tailscalesd/tests/test_auth.py

from fastapi.testclient import TestClient
from tailscalesd.main import Settings, app, get_settings

client = TestClient(app)


def get_settings_override() -> Settings:
    return Settings(
        test_mode=True,
        tailnet="test",
        client_id="test",
        client_secret="test",
        bearer_token="test",
    )


app.dependency_overrides[get_settings] = get_settings_override


def test_auth_works():
    response = client.get("/", headers={"Authorization": "Bearer test"})
    assert response.status_code == 200
    assert response.json() == []


def test_unauthorized_wrong_token():
    response = client.get("/", headers={"Authorization": "Bearer incorrect_token"})
    assert response.status_code == 401
    assert response.json() == {"detail": "Invalid authentication credentials"}


def test_unauthorized_no_token():
    response = client.get("/")
    assert response.status_code == 403
    assert response.json() == {"detail": "Not authenticated"}


def test_settings_support_secret_files(tmp_path):
    bearer_token_file = tmp_path / "bearer_token"
    client_id_file = tmp_path / "client_id"
    client_secret_file = tmp_path / "client_secret"
    bearer_token_file.write_text("from-file-token\n", encoding="utf-8")
    client_id_file.write_text("from-file-client-id\n", encoding="utf-8")
    client_secret_file.write_text("from-file-client-secret\n", encoding="utf-8")

    settings = Settings(
        test_mode=True,
        tailnet="test",
        bearer_token_file=str(bearer_token_file),
        client_id_file=str(client_id_file),
        client_secret_file=str(client_secret_file),
    )

    assert settings.bearer_token is not None
    assert settings.client_id is not None
    assert settings.client_secret is not None
    assert settings.bearer_token.get_secret_value() == "from-file-token"
    assert settings.client_id.get_secret_value() == "from-file-client-id"
    assert settings.client_secret.get_secret_value() == "from-file-client-secret"
add required bearer auth token 2023-11-07 10:47:24 +01:00			`from fastapi.testclient import TestClient`
			`from tailscalesd.main import Settings, app, get_settings`

			`client = TestClient(app)`


			`def get_settings_override() -> Settings:`
Switch to using tailscale oauth api This removes the need to update the API key every 90 days. 2024-07-17 09:48:30 +02:00			`return Settings(`
			`test_mode=True,`
			`tailnet="test",`
			`client_id="test",`
			`client_secret="test",`
			`bearer_token="test",`
			`)`
add required bearer auth token 2023-11-07 10:47:24 +01:00

			`app.dependency_overrides[get_settings] = get_settings_override`


			`def test_auth_works():`
			`response = client.get("/", headers={"Authorization": "Bearer test"})`
			`assert response.status_code == 200`
			`assert response.json() == []`


			`def test_unauthorized_wrong_token():`
			`response = client.get("/", headers={"Authorization": "Bearer incorrect_token"})`
			`assert response.status_code == 401`
			`assert response.json() == {"detail": "Invalid authentication credentials"}`


			`def test_unauthorized_no_token():`
			`response = client.get("/")`
			`assert response.status_code == 403`
			`assert response.json() == {"detail": "Not authenticated"}`
Use LoadCredential secrets and DynamicUser for tailscalesd. 2026-03-05 15:56:06 +01:00

			`def test_settings_support_secret_files(tmp_path):`
			`bearer_token_file = tmp_path / "bearer_token"`
			`client_id_file = tmp_path / "client_id"`
			`client_secret_file = tmp_path / "client_secret"`
			`bearer_token_file.write_text("from-file-token\n", encoding="utf-8")`
			`client_id_file.write_text("from-file-client-id\n", encoding="utf-8")`
			`client_secret_file.write_text("from-file-client-secret\n", encoding="utf-8")`

			`settings = Settings(`
			`test_mode=True,`
			`tailnet="test",`
			`bearer_token_file=str(bearer_token_file),`
			`client_id_file=str(client_id_file),`
			`client_secret_file=str(client_secret_file),`
			`)`

			`assert settings.bearer_token is not None`
			`assert settings.client_id is not None`
			`assert settings.client_secret is not None`
			`assert settings.bearer_token.get_secret_value() == "from-file-token"`
			`assert settings.client_id.get_secret_value() == "from-file-client-id"`
			`assert settings.client_secret.get_secret_value() == "from-file-client-secret"`