Update authentication to use session token from login response

- Modified SessionHandler to extract sessionToken directly from login response
- Added domain field to SessionCredentials (defaults to "default")
- Updated login endpoint from /auth/login to /login
- Added both X-Auth-Token and Authorization headers as per DXTrade API spec
- Added session expiration check based on login time (1 hour)
- Added LoginResponse model for proper response parsing
- Added login() and logout() convenience methods to DXtradeClient
- Updated tests to reflect new authentication flow

Author: scotthooker

src/dxtrade/auth.py

@@ -194,8 +194,9 @@ def __init__(self, credentials: SessionCredentials) -> None:
             )
         super().__init__(credentials)
         self.credentials: SessionCredentials = credentials
-        self._session_token: Optional[str] = credentials.session_token
+        self._session_token: Optional[str] = None
         self._token_expires_at: Optional[float] = None
+        self._last_login: Optional[float] = None
 
     async def authenticate(
         self,
@@ -221,7 +222,9 @@ async def authenticate(
         if not self._session_token:
             raise DXtradeAuthenticationError("Failed to obtain session token")
 
-        request.headers["Authorization"] = f"Bearer {self._session_token}"
+        # Add both X-Auth-Token and Authorization headers as shown in the example
+        request.headers["X-Auth-Token"] = self._session_token
+        request.headers["Authorization"] = f"DXAPI {self._session_token}"
         return request
 
     async def _refresh_session_token(self, client: httpx.AsyncClient) -> None:
@@ -237,26 +240,25 @@ async def _refresh_session_token(self, client: httpx.AsyncClient) -> None:
             login_data = {
                 "username": self.credentials.username,
                 "password": self.credentials.password,
+                "domain": self.credentials.domain or "default",
             }
 
-            response = await client.post("/auth/login", json=login_data)
+            response = await client.post("/login", json=login_data)
             response.raise_for_status()
 
             data = response.json()
-            if not data.get("success"):
-                raise DXtradeAuthenticationError(
-                    data.get("message", "Login failed")
-                )
-            
-            token_data = data.get("data", {})
-            self._session_token = token_data.get("token")
 
-            # Set token expiration (assuming 1 hour if not provided)
-            expires_in = token_data.get("expires_in", 3600)
-            self._token_expires_at = time.time() + expires_in - 300  # 5 min buffer
+            # Extract session token directly from response
+            self._session_token = data.get("sessionToken")
 
             if not self._session_token:
-                raise DXtradeAuthenticationError("No token in login response")
+                raise DXtradeAuthenticationError(
+                    data.get("message", "No session token in response")
+                )
+            
+            # Set token expiration (default to 1 hour as per example)
+            self._token_expires_at = time.time() + 3600 - 300  # 1 hour with 5 min buffer
+            self._last_login = time.time()
 
         except httpx.HTTPError as e:
             raise DXtradeAuthenticationError(f"Login request failed: {e}") from e
@@ -267,8 +269,13 @@ def _is_token_expired(self) -> bool:
         Returns:
             True if token is expired or expiring soon
         """
-        if not self._token_expires_at:
+        if not self._token_expires_at or not self._last_login:
+            return True
+        
+        # Re-login if session is older than 1 hour (as per example)
+        if (time.time() - self._last_login) > 3600:
             return True
+            
         return time.time() >= self._token_expires_at
 
     def get_auth_type(self) -> AuthType:
@@ -290,14 +297,18 @@ async def logout(self, client: httpx.AsyncClient) -> None:
 
         try:
             # Try to invalidate token on server
-            headers = {"Authorization": f"Bearer {self._session_token}"}
-            await client.post("/auth/logout", headers=headers)
+            headers = {
+                "X-Auth-Token": self._session_token,
+                "Authorization": f"DXAPI {self._session_token}"
+            }
+            await client.post("/logout", headers=headers)
         except httpx.HTTPError:
             # Ignore logout errors - we'll clear the token anyway
             pass
         finally:
             self._session_token = None
             self._token_expires_at = None
+            self._last_login = None
 
 
 class AuthFactory:

src/dxtrade/client.py

@@ -182,6 +182,33 @@ async def close(self) -> None:
 
     # Convenience methods for common operations
 
+    async def login(self) -> bool:
+        """Perform login for session-based authentication.
+        
+        This is automatically called when needed for session auth,
+        but can be called manually to pre-authenticate.
+        
+        Returns:
+            True if login successful
+            
+        Raises:
+            DXtradeAuthenticationError: Login failed
+        """
+        from dxtrade.auth import SessionHandler
+        
+        if isinstance(self._auth_handler, SessionHandler):
+            # Force refresh of session token
+            await self._auth_handler._refresh_session_token(self._http_client._client)
+            return True
+        return False
+    
+    async def logout(self) -> None:
+        """Perform logout for session-based authentication."""
+        from dxtrade.auth import SessionHandler
+        
+        if isinstance(self._auth_handler, SessionHandler):
+            await self._auth_handler.logout(self._http_client._client)
+    
     async def get_server_time(self):
         """Get server time (convenience method)."""
         return await self.instruments.get_server_time()

src/dxtrade/models.py

@@ -138,7 +138,19 @@ class SessionCredentials(Credentials):
     """Session-based authentication credentials."""
     username: str = Field(..., description="Username")
     password: str = Field(..., description="Password", repr=False)
-    session_token: Optional[str] = Field(None, description="Session token")
+    domain: str = Field("default", description="Login domain")
+
+
+# ============================================================================
+# Authentication Response Models
+# ============================================================================
+
+class LoginResponse(DXtradeBaseModel):
+    """Login response from DXtrade API."""
+    sessionToken: str = Field(..., description="Session authentication token")
+    expiresIn: Optional[int] = Field(None, description="Token expiration time in seconds")
+    userId: Optional[str] = Field(None, description="User identifier")
+    accounts: Optional[List[str]] = Field(None, description="Available account IDs")
 
 
 # ============================================================================

tests/conftest.py

@@ -54,7 +54,8 @@ def session_credentials():
     """Session credentials fixture."""
     return SessionCredentials(
         username="test_user",
-        password="test_password"
+        password="test_password",
+        domain="default"
     )
 
 

tests/test_auth.py

@@ -183,46 +183,48 @@ def test_init_with_invalid_credentials(self, bearer_token_credentials):
         with pytest.raises(DXtradeConfigurationError):
             SessionHandler(bearer_token_credentials)
 
-    def test_init_with_existing_token(self):
-        """Test initialization with existing session token."""
+    def test_init_without_token(self):
+        """Test initialization without existing session token."""
         credentials = SessionCredentials(
             username="test_user",
             password="test_password",
-            session_token="existing_token"
+            domain="default"
         )
         handler = SessionHandler(credentials)
-        assert handler._session_token == "existing_token"
+        assert handler._session_token is None
+        assert handler._last_login is None
 
     @pytest.mark.asyncio
     async def test_authenticate_with_valid_token(self, session_credentials):
         """Test authentication with valid session token."""
         handler = SessionHandler(session_credentials)
         handler._session_token = "valid_token"
         handler._token_expires_at = time.time() + 3600  # 1 hour from now
+        handler._last_login = time.time()  # Just logged in
 
         request = MagicMock(spec=httpx.Request)
         request.headers = {}
         client = AsyncMock(spec=httpx.AsyncClient)
 
         authenticated_request = await handler.authenticate(request, client)
 
-        assert authenticated_request.headers["Authorization"] == "Bearer valid_token"
+        assert authenticated_request.headers["X-Auth-Token"] == "valid_token"
+        assert authenticated_request.headers["Authorization"] == "DXAPI valid_token"
 
     @pytest.mark.asyncio
     async def test_authenticate_requires_login(self, session_credentials):
         """Test authentication that requires login."""
         handler = SessionHandler(session_credentials)
         # No existing token
 
-        # Mock successful login response
+        # Mock successful login response (DXTrade format)
         login_response = MagicMock(spec=httpx.Response)
         login_response.raise_for_status.return_value = None
         login_response.json.return_value = {
-            "success": True,
-            "data": {
-                "token": "new_session_token",
-                "expires_in": 3600
-            }
+            "sessionToken": "new_session_token",
+            "expiresIn": 3600,
+            "userId": "user123",
+            "accounts": ["account1", "account2"]
         }
 
         client = AsyncMock(spec=httpx.AsyncClient)
@@ -233,27 +235,28 @@ async def test_authenticate_requires_login(self, session_credentials):
 
         authenticated_request = await handler.authenticate(request, client)
 
-        # Verify login was called
+        # Verify login was called with domain
         client.post.assert_called_once_with(
-            "/auth/login",
-            json={"username": "test_user", "password": "test_password"}
+            "/login",
+            json={"username": "test_user", "password": "test_password", "domain": "default"}
         )
 
         # Verify token was set
         assert handler._session_token == "new_session_token"
-        assert authenticated_request.headers["Authorization"] == "Bearer new_session_token"
+        assert authenticated_request.headers["X-Auth-Token"] == "new_session_token"
+        assert authenticated_request.headers["Authorization"] == "DXAPI new_session_token"
 
     @pytest.mark.asyncio
     async def test_authenticate_login_failure(self, session_credentials):
         """Test authentication with login failure."""
         handler = SessionHandler(session_credentials)
 
-        # Mock failed login response
+        # Mock failed login response (no session token)
         login_response = MagicMock(spec=httpx.Response)
         login_response.raise_for_status.return_value = None
         login_response.json.return_value = {
-            "success": False,
             "message": "Invalid credentials"
+            # No sessionToken field
         }
 
         client = AsyncMock(spec=httpx.AsyncClient)
@@ -288,10 +291,17 @@ def test_token_expiration_check(self, session_credentials):
 
         # Expired token
         handler._token_expires_at = time.time() - 3600  # 1 hour ago
+        handler._last_login = time.time() - 7200  # 2 hours ago
+        assert handler._is_token_expired() is True
+        
+        # Valid token but session older than 1 hour
+        handler._token_expires_at = time.time() + 3600  # 1 hour from now
+        handler._last_login = time.time() - 3700  # >1 hour ago
         assert handler._is_token_expired() is True
 
-        # Valid token
+        # Valid token and recent session
         handler._token_expires_at = time.time() + 3600  # 1 hour from now
+        handler._last_login = time.time() - 1800  # 30 minutes ago
         assert handler._is_token_expired() is False
 
     @pytest.mark.asyncio
@@ -305,10 +315,13 @@ async def test_logout(self, session_credentials):
 
         await handler.logout(client)
 
-        # Verify logout request was made
+        # Verify logout request was made with correct headers
         client.post.assert_called_once_with(
-            "/auth/logout",
-            headers={"Authorization": "Bearer test_token"}
+            "/logout",
+            headers={
+                "X-Auth-Token": "test_token",
+                "Authorization": "DXAPI test_token"
+            }
         )
 
         # Verify token was cleared
@@ -329,6 +342,7 @@ async def test_logout_network_error(self, session_credentials):
 
         # Token should still be cleared
         assert handler._session_token is None
+        assert handler._last_login is None
 
 
 class TestAuthFactory: