server/tests/test_auth_service.py

from __future__ import annotations

from sqlalchemy import create_engine
from sqlalchemy.orm import Session, sessionmaker
from sqlalchemy.pool import StaticPool

from app.db.base import Base
from app.schemas.auth import LoginRequest
from app.schemas.settings import SettingsWrite
from app.services.auth import AuthService, AuthenticatedUser
from app.services.employee import EmployeeService
from app.services.settings import SettingsService


def build_session() -> Session:
    engine = create_engine(
        "sqlite+pysqlite:///:memory:",
        connect_args={"check_same_thread": False},
        poolclass=StaticPool,
    )
    Base.metadata.create_all(bind=engine)
    session_factory = sessionmaker(bind=engine, autoflush=False, autocommit=False)
    return session_factory()


def test_employee_can_login_with_seed_default_password() -> None:
    with build_session() as db:
        employee = EmployeeService(db).list_employees()[0]
        result = AuthService(db).login(
            LoginRequest(username=employee.email, password="123456")
        )

        assert result.ok is True
        assert result.user.username == employee.email
        assert result.user.name == employee.name
        assert result.user.position == employee.position
        assert result.user.grade == employee.grade
        assert result.user.roleCodes
        assert result.user.isAdmin is False


def test_current_user_snapshot_refreshes_employee_position() -> None:
    with build_session() as db:
        employee = EmployeeService(db).list_employees()[0]
        result = AuthService(db).get_user_snapshot(employee.email)

        assert result is not None
        assert result.username == employee.email
        assert result.name == employee.name
        assert result.department == employee.department
        assert result.position == employee.position
        assert result.grade == employee.grade


def test_admin_can_login_with_database_password() -> None:
    with build_session() as db:
        settings_service = SettingsService(db)
        payload = settings_service.get_settings_snapshot().model_dump()
        payload["adminForm"]["adminAccount"] = "superadmin"
        payload["adminForm"]["newPassword"] = "admin123"
        payload["adminForm"]["confirmPassword"] = "admin123"
        settings_service.save_settings_snapshot(SettingsWrite(**payload))

        result = AuthService(db).login(
            LoginRequest(username="superadmin", password="admin123")
        )

        assert result.ok is True
        assert result.user.username == "superadmin"
        assert result.user.isAdmin is True
        assert result.user.position == "系统管理员"
        assert result.user.roleCodes == ["manager"]


def test_disabled_employee_cannot_login() -> None:
    with build_session() as db:
        service = EmployeeService(db)
        employee = service.list_employees()[0]
        service.disable_employee(employee.id)

        try:
            AuthService(db).login(LoginRequest(username=employee.email, password="123456"))
        except ValueError as exc:
            assert "账号或密码错误" in str(exc)
        else:
            raise AssertionError("disabled employee login should be rejected")


def test_reenabled_employee_can_login_again() -> None:
    with build_session() as db:
        service = EmployeeService(db)
        employee = service.list_employees()[0]
        service.disable_employee(employee.id)
        service.enable_employee(employee.id)

        result = AuthService(db).login(LoginRequest(username=employee.email, password="123456"))

        assert result.ok is True
        assert result.user.username == employee.email


def test_employee_login_skips_directory_bootstrap_when_employee_exists(monkeypatch) -> None:
    with build_session() as db:
        service = AuthService(db)
        calls: list[str] = []

        class ExistingEmployee:
            email = "demo@example.com"
            password_hash = "hash"
            employment_status = "在职"

        def fail_if_bootstrapped(self) -> None:
            calls.append("ensure_directory_ready")
            raise AssertionError("existing employee login should not run directory bootstrap")

        monkeypatch.setattr(AuthService, "_find_employee_by_email", lambda self, _: ExistingEmployee())
        monkeypatch.setattr("app.services.auth.verify_password", lambda password, password_hash: True)
        monkeypatch.setattr(
            AuthService,
            "_build_employee_user",
            lambda self, employee: AuthenticatedUser(
                username=employee.email,
                name="Demo",
                role="使用者",
                department="",
                position="",
                grade="",
                employee_no="",
                manager_name="",
                location="",
                cost_center="",
                finance_owner_name="",
                risk_profile={},
                role_codes=["user"],
                email=employee.email,
                avatar="D",
            ),
        )
        monkeypatch.setattr(EmployeeService, "ensure_directory_ready", fail_if_bootstrapped)

        user = service._authenticate_employee("demo@example.com", "123456")

        assert user is not None
        assert user.username == "demo@example.com"
        assert calls == []
feat: 完善系统配置、安全增强与知识库功能 - .env.example: API基础路径改为相对路径 /api/v1，支持代理转发 - README.md: 完善项目结构与启动说明文档 - docker-compose.yml: 新增Docker编排配置，支持容器化部署 - docker/: 新增Docker部署相关文档与配置 - server_start.sh: 重构启动脚本，添加容器环境检测、隔离虚拟环境路径、环境变量覆盖机制 - deps.py: 完善API依赖注入，增强权限验证逻辑 - admin_secret.py: 优化管理员密钥加密存储与验证 - config.py: 扩展配置管理，支持多环境变量绑定 - security.py: 增强安全模块，完善加密与认证机制 - db/base.py: 优化数据库基础架构与连接管理 - main.py: 更新应用入口，整合新模块路由 - models/: 完善系统模型配置，支持模型设置持久化 - repositories/settings.py: 优化设置仓储层，增强数据持久化 - services/settings.py: 重构设置服务，精简代码结构 - router.py: 更新API路由配置 - endpoints/knowledge.py: 新增知识库API端点 - schemas/knowledge.py: 新增知识库数据模型 - services/knowledge.py: 新增知识库业务逻辑 - storage/knowledge/.index.json: 知识库索引存储 - api.js: 完善API服务层，增强错误处理 - bootstrap.js: 优化前端初始化与引导流程 - useSetupView.js / useSystemState.js: 重构组合式函数 - TopBar.vue: 优化顶部导航栏组件 - SettingsView.vue: 重构设置页面UI，增强用户体验 - SetupView.vue / SetupRouteView.vue: 完善引导流程页面 - PoliciesView.vue: 优化策略视图组件 - vite.config.js: 更新Vite构建配置 - web_start.sh: 完善前端启动脚本 - views/scripts/: 优化各业务视图JS逻辑 - settings-view.css: 重构设置页面样式 - setup-view.css: 完善引导页样式 - policies-view.css: 优化策略页样式 - test_auth_service.py: 完善认证服务测试 - test_settings_persistence.py: 增强设置持久化测试 - document/: 新增开发文档与工作日志 2026-05-09 03:04:09 +00:00			`from __future__ import annotations`

			`from sqlalchemy import create_engine`
			`from sqlalchemy.orm import Session, sessionmaker`
			`from sqlalchemy.pool import StaticPool`

			`from app.db.base import Base`
			`from app.schemas.auth import LoginRequest`
			`from app.schemas.settings import SettingsWrite`
fix(auth): 登录目录就绪幂等化与并发控制 - employee/settings/user_session_metrics 的 ensure_*_ready 改为按 bind 缓存 + 锁，避免每次登录重复建表与并发场景下的竞态 - auth 登录链路先查员工再降级触发目录就绪，并吞掉查询期 SQLAlchemy 异常 - 默认管理员账号由 superadmin 迁移为 admin，兼容历史账号回填 - 补充登录降级与设置持久化相关测试 2026-06-18 22:11:53 +08:00			`from app.services.auth import AuthService, AuthenticatedUser`
feat: 完善系统配置、安全增强与知识库功能 - .env.example: API基础路径改为相对路径 /api/v1，支持代理转发 - README.md: 完善项目结构与启动说明文档 - docker-compose.yml: 新增Docker编排配置，支持容器化部署 - docker/: 新增Docker部署相关文档与配置 - server_start.sh: 重构启动脚本，添加容器环境检测、隔离虚拟环境路径、环境变量覆盖机制 - deps.py: 完善API依赖注入，增强权限验证逻辑 - admin_secret.py: 优化管理员密钥加密存储与验证 - config.py: 扩展配置管理，支持多环境变量绑定 - security.py: 增强安全模块，完善加密与认证机制 - db/base.py: 优化数据库基础架构与连接管理 - main.py: 更新应用入口，整合新模块路由 - models/: 完善系统模型配置，支持模型设置持久化 - repositories/settings.py: 优化设置仓储层，增强数据持久化 - services/settings.py: 重构设置服务，精简代码结构 - router.py: 更新API路由配置 - endpoints/knowledge.py: 新增知识库API端点 - schemas/knowledge.py: 新增知识库数据模型 - services/knowledge.py: 新增知识库业务逻辑 - storage/knowledge/.index.json: 知识库索引存储 - api.js: 完善API服务层，增强错误处理 - bootstrap.js: 优化前端初始化与引导流程 - useSetupView.js / useSystemState.js: 重构组合式函数 - TopBar.vue: 优化顶部导航栏组件 - SettingsView.vue: 重构设置页面UI，增强用户体验 - SetupView.vue / SetupRouteView.vue: 完善引导流程页面 - PoliciesView.vue: 优化策略视图组件 - vite.config.js: 更新Vite构建配置 - web_start.sh: 完善前端启动脚本 - views/scripts/: 优化各业务视图JS逻辑 - settings-view.css: 重构设置页面样式 - setup-view.css: 完善引导页样式 - policies-view.css: 优化策略页样式 - test_auth_service.py: 完善认证服务测试 - test_settings_persistence.py: 增强设置持久化测试 - document/: 新增开发文档与工作日志 2026-05-09 03:04:09 +00:00			`from app.services.employee import EmployeeService`
			`from app.services.settings import SettingsService`


			`def build_session() -> Session:`
			`engine = create_engine(`
			`"sqlite+pysqlite:///:memory:",`
			`connect_args={"check_same_thread": False},`
			`poolclass=StaticPool,`
			`)`
			`Base.metadata.create_all(bind=engine)`
			`session_factory = sessionmaker(bind=engine, autoflush=False, autocommit=False)`
			`return session_factory()`


feat: 扩展风险规则体系、审批动态路由与预算中心列表化改造 - 新增 25+ 条风险规则（预算/报销/申请/通用类），完善风险规则模拟与反馈发布机制 - 引入费用审批动态路由、平台风险分级、预审与风险阶段管理 - 预算中心列表化改造，优化票据夹仪表盘与数字员工工作看板 - 新增 Hermes 风险线索收集器、Agent 链路追踪中心 - 扩展数字员工能力库（18 个领域 Skill）与交通费用自动预估 - 完善报销申请快速预览、权限控制与前端测试覆盖 2026-06-01 17:07:14 +08:00			`def test_employee_can_login_with_seed_default_password() -> None:`
			`with build_session() as db:`
			`employee = EmployeeService(db).list_employees()[0]`
			`result = AuthService(db).login(`
			`LoginRequest(username=employee.email, password="123456")`
feat: 完善系统配置、安全增强与知识库功能 - .env.example: API基础路径改为相对路径 /api/v1，支持代理转发 - README.md: 完善项目结构与启动说明文档 - docker-compose.yml: 新增Docker编排配置，支持容器化部署 - docker/: 新增Docker部署相关文档与配置 - server_start.sh: 重构启动脚本，添加容器环境检测、隔离虚拟环境路径、环境变量覆盖机制 - deps.py: 完善API依赖注入，增强权限验证逻辑 - admin_secret.py: 优化管理员密钥加密存储与验证 - config.py: 扩展配置管理，支持多环境变量绑定 - security.py: 增强安全模块，完善加密与认证机制 - db/base.py: 优化数据库基础架构与连接管理 - main.py: 更新应用入口，整合新模块路由 - models/: 完善系统模型配置，支持模型设置持久化 - repositories/settings.py: 优化设置仓储层，增强数据持久化 - services/settings.py: 重构设置服务，精简代码结构 - router.py: 更新API路由配置 - endpoints/knowledge.py: 新增知识库API端点 - schemas/knowledge.py: 新增知识库数据模型 - services/knowledge.py: 新增知识库业务逻辑 - storage/knowledge/.index.json: 知识库索引存储 - api.js: 完善API服务层，增强错误处理 - bootstrap.js: 优化前端初始化与引导流程 - useSetupView.js / useSystemState.js: 重构组合式函数 - TopBar.vue: 优化顶部导航栏组件 - SettingsView.vue: 重构设置页面UI，增强用户体验 - SetupView.vue / SetupRouteView.vue: 完善引导流程页面 - PoliciesView.vue: 优化策略视图组件 - vite.config.js: 更新Vite构建配置 - web_start.sh: 完善前端启动脚本 - views/scripts/: 优化各业务视图JS逻辑 - settings-view.css: 重构设置页面样式 - setup-view.css: 完善引导页样式 - policies-view.css: 优化策略页样式 - test_auth_service.py: 完善认证服务测试 - test_settings_persistence.py: 增强设置持久化测试 - document/: 新增开发文档与工作日志 2026-05-09 03:04:09 +00:00			`)`

feat: 集成Hermes智能体系统，增强聊天和差旅报销功能 2026-05-16 06:14:08 +00:00			`assert result.ok is True`
			`assert result.user.username == employee.email`
			`assert result.user.name == employee.name`
			`assert result.user.position == employee.position`
			`assert result.user.grade == employee.grade`
			`assert result.user.roleCodes`
feat: 扩展风险规则体系、审批动态路由与预算中心列表化改造 - 新增 25+ 条风险规则（预算/报销/申请/通用类），完善风险规则模拟与反馈发布机制 - 引入费用审批动态路由、平台风险分级、预审与风险阶段管理 - 预算中心列表化改造，优化票据夹仪表盘与数字员工工作看板 - 新增 Hermes 风险线索收集器、Agent 链路追踪中心 - 扩展数字员工能力库（18 个领域 Skill）与交通费用自动预估 - 完善报销申请快速预览、权限控制与前端测试覆盖 2026-06-01 17:07:14 +08:00			`assert result.user.isAdmin is False`


			`def test_current_user_snapshot_refreshes_employee_position() -> None:`
			`with build_session() as db:`
			`employee = EmployeeService(db).list_employees()[0]`
			`result = AuthService(db).get_user_snapshot(employee.email)`

			`assert result is not None`
			`assert result.username == employee.email`
			`assert result.name == employee.name`
			`assert result.department == employee.department`
			`assert result.position == employee.position`
			`assert result.grade == employee.grade`


			`def test_admin_can_login_with_database_password() -> None:`
feat: 完善系统配置、安全增强与知识库功能 - .env.example: API基础路径改为相对路径 /api/v1，支持代理转发 - README.md: 完善项目结构与启动说明文档 - docker-compose.yml: 新增Docker编排配置，支持容器化部署 - docker/: 新增Docker部署相关文档与配置 - server_start.sh: 重构启动脚本，添加容器环境检测、隔离虚拟环境路径、环境变量覆盖机制 - deps.py: 完善API依赖注入，增强权限验证逻辑 - admin_secret.py: 优化管理员密钥加密存储与验证 - config.py: 扩展配置管理，支持多环境变量绑定 - security.py: 增强安全模块，完善加密与认证机制 - db/base.py: 优化数据库基础架构与连接管理 - main.py: 更新应用入口，整合新模块路由 - models/: 完善系统模型配置，支持模型设置持久化 - repositories/settings.py: 优化设置仓储层，增强数据持久化 - services/settings.py: 重构设置服务，精简代码结构 - router.py: 更新API路由配置 - endpoints/knowledge.py: 新增知识库API端点 - schemas/knowledge.py: 新增知识库数据模型 - services/knowledge.py: 新增知识库业务逻辑 - storage/knowledge/.index.json: 知识库索引存储 - api.js: 完善API服务层，增强错误处理 - bootstrap.js: 优化前端初始化与引导流程 - useSetupView.js / useSystemState.js: 重构组合式函数 - TopBar.vue: 优化顶部导航栏组件 - SettingsView.vue: 重构设置页面UI，增强用户体验 - SetupView.vue / SetupRouteView.vue: 完善引导流程页面 - PoliciesView.vue: 优化策略视图组件 - vite.config.js: 更新Vite构建配置 - web_start.sh: 完善前端启动脚本 - views/scripts/: 优化各业务视图JS逻辑 - settings-view.css: 重构设置页面样式 - setup-view.css: 完善引导页样式 - policies-view.css: 优化策略页样式 - test_auth_service.py: 完善认证服务测试 - test_settings_persistence.py: 增强设置持久化测试 - document/: 新增开发文档与工作日志 2026-05-09 03:04:09 +00:00			`with build_session() as db:`
			`settings_service = SettingsService(db)`
			`payload = settings_service.get_settings_snapshot().model_dump()`
			`payload["adminForm"]["adminAccount"] = "superadmin"`
			`payload["adminForm"]["newPassword"] = "admin123"`
			`payload["adminForm"]["confirmPassword"] = "admin123"`
			`settings_service.save_settings_snapshot(SettingsWrite(**payload))`

			`result = AuthService(db).login(`
			`LoginRequest(username="superadmin", password="admin123")`
			`)`

feat: 集成Hermes智能体系统，增强聊天和差旅报销功能 2026-05-16 06:14:08 +00:00			`assert result.ok is True`
			`assert result.user.username == "superadmin"`
			`assert result.user.isAdmin is True`
			`assert result.user.position == "系统管理员"`
			`assert result.user.roleCodes == ["manager"]`
feat: 完善系统配置、安全增强与知识库功能 - .env.example: API基础路径改为相对路径 /api/v1，支持代理转发 - README.md: 完善项目结构与启动说明文档 - docker-compose.yml: 新增Docker编排配置，支持容器化部署 - docker/: 新增Docker部署相关文档与配置 - server_start.sh: 重构启动脚本，添加容器环境检测、隔离虚拟环境路径、环境变量覆盖机制 - deps.py: 完善API依赖注入，增强权限验证逻辑 - admin_secret.py: 优化管理员密钥加密存储与验证 - config.py: 扩展配置管理，支持多环境变量绑定 - security.py: 增强安全模块，完善加密与认证机制 - db/base.py: 优化数据库基础架构与连接管理 - main.py: 更新应用入口，整合新模块路由 - models/: 完善系统模型配置，支持模型设置持久化 - repositories/settings.py: 优化设置仓储层，增强数据持久化 - services/settings.py: 重构设置服务，精简代码结构 - router.py: 更新API路由配置 - endpoints/knowledge.py: 新增知识库API端点 - schemas/knowledge.py: 新增知识库数据模型 - services/knowledge.py: 新增知识库业务逻辑 - storage/knowledge/.index.json: 知识库索引存储 - api.js: 完善API服务层，增强错误处理 - bootstrap.js: 优化前端初始化与引导流程 - useSetupView.js / useSystemState.js: 重构组合式函数 - TopBar.vue: 优化顶部导航栏组件 - SettingsView.vue: 重构设置页面UI，增强用户体验 - SetupView.vue / SetupRouteView.vue: 完善引导流程页面 - PoliciesView.vue: 优化策略视图组件 - vite.config.js: 更新Vite构建配置 - web_start.sh: 完善前端启动脚本 - views/scripts/: 优化各业务视图JS逻辑 - settings-view.css: 重构设置页面样式 - setup-view.css: 完善引导页样式 - policies-view.css: 优化策略页样式 - test_auth_service.py: 完善认证服务测试 - test_settings_persistence.py: 增强设置持久化测试 - document/: 新增开发文档与工作日志 2026-05-09 03:04:09 +00:00

test(backend): update auth and employee service tests - tests/test_auth_service.py: update auth service tests - tests/test_employee_service.py: update employee service tests 2026-05-14 02:57:00 +00:00			`def test_disabled_employee_cannot_login() -> None:`
			`with build_session() as db:`
			`service = EmployeeService(db)`
			`employee = service.list_employees()[0]`
			`service.disable_employee(employee.id)`
feat: 完善系统配置、安全增强与知识库功能 - .env.example: API基础路径改为相对路径 /api/v1，支持代理转发 - README.md: 完善项目结构与启动说明文档 - docker-compose.yml: 新增Docker编排配置，支持容器化部署 - docker/: 新增Docker部署相关文档与配置 - server_start.sh: 重构启动脚本，添加容器环境检测、隔离虚拟环境路径、环境变量覆盖机制 - deps.py: 完善API依赖注入，增强权限验证逻辑 - admin_secret.py: 优化管理员密钥加密存储与验证 - config.py: 扩展配置管理，支持多环境变量绑定 - security.py: 增强安全模块，完善加密与认证机制 - db/base.py: 优化数据库基础架构与连接管理 - main.py: 更新应用入口，整合新模块路由 - models/: 完善系统模型配置，支持模型设置持久化 - repositories/settings.py: 优化设置仓储层，增强数据持久化 - services/settings.py: 重构设置服务，精简代码结构 - router.py: 更新API路由配置 - endpoints/knowledge.py: 新增知识库API端点 - schemas/knowledge.py: 新增知识库数据模型 - services/knowledge.py: 新增知识库业务逻辑 - storage/knowledge/.index.json: 知识库索引存储 - api.js: 完善API服务层，增强错误处理 - bootstrap.js: 优化前端初始化与引导流程 - useSetupView.js / useSystemState.js: 重构组合式函数 - TopBar.vue: 优化顶部导航栏组件 - SettingsView.vue: 重构设置页面UI，增强用户体验 - SetupView.vue / SetupRouteView.vue: 完善引导流程页面 - PoliciesView.vue: 优化策略视图组件 - vite.config.js: 更新Vite构建配置 - web_start.sh: 完善前端启动脚本 - views/scripts/: 优化各业务视图JS逻辑 - settings-view.css: 重构设置页面样式 - setup-view.css: 完善引导页样式 - policies-view.css: 优化策略页样式 - test_auth_service.py: 完善认证服务测试 - test_settings_persistence.py: 增强设置持久化测试 - document/: 新增开发文档与工作日志 2026-05-09 03:04:09 +00:00
			`try:`
			`AuthService(db).login(LoginRequest(username=employee.email, password="123456"))`
test(backend): update auth and employee service tests - tests/test_auth_service.py: update auth service tests - tests/test_employee_service.py: update employee service tests 2026-05-14 02:57:00 +00:00			`except ValueError as exc:`
			`assert "账号或密码错误" in str(exc)`
			`else:`
			`raise AssertionError("disabled employee login should be rejected")`


			`def test_reenabled_employee_can_login_again() -> None:`
			`with build_session() as db:`
			`service = EmployeeService(db)`
			`employee = service.list_employees()[0]`
			`service.disable_employee(employee.id)`
			`service.enable_employee(employee.id)`

			`result = AuthService(db).login(LoginRequest(username=employee.email, password="123456"))`

			`assert result.ok is True`
			`assert result.user.username == employee.email`
fix(auth): 登录目录就绪幂等化与并发控制 - employee/settings/user_session_metrics 的 ensure_*_ready 改为按 bind 缓存 + 锁，避免每次登录重复建表与并发场景下的竞态 - auth 登录链路先查员工再降级触发目录就绪，并吞掉查询期 SQLAlchemy 异常 - 默认管理员账号由 superadmin 迁移为 admin，兼容历史账号回填 - 补充登录降级与设置持久化相关测试 2026-06-18 22:11:53 +08:00

			`def test_employee_login_skips_directory_bootstrap_when_employee_exists(monkeypatch) -> None:`
			`with build_session() as db:`
			`service = AuthService(db)`
			`calls: list[str] = []`

			`class ExistingEmployee:`
			`email = "demo@example.com"`
			`password_hash = "hash"`
			`employment_status = "在职"`

			`def fail_if_bootstrapped(self) -> None:`
			`calls.append("ensure_directory_ready")`
			`raise AssertionError("existing employee login should not run directory bootstrap")`

			`monkeypatch.setattr(AuthService, "_find_employee_by_email", lambda self, _: ExistingEmployee())`
			`monkeypatch.setattr("app.services.auth.verify_password", lambda password, password_hash: True)`
			`monkeypatch.setattr(`
			`AuthService,`
			`"_build_employee_user",`
			`lambda self, employee: AuthenticatedUser(`
			`username=employee.email,`
			`name="Demo",`
			`role="使用者",`
			`department="",`
			`position="",`
			`grade="",`
			`employee_no="",`
			`manager_name="",`
			`location="",`
			`cost_center="",`
			`finance_owner_name="",`
			`risk_profile={},`
			`role_codes=["user"],`
			`email=employee.email,`
			`avatar="D",`
			`),`
			`)`
			`monkeypatch.setattr(EmployeeService, "ensure_directory_ready", fail_if_bootstrapped)`

			`user = service._authenticate_employee("demo@example.com", "123456")`

			`assert user is not None`
			`assert user.username == "demo@example.com"`
			`assert calls == []`