from datetime import UTC, datetime import pytest from httpx import AsyncClient from porchlight.authn.password import PasswordHasher, PasswordService from porchlight.models import PasswordCredential, User from tests.conftest import get_csrf_token async def _login_user_with_password(client: AsyncClient) -> str: """Create user with password, login, return CSRF token.""" app = client._transport.app user_repo = app.state.user_repo cred_repo = app.state.credential_repo user = User( userid="pw-user-01", username="pwuser", created_at=datetime.now(UTC), updated_at=datetime.now(UTC), ) await user_repo.create(user) svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192)) await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("OldPass123!ok"))) token = await get_csrf_token(client) await client.post( "/login/password", data={"username": "pwuser", "password": "OldPass123!ok"}, headers={"HX-Request": "true", "X-CSRF-Token": token}, ) return token async def _login_user_without_password(client: AsyncClient) -> str: """Create user without password, simulate session login, return CSRF token.""" app = client._transport.app user_repo = app.state.user_repo user = User( userid="pw-user-02", username="newuser", created_at=datetime.now(UTC), updated_at=datetime.now(UTC), ) await user_repo.create(user) # Simulate session login via magic link token = await get_csrf_token(client) magic_link_service = app.state.magic_link_service link = await magic_link_service.create(username="newuser", created_by="admin", note="test") await client.get(f"/register/{link.token}", follow_redirects=False) # Re-fetch CSRF token after session change token = await get_csrf_token(client) return token @pytest.mark.asyncio async def test_change_password_requires_current(client: AsyncClient) -> None: token = await _login_user_with_password(client) response = await client.post( "/manage/credentials/password", data={ "password": "NewStrong!Pass99", "confirm": "NewStrong!Pass99", }, headers={"X-CSRF-Token": token}, ) assert "alert" in response.text assert "urrent password" in response.text @pytest.mark.asyncio async def test_change_password_wrong_current_rejected(client: AsyncClient) -> None: token = await _login_user_with_password(client) response = await client.post( "/manage/credentials/password", data={ "current_password": "WrongPassword", "password": "NewStrong!Pass99", "confirm": "NewStrong!Pass99", }, headers={"X-CSRF-Token": token}, ) assert "alert" in response.text assert "incorrect" in response.text.lower() or "Invalid" in response.text or "current" in response.text.lower() @pytest.mark.asyncio async def test_change_password_correct_current_succeeds(client: AsyncClient) -> None: token = await _login_user_with_password(client) response = await client.post( "/manage/credentials/password", data={ "current_password": "OldPass123!ok", "password": "NewStrong!Pass99", "confirm": "NewStrong!Pass99", }, headers={"X-CSRF-Token": token}, ) assert "updated" in response.text.lower() or "status" in response.text @pytest.mark.asyncio async def test_set_password_no_current_needed(client: AsyncClient) -> None: """First-time password setup should not require current password.""" token = await _login_user_without_password(client) response = await client.post( "/manage/credentials/password", data={ "password": "FirstPass!Strong99", "confirm": "FirstPass!Strong99", }, headers={"X-CSRF-Token": token}, ) assert "updated" in response.text.lower() or "status" in response.text