From 10dc7957a2a6841ed2303f346db728ae2192b3e6 Mon Sep 17 00:00:00 2001
From: dogeystamp <dogeystamp@disroot.org>
Date: Fri, 10 Mar 2023 18:32:07 -0500
Subject: [PATCH] tests: improved coverage

---
 sachet/server/models.py |  2 +-
 tests/test_auth.py      | 26 ++++++++++++++++++++++++--
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/sachet/server/models.py b/sachet/server/models.py
index 7ba4633..c251b77 100644
--- a/sachet/server/models.py
+++ b/sachet/server/models.py
@@ -48,7 +48,7 @@ def _token_decorator(require_admin, f, *args, **kwargs):
                 "status": "fail",
                 "message": "Malformed Authorization header."
             }
-            return jsonify(resp)
+            return jsonify(resp), 401
 
     if not token:
         return jsonify({"status": "fail", "message": "Missing auth token"}), 401
diff --git a/tests/test_auth.py b/tests/test_auth.py
index acd393b..479729d 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -3,6 +3,12 @@ import jwt
 from sachet.server import db
 from sachet.server.users import manage
 
+def test_reserved_users(client):
+    """Test that the server prevents reserved endpoints from being registered as usernames."""
+    for user in ["login", "logout", "extend"]:
+        with pytest.raises(KeyError):
+            manage.create_user(False, user, "")
+
 def test_unauth_perms(client):
     """Test endpoints to see if they allow unauthenticated users."""
     resp = client.get("/users/jeff")
@@ -21,6 +27,16 @@ def test_malformed_authorization(client):
     )
     assert resp.status_code == 401
 
+    # token for incorrect user (but properly signed)
+    token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.nZ86hUWPdG43W6HVSGFy6DJnDVOZhx8a73LhQ3gIxY8"
+    resp = client.get(
+        "/users/jeff",
+        headers={
+            "Authorization": f"bearer {token}"
+        }
+    )
+    assert resp.status_code == 401
+
     # invalid token
     token = "not a.real JWT.token"
     resp = client.get(
@@ -32,11 +48,10 @@ def test_malformed_authorization(client):
     assert resp.status_code == 401
 
     # missing token
-    token = "not a.real JWT.token"
     resp = client.get(
         "/users/jeff",
         headers={
-            "Authorization": ""
+            "Authorization": "bearer"
         }
     )
     assert resp.status_code == 401
@@ -51,6 +66,13 @@ def test_login(client, users):
     })
     assert resp.status_code == 401
 
+    # wrong user
+    resp = client.post("/users/login", json={
+        "username": "jeffery",
+        "password": users["jeff"]["password"] + "garbage"
+    })
+    assert resp.status_code == 401
+
     # logging in correctly
     resp = client.post("/users/login", json={
         "username": "jeff",