curo1305 | 43e1d0145e
feat(02-03): add TOTP setup/enable/disable, password reset, and frontend_url to config
- GET /api/auth/totp/setup: returns provisioning_uri + secret (400 if already enabled)
- POST /api/auth/totp/enable: rate-limited 10/min, verifies TOTP code with Redis replay prevention, returns 10 backup codes
- DELETE /api/auth/totp: disables TOTP, clears secret, deletes backup codes
- POST /api/auth/password-reset: always returns 202 (anti-enumeration), enqueues Celery email task
- POST /api/auth/password-reset/confirm: validates token, strength, HIBP; updates password; no auto-login (AUTH-05)
- config.py: added frontend_url setting for password reset link construction
- test_auth_totp.py: all 11 tests passing (GREEN)
2026-05-22 19:52:36 +02:00

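The TOTP enable flow the commit above describes (verify a submitted code, refuse a replayed one, then issue ten single-use backup codes), written out as an added, self-contained example. This is not the repository's code: it uses none of its endpoints, models or Redis client. It assumes RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) with a one-step drift window, an in-memory `ReplayStore` standing in for a Redis `SET key 1 NX EX ttl` per (user, time step), and 64-bit random backup codes persisted as SHA-256 digests; every one of those parameter choices is an assumption, not something the commit states.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Assumed parameters (not from the project): RFC 6238 defaults plus a one-step drift window.
TOTP_STEP = 30
TOTP_DIGITS = 6
TOTP_WINDOW = 1
BACKUP_CODE_COUNT = 10


def generate_totp_secret() -> str:
    """160-bit random secret, base32 without padding: the form authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def _hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, 6 digits."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def totp_at(secret_b32: str, unix_time: int) -> str:
    """TOTP for the time step that contains unix_time."""
    return _hotp(secret_b32, unix_time // TOTP_STEP)


class ReplayStore:
    """In-memory stand-in (assumption) for Redis 'SET key 1 NX EX ttl' keyed by (user, time step).

    A (user, counter) pair is remembered until that counter can no longer fall inside any
    verifier's drift window, so a code that was accepted once cannot be accepted again.
    """

    def __init__(self) -> None:
        self._used = {}  # (user_id, counter) -> expiry as unix time

    def mark_if_unused(self, user_id: str, counter: int, now: int) -> bool:
        self._used = {k: exp for k, exp in self._used.items() if exp > now}
        key = (user_id, counter)
        if key in self._used:
            return False
        self._used[key] = (counter + TOTP_WINDOW + 1) * TOTP_STEP
        return True


def verify_totp(secret_b32: str, code: str, user_id: str, store: ReplayStore,
                now: Optional[int] = None) -> bool:
    """Accept a code for the current step or one step either side, once per step per user."""
    now = int(time.time()) if now is None else now
    if not (code.isdigit() and len(code) == TOTP_DIGITS):
        return False
    counter = now // TOTP_STEP
    for c in range(counter - TOTP_WINDOW, counter + TOTP_WINDOW + 1):
        if hmac.compare_digest(_hotp(secret_b32, c), code):
            # Claim the step only on a match; a second submission of the same code fails here.
            return store.mark_if_unused(user_id, c, now)
    return False


def generate_backup_codes(n: int = BACKUP_CODE_COUNT):
    """Return (plaintext codes to show exactly once, SHA-256 digests to persist).

    Each code is 64 random bits (16 hex chars), so an unsalted fast hash is acceptable here:
    unlike a user-chosen password, the digests cannot be brute-forced back to the codes.
    """
    plain = [secrets.token_hex(8) for _ in range(n)]
    hashed = {hashlib.sha256(p.encode()).hexdigest() for p in plain}
    return plain, hashed


def consume_backup_code(code: str, hashed: set) -> bool:
    """Single use: on a match the digest is removed from the stored set."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in hashed:
        hashed.discard(digest)
        return True
    return False


if __name__ == "__main__":
    secret = generate_totp_secret()
    store = ReplayStore()
    now = int(time.time())
    code = totp_at(secret, now)
    print("first use accepted:", verify_totp(secret, code, "alice", store, now))
    print("replay rejected:", not verify_totp(secret, code, "alice", store, now + 5))
    plain, hashed = generate_backup_codes()
    print("backup code single-use:", consume_backup_code(plain[0], hashed),
          consume_backup_code(plain[0], hashed))
```

The replay key is claimed only after a successful match, and it is keyed by the matched step rather than the current one, so a code accepted at the edge of the drift window is still refused when resubmitted a few seconds later under the next step. In a real deployment the `ReplayStore` would be the atomic Redis `SET NX EX`, since two concurrent requests against a process-local dict could both pass the membership check.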
curo1305 | d7831e9382
test(02-03): add failing tests for TOTP endpoints, password reset, logout-all
- test_totp_setup_returns_uri: GET /api/auth/totp/setup returns provisioning_uri + secret
- test_totp_setup_already_enabled: returns 400 when totp_enabled=True
- test_totp_setup_requires_auth: returns 401/403 without Bearer
- test_password_reset_always_202_nonexistent: anti-enumeration for non-existent email
- test_password_reset_always_202_existing: anti-enumeration for existing email
- test_password_reset_confirm_invalid_token: returns 400 for bad token
- test_password_reset_confirm_weak_password: returns 422 for weak password
- test_password_reset_confirm_valid_no_autologin: returns 200 with no access_token (AUTH-05)
- test_logout_all_revokes_tokens: returns 200 with revoked message
- test_logout_all_requires_auth: returns 401/403 without Bearer
- test_totp_enable_rate_limit: 11th call returns 429
2026-05-22 19:50:51 +02:00