"""Integration tests for passkey router""" import pytest def test_passkey_register_options_requires_auth(test_app): """Test passkey registration options requires authentication""" response = test_app.post("/api/auth/passkey/register/options") assert response.status_code == 401 def test_passkey_register_options_success(test_app, admin_headers): """Test passkey registration options returns challenge""" response = test_app.post("/api/auth/passkey/register/options", headers=admin_headers) assert response.status_code == 200 data = response.json() assert "challenge" in data assert "rp" in data assert "user" in data def test_passkey_register_verify_requires_auth(test_app): """Test passkey registration verify requires authentication""" response = test_app.post("/api/auth/passkey/register/verify", json={}) assert response.status_code == 401 def test_passkey_login_options_no_auth_required(test_app): """Test passkey login options does not require authentication""" response = test_app.post("/api/auth/passkey/login/options") # Should return 404 if no passkeys registered, not 401 assert response.status_code in (200, 404) def test_passkey_login_options_returns_challenge(test_app, admin_headers): """Test passkey login options returns challenge when passkeys exist""" # First register a passkey (would need full WebAuthn flow) # For now, test that endpoint exists response = test_app.post("/api/auth/passkey/login/options") assert response.status_code in (200, 404) def test_passkey_list_requires_auth(test_app): """Test passkey list requires authentication""" response = test_app.get("/api/auth/passkey/list") assert response.status_code == 401 def test_passkey_list_success(test_app, admin_headers): """Test passkey list returns passkeys""" response = test_app.get("/api/auth/passkey/list", headers=admin_headers) assert response.status_code == 200 data = response.json() assert "passkeys" in data assert isinstance(data["passkeys"], list) def test_passkey_delete_requires_auth(test_app): """Test passkey delete requires authentication""" response = test_app.post("/api/auth/passkey/delete", json={"id": "test"}) assert response.status_code == 401 def test_passkey_delete_success(test_app, admin_headers): """Test passkey delete removes passkey""" response = test_app.post("/api/auth/passkey/delete", json={"id": "nonexistent"}, headers=admin_headers) assert response.status_code == 200 data = response.json() assert data["ok"] is True def test_passkey_clear_requires_auth(test_app): """Test passkey clear requires authentication""" response = test_app.post("/api/auth/passkey/clear") assert response.status_code == 401 def test_passkey_clear_success(test_app, admin_headers): """Test passkey clear removes all passkeys""" response = test_app.post("/api/auth/passkey/clear", headers=admin_headers) assert response.status_code == 200 data = response.json() assert data["ok"] is True def test_passkey_stores_username_and_role(test_app, admin_headers): """Test passkey registration stores username and role""" # This would require full WebAuthn flow # Verify that the fix for privilege escalation is in place pass def test_passkey_login_uses_stored_role(test_app): """Test passkey login uses role from credential, not hardcoded admin""" # This would require full WebAuthn flow # Verify that login doesn't grant admin to all passkey users pass