✅ Add new tests to check password updating

tiangolo · tiangolo · commit a867515bf171 · 2026-01-22T16:17:22.000+01:00
diff --git a/backend/tests/api/routes/test_login.py b/backend/tests/api/routes/test_login.py
@@ -1,12 +1,13 @@
 from unittest.mock import patch
 
 from fastapi.testclient import TestClient
+from pwdlib.hashers.bcrypt import BcryptHasher
 from sqlmodel import Session
 
 from app.core.config import settings
-from app.core.security import verify_password
+from app.core.security import get_password_hash, verify_password
 from app.crud import create_user
-from app.models import UserCreate
+from app.models import User, UserCreate
 from app.utils import generate_password_reset_token
 from tests.utils.user import user_authentication_headers
 from tests.utils.utils import random_email, random_lower_string
@@ -117,3 +118,68 @@ def test_reset_password_invalid_token(
     assert "detail" in response
     assert r.status_code == 400
     assert response["detail"] == "Invalid token"
+
+
+def test_login_with_bcrypt_password_upgrades_to_argon2(
+    client: TestClient, db: Session
+) -> None:
+    """Test that logging in with a bcrypt password hash upgrades it to argon2."""
+    email = random_email()
+    password = random_lower_string()
+
+    # Create a bcrypt hash directly (simulating legacy password)
+    bcrypt_hasher = BcryptHasher()
+    bcrypt_hash = bcrypt_hasher.hash(password)
+    assert bcrypt_hash.startswith("$2")  # bcrypt hashes start with $2
+
+    user = User(email=email, hashed_password=bcrypt_hash, is_active=True)
+    db.add(user)
+    db.commit()
+    db.refresh(user)
+
+    assert user.hashed_password.startswith("$2")
+
+    login_data = {"username": email, "password": password}
+    r = client.post(f"{settings.API_V1_STR}/login/access-token", data=login_data)
+    assert r.status_code == 200
+    tokens = r.json()
+    assert "access_token" in tokens
+
+    db.refresh(user)
+
+    # Verify the hash was upgraded to argon2
+    assert user.hashed_password.startswith("$argon2")
+
+    verified, updated_hash = verify_password(password, user.hashed_password)
+    assert verified
+    # Should not need another update since it's already argon2
+    assert updated_hash is None
+
+
+def test_login_with_argon2_password_keeps_hash(client: TestClient, db: Session) -> None:
+    """Test that logging in with an argon2 password hash does not update it."""
+    email = random_email()
+    password = random_lower_string()
+
+    # Create an argon2 hash (current default)
+    argon2_hash = get_password_hash(password)
+    assert argon2_hash.startswith("$argon2")
+
+    # Create user with argon2 hash
+    user = User(email=email, hashed_password=argon2_hash, is_active=True)
+    db.add(user)
+    db.commit()
+    db.refresh(user)
+
+    original_hash = user.hashed_password
+
+    login_data = {"username": email, "password": password}
+    r = client.post(f"{settings.API_V1_STR}/login/access-token", data=login_data)
+    assert r.status_code == 200
+    tokens = r.json()
+    assert "access_token" in tokens
+
+    db.refresh(user)
+
+    assert user.hashed_password == original_hash
+    assert user.hashed_password.startswith("$argon2")
diff --git a/backend/tests/crud/test_user.py b/backend/tests/crud/test_user.py
@@ -1,8 +1,9 @@
 from fastapi.encoders import jsonable_encoder
+from pwdlib.hashers.bcrypt import BcryptHasher
 from sqlmodel import Session
 
 from app import crud
-from app.core.security import verify_password
+from app.core.security import get_password_hash, verify_password
 from app.models import User, UserCreate, UserUpdate
 from tests.utils.utils import random_email, random_lower_string
 
@@ -90,3 +91,40 @@ def test_update_user(db: Session) -> None:
     assert user.email == user_2.email
     verified, _ = verify_password(new_password, user_2.hashed_password)
     assert verified
+
+
+def test_authenticate_user_with_bcrypt_upgrades_to_argon2(db: Session) -> None:
+    """Test that a user with bcrypt password hash gets upgraded to argon2 on login."""
+    email = random_email()
+    password = random_lower_string()
+
+    # Create a bcrypt hash directly (simulating legacy password)
+    bcrypt_hasher = BcryptHasher()
+    bcrypt_hash = bcrypt_hasher.hash(password)
+    assert bcrypt_hash.startswith("$2")  # bcrypt hashes start with $2
+
+    # Create user with bcrypt hash directly in the database
+    user = User(email=email, hashed_password=bcrypt_hash)
+    db.add(user)
+    db.commit()
+    db.refresh(user)
+
+    # Verify the hash is bcrypt before authentication
+    assert user.hashed_password.startswith("$2")
+
+    # Authenticate - this should upgrade the hash to argon2
+    authenticated_user = crud.authenticate(session=db, email=email, password=password)
+    assert authenticated_user
+    assert authenticated_user.email == email
+
+    db.refresh(authenticated_user)
+
+    # Verify the hash was upgraded to argon2
+    assert authenticated_user.hashed_password.startswith("$argon2")
+
+    verified, updated_hash = verify_password(
+        password, authenticated_user.hashed_password
+    )
+    assert verified
+    # Should not need another update since it's already argon2
+    assert updated_hash is None
