Set follow_redirects=False session-wide on TestClient and add redirect location assertions

Closes #101

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: chriscarrollsmith

tests/conftest.py

@@ -29,7 +29,7 @@ def env_vars(monkeypatch):
         m.setenv("DB_PORT", os.getenv("DB_PORT", "5432"))
         m.setenv("DB_USER", os.getenv("DB_USER", "postgres"))
         m.setenv("DB_PASSWORD", os.getenv("DB_PASSWORD", "postgres"))
-        m.setenv("SECRET_KEY", "testsecretkey")
+        m.setenv("SECRET_KEY", "testsecretkey-that-is-at-least-32-bytes-long")
         m.setenv("HOST_NAME", "Test Organization")
         m.setenv("DB_NAME", "webapp-test-db")
         m.setenv("RESEND_API_KEY", "test")
@@ -102,7 +102,7 @@ def unauth_client(session: Session) -> Generator[TestClient, None, None]:
     """
     Provides a TestClient instance without authentication.
     """
-    client = TestClient(app)
+    client = TestClient(app, follow_redirects=False)
     yield client
 
 
@@ -111,7 +111,7 @@ def auth_client(session: Session, test_account: Account, test_user: User) -> Gen
     """
     Provides a TestClient instance with valid authentication tokens.
     """
-    client = TestClient(app)
+    client = TestClient(app, follow_redirects=False)
 
     # Create and set valid tokens
     access_token = create_access_token({"sub": test_account.email})
@@ -275,8 +275,8 @@ def non_member_user(session: Session) -> User:
 @pytest.fixture
 def auth_client_owner(session: Session, org_owner: User) -> Generator[TestClient, None, None]:
     """Provides a TestClient authenticated as the organization owner"""
-    client = TestClient(app)
-    
+    client = TestClient(app, follow_redirects=False)
+
     # Initialize tokens
     access_token = ""
     refresh_token = ""
@@ -295,8 +295,8 @@ def auth_client_owner(session: Session, org_owner: User) -> Generator[TestClient
 @pytest.fixture
 def auth_client_admin(session: Session, org_admin_user: User) -> Generator[TestClient, None, None]:
     """Provides a TestClient authenticated as an organization administrator"""
-    client = TestClient(app)
-    
+    client = TestClient(app, follow_redirects=False)
+
     # Initialize tokens
     access_token = ""
     refresh_token = ""
@@ -315,8 +315,8 @@ def auth_client_admin(session: Session, org_admin_user: User) -> Generator[TestC
 @pytest.fixture
 def auth_client_member(session: Session, org_member_user: User) -> Generator[TestClient, None, None]:
     """Provides a TestClient authenticated as the organization member"""
-    client = TestClient(app)
-    
+    client = TestClient(app, follow_redirects=False)
+
     # Initialize tokens
     access_token = ""
     refresh_token = ""
@@ -335,8 +335,8 @@ def auth_client_member(session: Session, org_member_user: User) -> Generator[Tes
 @pytest.fixture
 def auth_client_non_member(session: Session, non_member_user: User) -> Generator[TestClient, None, None]:
     """Provides a TestClient authenticated as a non-member"""
-    client = TestClient(app)
-    
+    client = TestClient(app, follow_redirects=False)
+
     # Initialize tokens
     access_token = ""
     refresh_token = ""
@@ -469,8 +469,8 @@ def existing_invitee_user(session: Session, existing_invitee_account: Account) -
 @pytest.fixture
 def auth_client_invitee(session: Session, existing_invitee_user: User) -> Generator[TestClient, None, None]:
     """Provides a TestClient authenticated as the existing_invitee_user."""
-    client = TestClient(app)
-    
+    client = TestClient(app, follow_redirects=False)
+
     # Initialize tokens
     access_token = ""
     refresh_token = ""

tests/routers/core/test_account.py

@@ -55,11 +55,11 @@ def test_register_endpoint(unauth_client: TestClient, session: Session):
             "password": "NewPass123!@#",
             "confirm_password": "NewPass123!@#"
         },
-        follow_redirects=False
     )
-    
+
     # Just check the response status code
     assert response.status_code == 303
+    assert response.headers["location"] == str(app.url_path_for("read_dashboard"))
 
     # Verify the account was created
     account = session.exec(select(Account).where(Account.email == "new@example.com")).first()
@@ -79,9 +79,9 @@ def test_login_endpoint(unauth_client: TestClient, test_account: Account):
             "email": test_account.email,
             "password": "Test123!@#"
         },
-        follow_redirects=False
     )
     assert response.status_code == 303
+    assert response.headers["location"] == str(app.url_path_for("read_dashboard"))
 
     # Check if cookies are set
     cookies = response.cookies
@@ -99,9 +99,9 @@ def test_refresh_token_endpoint(auth_client: TestClient, test_account: Account):
 
     response = auth_client.post(
         app.url_path_for("refresh_token"),
-        follow_redirects=False
     )
     assert response.status_code == 303
+    assert response.headers["location"] == str(app.url_path_for("read_dashboard"))
 
     # Check for new tokens in headers
     cookie_headers = response.headers.get_list("set-cookie")
@@ -125,9 +125,9 @@ def test_password_reset_flow(unauth_client: TestClient, session: Session, test_a
     response = unauth_client.post(
         app.url_path_for("forgot_password"),
         data={"email": test_account.email},
-        follow_redirects=False
     )
     assert response.status_code == 303
+    assert response.headers["location"] == "/forgot_password?show_form=false"
 
     # Verify the email was "sent" with correct parameters
     mock_resend_send.assert_called_once()
@@ -167,9 +167,9 @@ def test_password_reset_flow(unauth_client: TestClient, session: Session, test_a
 def test_logout_endpoint(auth_client: TestClient):
     response = auth_client.get(
         app.url_path_for("logout"),
-        follow_redirects=False
     )
     assert response.status_code == 303
+    assert response.headers["location"] == "/"
 
     # Check for cookie deletion in headers
     cookie_headers = response.headers.get_list("set-cookie")
@@ -227,9 +227,9 @@ def test_password_reset_email_url(unauth_client: TestClient, session: Session, t
     response = unauth_client.post(
         app.url_path_for("forgot_password"),
         data={"email": test_account.email},
-        follow_redirects=False
     )
     assert response.status_code == 303
+    assert response.headers["location"] == "/forgot_password?show_form=false"
 
     # Get the reset token from the database
     reset_token = session.exec(select(PasswordResetToken)
@@ -269,16 +269,16 @@ def test_forgot_password_does_not_send_second_email_while_token_is_active(
     first_response = unauth_client.post(
         app.url_path_for("forgot_password"),
         data={"email": test_account.email},
-        follow_redirects=False,
     )
     assert first_response.status_code == 303
+    assert first_response.headers["location"] == "/forgot_password?show_form=false"
 
     second_response = unauth_client.post(
         app.url_path_for("forgot_password"),
         data={"email": test_account.email},
-        follow_redirects=False,
     )
     assert second_response.status_code == 303
+    assert second_response.headers["location"] == "/forgot_password?show_form=false"
 
     tokens = session.exec(
         select(PasswordResetToken).where(PasswordResetToken.account_id == test_account.id)
@@ -294,9 +294,8 @@ def test_request_email_update_success(auth_client: TestClient, test_account: Acc
     response = auth_client.post(
         app.url_path_for("request_email_update"),
         data={"email": test_account.email, "new_email": new_email},
-        follow_redirects=False
     )
-    
+
     assert response.status_code == 303
     assert f"{app.url_path_for('read_profile')}?email_update_requested=true" in response.headers["location"]
 
@@ -316,7 +315,6 @@ def test_request_email_update_same_email_returns_error_page(auth_client: TestCli
     response = auth_client.post(
         app.url_path_for("request_email_update"),
         data={"email": test_account.email, "new_email": test_account.email},
-        follow_redirects=False,
     )
 
     assert response.status_code == 401
@@ -349,10 +347,10 @@ def test_request_email_update_unauthenticated(unauth_client: TestClient):
     response = unauth_client.post(
         app.url_path_for("request_email_update"),
         data={"email": "test@example.com", "new_email": "new@example.com"},
-        follow_redirects=False
     )
-    
+
     assert response.status_code == 303  # Redirect to login
+    assert response.headers["location"] == str(app.url_path_for("read_login"))
 
 
 def test_confirm_email_update_success(unauth_client: TestClient, session: Session, test_account: Account):
@@ -371,7 +369,6 @@ def test_confirm_email_update_success(unauth_client: TestClient, session: Sessio
             "token": update_token.token,
             "new_email": new_email
         },
-        follow_redirects=False
     )
 
     assert response.status_code == 303
@@ -486,9 +483,9 @@ def test_login_success_resets_email_limiter(unauth_client: TestClient, test_acco
     response = unauth_client.post(
         app.url_path_for("login"),
         data={"email": test_account.email, "password": "Test123!@#"},
-        follow_redirects=False,
     )
     assert response.status_code == 303
+    assert response.headers["location"] == str(app.url_path_for("read_dashboard"))
 
     # Verify the limiter was reset — full allowance available
     assert login_email_limiter.remaining(f"email:{test_account.email.lower().strip()}") == login_email_limiter.max_attempts
@@ -505,7 +502,6 @@ def test_register_ip_rate_limit(unauth_client: TestClient, session: Session):
                 "password": "Test123!@#",
                 "confirm_password": "Test123!@#",
             },
-            follow_redirects=False,
         )
 
     response = unauth_client.post(
@@ -526,13 +522,11 @@ def test_forgot_password_ip_rate_limit(unauth_client: TestClient):
         unauth_client.post(
             app.url_path_for("forgot_password"),
             data={"email": f"user{i}@example.com"},
-            follow_redirects=False,
         )
 
     response = unauth_client.post(
         app.url_path_for("forgot_password"),
         data={"email": "extra@example.com"},
-        follow_redirects=False,
     )
     assert response.status_code == 429
 
@@ -543,7 +537,6 @@ def test_forgot_password_email_rate_limit(unauth_client: TestClient, test_accoun
         unauth_client.post(
             app.url_path_for("forgot_password"),
             data={"email": test_account.email},
-            follow_redirects=False,
         )
 
     response = unauth_client.post(

tests/routers/core/test_invitation.py

@@ -277,7 +277,6 @@ def test_create_invitation_success(auth_client, inviter_user: User, test_organiz
             "role_id": str(member_role_id), # Form data is usually string
             "organization_id": str(test_organization.id) # Form data is usually string
         },
-        follow_redirects=False # Important for checking redirect
     )
 
     assert response.status_code == 303, f"Expected 303 redirect, got {response.status_code}. Response: {response.text}" # See Other redirect
@@ -327,7 +326,6 @@ def test_create_invitation_unauthorized(auth_client_member, test_user: User, tes
             "role_id": str(member_role.id),
             "organization_id": str(test_organization.id)
         },
-        follow_redirects=False
     )
 
     assert response.status_code == 403, f"Expected 403 Forbidden, got {response.status_code}. Response: {response.text}" # Forbidden
@@ -388,7 +386,6 @@ def test_create_invitation_for_existing_member(auth_client, inviter_user: User,
             "role_id": str(member_role.id),
             "organization_id": str(test_organization.id)
         },
-        follow_redirects=False
     )
 
     # Expecting a 409 Conflict based on the plan
@@ -405,7 +402,6 @@ def test_create_invitation_duplicate_active(auth_client, inviter_user: User, exi
             "role_id": str(existing_invitation.role_id),
             "organization_id": str(existing_invitation.organization_id)
         },
-        follow_redirects=False
     )
 
     assert response.status_code == 409, f"Expected 409 Conflict, got {response.status_code}. Response: {response.text}" # Conflict - ActiveInvitationExistsError
@@ -421,7 +417,6 @@ def test_create_invitation_role_not_found(auth_client, inviter_user: User, test_
             "role_id": str(non_existent_role_id),
             "organization_id": str(test_organization.id)
         },
-        follow_redirects=False
     )
 
     # Depending on implementation, this might be 404 (Role Not Found) or 400 (Invalid Role for Org)
@@ -448,7 +443,6 @@ def test_create_invitation_role_wrong_organization(auth_client, inviter_user: Us
             "role_id": str(other_role.id),  # Role from the wrong org
             "organization_id": str(test_organization.id) # Target the main test org
         },
-        follow_redirects=False
     )
 
     # Plan suggests 400 Bad Request
@@ -473,12 +467,10 @@ def test_create_invitation_unauthenticated(unauth_client, test_organization: Org
             "role_id": str(member_role.id),
             "organization_id": str(test_organization.id)
         },
-        follow_redirects=False # Check for redirect explicitly
     )
 
     assert response.status_code == 303, f"Expected 303 redirect to login, got {response.status_code}" # Redirect to login
-    # Optionally check that the redirect location is the login page
-    # assert "/login" in response.headers.get("location", "")
+    assert response.headers["location"] == app.url_path_for("read_login")
 
 def test_create_invitation_email_send_failure(auth_client, inviter_user: User, test_organization: Organization, session: Session, mock_resend_send: MagicMock):
     """Test that invitation creation fails and rolls back if email sending fails."""
@@ -501,7 +493,6 @@ def test_create_invitation_email_send_failure(auth_client, inviter_user: User, t
             "role_id": str(member_role_id),
             "organization_id": str(test_organization.id)
         },
-        follow_redirects=False
     )
 
     assert response.status_code == 500, f"Expected 500 Internal Server Error, got {response.status_code}. Response: {response.text}"
@@ -523,7 +514,6 @@ def test_organization_page_shows_active_invitations(auth_client_owner, test_orga
     assert test_organization.id is not None
     response = auth_client_owner.get(
         app.url_path_for("read_organization", org_id=test_organization.id),
-        follow_redirects=False
     )
 
     assert response.status_code == 200
@@ -542,7 +532,6 @@ def test_organization_page_invite_form_visibility(auth_client_owner, auth_client
     # Owner should see invitation form (has INVITE_USER permission via Owner role -> permission fixture)
     owner_response = auth_client_owner.get(
         app.url_path_for("read_organization", org_id=test_organization.id),
-        follow_redirects=False
     )
     assert owner_response.status_code == 200
     assert '<form' in owner_response.text
@@ -553,7 +542,6 @@ def test_organization_page_invite_form_visibility(auth_client_owner, auth_client
     # Admin should also see invitation form (has INVITE_USER permission via Admin role -> permission fixture)
     admin_response = auth_client_admin.get(
         app.url_path_for("read_organization", org_id=test_organization.id),
-        follow_redirects=False
     )
     assert admin_response.status_code == 200
     assert '<form' in admin_response.text
@@ -562,7 +550,6 @@ def test_organization_page_invite_form_visibility(auth_client_owner, auth_client
     # Regular member should not see invitation form (lacks INVITE_USER permission)
     member_response = auth_client_member.get(
         app.url_path_for("read_organization", org_id=test_organization.id),
-        follow_redirects=False
     )
     assert member_response.status_code == 200