test: cover joserfc migration paths (#1197)

MatthewJamisonJS · benoit-cty · commit 1f090367d30d · 2026-06-06T11:38:45.000+02:00
Address review follow-ups on the authlib.jose -&gt; joserfc migration:

- tests/cli/test_cli_auth.py: strengthen test_validate_access_token_valid
  with a realistic claims dict (exp/iat/sub) so JWTClaimsRegistry actually
  exercises its default validators instead of trivially passing on an
  empty payload. Add test_validate_access_token_expired_returns_false to
  pin down the expiry-rejection behaviour through the real registry.

- carbonserver/tests/api/service/test_auth_provider.py: add
  test_decode_token_falls_back_to_jwks_when_fief_fails covering the
  previously-untested JWKS fallback in OIDCAuthProvider._decode_token —
  the only joserfc-using path in carbonserver.
diff --git a/carbonserver/tests/api/service/test_auth_provider.py b/carbonserver/tests/api/service/test_auth_provider.py
@@ -2,6 +2,12 @@
 Unit tests for OIDC authentication provider.
 """
 
+import time
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import pytest
+
+from carbonserver.api.services.auth_providers import oidc_auth_provider
 from carbonserver.api.services.auth_providers.oidc_auth_provider import OIDCAuthProvider
 from carbonserver.config import settings
 
@@ -26,3 +32,52 @@ def test_oidc_provider_initialization(self):
             settings.oidc_client_id,
             settings.oidc_client_secret,
         )
+
+    @pytest.mark.asyncio
+    async def test_decode_token_falls_back_to_jwks_when_fief_fails(self):
+        """When fief.validate_access_token raises, _decode_token must fall back
+        to the joserfc JWKS verification path and return a plain dict."""
+        provider = OIDCAuthProvider(
+            base_url="https://auth.example.com",
+            client_id="test_client",
+            client_secret="test_secret",
+        )
+
+        now = int(time.time())
+        expected_claims = {
+            "sub": "user-456",
+            "iat": now - 5,
+            "exp": now + 600,
+            "email": "user@example.com",
+        }
+
+        jwks_payload = {"keys": [{"kty": "RSA", "kid": "k1"}]}
+        provider.client = MagicMock()
+        provider.client.fetch_jwk_set = AsyncMock(return_value=jwks_payload)
+
+        decoded_token = MagicMock()
+        decoded_token.claims = expected_claims
+
+        with (
+            patch.object(
+                oidc_auth_provider.fief,
+                "validate_access_token",
+                new=AsyncMock(side_effect=Exception("fief unavailable")),
+            ),
+            patch.object(
+                oidc_auth_provider.KeySet,
+                "import_key_set",
+                return_value="keyset",
+            ) as mock_import,
+            patch.object(
+                oidc_auth_provider.jose_jwt,
+                "decode",
+                return_value=decoded_token,
+            ) as mock_decode,
+        ):
+            result = await provider._decode_token("opaque-token")
+
+        assert result == expected_claims
+        assert isinstance(result, dict)
+        mock_import.assert_called_once_with(jwks_payload)
+        mock_decode.assert_called_once_with("opaque-token", "keyset")
diff --git a/tests/cli/test_cli_auth.py b/tests/cli/test_cli_auth.py
@@ -1,6 +1,7 @@
 import io
 import json
 import tempfile
+import time
 import unittest
 from pathlib import Path
 from unittest.mock import MagicMock, patch
@@ -98,12 +99,34 @@ def test_validate_access_token_valid(
         mock_get.return_value.json.return_value = {"jwks_uri": "jwks"}
         mock_get.return_value.raise_for_status.return_value = None
         mock_import_key_set.return_value = "keyset"
-        mock_decode.return_value.claims = {}
+        now = int(time.time())
+        mock_decode.return_value.claims = {
+            "iat": now - 10,
+            "exp": now + 300,
+            "sub": "user-123",
+        }
         with patch(
             "codecarbon.cli.auth._discover_endpoints", return_value={"jwks_uri": "jwks"}
         ):
             self.assertTrue(auth._validate_access_token("token"))
 
+    @patch("codecarbon.cli.auth.requests.get")
+    @patch("codecarbon.cli.auth.KeySet.import_key_set")
+    @patch("codecarbon.cli.auth.jose_jwt.decode")
+    def test_validate_access_token_expired_returns_false(
+        self, mock_decode, mock_import_key_set, mock_get
+    ):
+        # Expired exp must trip JWTClaimsRegistry validation
+        mock_get.return_value.json.return_value = {"jwks_uri": "jwks"}
+        mock_get.return_value.raise_for_status.return_value = None
+        mock_import_key_set.return_value = "keyset"
+        now = int(time.time())
+        mock_decode.return_value.claims = {"exp": now - 10}
+        with patch(
+            "codecarbon.cli.auth._discover_endpoints", return_value={"jwks_uri": "jwks"}
+        ):
+            self.assertFalse(auth._validate_access_token("token"))
+
     @patch("codecarbon.cli.auth._discover_endpoints", return_value={"jwks_uri": "jwks"})
     @patch(
         "codecarbon.cli.auth.requests.get",
