feat: add account management, email verification, AI fixes, and user guides

- Profile settings, account transfer, delete/leave account flows - Email verification with JWT tokens and Resend integration - AI assistant/copilot fixes: markdown rendering, shared RAG helpers, token tracking, input refocus, model_validate usage - User guides hub + detail pages with 13 topic guides - Sidebar and top bar navigation for guides Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 19:18:06 -05:00
parent 1aa60dada2
commit 8d6accaf60
45 changed files with 2255 additions and 126 deletions
--- a/backend/tests/test_account_lifecycle.py
+++ b/backend/tests/test_account_lifecycle.py
@@ -0,0 +1,109 @@
+"""Tests for leave account and delete account endpoints."""
+
+import pytest
+from httpx import AsyncClient
+
+
+@pytest.mark.asyncio
+class TestLeaveAccount:
+    """Test POST /accounts/me/leave."""
+
+    async def test_leave_as_non_owner(self, client: AsyncClient, test_db):
+        """Non-owner can leave and gets a personal account."""
+        from sqlalchemy import select
+        from app.models.user import User
+
+        # Register owner
+        owner = await client.post("/api/v1/auth/register", json={
+            "email": "owner@example.com", "password": "TestPassword123!", "name": "Owner",
+        })
+        assert owner.status_code == 201
+        owner_data = owner.json()
+
+        # Login as owner
+        login = await client.post("/api/v1/auth/login/json", json={
+            "email": "owner@example.com", "password": "TestPassword123!",
+        })
+        owner_headers = {"Authorization": f"Bearer {login.json()['access_token']}"}
+
+        # Register member
+        member = await client.post("/api/v1/auth/register", json={
+            "email": "member@example.com", "password": "TestPassword123!", "name": "Member",
+        })
+        member_id = member.json()["id"]
+
+        # Move member to owner's account
+        result = await test_db.execute(select(User).where(User.id == member_id))
+        member_user = result.scalar_one()
+        member_user.account_id = owner_data["account_id"]
+        member_user.account_role = "engineer"
+        await test_db.commit()
+
+        # Login as member
+        login = await client.post("/api/v1/auth/login/json", json={
+            "email": "member@example.com", "password": "TestPassword123!",
+        })
+        member_headers = {"Authorization": f"Bearer {login.json()['access_token']}"}
+
+        # Leave
+        response = await client.post("/api/v1/accounts/me/leave", headers=member_headers)
+        assert response.status_code == 200
+
+    async def test_leave_as_owner_fails(self, client: AsyncClient, auth_headers: dict):
+        """Owner cannot leave their own account."""
+        response = await client.post("/api/v1/accounts/me/leave", headers=auth_headers)
+        assert response.status_code == 400
+
+
+@pytest.mark.asyncio
+class TestDeleteAccount:
+    """Test DELETE /accounts/me."""
+
+    async def test_delete_success(self, client: AsyncClient, auth_headers: dict):
+        """Owner with no other members can delete account."""
+        response = await client.request(
+            "DELETE",
+            "/api/v1/accounts/me",
+            json={"current_password": "TestPassword123!"},
+            headers=auth_headers,
+        )
+        assert response.status_code == 200
+
+    async def test_delete_wrong_password(self, client: AsyncClient, auth_headers: dict):
+        """Wrong password returns 401."""
+        response = await client.request(
+            "DELETE",
+            "/api/v1/accounts/me",
+            json={"current_password": "WrongPassword123!"},
+            headers=auth_headers,
+        )
+        assert response.status_code == 401
+
+    async def test_delete_with_members_fails(self, client: AsyncClient, auth_headers: dict, test_db):
+        """Cannot delete account that has other members."""
+        from sqlalchemy import select
+        from app.models.user import User
+
+        # Get owner's account_id
+        me = await client.get("/api/v1/auth/me", headers=auth_headers)
+        account_id = me.json()["account_id"]
+
+        # Register and add member
+        member = await client.post("/api/v1/auth/register", json={
+            "email": "member2@example.com", "password": "TestPassword123!", "name": "Member",
+        })
+        member_id = member.json()["id"]
+
+        result = await test_db.execute(select(User).where(User.id == member_id))
+        member_user = result.scalar_one()
+        member_user.account_id = account_id
+        member_user.account_role = "engineer"
+        await test_db.commit()
+
+        response = await client.request(
+            "DELETE",
+            "/api/v1/accounts/me",
+            json={"current_password": "TestPassword123!"},
+            headers=auth_headers,
+        )
+        assert response.status_code == 400
--- a/backend/tests/test_account_transfer.py
+++ b/backend/tests/test_account_transfer.py
@@ -0,0 +1,63 @@
+"""Tests for account ownership transfer."""
+
+import pytest
+from httpx import AsyncClient
+
+
+@pytest.mark.asyncio
+class TestOwnershipTransfer:
+    """Test POST /accounts/me/transfer-ownership."""
+
+    async def _create_member(self, client: AsyncClient, owner_headers: dict, test_db):
+        """Register a second user and add them to the owner's account."""
+        from sqlalchemy import select
+        from app.models.user import User
+
+        # Register second user (gets own account)
+        resp = await client.post("/api/v1/auth/register", json={
+            "email": "member@example.com",
+            "password": "TestPassword123!",
+            "name": "Member User",
+        })
+        assert resp.status_code == 201
+        member_id = resp.json()["id"]
+
+        # Get owner's account_id
+        me = await client.get("/api/v1/auth/me", headers=owner_headers)
+        owner_account_id = me.json()["account_id"]
+
+        # Move member to owner's account
+        result = await test_db.execute(select(User).where(User.id == member_id))
+        member = result.scalar_one()
+        member.account_id = owner_account_id
+        member.account_role = "engineer"
+        await test_db.commit()
+
+        return member_id
+
+    async def test_transfer_success(self, client: AsyncClient, auth_headers: dict, test_db):
+        member_id = await self._create_member(client, auth_headers, test_db)
+        response = await client.post(
+            "/api/v1/accounts/me/transfer-ownership",
+            json={"current_password": "TestPassword123!", "target_user_id": member_id},
+            headers=auth_headers,
+        )
+        assert response.status_code == 200
+        assert response.json()["owner_id"] == member_id
+
+    async def test_transfer_self(self, client: AsyncClient, auth_headers: dict, test_user):
+        response = await client.post(
+            "/api/v1/accounts/me/transfer-ownership",
+            json={"current_password": "TestPassword123!", "target_user_id": test_user["user_data"]["id"]},
+            headers=auth_headers,
+        )
+        assert response.status_code == 400
+
+    async def test_transfer_wrong_password(self, client: AsyncClient, auth_headers: dict, test_db):
+        member_id = await self._create_member(client, auth_headers, test_db)
+        response = await client.post(
+            "/api/v1/accounts/me/transfer-ownership",
+            json={"current_password": "WrongPassword123!", "target_user_id": member_id},
+            headers=auth_headers,
+        )
+        assert response.status_code == 401
--- a/backend/tests/test_auth_profile.py
+++ b/backend/tests/test_auth_profile.py
@@ -0,0 +1,90 @@
+"""Tests for PATCH /auth/me profile update endpoint."""
+
+import pytest
+from httpx import AsyncClient
+
+
+@pytest.mark.asyncio
+class TestProfileUpdate:
+    """Test profile update via PATCH /auth/me."""
+
+    async def test_update_name(self, client: AsyncClient, auth_headers: dict):
+        """Name update works without password."""
+        response = await client.patch(
+            "/api/v1/auth/me",
+            json={"name": "New Name"},
+            headers=auth_headers,
+        )
+        assert response.status_code == 200
+        assert response.json()["name"] == "New Name"
+
+    async def test_update_email_with_password(self, client: AsyncClient, auth_headers: dict):
+        """Email change with correct password succeeds."""
+        response = await client.patch(
+            "/api/v1/auth/me",
+            json={"email": "newemail@example.com", "current_password": "TestPassword123!"},
+            headers=auth_headers,
+        )
+        assert response.status_code == 200
+        assert response.json()["email"] == "newemail@example.com"
+
+    async def test_update_email_without_password(self, client: AsyncClient, auth_headers: dict):
+        """Email change without password returns 400."""
+        response = await client.patch(
+            "/api/v1/auth/me",
+            json={"email": "newemail@example.com"},
+            headers=auth_headers,
+        )
+        assert response.status_code == 400
+        assert "password" in response.json()["detail"].lower()
+
+    async def test_update_email_wrong_password(self, client: AsyncClient, auth_headers: dict):
+        """Email change with wrong password returns 401."""
+        response = await client.patch(
+            "/api/v1/auth/me",
+            json={"email": "newemail@example.com", "current_password": "WrongPassword123!"},
+            headers=auth_headers,
+        )
+        assert response.status_code == 401
+
+    async def test_update_email_duplicate(self, client: AsyncClient, auth_headers: dict):
+        """Email change to existing email returns 400."""
+        # Register second user
+        await client.post("/api/v1/auth/register", json={
+            "email": "other@example.com",
+            "password": "TestPassword123!",
+            "name": "Other User",
+        })
+
+        response = await client.patch(
+            "/api/v1/auth/me",
+            json={"email": "other@example.com", "current_password": "TestPassword123!"},
+            headers=auth_headers,
+        )
+        assert response.status_code == 400
+        assert "already registered" in response.json()["detail"].lower()
+
+    async def test_get_me_returns_updated_name(self, client: AsyncClient, auth_headers: dict):
+        """GET /me reflects the updated profile."""
+        await client.patch(
+            "/api/v1/auth/me",
+            json={"name": "Updated User"},
+            headers=auth_headers,
+        )
+        response = await client.get("/api/v1/auth/me", headers=auth_headers)
+        assert response.status_code == 200
+        assert response.json()["name"] == "Updated User"
+
+    async def test_no_changes_returns_current_user(self, client: AsyncClient, auth_headers: dict):
+        """Empty update returns current user without error."""
+        response = await client.patch(
+            "/api/v1/auth/me",
+            json={},
+            headers=auth_headers,
+        )
+        assert response.status_code == 200
+
+    async def test_unauthenticated(self, client: AsyncClient):
+        """Unauthenticated request returns 401."""
+        response = await client.patch("/api/v1/auth/me", json={"name": "X"})
+        assert response.status_code == 401
--- a/backend/tests/test_email_verification.py
+++ b/backend/tests/test_email_verification.py
@@ -0,0 +1,57 @@
+"""Tests for email verification endpoints."""
+
+import pytest
+from httpx import AsyncClient
+
+
+@pytest.mark.asyncio
+class TestEmailVerification:
+    """Test email verification send + verify flow."""
+
+    async def test_send_verification(self, client: AsyncClient, auth_headers: dict):
+        """Send verification email returns 200."""
+        response = await client.post(
+            "/api/v1/auth/email/send-verification",
+            headers=auth_headers,
+        )
+        assert response.status_code == 200
+        assert "sent" in response.json()["message"].lower()
+
+    async def test_send_verification_already_verified(
+        self, client: AsyncClient, auth_headers: dict, test_db
+    ):
+        """Returns 400 if email is already verified."""
+        from sqlalchemy import select, update
+        from datetime import datetime, timezone
+        from app.models.user import User
+
+        # Manually mark email as verified
+        await test_db.execute(
+            update(User).where(User.email == "test@example.com").values(
+                email_verified_at=datetime.now(timezone.utc)
+            )
+        )
+        await test_db.commit()
+
+        response = await client.post(
+            "/api/v1/auth/email/send-verification",
+            headers=auth_headers,
+        )
+        assert response.status_code == 400
+        assert "already verified" in response.json()["detail"].lower()
+
+    async def test_verify_invalid_token(self, client: AsyncClient):
+        """Invalid token returns 400."""
+        response = await client.post(
+            "/api/v1/auth/email/verify",
+            json={"token": "invalid-token"},
+        )
+        assert response.status_code == 400
+
+    async def test_verify_missing_token(self, client: AsyncClient):
+        """Missing token returns 400."""
+        response = await client.post(
+            "/api/v1/auth/email/verify",
+            json={},
+        )
+        assert response.status_code == 400