Feat: Implement JWT bearer token authentication

Protects image upload, delete, and tag-update endpoints behind Bearer token auth. Public read endpoints remain open. Angular SPA gains a login page, auth interceptor, and route guard for /upload. - JWTAuthProvider (HS256, sub/iat/exp, secrets.compare_digest) - POST /api/v1/auth/token login endpoint - require_auth FastAPI dependency on all write routes - AuthService, LoginComponent, authInterceptor, authGuard - Detail page hides write controls for unauthenticated visitors - 43 unit tests passing; integration tests require Docker stack Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-03 19:12:38 +00:00
parent d91a65abe5
commit 5fbbc1e67f
36 changed files with 3998 additions and 42 deletions
--- a/ui/src/app/login/login.component.spec.ts
+++ b/ui/src/app/login/login.component.spec.ts
@@ -0,0 +1,63 @@
+import { TestBed, fakeAsync, tick } from '@angular/core/testing';
+import { ReactiveFormsModule } from '@angular/forms';
+import { Router } from '@angular/router';
+import { HttpErrorResponse } from '@angular/common/http';
+import { of, throwError } from 'rxjs';
+import { LoginComponent } from './login.component';
+import { AuthService } from '../auth/auth.service';
+
+describe('LoginComponent', () => {
+  let component: LoginComponent;
+  let authService: jasmine.SpyObj<AuthService>;
+  let router: jasmine.SpyObj<Router>;
+
+  beforeEach(async () => {
+    authService = jasmine.createSpyObj('AuthService', ['login']);
+    router = jasmine.createSpyObj('Router', ['navigate', 'navigateByUrl']);
+
+    await TestBed.configureTestingModule({
+      imports: [LoginComponent, ReactiveFormsModule],
+      providers: [
+        { provide: AuthService, useValue: authService },
+        { provide: Router, useValue: router },
+      ],
+    }).compileComponents();
+
+    const fixture = TestBed.createComponent(LoginComponent);
+    component = fixture.componentInstance;
+    fixture.detectChanges();
+  });
+
+  it('submit calls AuthService.login with username and password', fakeAsync(() => {
+    authService.login.and.returnValue(of(undefined));
+    component.form.setValue({ username: 'owner', password: 'hunter2' });
+    component.onSubmit();
+    tick();
+    expect(authService.login).toHaveBeenCalledWith('owner', 'hunter2');
+  }));
+
+  it('navigates to library on success', fakeAsync(() => {
+    authService.login.and.returnValue(of(undefined));
+    router.navigateByUrl.and.returnValue(Promise.resolve(true));
+    component.form.setValue({ username: 'owner', password: 'hunter2' });
+    component.onSubmit();
+    tick();
+    expect(router.navigateByUrl).toHaveBeenCalledWith('/');
+  }));
+
+  it('shows error message on 401', fakeAsync(() => {
+    const err = new HttpErrorResponse({ status: 401 });
+    authService.login.and.returnValue(throwError(() => err));
+    component.form.setValue({ username: 'owner', password: 'wrong' });
+    component.onSubmit();
+    tick();
+    expect(component.errorMessage).toBeTruthy();
+  }));
+
+  it('does not call login when fields are empty', fakeAsync(() => {
+    component.form.setValue({ username: '', password: '' });
+    component.onSubmit();
+    tick();
+    expect(authService.login).not.toHaveBeenCalled();
+  }));
+});