From a93c93faa471f8ec2d0e877c01a8a89e163636a3 Mon Sep 17 00:00:00 2001
From: Mondo Diaz
Date: Fri, 16 Jan 2026 21:04:31 +0000
Subject: [PATCH] Fix integration tests authentication for CI environments

- Make integration_client fixture session-scoped (single login per test run)
- Add configurable credentials via ORCHARD_TEST_USERNAME/PASSWORD env vars
- Fail fast with clear error message if authentication fails
- Add cookie verification after login
- Remove silent failure mode that hid auth issues
---
 CHANGELOG.md | 1 +
 backend/tests/conftest.py | 35 +++++++++++++++++++++++++----------
 2 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cdf8da3..3725393 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -81,6 +81,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Improved pod naming: Orchard pods now named `orchard-{env}-server-*` for clarity (#51)
 
 ### Fixed
+- Fixed integration tests auth: session-scoped client, configurable credentials via env vars, fail-fast on auth errors
 - Fixed Content-Disposition header encoding for non-ASCII filenames using RFC 5987 (#38)
 - Fixed deploy jobs running even when tests or security scans fail (changed rules from `when: always` to `when: on_success`) (#63)
 - Fixed python_tests job not using internal PyPI proxy (#63)
diff --git a/backend/tests/conftest.py b/backend/tests/conftest.py
index abfaa3f..3e04096 100644
--- a/backend/tests/conftest.py
+++ b/backend/tests/conftest.py
@@ -181,29 +181,44 @@ def test_app(): # ============================================================================= -@pytest.fixture +@pytest.fixture(scope="session") def integration_client(): """ Create an authenticated test client for integration tests. - Uses the real database and MinIO from docker-compose.local.yml. - Authenticates as admin for write operations. + Uses the real database and MinIO from docker-compose.local.yml or deployed environment. + Authenticates as admin for write operations. Session-scoped to reuse login across tests. + + Environment variables: + ORCHARD_TEST_URL: Base URL of the Orchard server (default: http://localhost:8080) + ORCHARD_TEST_USERNAME: Admin username for authentication (default: admin) + ORCHARD_TEST_PASSWORD: Admin password for authentication (default: changeme123) """ - from httpx import Client + import httpx - # Connect to the running orchard-server container + # Connect to the running orchard-server container or deployed environment base_url = os.environ.get("ORCHARD_TEST_URL", "http://localhost:8080") + username = os.environ.get("ORCHARD_TEST_USERNAME", "admin") + password = os.environ.get("ORCHARD_TEST_PASSWORD", "changeme123") - with Client(base_url=base_url, timeout=30.0) as client: + with httpx.Client(base_url=base_url, timeout=30.0) as client: # Login as admin to enable write operations login_response = client.post( "/api/v1/auth/login", - json={"username": "admin", "password": "changeme123"}, + json={"username": username, "password": password}, ) - # If login fails, tests will fail - that's expected if auth is broken if login_response.status_code != 200: - # Try to continue without auth for backward compatibility - pass + pytest.fail( + f"Authentication failed against {base_url}: {login_response.status_code} - {login_response.text}. " + f"Set ORCHARD_TEST_USERNAME and ORCHARD_TEST_PASSWORD environment variables if using non-default credentials." 
+ ) + + # Verify cookie was set + if not client.cookies: + pytest.fail( + f"Login succeeded but no session cookie was set. Response headers: {login_response.headers}" + ) + yield client
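Review bot: The new `if not client.cookies:` failure message interpolates the full `login_response.headers`, and that branch fires exactly when the server may have answered with a `Set-Cookie` that the client did not store, so a valid admin session token can end up in CI logs for a deployed environment; as far as I know httpx only masks authorization headers when printing them. Print header names instead, e.g. `f"Login succeeded but no session cookie was set. Response header names: {sorted(login_response.headers.keys())}"`. The first `pytest.fail` likewise echoes `login_response.text` verbatim, which is worth truncating if the login endpoint can reflect the submitted body. Separately, the `changeme123` fallback is still sent to whatever `ORCHARD_TEST_URL` points at, so for non-local targets it would be safer to require `ORCHARD_TEST_PASSWORD` explicitly rather than default it.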