Feat: Implement JWT bearer token authentication

Protects image upload, delete, and tag-update endpoints behind Bearer token auth. Public read endpoints remain open. Angular SPA gains a login page, auth interceptor, and route guard for /upload. - JWTAuthProvider (HS256, sub/iat/exp, secrets.compare_digest) - POST /api/v1/auth/token login endpoint - require_auth FastAPI dependency on all write routes - AuthService, LoginComponent, authInterceptor, authGuard - Detail page hides write controls for unauthenticated visitors - 43 unit tests passing; integration tests require Docker stack Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-03 19:12:38 +00:00
parent d91a65abe5
commit 5fbbc1e67f
36 changed files with 3998 additions and 42 deletions
--- a/api/tests/integration/test_protected.py
+++ b/api/tests/integration/test_protected.py
@@ -0,0 +1,95 @@
+"""
+Tests that write endpoints require authentication (US2).
+These use the authed_client fixture which wires JWTAuthProvider.
+"""
+import io
+import uuid
+
+import pytest
+
+
+def _minimal_jpeg() -> bytes:
+    return (
+        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x02"
+        b"\xff\xd9"
+    )
+
+
+@pytest.mark.asyncio
+async def test_upload_without_token_returns_401(authed_client):
+    client, _ = authed_client
+    data = _minimal_jpeg()
+    response = await client.post(
+        "/api/v1/images",
+        files={"file": ("test.jpg", io.BytesIO(data), "image/jpeg")},
+    )
+    assert response.status_code == 401
+    assert response.json().get("code") == "unauthorized"
+
+
+@pytest.mark.asyncio
+async def test_upload_with_valid_token_succeeds(authed_client):
+    client, token = authed_client
+    data = _minimal_jpeg()
+    response = await client.post(
+        "/api/v1/images",
+        files={"file": ("test.jpg", io.BytesIO(data), "image/jpeg")},
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    assert response.status_code in (200, 201)
+
+
+@pytest.mark.asyncio
+async def test_delete_without_token_returns_401(authed_client):
+    client, _ = authed_client
+    fake_id = uuid.uuid4()
+    response = await client.delete(f"/api/v1/images/{fake_id}")
+    assert response.status_code == 401
+    assert response.json().get("code") == "unauthorized"
+
+
+@pytest.mark.asyncio
+async def test_delete_with_valid_token_succeeds(authed_client):
+    client, token = authed_client
+    data = _minimal_jpeg()
+    upload = await client.post(
+        "/api/v1/images",
+        files={"file": ("del-protected.jpg", io.BytesIO(data), "image/jpeg")},
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    image_id = upload.json()["id"]
+    response = await client.delete(
+        f"/api/v1/images/{image_id}",
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    assert response.status_code == 204
+
+
+@pytest.mark.asyncio
+async def test_patch_tags_without_token_returns_401(authed_client):
+    client, _ = authed_client
+    fake_id = uuid.uuid4()
+    response = await client.patch(
+        f"/api/v1/images/{fake_id}/tags",
+        json={"tags": ["a"]},
+    )
+    assert response.status_code == 401
+    assert response.json().get("code") == "unauthorized"
+
+
+@pytest.mark.asyncio
+async def test_patch_tags_with_valid_token_succeeds(authed_client):
+    client, token = authed_client
+    data = _minimal_jpeg()
+    upload = await client.post(
+        "/api/v1/images",
+        files={"file": ("tag-protected.jpg", io.BytesIO(data), "image/jpeg")},
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    image_id = upload.json()["id"]
+    response = await client.patch(
+        f"/api/v1/images/{image_id}/tags",
+        json={"tags": ["protected-tag"]},
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    assert response.status_code == 200