Context
The authorization redesign (Gate hierarchy + repo decorators) has good foundational tests but several gaps remain. These are important to close since authorization is security-critical.
Missing coverage
1. QueryHandler gate tests
test_auth_gate.py only tests CommandHandler with at_least(). We verify unprotected QueryHandler raises ConfigurationError, but never test a QueryHandler with at_least() actually allowing/denying a principal. Same metaclass pattern, but not explicitly covered.
2. Error code assertions (401 vs 403)
Tests match on exception messages but never assert error.code == "missing_token" vs error.code == "access_denied". These codes drive the 401/403 HTTP mapping in errors.py, so they should be pinned down explicitly.
3. DI provider identity resolution
No unit tests for get_identity() / get_principal() in AuthProvider:
- Valid JWT → Principal with roles
- Expired/invalid JWT → Anonymous
- No Authorization header → Anonymous
- get_principal(Anonymous()) → raises AuthorizationError with code="missing_token"
4. Concrete handler auth configurations
No tests verifying specific handler configurations work end-to-end, e.g.:
- CreateDepositionHandler with DEPOSITOR principal succeeds
- AssignRoleHandler with non-SUPERADMIN principal fails
- Public handlers (login, refresh) work without any principal
5. Deposition repo decorator integration
We test @reads/@writes on a fake repo but don't test PostgresDepositionRepository's actual decorator wiring:
- Owner can read own deposition
- Curator can read any deposition
- Non-owner depositor denied read
- System (worker) bypasses all checks
The old test_deposition_service_auth.py covered this via Guarded[T] but was deleted in the redesign.
6. Multiple roles on a principal
All current tests use single-role principals. Should verify behavior when a principal has multiple roles (e.g. both DEPOSITOR and CURATOR).
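
A sketch of what the tests for items 2, 3 (the Anonymous case) and 6 could pin down. This is an added example, not the project's code: Role, Principal, Anonymous, AuthorizationError, get_principal, at_least and HTTP_STATUS are simplified stand-ins with assumed shapes, and "highest role wins" for multi-role principals is an assumption about the intended behavior.

```python
from dataclasses import dataclass
from enum import IntEnum
# Stand-ins with assumed shapes; none of this is the project's real code.
class Role(IntEnum):  # assumption: a higher value means more privilege
    DEPOSITOR = 1
    CURATOR = 2
    SUPERADMIN = 3

class AuthorizationError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.code = code

class Anonymous: pass

@dataclass(frozen=True)
class Principal:
    roles: frozenset

HTTP_STATUS = {"missing_token": 401, "access_denied": 403}  # assumed errors.py mapping

def get_principal(identity):
    if isinstance(identity, Anonymous):
        raise AuthorizationError("missing_token")
    return identity

def at_least(minimum):
    def gate(identity):
        principal = get_principal(identity)  # unauthenticated fails first
        # Assumption: the highest role a principal holds decides the outcome.
        if max(principal.roles, default=0) < minimum:
            raise AuthorizationError("access_denied")
        return principal
    return gate

def outcome(gate, identity):
    """Return (error code, HTTP status); (None, 200) when the gate allows."""
    try:
        gate(identity)
    except AuthorizationError as err:
        return err.code, HTTP_STATUS[err.code]
    return None, 200

def test_codes_and_multiple_roles():
    dep = Principal(frozenset({Role.DEPOSITOR}))
    both = Principal(frozenset({Role.DEPOSITOR, Role.CURATOR}))
    assert outcome(at_least(Role.CURATOR), Anonymous()) == ("missing_token", 401)
    assert outcome(at_least(Role.CURATOR), dep) == ("access_denied", 403)
    assert outcome(at_least(Role.CURATOR), both) == (None, 200)
    assert outcome(at_least(Role.SUPERADMIN), both) == ("access_denied", 403)
```

Asserting on the code rather than the message keeps the 401/403 split from regressing silently when wording changes.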