From b8d3cc1919f48272d6a88228c77a00101c96349e Mon Sep 17 00:00:00 2001
From: Claude Sonnet 4.6
Date: Mon, 15 Jun 2026 17:39:00 +0000
Subject: tests: add TestUserProfileWithToken and TestUserProfileWithoutToken
Test that GET /auth/user/ returns 200 with user fields when a valid Bearer token is present, and 401 when no token or a garbage token is supplied.
---
tests/test_gn_auth_auth_flow.py | 68 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
diff --git a/tests/test_gn_auth_auth_flow.py b/tests/test_gn_auth_auth_flow.py
index 6019443..cb164cd 100644
--- a/tests/test_gn_auth_auth_flow.py
+++ b/tests/test_gn_auth_auth_flow.py
@@ -123,3 +123,71 @@ class TestTokenGrantRejection:
 assert resp.status_code == 401, (
 f"Expected 401 for unknown email, got {resp.status_code}: {resp.text}"
 )
+
+
+# ---------------------------------------------------------------------------
+# GET /auth/user/ — protected endpoint
+# ---------------------------------------------------------------------------
+
+class TestUserProfileWithToken:
+ """GET /auth/user/ with a valid Bearer token returns the user's profile."""
+
+ def test_returns_200_with_valid_token(
+ self, gn_auth_url, http, access_token):
+ resp = http.get(
+ f"{gn_auth_url}/auth/user/",
+ headers={"Authorization": f"Bearer {access_token}"},
+ timeout=30,
+ )
+ assert resp.status_code == 200, (
+ f"Expected 200 from /auth/user/ with token, "
+ f"got {resp.status_code}: {resp.text}"
+ )
+
+ def test_response_contains_user_fields(
+ self, gn_auth_url, http, access_token):
+ resp = http.get(
+ f"{gn_auth_url}/auth/user/",
+ headers={"Authorization": f"Bearer {access_token}"},
+ timeout=30,
+ )
+ data = resp.json()
+ for field in ("user_id", "email", "name"):
+ assert field in data, (
+ f"Missing field '{field}' in user profile response: {data}"
+ )
+
+ def test_response_email_matches_credentials(
+ self, gn_auth_url, http, access_token, oauth2_credentials):
+ expected_email, *_ = oauth2_credentials
+ resp = http.get(
+ f"{gn_auth_url}/auth/user/",
+ headers={"Authorization": f"Bearer {access_token}"},
+ timeout=30,
+ )
+ assert resp.json().get("email") == expected_email, (
+ f"Profile email {resp.json().get('email')!r} does not match "
+ f"credentials email {expected_email!r}"
+ )
+
+
+class TestUserProfileWithoutToken:
+ """GET /auth/user/ without a token must be rejected."""
+
+ def test_returns_401_without_token(self, gn_auth_url, http):
+ resp = http.get(f"{gn_auth_url}/auth/user/", timeout=30)
+ assert resp.status_code == 401, (
+ f"Expected 401 from /auth/user/ without token, "
+ f"got {resp.status_code}: {resp.text}"
+ )
+
+ def test_returns_401_with_invalid_token(self, gn_auth_url, http):
+ resp = http.get(
+ f"{gn_auth_url}/auth/user/",
+ headers={"Authorization": "Bearer this-is-not-a-valid-token"},
+ timeout=30,
+ )
+ assert resp.status_code == 401, (
+ f"Expected 401 from /auth/user/ with garbage token, "
+ f"got {resp.status_code}: {resp.text}"
+ )
-- cgit 1.4.1
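Review bot: `test_response_contains_user_fields` and `test_response_email_matches_credentials` call `resp.json()` without first asserting the status code, so a non-200 reply (for example a 401 with a non-JSON body) fails with a decode error or a `None` comparison instead of the informative message the first test produces; add `assert resp.status_code == 200, resp.text` before `data = resp.json()` and before the `.get("email")` assertion. The same `http.get(f"{gn_auth_url}/auth/user/", headers=..., timeout=30)` call is repeated three times and could become a `profile_response` fixture, and the third test reads `resp.json()` twice where one local would do. In `TestUserProfileWithoutToken`, the 401 assertions could also check that the response advertises the scheme, e.g. `assert resp.headers.get("WWW-Authenticate", "").startswith("Bearer")`, if the service follows RFC 6750 — that is inferred, not visible here. The rejected token `this-is-not-a-valid-token` only exercises token parsing; a well-formed token with a bad signature or past expiry, if the fixtures can mint one, would confirm that the endpoint verifies tokens rather than merely parses them. The three context lines at the top belong to `TestTokenGrantRejection`, which starts outside the hunk.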