from fastapi.testclient import TestClient
from app.factory import create_app
# One application instance and one client are built at import time and shared
# by every test in this module.
# The client is constructed without default headers or cookies, so a request is
# anonymous unless the test itself passes credentials.
# NOTE(review): TestClient re-raises unhandled server exceptions by default, so
# an endpoint that crashes shows up as a test error rather than a 500 response.
app = create_app()
client = TestClient(app)
def test_analytics_cases_unauthenticated():
    """Anonymous GET on /api/v1/analytics/cases must be rejected with 401.

    This is a regression check for missing authentication on the endpoint.
    It asserts the desired state: a failure means the endpoint answered a
    caller that presented no credentials.
    """
    # No Authorization header or cookie is passed on this call.
    status = client.get("/api/v1/analytics/cases").status_code
    # Any status other than 401 (for example 200) fails the test and indicates
    # the route is reachable without authentication.
    # Only the missing-credentials case is covered here; invalid or expired
    # tokens and per-role authorization are not exercised by this test.
    assert status == 401
def test_analytics_transactions_unauthenticated():
    """Anonymous GET on /api/v1/analytics/transactions must be rejected with 401."""
    # The request is sent without credentials; 401 is the only accepted answer.
    anonymous_reply = client.get("/api/v1/analytics/transactions")
    observed = anonymous_reply.status_code
    # A different status means the route served (or mishandled) an
    # unauthenticated caller and should be treated as an access-control gap.
    assert observed == 401
def test_analytics_temporal_flow_unauthenticated():
    """Anonymous GET on /api/v1/analytics/temporal-flow must be rejected with 401."""
    endpoint = "/api/v1/analytics/temporal-flow"
    # No credentials accompany the request, so the expected outcome is a
    # 401 challenge rather than any analytics payload.
    status = client.get(endpoint).status_code
    assert status == 401