added automated backend auth/session tests and verified they pass.

Author: SHRAVANIRANE

.env.example

@@ -2,6 +2,7 @@ APP_ENV=development
 SECRET_KEY=replace-with-a-long-random-string
 FRONTEND_URL=http://localhost:5173
 SESSION_TTL_SECONDS=3600
+SESSIONS_DB_PATH=sessions.db
 GITHUB_CLIENT_ID=your_github_client_id
 GITHUB_CLIENT_SECRET=your_github_client_secret
 GITHUB_TOKEN=your_github_token

.gitignore

@@ -14,3 +14,6 @@ venv/
 # Logs
 *.log
 sessions.json
+sessions.db
+sessions.db-shm
+sessions.db-wal

PRODUCTION_READINESS.md

@@ -11,8 +11,9 @@
 ## 2. Auth & Sessions
 - [x] Session cookie uses environment-based `secure` and `samesite`.
 - [x] Session TTL configurable (`SESSION_TTL_SECONDS`).
-- [ ] Replace `sessions.json` with Redis/DB-backed session store.
+- [x] Replace `sessions.json` with SQLite-backed session store (`sessions.db`).
 - [ ] Add CSRF protections for state-changing endpoints.
+- [ ] Optional: move sessions from SQLite to Redis for multi-instance horizontal scaling.
 
 ## 3. Reliability
 - [x] AI model fallback and status endpoint (`/api/ai-status`) added.
@@ -28,7 +29,8 @@
 
 ## 5. Quality Gates
 - [x] Static checks currently passing (`py_compile`, frontend lint).
-- [ ] Add backend API tests (auth, files, chat).
+- [x] Add backend API tests for auth/session lifecycle (`tests/test_auth_sessions.py`).
+- [ ] Extend backend API tests to files/chat endpoints.
 - [ ] Add frontend integration tests (repo tree + file preview + chat).
 - [ ] CI pipeline enforcing lint/tests before merge.
 

main.py

@@ -2,6 +2,7 @@
 import os
 import asyncio
 import logging
+import sqlite3
 from fastapi import FastAPI, Depends, HTTPException, Response, Request
 from fastapi.responses import RedirectResponse, JSONResponse
 from fastapi.middleware.cors import CORSMiddleware
@@ -40,7 +41,8 @@
     logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
 
 # ---- Session persistence ----
-SESSIONS_FILE = "sessions.json"
+SESSIONS_FILE = "sessions.json"  # legacy migration source
+SESSIONS_DB_PATH = os.getenv("SESSIONS_DB_PATH", "sessions.db")
 
 # ---- GitHub API URL ----
 GITHUB_API_URL = "https://api.github.com/users"
@@ -59,21 +61,81 @@ class ChatResponse(BaseModel):
     meta: dict = {}
 
 
-def load_sessions():
-    if os.path.exists(SESSIONS_FILE):
-        with open(SESSIONS_FILE, "r") as f:
-            try:
-                return json.load(f)
-            except json.JSONDecodeError:
-                return {}
-    return {}
+def _db_connect():
+    conn = sqlite3.connect(SESSIONS_DB_PATH)
+    conn.row_factory = sqlite3.Row
+    return conn
+
+
+def init_session_store():
+    with _db_connect() as conn:
+        conn.execute(
+            """
+            CREATE TABLE IF NOT EXISTS sessions (
+                session_id TEXT PRIMARY KEY,
+                data TEXT NOT NULL,
+                expires REAL NOT NULL
+            )
+            """
+        )
+        conn.execute("CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires)")
+
+
+def session_store_set(session_id: str, data: dict):
+    expires = float(data.get("expires", 0))
+    with _db_connect() as conn:
+        conn.execute(
+            "INSERT OR REPLACE INTO sessions (session_id, data, expires) VALUES (?, ?, ?)",
+            (session_id, json.dumps(data), expires),
+        )
+
+
+def session_store_get(session_id: str) -> Optional[dict]:
+    with _db_connect() as conn:
+        row = conn.execute(
+            "SELECT data, expires FROM sessions WHERE session_id = ?",
+            (session_id,),
+        ).fetchone()
+        if not row:
+            return None
+        if float(row["expires"]) < time.time():
+            conn.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))
+            return None
+        try:
+            return json.loads(row["data"])
+        except Exception:
+            conn.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))
+            return None
 
-def save_sessions():
-    with open(SESSIONS_FILE, "w") as f:
-        json.dump(sessions, f)
 
-sessions = load_sessions()
+def session_store_delete(session_id: str):
+    with _db_connect() as conn:
+        conn.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))
 
+
+def session_store_cleanup_expired():
+    with _db_connect() as conn:
+        conn.execute("DELETE FROM sessions WHERE expires < ?", (time.time(),))
+
+
+def migrate_legacy_sessions():
+    if not os.path.exists(SESSIONS_FILE):
+        return
+    try:
+        with open(SESSIONS_FILE, "r") as f:
+            legacy = json.load(f)
+    except Exception:
+        return
+    if not isinstance(legacy, dict):
+        return
+    for sid, data in legacy.items():
+        if isinstance(data, dict):
+            session_store_set(sid, data)
+
+
+init_session_store()
+migrate_legacy_sessions()
+session_store_cleanup_expired()
 # ---- Cookie signing ----
 SECRET_KEY = os.getenv("SECRET_KEY")
 if not SECRET_KEY:
@@ -207,7 +269,7 @@ def get_current_user(request: Request):
         raise HTTPException(status_code=401, detail="Not authenticated")
     try:
         session_id = serializer.loads(cookie)["session_id"]
-        session = sessions.get(session_id)
+        session = session_store_get(session_id)
         if not session or session["expires"] < time.time():
             raise HTTPException(status_code=401, detail="Session expired")
         return session
@@ -251,9 +313,6 @@ async def github_login():
 async def github_callback(request: Request, code: str, state: Optional[str] = None):
     ensure_github_oauth_config()
     validate_oauth_state(request, state)
-    ensure_github_oauth_config()
-    if not state:
-        raise HTTPException(status_code=400, detail="Missing state parameter")
 
     async with httpx.AsyncClient() as client:
         token_response = await client.post(
@@ -272,13 +331,13 @@ async def github_callback(request: Request, code: str, state: Optional[str] = No
         user_data = await get_github_user(token_data["access_token"])
 
         session_id = str(uuid4())
-        sessions[session_id] = {
+        session_data = {
             "access_token": token_data["access_token"],
             "user": user_data["login"],
             "user_id": user_data["id"],
             "expires": time.time() + SESSION_TTL_SECONDS
         }
-        save_sessions()
+        session_store_set(session_id, session_data)
 
         signed_cookie = serializer.dumps({"session_id": session_id})
         response = RedirectResponse(url=FRONTEND_URL)
@@ -908,10 +967,8 @@ async def logout(request: Request, user=Depends(get_current_user)):
     except Exception:
         pass
 
-    # Remove from sessions.json if exists
-    if session_id and session_id in sessions:
-        sessions.pop(session_id, None)
-        save_sessions()
+    if session_id:
+        session_store_delete(session_id)
 
     # Clear cookie
     response = JSONResponse({"message": "Logged out"})
@@ -1053,3 +1110,5 @@ async def get_task_status(task_id: str):
 
 
 
+
+

tests/test_auth_sessions.py

@@ -0,0 +1,117 @@
+import os
+import tempfile
+import unittest
+from unittest.mock import patch
+
+from fastapi.testclient import TestClient
+
+import main
+
+
+class _MockHTTPResponse:
+    def __init__(self, status_code=200, json_data=None):
+        self.status_code = status_code
+        self._json_data = json_data or {}
+        self.headers = {}
+        self.text = ""
+
+    def json(self):
+        return self._json_data
+
+    def raise_for_status(self):
+        if self.status_code >= 400:
+            raise RuntimeError(f"HTTP {self.status_code}")
+
+
+class _MockAsyncClient:
+    async def __aenter__(self):
+        return self
+
+    async def __aexit__(self, exc_type, exc, tb):
+        return False
+
+    async def post(self, url, params=None, headers=None):
+        if "login/oauth/access_token" in url:
+            return _MockHTTPResponse(
+                200,
+                {"access_token": "mock_access_token"},
+            )
+        return _MockHTTPResponse(404, {"message": "not found"})
+
+    async def get(self, url, headers=None):
+        if url == "https://api.github.com/user":
+            return _MockHTTPResponse(
+                200,
+                {"login": "mock-user", "id": 12345},
+            )
+        return _MockHTTPResponse(404, {"message": "not found"})
+
+
+class AuthSessionTests(unittest.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls._orig_db = main.SESSIONS_DB_PATH
+        cls._tmp_dir = tempfile.TemporaryDirectory()
+        main.SESSIONS_DB_PATH = os.path.join(cls._tmp_dir.name, "test_sessions.db")
+        main.init_session_store()
+
+    @classmethod
+    def tearDownClass(cls):
+        main.SESSIONS_DB_PATH = cls._orig_db
+        try:
+            cls._tmp_dir.cleanup()
+        except PermissionError:
+            # On Windows, sqlite may release file handles slightly later.
+            pass
+
+    def setUp(self):
+        main.session_store_cleanup_expired()
+        self.client = TestClient(main.app)
+
+    def tearDown(self):
+        self.client.close()
+
+    def test_login_sets_oauth_state_cookie(self):
+        res = self.client.get("/login/github", follow_redirects=False)
+        self.assertEqual(res.status_code, 307)
+        self.assertIn("oauth_state=", res.headers.get("set-cookie", ""))
+        self.assertIn("github.com/login/oauth/authorize", res.headers.get("location", ""))
+
+    def test_callback_rejects_missing_state_cookie(self):
+        res = self.client.get("/auth/github/callback?code=abc&state=s1", follow_redirects=False)
+        self.assertEqual(res.status_code, 400)
+        self.assertIn("OAuth state cookie", res.json().get("detail", ""))
+
+    def test_callback_rejects_state_mismatch(self):
+        self.client.get("/login/github", follow_redirects=False)
+        res = self.client.get("/auth/github/callback?code=abc&state=wrong", follow_redirects=False)
+        self.assertEqual(res.status_code, 400)
+        self.assertIn("state mismatch", res.json().get("detail", ""))
+
+    def test_callback_creates_session_and_auth_works_then_logout(self):
+        login_res = self.client.get("/login/github", follow_redirects=False)
+        self.assertEqual(login_res.status_code, 307)
+        location = login_res.headers["location"]
+        state = location.split("state=")[1].split("&")[0]
+
+        with patch("main.httpx.AsyncClient", _MockAsyncClient):
+            callback_res = self.client.get(
+                f"/auth/github/callback?code=abc123&state={state}",
+                follow_redirects=False,
+            )
+        self.assertEqual(callback_res.status_code, 307)
+        self.assertIn("session_id=", callback_res.headers.get("set-cookie", ""))
+
+        authed = self.client.get("/test-auth")
+        self.assertEqual(authed.status_code, 200)
+        self.assertIn("mock-user", authed.json().get("message", ""))
+
+        logout = self.client.post("/logout")
+        self.assertEqual(logout.status_code, 200)
+
+        authed_after = self.client.get("/test-auth")
+        self.assertEqual(authed_after.status_code, 401)
+
+
+if __name__ == "__main__":
+    unittest.main()