feat: add admin router with admin group guard

2026-02-19 11:18:50 +01:00 · 2026-02-19 11:18:50 +01:00 · dd1f85d8d3
commit dd1f85d8d3
parent 7e9eeb1339
5 changed files with 89 additions and 0 deletions
--- a/tests/test_admin/init.py
+++ b/tests/test_admin/init.py
--- a/tests/test_admin/test_admin_guard.py
+++ b/tests/test_admin/test_admin_guard.py
@ -0,0 +1,53 @@
+from datetime import UTC, datetime
+
+import pytest
+from argon2 import PasswordHasher
+from httpx import AsyncClient
+
+from porchlight.authn.password import PasswordService
+from porchlight.models import PasswordCredential, User
+
+
+async def _login(
+    client: AsyncClient, username: str = "alice", password: str = "testpass", *, groups: list[str] | None = None
+) -> None:
+    """Helper: create user + password credential and log in via POST /login/password."""
+    app = client._transport.app  # type: ignore[union-attr]
+    user_repo = app.state.user_repo
+    cred_repo = app.state.credential_repo
+
+    user = await user_repo.get_by_username(username)
+    if user is None:
+        user = User(
+            userid="test-user-01",
+            username=username,
+            groups=groups or [],
+            created_at=datetime.now(UTC),
+            updated_at=datetime.now(UTC),
+        )
+        await user_repo.create(user)
+
+    svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+    existing = await cred_repo.get_password_by_user(user.userid)
+    if existing is None:
+        await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash(password)))
+
+    await client.post(
+        "/login/password",
+        data={"username": username, "password": password},
+        headers={"HX-Request": "true"},
+    )
+
+
+@pytest.mark.asyncio
+async def test_admin_users_redirects_unauthenticated(client: AsyncClient) -> None:
+    response = await client.get("/admin/users", follow_redirects=False)
+    assert response.status_code == 303
+    assert response.headers["location"] == "/login"
+
+
+@pytest.mark.asyncio
+async def test_admin_users_403_for_non_admin(client: AsyncClient) -> None:
+    await _login(client, username="regularuser", password="password123", groups=["users"])
+    response = await client.get("/admin/users", follow_redirects=False)
+    assert response.status_code == 403