fix: webauthn stub in tests, timezone-aware datetimes, Pydantic v2 ConfigDict, add .gitignore

[Copilot]

Five auth router tests were crashing with ModuleNotFoundError: No module named 'webauthn', and datetime.utcnow() deprecation warnings were firing across auth code on Python 3.12+. No .gitignore existed, so __pycache__ artifacts had been committed.

Changes

• tests/test_auth_router_security.py – _load_auth_router() now stubs webauthn and webauthn.helpers.structs into sys.modules before importing backend.auth_router, matching the existing pattern for backend.database/backend.models
• backend/auth_router.py, backend/auth.py – Replace all datetime.utcnow() with datetime.now(timezone.utc); add timezone to imports. Comparison and creation are now both timezone-aware, eliminating mixed-aware/naive TypeError risk
• backend/auth_router.py – Replace deprecated Pydantic v1-style class Config: from_attributes = True on UserResponse with model_config = ConfigDict(from_attributes=True)
• .gitignore – Add standard Python .gitignore; remove previously tracked __pycache__/*.pyc entries from the git index

# before
fake_models.User = _StubUser
monkeypatch.setitem(sys.modules, "backend.database", fake_database)
monkeypatch.setitem(sys.modules, "backend.models", fake_models)

# after – webauthn stubbed so auth_router can be imported without the package
monkeypatch.setitem(sys.modules, "webauthn", _stub_webauthn)
monkeypatch.setitem(sys.modules, "webauthn.helpers", _stub_helpers)
monkeypatch.setitem(sys.modules, "webauthn.helpers.structs", _stub_structs)
monkeypatch.setitem(sys.modules, "backend.database", fake_database)
monkeypatch.setitem(sys.modules, "backend.models", fake_models)

Summary by Sourcery

Ensure authentication flows and tests use timezone-aware datetimes and work without the optional WebAuthn dependency, while aligning the auth router model with Pydantic v2 configuration and ignoring Python build artifacts in version control.

Bug Fixes:

• Stub the optional WebAuthn module and its helper structs in auth router tests so they run without the webauthn package installed.
• Replace uses of datetime.utcnow() in auth and auth router logic with timezone-aware UTC datetimes to avoid deprecation warnings and mixed-aware/naive datetime issues.

Enhancements:

• Update the UserResponse Pydantic model to use ConfigDict-based configuration compatible with Pydantic v2.

Build:

• Add a Python-focused .gitignore to exclude pycache and other generated artifacts from version control.

Tests:

• Adjust auth router tests to use timezone-aware expiration timestamps consistent with the application code.

[sourcery-ai]

Reviewer's Guide

Makes auth tests resilient to missing optional webauthn dependency, standardizes all auth-related datetime handling to timezone-aware usage, updates a Pydantic model to v2-style configuration, and adds a Python-focused .gitignore to stop tracking bytecode artifacts.

Sequence diagram for auth router import with webauthn stubs in tests

sequenceDiagram
    actor Pytest
    participant TestAuthRouterSecurity
    participant SysModules
    participant WebauthnStub
    participant BackendAuthRouter

    Pytest->>TestAuthRouterSecurity: run _load_auth_router
    TestAuthRouterSecurity->>WebauthnStub: create _stub_webauthn, _stub_helpers, _stub_structs
    TestAuthRouterSecurity->>SysModules: setitem webauthn = _stub_webauthn
    TestAuthRouterSecurity->>SysModules: setitem webauthn.helpers = _stub_helpers
    TestAuthRouterSecurity->>SysModules: setitem webauthn.helpers.structs = _stub_structs
    TestAuthRouterSecurity->>SysModules: setitem backend.database = fake_database
    TestAuthRouterSecurity->>SysModules: setitem backend.models = fake_models
    TestAuthRouterSecurity->>BackendAuthRouter: import backend.auth_router
    BackendAuthRouter->>SysModules: import webauthn and webauthn.helpers.structs
    SysModules-->>BackendAuthRouter: return stubbed modules
    BackendAuthRouter-->>TestAuthRouterSecurity: loaded auth router without real webauthn
    TestAuthRouterSecurity-->>Pytest: continue running auth tests

Loading

Updated class diagram for auth models using timezone-aware datetimes and Pydantic v2 ConfigDict

classDiagram
    class BaseModel

    class UserResponse {
        +int id
        +str email
        +Optional[str] name
        +Optional[str] business_registration_number
        +Optional[str] representative_name
        +ConfigDict model_config
    }

    class Token {
        +str access_token
        +str token_type
    }

    BaseModel <|-- UserResponse
    BaseModel <|-- Token

    class AuthRouterInternal {
        +tuple~str, datetime~ _issue_recovery_token(prefix)
        +None _purge_expired_password_recovery_sessions()
        +None start_passkey_registration(user, payload, db)
        +None finish_passkey_registration(payload, db)
        +None start_passkey_login(user)
        +None finish_passkey_login(payload, db)
        +None verify_password_recovery_identity(payload, db)
        +None reset_password_via_recovery(payload, db)
    }

    class AuthTokenService {
        +str create_access_token(data, expires_delta, no_expiry)
    }

    AuthRouterInternal --> UserResponse
    AuthTokenService --> Token

Loading

File-Level Changes

Change	Details	Files
Stub the optional webauthn package in auth router tests so they run without the dependency installed and align fixtures with timezone-aware datetime usage.	Extend the _load_auth_router test helper to inject stub webauthn, webauthn.helpers, and webauthn.helpers.structs modules into sys.modules when the real package is absent, wiring minimal attribute placeholders expected by auth_router. Keep the existing backend.database and backend.models monkeypatching but ensure it runs after the webauthn stubs are registered so imports succeed in a consistent environment. Update password recovery–related test fixtures to create expires_at and reset_expires_at values with datetime.now(timezone.utc) instead of datetime.utcnow() to match the production code changes.	tests/test_auth_router_security.py
Make all auth and password-recovery time calculations timezone-aware to avoid deprecated utcnow usage and naive/aware comparison issues.	Replace all datetime.utcnow() calls in password recovery helpers, passkey registration/login flows, and related expiry checks with datetime.now(timezone.utc). Ensure all expiry comparisons use timezone-aware now values to match how expiry timestamps are stored, preventing mixed naive/aware TypeErrors. Update the access-token creation helper to compute JWT exp using datetime.now(timezone.utc), keeping token expiry consistent with the rest of the auth subsystem.	backend/auth_router.py backend/auth.py
Align UserResponse Pydantic model configuration with Pydantic v2 conventions.	Remove the inner Config subclass on UserResponse and replace it with a model_config assignment using ConfigDict(from_attributes=True) so ORM instances can still be converted to response models under Pydantic v2.	backend/auth_router.py
Introduce a repository-level .gitignore tuned for Python artifacts.	Add a new .gitignore file configured to ignore standard Python build and cache outputs so bytecode caches like pycache/*.pyc are no longer tracked in git.	.gitignore

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[parkcheolhong]

수고했어요~

[parkcheolhong]

정말 편리한 서비스 이런 것이 개발자들에게 꼭 필요한 것입니다.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In the WebAuthn stubs, consider making the stubbed functions/classes callable objects (e.g., simple no-op functions that raise a clear exception) rather than setting them to None, so that any unexpected use in tests fails with a more explicit and predictable error.
• You repeat datetime.now(timezone.utc) many times across auth_router and tests; consider introducing a small helper (e.g., utcnow() or now_utc()) to centralize this behavior and make future changes to time handling easier.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In the WebAuthn stubs, consider making the stubbed functions/classes callable objects (e.g., simple no-op functions that raise a clear exception) rather than setting them to None, so that any unexpected use in tests fails with a more explicit and predictable error.
- You repeat `datetime.now(timezone.utc)` many times across auth_router and tests; consider introducing a small helper (e.g., `utcnow()` or `now_utc()`) to centralize this behavior and make future changes to time handling easier.

## Individual Comments

### Comment 1
<location path="backend/auth_router.py" line_range="432" />
<code_context>
     user.passkey_device_label = str(state.get("device_label") or "이 기기 패스키")
     user.passkey_sign_count = int(verification.sign_count)
-    user.passkey_registered_at = datetime.utcnow()
+    user.passkey_registered_at = datetime.now(timezone.utc)
     db.add(user)
     db.commit()
</code_context>
<issue_to_address>
**issue (bug_risk):** Check that the ORM column type for `passkey_registered_at` is compatible with timezone-aware datetimes.

This field used to be set with a naive `datetime.utcnow()`, and is now using an aware `datetime.now(timezone.utc)`. If the column is declared as `DateTime(timezone=False)` or otherwise expects naive datetimes, some backends will strip the timezone or error. Please confirm the ORM column uses `timezone=True` (or equivalent) or that this field is consistently treated as timezone-aware across the codebase.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Check that the ORM column type for passkey_registered_at is compatible with timezone-aware datetimes.

This field used to be set with a naive datetime.utcnow(), and is now using an aware datetime.now(timezone.utc). If the column is declared as DateTime(timezone=False) or otherwise expects naive datetimes, some backends will strip the timezone or error. Please confirm the ORM column uses timezone=True (or equivalent) or that this field is consistently treated as timezone-aware across the codebase.

[Copilot]

Pull request overview

This PR aims to stabilize auth-related tests and runtime behavior by removing an optional webauthn import failure in tests, eliminating datetime.utcnow() deprecation warnings by switching to timezone-aware UTC datetimes, modernizing a Pydantic model config for v2, and adding a Python-focused .gitignore to prevent committing cache artifacts.

Changes:

• Stub webauthn modules in tests/test_auth_router_security.py so backend.auth_router can be imported in test runs without the optional dependency installed.
• Replace datetime.utcnow() usages with datetime.now(timezone.utc) in auth/token and auth router logic.
• Update UserResponse to use Pydantic v2 ConfigDict(from_attributes=True) and add a standard .gitignore.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

File	Description
tests/test_auth_router_security.py	Adds webauthn stubbing for import safety and updates fixtures to timezone-aware UTC datetimes.
backend/auth.py	Makes JWT expiry generation timezone-aware (timezone.utc).
backend/auth_router.py	Makes recovery/passkey expiry logic timezone-aware and updates Pydantic config to ConfigDict.
.gitignore	Adds Python/venv/test/IDE/OS ignore rules to prevent cache artifacts from being committed.