test: update existing tests to handle consent step

tests/test_oidc/test_e2e_flow.py

@@ -87,13 +87,22 @@ async def test_full_authorization_code_flow(client: AsyncClient) -> None:
         f"Expected HX-Redirect to /authorization/complete, got '{hx_redirect}'"
     )
 
-    # -- Step 3: Complete authorization → redirect to callback with code + state --
+    # -- Step 3: Complete authorization → redirect to consent --
     complete_res = await client.get("/authorization/complete", follow_redirects=False)
     assert complete_res.status_code in (302, 303), (
-        f"Expected redirect to callback, got {complete_res.status_code}: {complete_res.text}"
+        f"Expected redirect to /consent, got {complete_res.status_code}: {complete_res.text}"
     )
+    assert "/consent" in complete_res.headers["location"]
 
-    location = complete_res.headers["location"]
+    # -- Step 3b: Approve consent → redirect to callback with code + state --
+    consent_res = await client.post(
+        "/consent",
+        data={"action": "allow", "scope": ["openid", "profile", "email"]},
+        follow_redirects=False,
+    )
+    assert consent_res.status_code in (302, 303)
+
+    location = consent_res.headers["location"]
     parsed = urlparse(location)
     assert parsed.netloc == "localhost:9000"
     assert parsed.path == "/callback"

tests/test_oidc/test_token.py

@@ -59,6 +59,8 @@ async def _get_authorization_code(client: AsyncClient) -> str:
     """Run full auth flow and extract the authorization code."""
     _register_test_client(client)
 
+    app = client._transport.app  # type: ignore[union-attr]
+
     # Start authorization (unauthenticated — stores in session)
     await client.get(
         "/authorization",
@@ -74,9 +76,13 @@ async def _get_authorization_code(client: AsyncClient) -> str:
     )
 
     # Create user and log in
-    await _create_user_and_login(client)
+    userid = await _create_user_and_login(client)
 
-    # Complete authorization (now authenticated, session has oidc_auth_request)
+    # Pre-seed consent so the consent screen is skipped
+    consent_repo = app.state.consent_repo
+    await consent_repo.set_consent(userid, "test-rp", ["openid", "profile", "email"])
+
+    # Complete authorization (now authenticated, consent exists → redirects to callback)
     complete_res = await client.get("/authorization/complete", follow_redirects=False)
     assert complete_res.status_code in (302, 303), (
         f"Expected redirect, got {complete_res.status_code}: {complete_res.text}"

tests/test_oidc/test_userinfo.py

@@ -61,6 +61,8 @@ async def _get_access_token(client: AsyncClient) -> str:
     """Run full auth + token flow and return the access_token."""
     client_secret = _register_test_client(client)
 
+    app = client._transport.app  # type: ignore[union-attr]
+
     # Start authorization (unauthenticated — stores in session)
     await client.get(
         "/authorization",
@@ -76,9 +78,13 @@ async def _get_access_token(client: AsyncClient) -> str:
     )
 
     # Create user and log in
-    await _create_user_and_login(client)
+    userid = await _create_user_and_login(client)
 
-    # Complete authorization (now authenticated, session has oidc_auth_request)
+    # Pre-seed consent so the consent screen is skipped
+    consent_repo = app.state.consent_repo
+    await consent_repo.set_consent(userid, "test-rp", ["openid", "profile", "email"])
+
+    # Complete authorization (now authenticated, consent exists → redirects to callback)
     complete_res = await client.get("/authorization/complete", follow_redirects=False)
     assert complete_res.status_code in (302, 303), (
         f"Expected redirect, got {complete_res.status_code}: {complete_res.text}"