Refactor session tests and add test cases for invalid token payloads

.github/workflows/tests.yml

@@ -8,7 +8,7 @@ jobs:
       fail-fast: false
       matrix:
         python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
-        os: [ubuntu-latest, macos-latest, windows-latest]
+        os: [ubuntu-latest, windows-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

TODO.md

@@ -1,22 +1,21 @@
 # TODO List
 ## General
 - [x] add code coverage to SonarQube
-- [x] add SonarQube quality gate badge
-- [x] add code coverage score badge
-- [ ] add pylint score badge in Github
+- [x] add SonarQube quality gate & code coverage score badge at README.md
+- [x] add pylint & pytest Github workflows
 
 ## Auth
 - [ ] when login, allow "Remember me"
-    - No remember me, access token expiry in 15mins, refresh token expiry in 1 hour
-    - Remember me, access token expiry in 1 day, refresh token expiry in 2 weeks
+    - No remember me, access token expiry in `15mins`, refresh token expiry in `1 hour`
+    - Remember me, access token expiry in `1 day`, refresh token expiry in `2 weeks`
 - [ ] Token revocation
     - when user logged out, session will be revoked. Tokens of same session will be denied access.
     - active session info will be store in cache & database (same expiry time as the refresh token)
         - session cache
-        - key: {user_id}{session_id}, value: SessionInfo
+        - key: `{user_id}{session_id}`, value: `SessionInfo`
     - valid tokens (whitelist tokens) will be store in cache (same expiry as the related token)
       - active token cache
-        - key: {token_jti}, value: {"type": "access token", "sibling_id": "jti of sibling"}
+        - key: `{token_jti}`, value: `{"type": "access token", "sibling_id": "jti of sibling"}`
         - expiry same as the token
 - [ ] Token reply attack prevention
     - when user refreshes tokens, old tokens (access & refresh token) will be revoked. Refresh token are for single use only

tests/auth/test_session.py

@@ -97,15 +97,24 @@ async def test_update_last_activity():
         print("Session not exists, creating session in cache...")
         await create_session_in_cache(user_id=user_id, session_id=session_id)
 
-    # Create a payload with the user_id and session_id
-    payload = {"sub": user_id, "sid": session_id}
+    # Create a valid token payload
+    token_payload = {"sub": user_id, "sid": session_id}
 
-    # Call the function with the payload
-    result = await update_last_activity(payload)
+    # update existing session last activity
+    result = await update_last_activity(token_payload)
 
     # Assert that the result is True, indicating the session was successfully updated
     assert result is True
 
+    # Create a invalid token payload (fake session id)
+    token_payload = {"sub": user_id, "sid": "session-" + str(uuid.uuid4())[8:]}
+
+    # update non-existing session last activity
+    result = await update_last_activity(token_payload)
+
+    # Assert that the result is False, indicating the session was not updated
+    assert result is False
+
 @pytest.mark.asyncio
 async def test_remove():
     """
@@ -120,6 +129,10 @@ async def test_remove():
     # Assert that the result is 1, indicating one session was successfully removed
     assert result == 1
 
+    # expect raise ValueError
+    with pytest.raises(ValueError) as exc_info:
+        await remove("", session_id)
+
 @pytest.mark.asyncio
 async def test_retrieve_by_userid():
     """