""" Tests for login_utils module. This module tests the refactored login logic that was moved from proxy_server.py to login_utils.py for better reusability. """ import os from unittest.mock import AsyncMock, MagicMock, patch import pytest from litellm.constants import LITELLM_PROXY_ADMIN_NAME from litellm.proxy._types import ( LiteLLM_UserTable, LitellmUserRoles, ProxyErrorTypes, ProxyException, hash_token, ) from litellm.proxy.auth.login_utils import ( LoginResult, authenticate_user, get_ui_credentials, ) def test_get_ui_credentials_prefers_explicit_password(): """The configured UI password should be returned when available.""" with patch.dict( os.environ, {"UI_USERNAME": "test-admin", "UI_PASSWORD": "secure-pass"}, clear=True, ): username, password = get_ui_credentials(master_key="sk-123") assert username == "test-admin" assert password == "secure-pass" def test_get_ui_credentials_can_use_master_key(): """Master key should be used as password when UI_PASSWORD is missing.""" with patch.dict(os.environ, {"UI_USERNAME": "fallback-admin"}, clear=True): username, password = get_ui_credentials(master_key="fallback-key") assert username == "fallback-admin" assert password == "fallback-key" def test_get_ui_credentials_requires_password(): """Missing UI password and master key results in error.""" with patch.dict(os.environ, {}, clear=True): with pytest.raises(ProxyException) as exc_info: get_ui_credentials(master_key=None) assert exc_info.value.type == ProxyErrorTypes.auth_error assert exc_info.value.code == "500" @pytest.mark.asyncio async def test_authenticate_user_admin_login_with_ui_credentials(): """Test admin login using UI_USERNAME and UI_PASSWORD""" master_key = "sk-1234" ui_username = "admin" ui_password = "sk-1234" mock_prisma_client = MagicMock() mock_prisma_client.db.litellm_usertable.find_first = AsyncMock(return_value=None) with patch.dict( os.environ, { "UI_USERNAME": ui_username, "UI_PASSWORD": ui_password, "DATABASE_URL": "postgresql://test:test@localhost/test", }, ): with patch( "litellm.proxy.auth.login_utils.generate_key_helper_fn", new_callable=AsyncMock, ) as mock_generate_key: mock_generate_key.return_value = { "token": "test-token-123", "user_id": LITELLM_PROXY_ADMIN_NAME, } with patch( "litellm.proxy.auth.login_utils.user_update", new_callable=AsyncMock, return_value=None, ) as mock_user_update: with patch( "litellm.proxy.auth.login_utils.get_secret_bool", return_value=False, ): result = await authenticate_user( username=ui_username, password=ui_password, master_key=master_key, prisma_client=mock_prisma_client, ) assert isinstance(result, LoginResult) assert result.user_id == LITELLM_PROXY_ADMIN_NAME assert result.key == "test-token-123" assert result.user_email is None assert result.user_role == LitellmUserRoles.PROXY_ADMIN assert result.login_method == "username_password" @pytest.mark.asyncio async def test_authenticate_user_admin_login_with_master_key_as_password(): """Test admin login when UI_PASSWORD is not set, should use master_key""" master_key = "sk-1234" ui_username = "admin" mock_prisma_client = MagicMock() mock_prisma_client.db.litellm_usertable.find_first = AsyncMock(return_value=None) env_vars = {"UI_USERNAME": ui_username, "DATABASE_URL": "postgresql://test:test@localhost/test"} # Remove UI_PASSWORD to test fallback to master_key if "UI_PASSWORD" in os.environ: # Keep other env vars but don't set UI_PASSWORD pass else: # Ensure UI_PASSWORD is not in the patched env pass with patch.dict(os.environ, env_vars, clear=False): # Explicitly remove UI_PASSWORD if it exists original_ui_password = os.environ.pop("UI_PASSWORD", None) try: with patch( "litellm.proxy.auth.login_utils.generate_key_helper_fn", new_callable=AsyncMock, ) as mock_generate_key: mock_generate_key.return_value = { "token": "test-token-123", "user_id": LITELLM_PROXY_ADMIN_NAME, } with patch( "litellm.proxy.auth.login_utils.user_update", new_callable=AsyncMock, return_value=None, ) as mock_user_update: with patch( "litellm.proxy.auth.login_utils.get_secret_bool", return_value=False, ): result = await authenticate_user( username=ui_username, password=master_key, master_key=master_key, prisma_client=mock_prisma_client, ) assert isinstance(result, LoginResult) assert result.user_id == LITELLM_PROXY_ADMIN_NAME assert result.user_role == LitellmUserRoles.PROXY_ADMIN finally: if original_ui_password: os.environ["UI_PASSWORD"] = original_ui_password @pytest.mark.asyncio async def test_authenticate_user_invalid_credentials(): """Test authentication failure with invalid credentials""" master_key = "sk-1234" ui_username = "admin" wrong_password = "wrong-password" mock_prisma_client = MagicMock() mock_prisma_client.db.litellm_usertable.find_first = AsyncMock(return_value=None) with patch.dict(os.environ, {"UI_USERNAME": ui_username, "UI_PASSWORD": "correct-password"}): with pytest.raises(ProxyException) as exc_info: await authenticate_user( username=ui_username, password=wrong_password, master_key=master_key, prisma_client=mock_prisma_client, ) assert exc_info.value.type == ProxyErrorTypes.auth_error assert exc_info.value.code == "401" assert "Invalid credentials" in exc_info.value.message @pytest.mark.asyncio async def test_authenticate_user_missing_master_key(): """Test authentication failure when master_key is None""" mock_prisma_client = MagicMock() with pytest.raises(ProxyException) as exc_info: await authenticate_user( username="admin", password="password", master_key=None, prisma_client=mock_prisma_client, ) assert exc_info.value.type == ProxyErrorTypes.auth_error assert exc_info.value.code == "500" assert "Master Key not set" in exc_info.value.message @pytest.mark.asyncio async def test_authenticate_user_wrong_password(): """Test authentication failure with wrong password for database user""" master_key = "sk-1234" user_email = "test@example.com" correct_password = "correct-password" wrong_password = "wrong-password" hashed_password = hash_token(token=correct_password) mock_user = LiteLLM_UserTable( user_id="test-user-123", user_email=user_email, password=hashed_password, user_role=LitellmUserRoles.INTERNAL_USER, ) mock_prisma_client = MagicMock() mock_prisma_client.db.litellm_usertable.find_first = AsyncMock( return_value=mock_user ) with patch.dict( os.environ, { "DATABASE_URL": "postgresql://test:test@localhost/test", "UI_USERNAME": "admin", "UI_PASSWORD": "admin-password", }, ): with pytest.raises(ProxyException) as exc_info: await authenticate_user( username=user_email, password=wrong_password, master_key=master_key, prisma_client=mock_prisma_client, ) assert exc_info.value.type == ProxyErrorTypes.auth_error assert exc_info.value.code == "401" assert "Invalid credentials" in exc_info.value.message @pytest.mark.asyncio async def test_authenticate_user_email_case_insensitive_login(): """Test that email lookup is case-insensitive during login""" master_key = "sk-1234" stored_email = "testemail@test.com" login_email_mixed_case = "testEmail@test.com" correct_password = "correct-password" hashed_password = hash_token(token=correct_password) # `LiteLLM_UserTable` does not define a `password` field, but `authenticate_user()` # expects `user_row.password` to exist (invite-link login). Use a simple object. mock_user = MagicMock() mock_user.user_id = "test-user-123" mock_user.user_email = stored_email mock_user.password = hashed_password mock_user.user_role = LitellmUserRoles.INTERNAL_USER def mock_find_first(**kwargs): where = kwargs.get("where", {}) user_email = where.get("user_email", {}) if user_email.get("mode") != "insensitive": return None if str(user_email.get("equals", "")).lower() == stored_email.lower(): return mock_user return None mock_prisma_client = MagicMock() mock_prisma_client.db.litellm_usertable.find_first = AsyncMock( side_effect=mock_find_first ) with patch.dict( os.environ, { "DATABASE_URL": "postgresql://test:test@localhost/test", "UI_USERNAME": "admin", "UI_PASSWORD": "admin-password", }, ): with patch( "litellm.proxy.auth.login_utils.generate_key_helper_fn", new_callable=AsyncMock, ) as mock_generate_key: mock_generate_key.side_effect = [ {"token": "token-1"}, {"token": "token-2"}, ] result_mixed = await authenticate_user( username=login_email_mixed_case, password=correct_password, master_key=master_key, prisma_client=mock_prisma_client, ) result_lower = await authenticate_user( username=stored_email, password=correct_password, master_key=master_key, prisma_client=mock_prisma_client, ) assert result_mixed.user_id == result_lower.user_id == "test-user-123" assert result_mixed.user_email == result_lower.user_email == stored_email calls = mock_prisma_client.db.litellm_usertable.find_first.await_args_list assert len(calls) == 2 for call, expected_username in zip(calls, [login_email_mixed_case, stored_email]): where = call.kwargs["where"] assert where["user_email"]["equals"] == expected_username assert where["user_email"]["mode"] == "insensitive" @pytest.mark.asyncio async def test_authenticate_user_database_required_for_admin(): """Test that database is required for admin login""" master_key = "sk-1234" ui_username = "admin" ui_password = "sk-1234" mock_prisma_client = MagicMock() mock_prisma_client.db.litellm_usertable.find_first = AsyncMock(return_value=None) with patch.dict(os.environ, {"UI_USERNAME": ui_username, "UI_PASSWORD": ui_password}): with patch( "litellm.proxy.auth.login_utils.user_update", new_callable=AsyncMock, return_value=None, ): # Remove DATABASE_URL to simulate no database original_db_url = os.environ.get("DATABASE_URL") if "DATABASE_URL" in os.environ: del os.environ["DATABASE_URL"] try: with pytest.raises(ProxyException) as exc_info: await authenticate_user( username=ui_username, password=ui_password, master_key=master_key, prisma_client=mock_prisma_client, ) assert exc_info.value.type == ProxyErrorTypes.auth_error assert exc_info.value.code == "500" assert "No Database connected" in exc_info.value.message finally: if original_db_url: os.environ["DATABASE_URL"] = original_db_url @pytest.mark.asyncio async def test_authenticate_user_admin_login_with_non_ascii_characters(): """Test admin login with non-ASCII characters in password (issue #19559)""" master_key = "sk-1234" ui_username = "admin£test" ui_password = "sk-1234£pass" mock_prisma_client = MagicMock() mock_prisma_client.db.litellm_usertable.find_first = AsyncMock(return_value=None) with patch.dict( os.environ, { "UI_USERNAME": ui_username, "UI_PASSWORD": ui_password, "DATABASE_URL": "postgresql://test:test@localhost/test", }, ): with patch( "litellm.proxy.auth.login_utils.generate_key_helper_fn", new_callable=AsyncMock, ) as mock_generate_key: mock_generate_key.return_value = { "token": "test-token-123", "user_id": LITELLM_PROXY_ADMIN_NAME, } with patch( "litellm.proxy.auth.login_utils.user_update", new_callable=AsyncMock, return_value=None, ) as mock_user_update: with patch( "litellm.proxy.auth.login_utils.get_secret_bool", return_value=False, ): result = await authenticate_user( username=ui_username, password=ui_password, master_key=master_key, prisma_client=mock_prisma_client, ) assert isinstance(result, LoginResult) assert result.user_id == LITELLM_PROXY_ADMIN_NAME assert result.key == "test-token-123" assert result.user_role == LitellmUserRoles.PROXY_ADMIN def test_authenticate_user_non_ascii_direct_comparison(): """Test that non-ASCII characters can be compared directly (unit test for fix)""" import secrets # This test verifies the fix handles non-ASCII by encoding to bytes username = "admin£test" password = "pass£word" # This would fail without encoding: # secrets.compare_digest(username, username) # TypeError! # But works with the fix: result = secrets.compare_digest( username.encode("utf-8"), username.encode("utf-8") ) assert result is True # And correctly returns False for different passwords result = secrets.compare_digest( password.encode("utf-8"), "different£pass".encode("utf-8") ) assert result is False @pytest.mark.asyncio async def test_authenticate_user_multiple_logins_generate_unique_tokens(): """Test that multiple logins for the same user each generate unique tokens. This test verifies that users can have multiple concurrent UI sessions. Previous UI session tokens should NOT be expired/blocked when a new session is created. """ master_key = "sk-1234" ui_username = "admin" ui_password = "sk-1234" mock_prisma_client = MagicMock() mock_prisma_client.db.litellm_usertable.find_first = AsyncMock(return_value=None) with patch.dict( os.environ, { "UI_USERNAME": ui_username, "UI_PASSWORD": ui_password, "DATABASE_URL": "postgresql://test:test@localhost/test", }, ): with patch( "litellm.proxy.auth.login_utils.generate_key_helper_fn", new_callable=AsyncMock, ) as mock_generate_key: # Each login should generate a unique token mock_generate_key.side_effect = [ {"token": "session-token-1", "user_id": LITELLM_PROXY_ADMIN_NAME}, {"token": "session-token-2", "user_id": LITELLM_PROXY_ADMIN_NAME}, {"token": "session-token-3", "user_id": LITELLM_PROXY_ADMIN_NAME}, ] with patch( "litellm.proxy.auth.login_utils.user_update", new_callable=AsyncMock, return_value=None, ): with patch( "litellm.proxy.auth.login_utils.get_secret_bool", return_value=False, ): # Simulate multiple logins from the same user result1 = await authenticate_user( username=ui_username, password=ui_password, master_key=master_key, prisma_client=mock_prisma_client, ) result2 = await authenticate_user( username=ui_username, password=ui_password, master_key=master_key, prisma_client=mock_prisma_client, ) result3 = await authenticate_user( username=ui_username, password=ui_password, master_key=master_key, prisma_client=mock_prisma_client, ) # Each login should return a unique token assert result1.key == "session-token-1" assert result2.key == "session-token-2" assert result3.key == "session-token-3" # All tokens should be different (concurrent sessions allowed) assert len({result1.key, result2.key, result3.key}) == 3 # generate_key_helper_fn should be called 3 times (once per login) assert mock_generate_key.call_count == 3 @pytest.mark.asyncio async def test_authenticate_user_database_login_with_non_ascii_password(): """Test database user login with non-ASCII characters in password (issue #19559)""" master_key = "sk-1234" user_email = "test@example.com" password_with_special_char = "correct£password" hashed_password = hash_token(token=password_with_special_char) mock_user = MagicMock() mock_user.user_id = "test-user-123" mock_user.user_email = user_email mock_user.password = hashed_password mock_user.user_role = LitellmUserRoles.INTERNAL_USER def mock_find_first(**kwargs): where = kwargs.get("where", {}) user_email_filter = where.get("user_email", {}) if str(user_email_filter.get("equals", "")).lower() == user_email.lower(): return mock_user return None mock_prisma_client = MagicMock() mock_prisma_client.db.litellm_usertable.find_first = AsyncMock( side_effect=mock_find_first ) with patch.dict( os.environ, { "DATABASE_URL": "postgresql://test:test@localhost/test", "UI_USERNAME": "admin", "UI_PASSWORD": "admin-password", }, ): with patch( "litellm.proxy.auth.login_utils.generate_key_helper_fn", new_callable=AsyncMock, ) as mock_generate_key: mock_generate_key.return_value = {"token": "token-123"} result = await authenticate_user( username=user_email, password=password_with_special_char, master_key=master_key, prisma_client=mock_prisma_client, ) assert isinstance(result, LoginResult) assert result.user_id == "test-user-123" assert result.user_email == user_email