From 1c21d6d199989ef698557e88ca95200bdf48e38b Mon Sep 17 00:00:00 2001
From: Johan Lundberg <lundberg@sunet.se>
Date: Tue, 17 Feb 2026 14:09:00 +0100
Subject: [PATCH] test: add failing test for registering pre-existing users

Part of CLI module work (fastapi-oidc-op-9lb.1). The test verifies that
/register/{token} handles users already created by initial-admin.
---
 .../test_register_magic_link.py               | 38 ++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/tests/test_auth_routes/test_register_magic_link.py b/tests/test_auth_routes/test_register_magic_link.py
index 6a0cbd6..1a03fed 100644
--- a/tests/test_auth_routes/test_register_magic_link.py
+++ b/tests/test_auth_routes/test_register_magic_link.py
@@ -2,7 +2,7 @@ from datetime import UTC, datetime, timedelta
 
 from httpx import AsyncClient
 
-from porchlight.models import MagicLink
+from porchlight.models import MagicLink, User
 
 
 async def test_register_invalid_token_returns_error_page(client: AsyncClient) -> None:
@@ -70,3 +70,39 @@ async def test_register_used_token_returns_error(client: AsyncClient) -> None:
 
     res = await client.get("/register/used", follow_redirects=False)
     assert res.status_code == 400
+
+
+async def test_register_existing_user_logs_in_and_redirects(client: AsyncClient) -> None:
+    """When initial-admin creates a user, the invite link should log them in."""
+    app = client._transport.app  # type: ignore[union-attr]
+    magic_link_repo = app.state.magic_link_repo
+    user_repo = app.state.user_repo
+
+    # Pre-create the user (as initial-admin would)
+    user = User(userid="lusab-bansen", username="admin", groups=["admin", "users"])
+    await user_repo.create(user)
+
+    # Create invite for the same username
+    await magic_link_repo.create(
+        MagicLink(
+            token="admin-setup",
+            username="admin",
+            expires_at=datetime.now(UTC) + timedelta(hours=1),
+        )
+    )
+
+    res = await client.get("/register/admin-setup", follow_redirects=False)
+    assert res.status_code in (302, 303)
+    assert "/manage/credentials" in res.headers["location"]
+    assert "setup=1" in res.headers["location"]
+
+    # Token should be marked used
+    link = await magic_link_repo.get_by_token("admin-setup")
+    assert link is not None
+    assert link.used is True
+
+    # Original user should still exist with original groups
+    existing = await user_repo.get_by_username("admin")
+    assert existing is not None
+    assert existing.userid == "lusab-bansen"
+    assert "admin" in existing.groups