Testing
Test Kernia through mounted HTTP routes and real adapter behavior.
Kernia tests should prioritize public behavior: HTTP requests, cookies, database writes, OAuth callbacks, emails, webhooks, and route authorization. Helper unit tests are useful, but they do not prove the auth surface works.
Test layers
| Layer | Purpose |
|---|---|
| Unit | Hashing, token parsing, option normalization, small helpers. |
| Route | Mounted HTTP behavior, cookies, errors, sessions, and payloads. |
| Adapter | Real database behavior for each supported adapter. |
| Provider | Mock OAuth, SAML, Stripe, email, SMS, and passkey flows. |
| Browser | Demo login, settings, admin, billing, and session flows. |
ASGI driver
Use kernia_test_utils.ASGIDriver to call a mounted FastAPI or Starlette app without a live network port.
```python
from kernia_test_utils import ASGIDriver

async def test_email_sign_in(app):
    driver = ASGIDriver(app)
    response = await driver.post("/api/auth/sign-in/email", json={
        "email": "user@example.com",
        "password": "correct-password",
    })
    assert response.status_code == 200
    assert "set-cookie" in response.headers
```
Mock providers
Use deterministic provider fakes instead of live credentials in normal CI:
| Helper | Use |
|---|---|
| MockIdP | OAuth/OIDC redirect and callback tests. |
| MockSAMLIdP | Enterprise SSO tests. |
| MockSMTP | Verification, reset, magic link, and OTP email tests. |
| MockSMS | Phone verification tests. |
| MockStripe | Catalog sync, portal, checkout, webhook, usage tests. |
| SoftAuthenticator | Passkey registration and assertion tests. |
Adapter matrix
Run critical flows against memory, SQLAlchemy, Mongo, Redis-backed secondary storage, and containerized databases when the feature depends on storage semantics.
```shell
uv run pytest packages/ e2e/ -q
```
Browser tests
The SaaS demo should have Playwright tests for login, logout, settings/profile, linked accounts, sessions revoke, API key create/revoke, admin method toggles, email client config, Stripe import, billing checks, and usage display.
```shell
cd apps/demo-web
pnpm test:e2e
```
Assertions that matter
- HTTP status and stable error code.
- Cookie name, flags, domain, path, and expiration.
- Database rows created, updated, or deleted.
- Secret redaction on reads.
- Webhook signature verification.
- Disabled or not-configured provider behavior.
- Browser-visible state after real route calls.
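The cookie item in the list above calls for more than checking that a `set-cookie` header exists. The helper below is an added example, not part of Kernia or `kernia_test_utils`; it parses one Set-Cookie value with the standard library and reports every attribute that deviates from what the test expects. The cookie name `session_token`, the sample header values, and the expected attributes are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie values. The cookie name and attributes are
# assumptions for illustration, not Kernia's documented defaults.
GOOD = "session_token=abc123; Path=/; Max-Age=604800; HttpOnly; Secure; SameSite=Lax"
WEAK = "session_token=abc123; Path=/api; Domain=.example.com; SameSite=None"


def cookie_problems(set_cookie, name, *, path="/", domain="", max_age_limit=None):
    """Return a list of attribute problems for cookie `name`.

    `set_cookie` is a single Set-Cookie header value; a response that sets
    several cookies needs one call per header value.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return [f"cookie {name!r} not set"]
    morsel = jar[name]
    problems = []
    # Flags parse to True when present and to "" when absent.
    if not morsel["httponly"]:
        problems.append("missing HttpOnly")
    if not morsel["secure"]:
        problems.append("missing Secure")
    samesite = morsel["samesite"].lower()
    if samesite not in ("lax", "strict"):
        problems.append(f"SameSite is {samesite or 'unset'}")
    # Scope: a wider Domain or an unexpected Path changes where the cookie is sent.
    if morsel["path"] != path:
        problems.append(f"Path is {morsel['path'] or 'unset'}")
    if morsel["domain"] != domain:
        problems.append(f"Domain is {morsel['domain'] or 'unset'}")
    # Lifetime: require an explicit Max-Age no longer than the limit.
    if max_age_limit is not None:
        max_age = morsel["max-age"]
        if not max_age.isdigit() or int(max_age) > max_age_limit:
            problems.append(f"Max-Age is {max_age or 'unset'}")
    return problems
```

In a route test, assert that the returned list is empty so a failure message names every attribute that regressed at once.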
Test data
Keep test users and organizations explicit. Do not reuse provider secrets or production-like emails. For OAuth and SAML, generate deterministic keys in fixtures and keep them scoped to the test process.