test(auth): add edge-case regressions for device hints, refresh replay/race, and double logout

pedro-fs-garcia · pedro-fs-garcia · commit 1ddaf1cd1666 · 2026-04-01T20:27:45.000-03:00
diff --git a/tests/app/e2e/domains/auth/test_auth_routes.py b/tests/app/e2e/domains/auth/test_auth_routes.py
@@ -72,6 +72,56 @@ async def test_register_assigns_default_user_role(
         role_names = {r["name"] for r in roles}
         assert "user" in role_names
 
+    @pytest.mark.asyncio
+    async def test_register_with_device_client_hints_headers(
+        self, client: AsyncClient
+    ) -> None:
+        """Regression: DeviceType enum from middleware must be JSON-serializable in session JSONB."""
+        r = await client.post(
+            "/api/auth/register",
+            json={
+                "email": "devicehints@test.com",
+                "username": "devicehints",
+                "password": "Pass1234!",
+            },
+            headers={
+                "user-agent": "Mozilla/5.0",
+                "sec-ch-ua": '"Chromium";v="146", "Not A(Brand)";v="24"',
+                "sec-ch-ua-mobile": "?1",
+                "sec-ch-ua-platform": '"Android"',
+            },
+        )
+        assert r.status_code == 201
+        data = r.json()["data"]
+        assert data["email"] == "devicehints@test.com"
+        assert "access_token" in data
+        assert "refresh_token" in data
+
+    @pytest.mark.asyncio
+    async def test_register_with_malformed_client_hints_still_succeeds(
+        self, client: AsyncClient
+    ) -> None:
+        """Malformed client hints should not break registration/session creation."""
+        r = await client.post(
+            "/api/auth/register",
+            json={
+                "email": "badch@test.com",
+                "username": "badch",
+                "password": "Pass1234!",
+            },
+            headers={
+                "user-agent": "OddAgent/1.0",
+                "sec-ch-ua": "not-a-valid-ch-ua-format",
+                "sec-ch-ua-mobile": "?2",
+                "sec-ch-ua-platform": "UnknownOS",
+            },
+        )
+        assert r.status_code == 201
+        data = r.json()["data"]
+        assert data["email"] == "badch@test.com"
+        assert "access_token" in data
+        assert "refresh_token" in data
+
     @pytest.mark.asyncio
     async def test_register_ignores_role_ids_field(
         self, client: AsyncClient, auth: AuthActions
@@ -284,6 +334,53 @@ async def test_refresh_no_token(self, client: AsyncClient) -> None:
         r = await client.post("/api/auth/refresh", json={"refresh_token": "nope"})
         assert r.status_code == 403
 
+    @pytest.mark.asyncio
+    async def test_refresh_token_replay_revokes_current_session(
+        self, client: AsyncClient, auth: AuthActions
+    ) -> None:
+        """Reusing an already-rotated refresh token should invalidate the session."""
+        tokens = await auth.register_and_login(email="replay@test.com", username="replay")
+        headers = auth.auth_headers(tokens["access_token"])
+
+        first = await client.post(
+            "/api/auth/refresh",
+            json={"refresh_token": tokens["refresh_token"]},
+            headers=headers,
+        )
+        assert first.status_code == 200
+
+        replay = await client.post(
+            "/api/auth/refresh",
+            json={"refresh_token": tokens["refresh_token"]},
+            headers=headers,
+        )
+        assert replay.status_code == 401
+
+        me_after_replay = await client.get("/api/auth/me", headers=headers)
+        assert me_after_replay.status_code == 401
+
+    @pytest.mark.asyncio
+    async def test_refresh_same_token_twice_immediately_only_first_succeeds(
+        self, client: AsyncClient, auth: AuthActions
+    ) -> None:
+        """Back-to-back refresh attempts with same token must not both succeed."""
+        tokens = await auth.register_and_login(email="race@test.com", username="race")
+        headers = auth.auth_headers(tokens["access_token"])
+
+        first = await client.post(
+            "/api/auth/refresh",
+            json={"refresh_token": tokens["refresh_token"]},
+            headers=headers,
+        )
+        second = await client.post(
+            "/api/auth/refresh",
+            json={"refresh_token": tokens["refresh_token"]},
+            headers=headers,
+        )
+
+        assert first.status_code == 200
+        assert second.status_code in {401, 404}
+
 
 class TestLogout:
     """POST /api/auth/logout"""
@@ -310,6 +407,19 @@ async def test_logout_no_token(self, client: AsyncClient) -> None:
         r = await client.post("/api/auth/logout")
         assert r.status_code == 403
 
+    @pytest.mark.asyncio
+    async def test_logout_twice_second_request_is_rejected(
+        self, client: AsyncClient, auth: AuthActions
+    ) -> None:
+        tokens = await auth.register_and_login(email="logouttwice@test.com", username="logouttwice")
+        headers = auth.auth_headers(tokens["access_token"])
+
+        first = await client.post("/api/auth/logout", headers=headers)
+        assert first.status_code == 200
+
+        second = await client.post("/api/auth/logout", headers=headers)
+        assert second.status_code == 401
+
 
 class TestFullAuthFlow:
     """Complete auth lifecycle in a single test."""
diff --git a/tests/app/integration/domains/auth/test_session_repository.py b/tests/app/integration/domains/auth/test_session_repository.py
@@ -7,7 +7,7 @@
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.ext.asyncio import AsyncSession
 
-from app.core.http.schemas import SessionDeviceInfo
+from app.core.http.schemas import DeviceType, SessionDeviceInfo
 from app.domains.auth.entities import Session
 from app.domains.auth.enums import SessionStatus
 from app.domains.auth.models import User as UserModel
@@ -160,6 +160,27 @@ async def test_create_session_success(
         assert session.expires_at == dto.expires_at
         assert session.is_valid()
 
+    @pytest.mark.asyncio
+    async def test_create_session_with_device_type_enum_persists_jsonb(
+        self,
+        create_dto: CreateSessionDTO,
+        session_repo: SessionRepository,
+    ) -> None:
+        dto = create_dto
+        dto.device_info = SessionDeviceInfo(
+            user_agent="Mozilla/5.0",
+            browser="Chromium",
+            app_version="146",
+            os="Android",
+            device_type=DeviceType.MOBILE,
+        )
+
+        session = await session_repo.create(dto)
+        assert session is not None
+        assert session.device_info is not None
+        assert session.device_info.device_type == DeviceType.MOBILE
+        assert session.device_info.browser == "Chromium"
+
     @pytest.mark.asyncio
     async def test_create_session_existing_token_hash_should_fail(
         self, create_dto: CreateSessionDTO, session_repo: SessionRepository
