(backend) drop JWT authentication in API tests

Use Django's force_login to skip the authentication step (no OIDC/session login is performed) where a test needs an authenticated user; the API's authorization checks are still exercised.

Note: Generating a session cookie through OIDC flow
is not supported while testing our API.
This commit is contained in:
Lebaud Antoine
2024-02-24 11:49:36 +01:00
committed by Samuel Paccoud
parent b9eee3e643
commit b1892ded17
8 changed files with 215 additions and 173 deletions


@@ -6,7 +6,6 @@ from rest_framework.test import APIClient
from core import factories
from core.models import Template
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -30,15 +29,16 @@ def test_api_templates_create_authenticated():
as the owner of the newly created template.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
response = APIClient().post(
client = APIClient()
client.force_login(user)
response = client.post(
"/api/v1.0/templates/",
{
"title": "my template",
},
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 201
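Review bot: After `client.force_login(user)` the POST at `response = client.post(` authenticates through a session cookie, and `APIClient()` is built with CSRF enforcement off, so no test here checks that the create endpoint refuses a session-authenticated POST without a CSRF token. If the API authenticates with DRF's SessionAuthentication in production (the commit note about session cookies suggests so), that CSRF check is now the main guard against cross-site state changes and deserves one test, e.g. `client = APIClient(enforce_csrf_checks=True)` followed by `assert response.status_code == 403`. Since `OIDCToken` is dropped from the imports, no test in this file sends a credential through a real authentication backend any more; if the backend still accepts bearer tokens anywhere, that path is untested. test_api_templates_create_authenticated may continue past the end of the hunk.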


@@ -7,7 +7,6 @@ import pytest
from rest_framework.test import APIClient
from core import factories, models
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -30,14 +29,15 @@ def test_api_templates_delete_authenticated_unrelated():
related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
is_public = random.choice([True, False])
template = factories.TemplateFactory(is_public=is_public)
response = APIClient().delete(
response = client.delete(
f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403 if is_public else 404
@@ -51,12 +51,14 @@ def test_api_templates_delete_authenticated_member(role):
only a member.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, role)])
response = APIClient().delete(
f"/api/v1.0/templates/{template.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.delete(
f"/api/v1.0/templates/{template.id}/",
)
assert response.status_code == 403
@@ -72,12 +74,14 @@ def test_api_templates_delete_authenticated_owner():
owner.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "owner")])
response = APIClient().delete(
f"/api/v1.0/templates/{template.id}/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.delete(
f"/api/v1.0/templates/{template.id}/",
)
assert response.status_code == 204
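Review bot: The assertion `assert response.status_code == 403 if is_public else 404` in test_api_templates_delete_authenticated_unrelated parses as `(response.status_code == 403) if is_public else 404`, so for a private template the test evaluates the bare value 404, which is truthy, and passes whatever the API returned; the deny-by-404 behaviour for private templates is never verified. The line is unchanged context, but the commit rewrites the request in that test, so it is the place to fix it: `assert response.status_code == (403 if is_public else 404)`. The same precedence mistake appears in the update tests of this commit.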


@@ -5,7 +5,6 @@ import pytest
from rest_framework.test import APIClient
from core import factories
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -50,16 +49,17 @@ def test_api_templates_generate_document_anonymous_not_public():
def test_api_templates_generate_document_authenticated_public():
"""Authenticated users can generate pdf document with public templates."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=True)
data = {"body": "# Test markdown body"}
response = APIClient().post(
response = client.post(
f"/api/v1.0/templates/{template.id!s}/generate-document/",
data,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
@@ -72,16 +72,17 @@ def test_api_templates_generate_document_authenticated_not_public():
that are not marked as public.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=False)
data = {"body": "# Test markdown body"}
response = APIClient().post(
response = client.post(
f"/api/v1.0/templates/{template.id!s}/generate-document/",
data,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 404
@@ -91,16 +92,17 @@ def test_api_templates_generate_document_authenticated_not_public():
def test_api_templates_generate_document_related():
"""Users related to a template can generate pdf document."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
access = factories.TemplateAccessFactory(user=user)
data = {"body": "# Test markdown body"}
response = APIClient().post(
response = client.post(
f"/api/v1.0/templates/{access.template.id!s}/generate-document/",
data,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200


@@ -9,7 +9,6 @@ from rest_framework.status import HTTP_200_OK
from rest_framework.test import APIClient
from core import factories
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -35,7 +34,9 @@ def test_api_templates_list_authenticated():
an owner/administrator/member of.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
related_templates = [
access.template
@@ -48,8 +49,8 @@ def test_api_templates_list_authenticated():
str(template.id) for template in related_templates + public_templates
}
response = APIClient().get(
"/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
"/api/v1.0/templates/",
)
assert response.status_code == HTTP_200_OK
@@ -65,7 +66,9 @@ def test_api_templates_list_pagination(
):
"""Pagination should work as expected."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template_ids = [
str(access.template.id)
@@ -73,8 +76,8 @@ def test_api_templates_list_pagination(
]
# Get page 1
response = APIClient().get(
"/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
"/api/v1.0/templates/",
)
assert response.status_code == HTTP_200_OK
@@ -89,8 +92,8 @@ def test_api_templates_list_pagination(
template_ids.remove(item["id"])
# Get page 2
response = APIClient().get(
"/api/v1.0/templates/?page=2", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
"/api/v1.0/templates/?page=2",
)
assert response.status_code == HTTP_200_OK
@@ -108,14 +111,16 @@ def test_api_templates_list_pagination(
def test_api_templates_list_authenticated_distinct():
"""A template with several related users should only be listed once."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
other_user = factories.UserFactory()
template = factories.TemplateFactory(users=[user, other_user], is_public=True)
response = APIClient().get(
"/api/v1.0/templates/", HTTP_AUTHORIZATION=f"Bearer {jwt_token}"
response = client.get(
"/api/v1.0/templates/",
)
assert response.status_code == HTTP_200_OK
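Review bot: Style only: with the `HTTP_AUTHORIZATION` kwarg gone, calls such as `response = client.get(` / `"/api/v1.0/templates/",` / `)` now spread a single short argument over three lines, kept that way only by the trailing comma. `response = client.get("/api/v1.0/templates/")` and `response = client.get("/api/v1.0/templates/?page=2")` read more easily and match the one-line style of the factory calls above them.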


@@ -5,7 +5,6 @@ import pytest
from rest_framework.test import APIClient
from core import factories
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -47,13 +46,14 @@ def test_api_templates_retrieve_authenticated_unrelated_public():
not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=True)
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
assert response.json() == {
@@ -76,13 +76,14 @@ def test_api_templates_retrieve_authenticated_unrelated_not_public():
to which they are not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=False)
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 404
assert response.json() == {"detail": "Not found."}
@@ -94,15 +95,16 @@ def test_api_templates_retrieve_authenticated_related():
are related whatever the role.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory()
access1 = factories.TemplateAccessFactory(template=template, user=user)
access2 = factories.TemplateAccessFactory(template=template)
response = APIClient().get(
response = client.get(
f"/api/v1.0/templates/{template.id!s}/",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
content = response.json()


@@ -8,7 +8,6 @@ from rest_framework.test import APIClient
from core import factories
from core.api import serializers
from core.tests.utils import OIDCToken
pytestmark = pytest.mark.django_db
@@ -41,7 +40,9 @@ def test_api_templates_update_authenticated_unrelated():
Authenticated users should not be allowed to update a template to which they are not related.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(is_public=False)
old_template_values = serializers.TemplateSerializer(instance=template).data
@@ -49,11 +50,10 @@ def test_api_templates_update_authenticated_unrelated():
new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory()
).data
response = APIClient().put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/",
new_template_values,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 404
@@ -70,7 +70,9 @@ def test_api_templates_update_authenticated_members():
not be allowed to update it.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, "member")])
old_template_values = serializers.TemplateSerializer(instance=template).data
@@ -78,11 +80,10 @@ def test_api_templates_update_authenticated_members():
new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory()
).data
response = APIClient().put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/",
new_template_values,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403
@@ -99,7 +100,9 @@ def test_api_templates_update_authenticated_members():
def test_api_templates_update_authenticated_administrators(role):
"""Administrators of a template should be allowed to update it."""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
template = factories.TemplateFactory(users=[(user, role)])
old_template_values = serializers.TemplateSerializer(instance=template).data
@@ -107,11 +110,10 @@ def test_api_templates_update_authenticated_administrators(role):
new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory()
).data
response = APIClient().put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/",
new_template_values,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 200
@@ -130,7 +132,9 @@ def test_api_templates_update_administrator_or_owner_of_another():
another template.
"""
user = factories.UserFactory()
jwt_token = OIDCToken.for_user(user)
client = APIClient()
client.force_login(user)
factories.TemplateFactory(users=[(user, random.choice(["administrator", "owner"]))])
is_public = random.choice([True, False])
@@ -140,11 +144,10 @@ def test_api_templates_update_administrator_or_owner_of_another():
new_template_values = serializers.TemplateSerializer(
instance=factories.TemplateFactory()
).data
response = APIClient().put(
response = client.put(
f"/api/v1.0/templates/{template.id!s}/",
new_template_values,
format="json",
HTTP_AUTHORIZATION=f"Bearer {jwt_token}",
)
assert response.status_code == 403 if is_public else 404
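Review bot: The final assertion `assert response.status_code == 403 if is_public else 404` in test_api_templates_update_administrator_or_owner_of_another binds as `(response.status_code == 403) if is_public else 404`, so when `is_public` is False the test asserts the constant 404 and passes without looking at the response; the check that an administrator of one template cannot update a private template they are not related to is therefore not enforced. Parenthesize the conditional: `assert response.status_code == (403 if is_public else 404)`. The hunk ends at this line; the test body may continue beyond it.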