wip

2026-02-16 23:30:37 -05:00
parent 3e1715e487 d600dde97f
commit df832e2238
15 changed files with 724 additions and 35 deletions
--- a/backend/tests/test_user_api.py
+++ b/backend/tests/test_user_api.py
@@ -138,11 +138,12 @@ def test_login_succeeds_for_unmarked_user(client):
    assert 'message' in data

 def test_password_reset_ignored_for_marked_user(client):
-    """Test that password reset requests are silently ignored for marked users."""
+    """Test that password reset requests return 403 for marked users."""
    response = client.post('/request-password-reset', json={"email": MARKED_EMAIL})
-    assert response.status_code == 200
+    assert response.status_code == 403
    data = response.get_json()
-    assert 'message' in data
+    assert 'error' in data
+    assert data['code'] == 'ACCOUNT_MARKED_FOR_DELETION'

 def test_password_reset_works_for_unmarked_user(client):
    """Test that password reset works normally for unmarked users."""
@@ -167,6 +168,35 @@ def test_mark_for_deletion_updates_timestamp(authenticated_client):
    
    assert before_time <= marked_at <= after_time

+
+def test_mark_for_deletion_clears_tokens(authenticated_client):
+    """When an account is marked for deletion, verify/reset tokens must be cleared."""
+    # Seed verify/reset tokens for the user
+    UserQuery = Query()
+    now_iso = datetime.utcnow().isoformat()
+    users_db.update({
+        'verify_token': 'verify-abc',
+        'verify_token_created': now_iso,
+        'reset_token': 'reset-xyz',
+        'reset_token_created': now_iso
+    }, UserQuery.email == TEST_EMAIL)
+
+    # Ensure tokens are present before marking
+    user_before = users_db.search(UserQuery.email == TEST_EMAIL)[0]
+    assert user_before['verify_token'] is not None
+    assert user_before['reset_token'] is not None
+
+    # Mark account for deletion
+    response = authenticated_client.post('/user/mark-for-deletion', json={"email": TEST_EMAIL})
+    assert response.status_code == 200
+
+    # Verify tokens were cleared in the DB
+    user_after = users_db.search(UserQuery.email == TEST_EMAIL)[0]
+    assert user_after.get('verify_token') is None
+    assert user_after.get('verify_token_created') is None
+    assert user_after.get('reset_token') is None
+    assert user_after.get('reset_token_created') is None
+
 def test_mark_for_deletion_with_invalid_jwt(client):
    """Test marking for deletion with invalid JWT token."""
    # Set invalid cookie manually