feat(api): enforce ownership across health routines and profile flows

2026-03-12 15:48:13 +01:00 · 2026-03-12 15:48:13 +01:00 · ffa3b71309
commit ffa3b71309
parent cd8e39939a
14 changed files with 1225 additions and 206 deletions
--- a/backend/tests/conftest.py
+++ b/backend/tests/conftest.py
@ -37,27 +37,32 @@ def session(monkeypatch):


@pytest.fixture()
-def client(session, monkeypatch):
+def current_user() -> CurrentUser:
+    claims = TokenClaims(
+        issuer="https://auth.test",
+        subject="test-user",
+        audience=("innercontext-web",),
+        expires_at=datetime.now(UTC) + timedelta(hours=1),
+        groups=("innercontext-admin",),
+        raw_claims={"iss": "https://auth.test", "sub": "test-user"},
+    )
+    return CurrentUser(
+        user_id=uuid4(),
+        role=Role.ADMIN,
+        identity=IdentityData.from_claims(claims),
+        claims=claims,
+    )
+
+
+@pytest.fixture()
+def client(session, monkeypatch, current_user):
    """TestClient using the per-test session for every request."""

    def _override():
        yield session

    def _current_user_override():
-        claims = TokenClaims(
-            issuer="https://auth.test",
-            subject="test-user",
-            audience=("innercontext-web",),
-            expires_at=datetime.now(UTC) + timedelta(hours=1),
-            groups=("innercontext-admin",),
-            raw_claims={"iss": "https://auth.test", "sub": "test-user"},
-        )
-        return CurrentUser(
-            user_id=uuid4(),
-            role=Role.ADMIN,
-            identity=IdentityData.from_claims(claims),
-            claims=claims,
-        )
+        return current_user

    app.dependency_overrides[get_session] = _override
    app.dependency_overrides[get_current_user] = _current_user_override