def test_auth_cookie_settings(monkeypatch, user, call_auth_endpoint):
auth_cookie = "jwt-auth"
monkeypatch.setattr(api_settings, "JWT_AUTH_COOKIE", auth_cookie)
monkeypatch.setattr(api_settings, "JWT_AUTH_COOKIE_DOMAIN", '.do.main')
monkeypatch.setattr(api_settings, "JWT_AUTH_COOKIE_PATH", '/pa/th')
monkeypatch.setattr(api_settings, "JWT_AUTH_COOKIE_SECURE", False)
monkeypatch.setattr(api_settings, "JWT_AUTH_COOKIE_SAMESITE", 'Strict')
response = call_auth_endpoint("username", "password")
assert auth_cookie in response.cookies
setcookie = response.cookies[auth_cookie]
assert setcookie['domain'] == '.do.main'
assert setcookie['path'] == '/pa/th'
assert 'secure' not in setcookie.items()
assert setcookie['httponly'] is True # hardcoded
if has_set_cookie_samesite():
assert setcookie['samesite'] == 'Strict'
def test_valid_credentials_with_auth_cookie_enabled_returns_jwt_and_cookie(
monkeypatch, user, call_auth_endpoint):
auth_cookie = "jwt-auth"
monkeypatch.setattr(api_settings, "JWT_AUTH_COOKIE", auth_cookie)
response = call_auth_endpoint("username", "password")
assert auth_cookie in response.cookies
setcookie = response.cookies[auth_cookie]
assert 'domain' not in setcookie.items()
assert setcookie['path'] == '/'
assert setcookie['secure'] is True
assert setcookie['httponly'] is True # hardcoded
if has_set_cookie_samesite():
assert setcookie['samesite'] == 'Lax'
assert response.status_code == status.HTTP_200_OK
assert "token" in force_text(response.content)
assert auth_cookie in response.client.cookies
