key still works"
+    assert invalid_key_response.status_code == 401, "Revoked API key still works"

tests/integration/test_auth_guest.py

@@ -3,6 +3,6 @@
 
 @pytest.mark.order(2)  # Run guest tests second
 @pytest.mark.guest
-def test_guest_user_flow(client):
+def test_guest_user_flow(locally_running_client):
     """Test guest user functionality"""
     # Guest user specific tests...