From cd1c59a727283941da903adb545f014eacf1fdc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Gr=C3=BCner?= <47506558+MegaRedHand@users.noreply.github.com>
Date: Mon, 3 Jun 2024 23:07:39 -0300
Subject: [PATCH] fix: fetch user from DB instead of jwt

---
 src/main.py | 19 ++++++++++++-------
 src/test_main.py | 19 ++++++++-----------
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/src/main.py b/src/main.py
index ef93bfd..dac763b 100755
--- a/src/main.py
+++ b/src/main.py
@@ -26,14 +26,19 @@ def get_db():
 DbDependency = Annotated[Session, Depends(get_db)]
 
 
-def ensure_user(x_user: Annotated[str, Header()]) -> models.User:
+def ensure_user(db: DbDependency, x_user: Annotated[str, Header()]) -> models.User:
     jwt_claims = auth.parse_jwt(x_user)
     if jwt_claims is None:
         raise HTTPException(
             status_code=HTTPStatus.UNAUTHORIZED,
             detail="Necesita loguearse para continuar",
         )
-    user = models.User(id=jwt_claims["id"], email=jwt_claims["email"])
+    user = crud.get_user_by_id(db, jwt_claims["id"])
+    if user is None:
+        raise HTTPException(
+            status_code=HTTPStatus.FORBIDDEN,
+            detail="Usuario no encontrado",
+        )
     return user
 
 
@@ -72,7 +77,7 @@ def login(user: schemas.UserLogin, db: DbDependency) -> schemas.UserCredentials:
 
     if not auth.valid_password(user.password, db_user.hashed_password):
         raise HTTPException(
-            status_code=HTTPStatus.UNAUTHORIZED, detail="ContraseƱa incorrecta"
+            status_code=HTTPStatus.FORBIDDEN, detail="ContraseƱa incorrecta"
         )
 
     credentials = auth.login_user(db_user)
@@ -116,7 +121,7 @@ def check_group_exists_and_user_is_owner(user_id: int, group: models.Group):
     # If user is in group, but is not the owner
     if group.owner_id != user_id:
         raise HTTPException(
-            status_code=HTTPStatus.UNAUTHORIZED,
+            status_code=HTTPStatus.FORBIDDEN,
             detail="No tiene permisos para modificar este grupo",
         )
 
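Review bot: The new `if user is None:` branch in ensure_user answers a well-formed token that names no account with FORBIDDEN, which HTTP reserves for a caller whose identity is established but lacks rights; a token whose subject no longer exists is an authentication failure and belongs with the branch just above it, `status_code=HTTPStatus.UNAUTHORIZED`, so clients and middleware handle "log in again" uniformly. Looking the user up in the DB is the right move, since a deleted or disabled account stops being trusted on the strength of an unexpired JWT. The new `crud.get_user_by_id(db, jwt_claims["id"])` line will raise KeyError (a 500) if parse_jwt ever returns a claims dict without that key; whether parse_jwt guarantees the key is not visible here. A docstring would help readers of this dependency: `"""Resolve the caller from the X-User JWT; raises HTTPException when the token is missing or invalid, or when it names no existing user."""`.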
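Review bot: Changing the wrong-password response in login to FORBIDDEN inverts the usual meaning of the two codes: a rejected credential is UNAUTHORIZED (the caller is not yet authenticated), while FORBIDDEN says the identity is known but not permitted, and the updated test in test_main.py pins this choice. If the unknown-email path earlier in login (outside this hunk) returns a different status or detail than the wrong-password line here, the pair lets a client tell which emails are registered; one status with one generic detail for both cases removes that signal. The body of login starts and continues outside the hunk.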
@@ -163,17 +168,17 @@ def add_user_to_group(
         user_to_add = crud.get_user_by_email(db, req.user_identifier)
     else:
         user_to_add = crud.get_user_by_id(db, req.user_identifier)
-
+
     if user_to_add is None:
         raise HTTPException(
             status_code=HTTPStatus.NOT_FOUND, detail="Usuario no existe"
         )
-
+
     group = crud.get_group_by_id(db, group_id)
     check_group_exists_and_user_is_owner(user.id, group)
     check_group_is_unarchived(group)
 
-    if user_id_in_group(user.id, group):
+    if user_id_in_group(user_to_add.id, group):
         raise HTTPException(
             status_code=HTTPStatus.BAD_REQUEST,
             detail=f"El usuario ya es miembro del grupo {group.name}",
diff --git a/src/test_main.py b/src/test_main.py
index 6ba4d8c..2755523 100755
--- a/src/test_main.py
+++ b/src/test_main.py
@@ -91,7 +91,7 @@ def some_group_members(
     response = client.post(
         url=f"/group/{some_group.id}/member",
         headers={"x-user": some_credentials.jwt},
-        json={"user_id": credentials.id},
+        json={"user_identifier": credentials.id},
     )
     assert response.status_code == HTTPStatus.CREATED
 
@@ -168,7 +168,7 @@ def test_login_with_wrong_password(client: TestClient):
         json={"email": "example@example.com", "password": "a_wrong_password"},
     )
 
-    assert second_response.status_code == HTTPStatus.UNAUTHORIZED
+    assert second_response.status_code == HTTPStatus.FORBIDDEN
     assert "jwt" not in second_response.json()
 
 
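Review bot: The `user_to_add` lookup and its NOT_FOUND "Usuario no existe" response still run before `check_group_exists_and_user_is_owner(user.id, group)`, so any authenticated caller who is not the group's owner can tell from NOT_FOUND versus FORBIDDEN whether an arbitrary email or id is registered. Move the three lines `group = crud.get_group_by_id(db, group_id)`, `check_group_exists_and_user_is_owner(user.id, group)` and `check_group_is_unarchived(group)` above the `crud.get_user_by_*` branch so authorization is settled before anything about other users is disclosed. The `if`/`else` that picks between the email and id lookups, and the rest of add_user_to_group, lie outside the hunk.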
@@ -332,21 +332,19 @@ def test_add_user_to_group(
     some_group: schemas.Group,
 ):
     # Create new user
-    body = {"email": "some_email@example.com", "password": "some_password"}
-    response = client.post(url="/user/register", json=body)
-    assert response.status_code == HTTPStatus.CREATED
-    user = response.json()
+    new_user = make_user_credentials(client, "some_random_email@email.com")
 
     # Add new user to group
     response = client.post(
         url=f"/group/{some_group.id}/member",
         headers={"x-user": some_credentials.jwt},
-        json={"user_id": user["id"]},
+        json={"user_identifier": new_user.id},
     )
+    expected_members = sorted([some_credentials.id, new_user.id])
     body = response.json()
-    assert response.status_code == HTTPStatus.CREATED
+    assert response.status_code == HTTPStatus.CREATED, str(body)
     assert len(body) == 2
-    assert sorted([u["id"] for u in body]) == sorted([some_credentials.id, user["id"]])
+    assert sorted([u["id"] for u in body]) == expected_members
 
     # GET group members
     response = client.get(
@@ -358,7 +356,7 @@ def test_add_user_to_group(
 
     assert response.status_code == HTTPStatus.OK
     assert len(body) == 2
-    assert sorted([u["id"] for u in body]) == sorted([some_credentials.id, user["id"]])
+    assert sorted([u["id"] for u in body]) == expected_members
 
 
 ################################################
@@ -690,7 +688,6 @@ def some_invite(
     some_other_credentials: schemas.UserCredentials,
     some_group: schemas.Group,
 ):
-    # Create Invite
     response = client.post(
         url="/invite",
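Review bot: The rewritten test_add_user_to_group only walks the happy path, so the duplicate-member branch behind the fixed `user_id_in_group(user_to_add.id, group)` check is never exercised; the test shows the check no longer fires for the requester, but not that it fires for the member being added. After the first CREATED assertion, repeat the POST with `json={"user_identifier": new_user.id}` and assert `response.status_code == HTTPStatus.BAD_REQUEST`. `make_user_credentials` is defined outside this hunk, so the `.id` attribute used here cannot be confirmed from the diff. The function continues past the hunk into the GET section below.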