Add & fix tests, add cascading user deletion

Author: derjogi

.gitignore

@@ -8,3 +8,6 @@ helpers/.nltk_resources_cache
 .vscode/settings.json
 .python-version
 app/services/.nltk_resources_cache
+.cursor
+api_key.py
+supabase/*.sql

.vscode/launch.json

@@ -10,10 +10,17 @@
       "request": "launch",
       "module": "uvicorn",
       "args": [
-        "app:app",
-        "--reload"
+        "main:app",
+        "--reload",
+        "--host", "0.0.0.0",
+        "--port", "8000"
       ],
-      "jinja": true
+      "jinja": true,
+      "env": {
+        "ENVIRONMENT": "DEV",
+        "SKIP_EMAIL_VERIFICATION": "true",
+      },
+      "justMyCode": true  // Set to true if you only want to debug your code, not libraries
     }
   ]
 }

app/api/v1/routes/auth.py

@@ -51,10 +51,11 @@ async def signup(request: Request, credentials: UserCredentials) -> SignupRespon
         HTTPException: 400 if registration fails
     """
     try:
+        print(f"Signing up user: {credentials.email}")
         await backend.create_user(credentials.email, credentials.password)
         return SignupResponse(
             message="Registration successful. Please check your email to verify your account.",
-            email=credentials.email
+            email=credentials.email,
         )
     except Exception as e:
         print("Failed: ", str(e))
@@ -128,6 +129,7 @@ async def create_api_key(credentials: UserCredentials) -> ApiKeyResponse:
         return ApiKeyResponse(api_key=api_key)
     except Exception as e:
         print(f"API key creation error: {str(e)}")
+        print(f"last log line: {log}")
         if isinstance(e, HTTPException):
             raise e
         raise HTTPException(status_code=400, detail=log)
@@ -204,3 +206,37 @@ async def get_credits(current_user: dict = Depends(backend.verify_token)) -> Cre
         if isinstance(e, HTTPException):
             raise e
         raise HTTPException(status_code=400, detail=str(e))
+
+
+@router.post("/auth/remove_user", response_model=MessageResponse)
+async def remove_user(credentials: UserCredentials) -> MessageResponse:
+    """
+    Remove a user account and all associated data.
+    
+    Args:
+        credentials: User email and password
+        
+    Returns:
+        Confirmation message
+        
+    Raises:
+        HTTPException: 400 if removal fails, 401 if authentication fails
+    """
+    try:
+        print(f"Authenticating user for removal: {credentials.email}")
+        # First authenticate the user to ensure they have permission to delete
+        user = await backend.authenticate_user(credentials.email, credentials.password)
+        
+        # Get user ID for deletion operations
+        user_id = user.id
+        
+        print(f"Deleting user account: {user_id}")
+        # Delete the user from Supabase auth - cascading constraints will handle related data
+        await backend.delete_user(user_id)
+        
+        return MessageResponse(message="User account and all associated data successfully removed")
+    except Exception as e:
+        print(f"User removal error: {str(e)}")
+        if isinstance(e, HTTPException):
+            raise e
+        raise HTTPException(status_code=400, detail=str(e))

app/core/config.py

@@ -48,17 +48,18 @@ class Settings(BaseSettings):
         }
     }
 
-    GUEST_DAILY_CREDITS: int
-    GUEST_MAX_CREDITS: int
-    USER_DAILY_CREDITS: int
-    USER_MAX_CREDITS: int
+    GUEST_DAILY_CREDITS: int = 10
+    GUEST_MAX_CREDITS: int = 100
+    USER_DAILY_CREDITS: int = 100
+    USER_MAX_CREDITS: int = 1000
 
     # Environment
     ENVIRONMENT: str = "DEV"
 
     # Test Configuration
     SKIP_EMAIL_VERIFICATION: bool = False
-    
+    # Used in supabase config.toml for testing
+    REQUIRE_EMAIL_VERIFICATION: bool = False
     TEST_API_TOKEN: str = os.getenv("TEST_API_TOKEN", "test-api-token-for-unit-tests")
 
     model_config = SettingsConfigDict(env_file=".env")

app/core/security.py

@@ -23,9 +23,9 @@ async def authenticate_user(email: str, password: str):
       session = db.auth.sign_in_with_password({
         "email": email,
         "password": password
-      })  
+      })
     except Exception as e:
-      raise HTTPException(status_code=401, detail="This user or password does not exist.")
+      raise HTTPException(status_code=401, detail=f"This user or password does not exist. {str(e)}")
 
     print("Auth'ed")
     user = session.user
@@ -130,14 +130,9 @@ async def verify_token(request: Request, credentials: Optional[HTTPAuthorization
     try:
         # Skip email verification in test environment
         if settings.ENVIRONMENT == "TEST" and settings.SKIP_EMAIL_VERIFICATION:
-            print("Test environment detected - skipping email verification")
+            print("Test environment detected - skipping email verification and checking database for user details")
             is_guest = not credentials
-            if is_guest:
-                return generate_guest_id(request)
-                
-            # Fix: When in test environment, we need to use a safe way to get user_id
-            # If we have credentials, try to decode them, otherwise use a test value
-            user_id = "test_user"
+            user_id = f"test_user{'_guest' if is_guest else ''}"
             if credentials:
                 try:
                     decoded = jwt.decode(credentials.credentials, settings.SECRET_KEY, algorithms=["HS256"])
@@ -147,9 +142,9 @@ async def verify_token(request: Request, credentials: Optional[HTTPAuthorization
 
             return {
                 "user_id": user_id,
-                "is_guest": False,
+                "is_guest": is_guest,
                 "email_verified": True,  # Always verified in tests
-                "balance": settings.USER_MAX_CREDITS
+                "balance": settings.GUEST_MAX_CREDITS if is_guest else settings.USER_MAX_CREDITS
             }
 
         # Regular verification logic...
@@ -232,4 +227,23 @@ def generate_guest_id(request: Request) -> dict:
     ip = request.client.host
     # Hash the IP to get 32 hex chars
     hex_hash = hashlib.sha256(ip.encode()).hexdigest()[:32]
-    return {"id": f"{UUID(hex_hash)}"}
+    return {"id": f"{UUID(hex_hash)}"}
+
+async def delete_user(user_id: str):
+    """Delete a user from Supabase auth system
+    
+    Args:
+        user_id: The ID of the user to delete
+        
+    Raises:
+        HTTPException: If deletion fails
+    """
+    try:
+        # Use the Supabase admin auth client to delete the user
+        db.auth.sign_out()
+        db.auth.admin.delete_user(user_id)
+        print(f"User {user_id} successfully deleted")
+    except Exception as e:
+        print(f"Error deleting user {user_id}: {str(e)}")
+        traceback.print_exc()
+        raise HTTPException(status_code=400, detail=f"Failed to delete user: {str(e)}")

supabase/config.toml

@@ -44,7 +44,7 @@ max_client_conn = 100
 
 [db.seed]
 # If enabled, seeds the database after migrations during a db reset.
-enabled = false
+enabled = true
 # Specifies an ordered list of seed files to load during db reset.
 # Supports glob patterns relative to supabase directory: './seeds/*.sql'
 sql_paths = ['./seed.sql']
@@ -124,9 +124,9 @@ password_requirements = ""
 enable_signup = true
 # If enabled, a user will be required to confirm any email change on both the old, and new email
 # addresses. If disabled, only the new email is required to confirm.
-double_confirm_changes = true
+double_confirm_changes = false
 # If enabled, users need to confirm their email address before signing in.
-enable_confirmations = true
+enable_confirmations = "env(REQUIRE_EMAIL_VERIFICATION)"
 # If enabled, users will need to reauthenticate or have logged in recently to change their password.
 secure_password_change = false
 # Controls the minimum amount of time that must pass before sending another signup confirmation or password reset email.

supabase/migrations/005_cascade_user_deletion.sql

@@ -0,0 +1,17 @@
+-- For api_keys table
+ALTER TABLE public.api_keys
+DROP CONSTRAINT api_keys_user_id_fkey,
+ADD CONSTRAINT api_keys_user_id_fkey
+FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE;
+
+-- For credit_transactions table
+ALTER TABLE public.credit_transactions
+DROP CONSTRAINT credit_transactions_user_id_fkey,
+ADD CONSTRAINT credit_transactions_user_id_fkey
+FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE;
+
+-- For credits table
+ALTER TABLE public.credits
+DROP CONSTRAINT credits_user_id_fkey,
+ADD CONSTRAINT credits_user_id_fkey
+FOREIGN KEY (user_id) REFERENCES auth.users(id) ON DELETE CASCADE;

tests/api/v1/routes/test_auth.py

@@ -743,9 +743,9 @@ def test_get_credits_guest_user(mock_auth_flow, mock_db_query):
 
     # Patch the verify_token function to return a guest user
     with patch('app.core.security.verify_token', return_value=mock_user):
-        response = client.get("/auth/credits", headers={'Authorization': 'Bearer guest_token'})
+        response = client.get("/auth/credits")
         assert response.status_code == 200
-        assert response.json()["credits"] == settings.USER_MAX_CREDITS
+        assert response.json()["credits"] == settings.GUEST_MAX_CREDITS
 
 def test_get_credits_rate_limit():
     """Test rate limiting for credits endpoint"""

tests/api/v1/routes/test_rate_limit.py

@@ -56,7 +56,7 @@ async def create_api_key(request: Request):
     @app.get("/auth/credits")
     @limiter.limit("10/minute")
     async def get_credits(request: Request):
-        return {"credits": 1000}
+        return {"credits": 100}
 
     return TestClient(app)
 

tests/conftest.py

@@ -21,6 +21,13 @@ def pytest_configure(config):
     config.inicfg['asyncio_mode'] = 'auto'
     config.inicfg['asyncio_default_fixture_loop_scope'] = 'function'
 
+# Always use 'TEST' environment when running tests!
+@pytest.fixture(autouse=True)
+def test_settings(monkeypatch):
+    """Override settings for all tests"""
+    monkeypatch.setattr("app.core.config.settings.ENVIRONMENT", "TEST")
+    yield
+
 @pytest.fixture
 def mock_user_info():
     return {"user_id": "test_user"}
@@ -158,18 +165,26 @@ def _generate_realistic_similarity_matrix(size: int) -> List[List[float]]:
 
 @pytest.fixture
 def test_user():
-    """Generate unique test user credentials"""
-    timestamp = int(datetime.now(UTC).timestamp())
-    return {
-        "email": f"test_{timestamp}@example.com",
-        "password": "SecureTestPass123!"
-    }
+    """Generate unique test user credentials with optional identifier"""
+    def _create_user(identifier=None):
+        timestamp = int(datetime.now(UTC).timestamp())
+        email_prefix = "test_"
+        
+        if identifier:
+            email_prefix = f"{email_prefix}{identifier}_"
+        
+        return {
+            "email": f"{email_prefix}{timestamp}@example.com",
+            "password": "SecureTestPass123!"
+        }
+    return _create_user
+
 
 @pytest.fixture
 def client():
     """Create a test client that connects to the running server"""
     import httpx
-    with httpx.Client(base_url="http://localhost:8000", timeout=30.0) as client:
+    with httpx.Client(base_url="http://localhost:8000", timeout=50.0) as client:
         yield client
 
 @pytest.fixture