(backend) drop JWT authentication in API tests

Force login to bypass authentication when a logged-in user is needed.

Note: Generating a session cookie through OIDC flow
is not supported while testing our API.
Lebaud Antoine
2024-02-24 11:49:36 +01:00
committed by Samuel Paccoud
parent b9eee3e643
commit b1892ded17
8 changed files with 215 additions and 173 deletions


@@ -6,7 +6,6 @@ from rest_framework.test import APIClient
from core import factories
from core.models import Template
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -30,15 +29,16 @@ def test_api_templates_create_authenticated():
as the owner of the newly created template.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
response = APIClient().post(
client = APIClient()
client.force_login(user)
response = client.post(
"/api/v1.0/templates/",
{
"title": "my template",
},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 201
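Review bot: With the Bearer header gone, the POST in `test_api_templates_create_authenticated` (and every unsafe-method test in the delete, update, accesses and users files) now authenticates through the session, yet `APIClient()` is built with its default `enforce_csrf_checks=False`, so the suite no longer verifies that a cookie-authenticated POST/PUT/PATCH/DELETE is rejected when no CSRF token is sent. This assumes the API authenticates these requests with DRF's session authentication; the commit message only says force_login is used, so confirm against the configured authentication classes. If that holds, one test per unsafe verb built as `client = APIClient(enforce_csrf_checks=True)` followed by `client.force_login(user)` and asserting a 403 would restore the coverage the JWT tests never needed. The body of `test_api_templates_create_authenticated` starts outside the hunk.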


@@ -7,7 +7,6 @@ import pytest
from rest_framework.test import APIClient
from core import factories, models
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -30,14 +29,15 @@ def test_api_templates_delete_authenticated_unrelated():
related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
is_public = random.choice([True, False])
template = factories.TemplateFactory(is_public=is_public)
response = APIClient().delete(
response = client.delete(
f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403 if is_public else 404
@@ -51,12 +51,14 @@ def test_api_templates_delete_authenticated_member(role):
only a member.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, role)])
response = APIClient().delete(
f"/api/v1.0/templates/{template.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.delete(
f"/api/v1.0/templates/{template.id}/",
)
assert response.status_code == 403
@@ -72,12 +74,14 @@ def test_api_templates_delete_authenticated_owner():
owner.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "owner")])
response = APIClient().delete(
f"/api/v1.0/templates/{template.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.delete(
f"/api/v1.0/templates/{template.id}/",
)
assert response.status_code == 204
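Review bot: The assertion `assert response.status_code == 403 if is_public else 404` in `test_api_templates_delete_authenticated_unrelated` parses as `(response.status_code == 403) if is_public else 404`, so when the template is not public it asserts the literal `404` and passes whatever the server returned. It should read `assert response.status_code == (403 if is_public else 404)`; the same expression is kept as context in `test_api_templates_update_administrator_or_owner_of_another` in the update tests and needs the same fix. A smaller point in the same file: `test_api_templates_delete_authenticated_member` formats the id as `{template.id}` while the sibling tests use `{template.id!s}`, and the one-argument `client.delete(` calls could be collapsed to a single line now that the header is gone. All three functions start outside their hunks.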


@@ -5,7 +5,6 @@ import pytest
from rest_framework.test import APIClient
from core import factories
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -50,16 +49,17 @@ def test_api_templates_generate_document_anonymous_not_public():
def test_api_templates_generate_document_authenticated_public():
"""Authenticated users can generate pdf document with public templates."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=True)
data = {"body": "# Test markdown body"}
response = APIClient().post(
response = client.post(
f"/api/v1.0/templates/{template.id!s}/generate-document/",
data,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
@@ -72,16 +72,17 @@ def test_api_templates_generate_document_authenticated_not_public():
that are not marked as public.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=False)
data = {"body": "# Test markdown body"}
response = APIClient().post(
response = client.post(
f"/api/v1.0/templates/{template.id!s}/generate-document/",
data,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 404
@@ -91,16 +92,17 @@ def test_api_templates_generate_document_authenticated_not_public():
def test_api_templates_generate_document_related():
"""Users related to a template can generate pdf document."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
access = factories.TemplateAccessFactory(user=user)
data = {"body": "# Test markdown body"}
response = APIClient().post(
response = client.post(
f"/api/v1.0/templates/{access.template.id!s}/generate-document/",
data,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
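Review bot: Every test module in this commit drops its `OIDCToken` import, so `core.tests.utils.OIDCToken` (imported relatively as `.utils` in the accesses and users tests) may be left without any caller; I cannot see the rest of the test tree, so please confirm. If the Bearer/JWT path is really gone from the API, the helper should go with it; if the API still accepts a Bearer token in production, keep one dedicated test that sends a valid and an invalid token so that authentication class does not become untested once these files switch to `force_login`. The first hunk of this file starts inside a docstring and the three generate-document tests may continue past their hunks.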


@@ -9,7 +9,6 @@ from rest_framework.status import HTTP_200_OK
from rest_framework.test import APIClient
from core import factories
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -35,7 +34,9 @@ def test_api_templates_list_authenticated():
an owner/administrator/member of.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
related_templates = [
access.template
@@ -48,8 +49,8 @@ def test_api_templates_list_authenticated():
str(template.id) for template in related_templates + public_templates
}
response = APIClient().get(
"/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
"/api/v1.0/templates/",
)
assert response.status_code == HTTP_200_OK
@@ -65,7 +66,9 @@ def test_api_templates_list_pagination(
):
"""Pagination should work as expected."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template_ids = [
str(access.template.id)
@@ -73,8 +76,8 @@ def test_api_templates_list_pagination(
]
# Get page 1
response = APIClient().get(
"/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
"/api/v1.0/templates/",
)
assert response.status_code == HTTP_200_OK
@@ -89,8 +92,8 @@ def test_api_templates_list_pagination(
template_ids.remove(item["id"])
# Get page 2
response = APIClient().get(
"/api/v1.0/templates/?page=2", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
"/api/v1.0/templates/?page=2",
)
assert response.status_code == HTTP_200_OK
@@ -108,14 +111,16 @@ def test_api_templates_list_pagination(
def test_api_templates_list_authenticated_distinct():
"""A template with several related users should only be listed once."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
other_user = factories.UserFactory()
template = factories.TemplateFactory(users=[user, other_user], is_public=True)
response = APIClient().get(
"/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
"/api/v1.0/templates/",
)
assert response.status_code == HTTP_200_OK
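Review bot: In `test_api_templates_list_authenticated` the request is left as a three-line `response = client.get(` / `"/api/v1.0/templates/",` / `)` after the header argument was removed; with a single argument it reads better as `response = client.get("/api/v1.0/templates/")`, and the remaining magic trailing comma will otherwise make black preserve the expanded form. The same shape remains in the two pagination requests and in `test_api_templates_list_authenticated_distinct` in this file, and in several calls in the users tests. Each of these functions starts or ends outside its hunk.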


@@ -5,7 +5,6 @@ import pytest
from rest_framework.test import APIClient
from core import factories
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -47,13 +46,14 @@ def test_api_templates_retrieve_authenticated_unrelated_public():
not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=True)
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
assert response.json() == {
@@ -76,13 +76,14 @@ def test_api_templates_retrieve_authenticated_unrelated_not_public():
to which they are not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=False)
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 404
assert response.json() == {"detail": "Not found."}
@@ -94,15 +95,16 @@ def test_api_templates_retrieve_authenticated_related():
are related whatever the role.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory()
access1 = factories.TemplateAccessFactory(template=template, user=user)
access2 = factories.TemplateAccessFactory(template=template)
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
content = response.json()


@@ -8,7 +8,6 @@ from rest_framework.test import APIClient
from core import factories
from core.api import serializers
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -41,7 +40,9 @@ def test_api_templates_update_authenticated_unrelated():
Authenticated users should not be allowed to update a template to which they are not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=False)
old_template_values = serializers.TemplateSerializer(instance=template).data
@@ -49,11 +50,10 @@ def test_api_templates_update_authenticated_unrelated():
new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory()
).data
response = APIClient().put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/",
new_template_values,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 404
@@ -70,7 +70,9 @@ def test_api_templates_update_authenticated_members():
not be allowed to update it.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "member")])
old_template_values = serializers.TemplateSerializer(instance=template).data
@@ -78,11 +80,10 @@ def test_api_templates_update_authenticated_members():
new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory()
).data
response = APIClient().put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/",
new_template_values,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -99,7 +100,9 @@ def test_api_templates_update_authenticated_members():
def test_api_templates_update_authenticated_administrators(role):
"""Administrators of a template should be allowed to update it."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, role)])
old_template_values = serializers.TemplateSerializer(instance=template).data
@@ -107,11 +110,10 @@ def test_api_templates_update_authenticated_administrators(role):
new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory()
).data
response = APIClient().put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/",
new_template_values,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
@@ -130,7 +132,9 @@ def test_api_templates_update_administrator_or_owner_of_another():
another template.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
factories.TemplateFactory(users=[(user, random.choice(["administrator", "owner"]))])
is_public = random.choice([True, False])
@@ -140,11 +144,10 @@ def test_api_templates_update_administrator_or_owner_of_another():
new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory()
).data
response = APIClient().put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/",
new_template_values,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403 if is_public else 404


@@ -10,7 +10,6 @@ from rest_framework.test import APIClient
from core import factories, models
from core.api import serializers
from .utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -33,7 +32,9 @@ def test_api_template_accesses_list_authenticated_unrelated():
to which they are not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory()
factories.TemplateAccessFactory.create_batch(3, template=template)
@@ -42,9 +43,8 @@ def test_api_template_accesses_list_authenticated_unrelated():
other_access = factories.TemplateAccessFactory(user=user)
factories.TemplateAccessFactory(template=other_access.template)
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/accesses/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
assert response.json() == {
@@ -61,7 +61,9 @@ def test_api_template_accesses_list_authenticated_related():
to which they are related, whatever their role in the template.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory()
user_access = models.TemplateAccess.objects.create(
@@ -75,9 +77,8 @@ def test_api_template_accesses_list_authenticated_related():
other_access = factories.TemplateAccessFactory(user=user)
factories.TemplateAccessFactory(template=other_access.template)
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/accesses/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
@@ -130,14 +131,15 @@ def test_api_template_accesses_retrieve_authenticated_unrelated():
a template to which they are not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory()
access = factories.TemplateAccessFactory(template=template)
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
assert response.json() == {
@@ -149,9 +151,8 @@ def test_api_template_accesses_retrieve_authenticated_unrelated():
factories.TemplateAccessFactory(),
factories.TemplateAccessFactory(user=user),
]:
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 404
@@ -164,14 +165,15 @@ def test_api_template_accesses_retrieve_authenticated_related():
associated template user accesses.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[user])
access = factories.TemplateAccessFactory(template=template)
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
@@ -211,18 +213,19 @@ def test_api_template_accesses_create_authenticated_unrelated():
which they are not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
other_user = factories.UserFactory()
template = factories.TemplateFactory()
response = APIClient().post(
response = client.post(
f"/api/v1.0/templates/{template.id!s}/accesses/",
{
"user": str(other_user.id),
},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -232,21 +235,21 @@ def test_api_template_accesses_create_authenticated_unrelated():
def test_api_template_accesses_create_authenticated_member():
"""Members of a template should not be allowed to create template accesses."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "member")])
other_user = factories.UserFactory()
api_client = APIClient()
for role in [role[0] for role in models.RoleChoices.choices]:
response = api_client.post(
response = client.post(
f"/api/v1.0/templates/{template.id!s}/accesses/",
{
"user": str(other_user.id),
"role": role,
},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -260,7 +263,9 @@ def test_api_template_accesses_create_authenticated_administrator():
except for the "owner" role.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")])
other_user = factories.UserFactory()
@@ -268,14 +273,13 @@ def test_api_template_accesses_create_authenticated_administrator():
api_client = APIClient()
# It should not be allowed to create an owner access
response = api_client.post(
response = client.post(
f"/api/v1.0/templates/{template.id!s}/accesses/",
{
"user": str(other_user.id),
"role": "owner",
},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -288,14 +292,13 @@ def test_api_template_accesses_create_authenticated_administrator():
[role[0] for role in models.RoleChoices.choices if role[0] != "owner"]
)
response = api_client.post(
response = client.post(
f"/api/v1.0/templates/{template.id!s}/accesses/",
{
"user": str(other_user.id),
"role": role,
},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 201
@@ -314,21 +317,22 @@ def test_api_template_accesses_create_authenticated_owner():
Owners of a template should be able to create template accesses whatever the role.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "owner")])
other_user = factories.UserFactory()
role = random.choice([role[0] for role in models.RoleChoices.choices])
response = APIClient().post(
response = client.post(
f"/api/v1.0/templates/{template.id!s}/accesses/",
{
"user": str(other_user.id),
"role": role,
},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 201
@@ -373,7 +377,9 @@ def test_api_template_accesses_update_authenticated_unrelated():
they are not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
access = factories.TemplateAccessFactory()
old_values = serializers.TemplateAccessSerializer(instance=access).data
@@ -384,13 +390,11 @@ def test_api_template_accesses_update_authenticated_unrelated():
"role": random.choice(models.RoleChoices.choices)[0],
}
api_client = APIClient()
for field, value in new_values.items():
response = api_client.put(
response = client.put(
f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
{**old_values, field: value},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -402,7 +406,9 @@ def test_api_template_accesses_update_authenticated_unrelated():
def test_api_template_accesses_update_authenticated_member():
"""Members of a template should not be allowed to update its accesses."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "member")])
access = factories.TemplateAccessFactory(template=template)
@@ -414,13 +420,11 @@ def test_api_template_accesses_update_authenticated_member():
"role": random.choice(models.RoleChoices.choices)[0],
}
api_client = APIClient()
for field, value in new_values.items():
response = api_client.put(
response = client.put(
f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
{**old_values, field: value},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -435,7 +439,9 @@ def test_api_template_accesses_update_administrator_except_owner():
access for this template, as long as they don't try to set the role to owner.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")])
access = factories.TemplateAccessFactory(
@@ -450,14 +456,12 @@ def test_api_template_accesses_update_administrator_except_owner():
"role": random.choice(["administrator", "member"]),
}
api_client = APIClient()
for field, value in new_values.items():
new_data = {**old_values, field: value}
response = api_client.put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data=new_data,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
if (
@@ -481,7 +485,9 @@ def test_api_template_accesses_update_administrator_from_owner():
the user access of an "owner" for this template.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")])
other_user = factories.UserFactory()
@@ -496,13 +502,11 @@ def test_api_template_accesses_update_administrator_from_owner():
"role": random.choice(models.RoleChoices.choices)[0],
}
api_client = APIClient()
for field, value in new_values.items():
response = api_client.put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data={**old_values, field: value},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -517,7 +521,9 @@ def test_api_template_accesses_update_administrator_to_owner():
the user access of another user to grant template ownership.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")])
other_user = factories.UserFactory()
@@ -534,14 +540,12 @@ def test_api_template_accesses_update_administrator_to_owner():
"role": "owner",
}
api_client = APIClient()
for field, value in new_values.items():
new_data = {**old_values, field: value}
response = api_client.put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data=new_data,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
# We are not allowed or not really updating the role
if field == "role" or new_data["role"] == old_values["role"]:
@@ -560,7 +564,9 @@ def test_api_template_accesses_update_owner():
a user access for this template whatever the role.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "owner")])
factories.UserFactory()
@@ -575,14 +581,12 @@ def test_api_template_accesses_update_owner():
"role": random.choice(models.RoleChoices.choices)[0],
}
api_client = APIClient()
for field, value in new_values.items():
new_data = {**old_values, field: value}
response = api_client.put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data=new_data,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
if (
@@ -607,19 +611,19 @@ def test_api_template_accesses_update_owner_self():
their own user access provided there are other owners in the template.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory()
access = factories.TemplateAccessFactory(template=template, user=user, role="owner")
old_values = serializers.TemplateAccessSerializer(instance=access).data
new_role = random.choice(["administrator", "member"])
api_client = APIClient()
response = api_client.put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data={**old_values, "role": new_role},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -629,11 +633,10 @@ def test_api_template_accesses_update_owner_self():
# Add another owner and it should now work
factories.TemplateAccessFactory(template=template, role="owner")
response = api_client.put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
data={**old_values, "role": new_role},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
@@ -662,13 +665,14 @@ def test_api_template_accesses_delete_authenticated():
template to which they are not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
access = factories.TemplateAccessFactory()
response = APIClient().delete(
response = client.delete(
f"/api/v1.0/templates/{access.template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -681,7 +685,9 @@ def test_api_template_accesses_delete_member():
template in which they are a simple member.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "member")])
access = factories.TemplateAccessFactory(template=template)
@@ -689,9 +695,8 @@ def test_api_template_accesses_delete_member():
assert models.TemplateAccess.objects.count() == 2
assert models.TemplateAccess.objects.filter(user=access.user).exists()
response = APIClient().delete(
response = client.delete(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -704,7 +709,9 @@ def test_api_template_accesses_delete_administrators_except_owners():
from the template provided it is not ownership.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")])
access = factories.TemplateAccessFactory(
@@ -714,9 +721,8 @@ def test_api_template_accesses_delete_administrators_except_owners():
assert models.TemplateAccess.objects.count() == 2
assert models.TemplateAccess.objects.filter(user=access.user).exists()
response = APIClient().delete(
response = client.delete(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 204
@@ -729,7 +735,9 @@ def test_api_template_accesses_delete_administrators_owners():
access from the template.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "administrator")])
access = factories.TemplateAccessFactory(template=template, role="owner")
@@ -737,9 +745,8 @@ def test_api_template_accesses_delete_administrators_owners():
assert models.TemplateAccess.objects.count() == 2
assert models.TemplateAccess.objects.filter(user=access.user).exists()
response = APIClient().delete(
response = client.delete(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -752,7 +759,9 @@ def test_api_template_accesses_delete_owners():
for a template of which they are owner.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "owner")])
access = factories.TemplateAccessFactory(
@@ -762,9 +771,8 @@ def test_api_template_accesses_delete_owners():
assert models.TemplateAccess.objects.count() == 2
assert models.TemplateAccess.objects.filter(user=access.user).exists()
response = APIClient().delete(
response = client.delete(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 204
@@ -776,15 +784,16 @@ def test_api_template_accesses_delete_owners_last_owner():
It should not be possible to delete the last owner access from a template
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory()
access = factories.TemplateAccessFactory(template=template, user=user, role="owner")
assert models.TemplateAccess.objects.count() == 1
response = APIClient().delete(
response = client.delete(
f"/api/v1.0/templates/{template.id!s}/accesses/{access.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
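Review bot: In `test_api_template_accesses_create_authenticated_administrator` the line `api_client = APIClient()` is kept as context at the top of the `@@ -268,14 +273,13 @@` hunk while both requests below it now go through `client.post`, so `api_client` is created and never used; judging from the hunk boundaries the same may be true of `api_client = APIClient()` in `test_api_template_accesses_create_authenticated_member`, please confirm on the full file. Dropping the leftover line keeps these two tests consistent with the update tests, where the commit already removes the second client. Both functions start and end outside the hunks shown.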


@@ -7,7 +7,6 @@ from rest_framework.test import APIClient
from core import factories, models
from core.api import serializers
from .utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -26,11 +25,13 @@ def test_api_users_list_authenticated():
Authenticated users should not be able to list users.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
factories.UserFactory.create_batch(2)
response = APIClient().get(
"/api/v1.0/users/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
"/api/v1.0/users/",
)
assert response.status_code == 404
assert "Not Found" in response.content.decode("utf-8")
@@ -50,11 +51,13 @@ def test_api_users_retrieve_me_anonymous():
def test_api_users_retrieve_me_authenticated():
"""Authenticated users should be able to retrieve their own user via the "/users/me" path."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
factories.UserFactory.create_batch(2)
response = APIClient().get(
"/api/v1.0/users/me/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
"/api/v1.0/users/me/",
)
assert response.status_code == 200
@@ -85,10 +88,12 @@ def test_api_users_retrieve_authenticated_self():
The returned object should not contain the password.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
response = APIClient().get(
f"/api/v1.0/users/{user.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
client = APIClient()
client.force_login(user)
response = client.get(
f"/api/v1.0/users/{user.id!s}/",
)
assert response.status_code == 405
assert response.json() == {"detail": 'Method "GET" not allowed.'}
@@ -100,12 +105,14 @@ def test_api_users_retrieve_authenticated_other():
limited information.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
other_user = factories.UserFactory()
response = APIClient().get(
f"/api/v1.0/users/{other_user.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
f"/api/v1.0/users/{other_user.id!s}/",
)
assert response.status_code == 405
assert response.json() == {"detail": 'Method "GET" not allowed.'}
@@ -128,16 +135,17 @@ def test_api_users_create_anonymous():
def test_api_users_create_authenticated():
"""Authenticated users should not be able to create users via the API."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
response = APIClient().post(
client = APIClient()
client.force_login(user)
response = client.post(
"/api/v1.0/users/",
{
"language": "fr-fr",
"password": "mypassword",
},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 404
assert "Not Found" in response.content.decode("utf-8")
@@ -174,18 +182,19 @@ def test_api_users_update_authenticated_self():
and "timezone" fields.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
old_user_values = dict(serializers.UserSerializer(instance=user).data)
new_user_values = dict(
serializers.UserSerializer(instance=factories.UserFactory()).data
)
response = APIClient().put(
response = client.put(
f"/api/v1.0/users/{user.id!s}/",
new_user_values,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
@@ -201,17 +210,18 @@ def test_api_users_update_authenticated_self():
def test_api_users_update_authenticated_other():
"""Authenticated users should not be allowed to update other users."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
user = factories.UserFactory()
old_user_values = dict(serializers.UserSerializer(instance=user).data)
new_user_values = serializers.UserSerializer(instance=factories.UserFactory()).data
response = APIClient().put(
response = client.put(
f"/api/v1.0/users/{user.id!s}/",
new_user_values,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -253,7 +263,9 @@ def test_api_users_patch_authenticated_self():
and "timezone" fields.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
old_user_values = dict(serializers.UserSerializer(instance=user).data)
new_user_values = dict(
@@ -261,11 +273,10 @@ def test_api_users_patch_authenticated_self():
)
for key, new_value in new_user_values.items():
response = APIClient().patch(
response = client.patch(
f"/api/v1.0/users/{user.id!s}/",
{key: new_value},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
@@ -281,7 +292,9 @@ def test_api_users_patch_authenticated_self():
def test_api_users_patch_authenticated_other():
"""Authenticated users should not be allowed to patch other users."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
user = factories.UserFactory()
old_user_values = dict(serializers.UserSerializer(instance=user).data)
@@ -290,11 +303,10 @@ def test_api_users_patch_authenticated_other():
)
for key, new_value in new_user_values.items():
response = APIClient().put(
response = client.put(
f"/api/v1.0/users/{user.id!s}/",
{key: new_value},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -319,11 +331,12 @@ def test_api_users_delete_list_authenticated():
"""Authenticated users should not be allowed to delete a list of users."""
factories.UserFactory.create_batch(2)
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
response = client.delete(
"/api/v1.0/users/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
"/api/v1.0/users/",
)
assert response.status_code == 404
@@ -345,11 +358,14 @@ def test_api_users_delete_authenticated():
Authenticated users should not be allowed to delete a user other than themselves.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
other_user = factories.UserFactory()
response = APIClient().delete(
f"/api/v1.0/users/{other_user.id!s}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.delete(
f"/api/v1.0/users/{other_user.id!s}/",
)
assert response.status_code == 405
@@ -359,11 +375,12 @@ def test_api_users_delete_authenticated():
def test_api_users_delete_self():
"""Authenticated users should not be able to delete their own user."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
response = APIClient().delete(
client = APIClient()
client.force_login(user)
response = client.delete(
f"/api/v1.0/users/{user.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 405
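Review bot: `test_api_users_patch_authenticated_other` issues `client.put` in its loop rather than `client.patch`, so it does not exercise the PATCH handler its name and docstring promise; changing the call to `response = client.patch(` would make the 403 expectation meaningful for partial updates. In the same test and in `test_api_users_update_authenticated_other`, `user = factories.UserFactory()` is rebound right after `client.force_login(user)`, so the name of the logged-in user is silently replaced by the target user; renaming the second binding to `other_user` and using `f"/api/v1.0/users/{other_user.id!s}/"`, as `test_api_users_retrieve_authenticated_other` already does, makes the two roles explicit. Both functions end outside their hunks.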