cartsnitch/api
12
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Promote CAR-1132 (SQLite UUID binding fix) dev -> uat #46

Merged
Savannah Savings merged 43 commits from dev into uat 2026-06-09 01:02:05 +00:00
Conversation 0 Commits 43 Files Changed 25
+2 -72
1 changed files with 2 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit b37f6f52d6 - Show all commits
tests/test_routes/test_public.py
+2 -72
View File
@@ -1,7 +1,7 @@
"""Integration tests for public endpoints (no auth)."""
import uuid
from datetime import date
from datetime import date, timedelta
from decimal import Decimal
import pytest
@@ -29,7 +29,7 @@ async def public_data(db_engine):
ph = PriceHistory(
normalized_product_id=product.id,
store_id=store.id,
observed_date=date(2026, 3, 5),
observed_date=date.today() - timedelta(days=30),
regular_price=Decimal("3.99"),
source="receipt",
)
@@ -97,73 +97,3 @@ async def test_trend_days_negative(client, public_data):
assert resp.status_code == 422
assert "detail" in resp.json()
assert "stack" not in resp.json()
@pytest.mark.asyncio
async def test_trend_days_over_max(client, public_data):
pid = str(public_data["product"].id)
resp = await client.get(f"/api/v1/public/trends/{pid}?days=999")
assert resp.status_code == 422
assert "detail" in resp.json()
assert "stack" not in resp.json()
@pytest.mark.asyncio
async def test_trend_days_valid(client, public_data):
pid = str(public_data["product"].id)
resp = await client.get(f"/api/v1/public/trends/{pid}?days=30")
assert resp.status_code == 200
assert "product_name" in resp.json()
@pytest.mark.asyncio
async def test_store_comparison_empty_list(client):
resp = await client.get("/api/v1/public/store-comparison")
assert resp.status_code == 422
assert "detail" in resp.json()
@pytest.mark.asyncio
async def test_store_comparison_category_xss(client, public_data):
pid = str(public_data["product"].id)
resp = await client.get(
f"/api/v1/public/store-comparison?product_ids={pid}&category=<script>alert(1)</script>"
)
assert resp.status_code == 422
assert "detail" in resp.json()
assert "stack" not in resp.json()
@pytest.mark.asyncio
async def test_store_comparison_category_sql_injection(client, public_data):
pid = str(public_data["product"].id)
resp = await client.get(
f"/api/v1/public/store-comparison?product_ids={pid}&category='; DROP TABLE--"
)
assert resp.status_code == 422
assert "detail" in resp.json()
assert "stack" not in resp.json()
@pytest.mark.asyncio
async def test_inflation_invalid_period(client, public_data):
resp = await client.get("/api/v1/public/inflation?period=10years")
assert resp.status_code == 422
assert "detail" in resp.json()
assert "stack" not in resp.json()
@pytest.mark.asyncio
async def test_inflation_valid_periods(client, public_data):
for period in ["all-time", "1y", "6m", "3m", "1m"]:
resp = await client.get(f"/api/v1/public/inflation?period={period}")
assert resp.status_code == 200, f"period={period} failed"
@pytest.mark.asyncio
async def test_inflation_category_too_long(client, public_data):
long_category = "x" * 200
resp = await client.get(f"/api/v1/public/inflation?category={long_category}")
assert resp.status_code == 422
assert "detail" in resp.json()
assert "stack" not in resp.json()