129 lines
3.3 KiB
Go
129 lines
3.3 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestJWTManager_GenerateValidate_Roundtrip(t *testing.T) {
|
|
m := NewJWTManager("test-secret-123")
|
|
token, err := m.GenerateToken(42, "user@example.com", "User", []string{"admin", "user"})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if token == "" {
|
|
t.Error("empty token")
|
|
}
|
|
|
|
claims, err := m.ValidateToken(token)
|
|
if err != nil {
|
|
t.Fatalf("validate: %v", err)
|
|
}
|
|
if claims.UserID != 42 || claims.Email != "user@example.com" || len(claims.Roles) != 2 {
|
|
t.Errorf("claims: %+v", claims)
|
|
}
|
|
if claims.ExpiresAt == nil || time.Until(claims.ExpiresAt.Time) > time.Hour {
|
|
t.Error("expiry not ~1h")
|
|
}
|
|
}
|
|
|
|
func TestJWTManager_DevSecretFallback(t *testing.T) {
|
|
m := NewJWTManager("") // empty -> dev
|
|
token, _ := m.GenerateToken(1, "a@b", "A", nil)
|
|
_, err := m.ValidateToken(token)
|
|
if err != nil {
|
|
t.Error("dev secret should allow roundtrip")
|
|
}
|
|
}
|
|
|
|
func TestJWTManager_BadToken(t *testing.T) {
|
|
m := NewJWTManager("s")
|
|
if _, err := m.ValidateToken("not.a.jwt"); err == nil {
|
|
t.Error("bad token should err")
|
|
}
|
|
// wrong sig
|
|
m2 := NewJWTManager("other")
|
|
tok, _ := m2.GenerateToken(1, "e", "n", nil)
|
|
if _, err := m.ValidateToken(tok); err == nil {
|
|
t.Error("wrong sig should invalid")
|
|
}
|
|
}
|
|
|
|
func TestJWTManager_Middleware(t *testing.T) {
|
|
m := NewJWTManager("sec")
|
|
token, _ := m.GenerateToken(7, "m@e", "M", []string{"admin"})
|
|
|
|
// with valid bearer
|
|
h := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
c, ok := GetUserFromContext(r.Context())
|
|
if !ok || c.UserID != 7 {
|
|
t.Error("claims not in ctx")
|
|
}
|
|
w.WriteHeader(200)
|
|
}))
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
rr := httptest.NewRecorder()
|
|
h.ServeHTTP(rr, req)
|
|
if rr.Code != 200 {
|
|
t.Errorf("valid bearer: %d", rr.Code)
|
|
}
|
|
|
|
// no token: passes through (no 401)
|
|
h2 := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(204)
|
|
}))
|
|
req2 := httptest.NewRequest("GET", "/", nil)
|
|
rr2 := httptest.NewRecorder()
|
|
h2.ServeHTTP(rr2, req2)
|
|
if rr2.Code != 204 {
|
|
t.Error("no token should pass")
|
|
}
|
|
|
|
// bad token: 401
|
|
req3 := httptest.NewRequest("GET", "/", nil)
|
|
req3.Header.Set("Authorization", "Bearer bad")
|
|
rr3 := httptest.NewRecorder()
|
|
h.ServeHTTP(rr3, req3)
|
|
if rr3.Code != 401 {
|
|
t.Errorf("bad token 401: %d", rr3.Code)
|
|
}
|
|
|
|
// wrong scheme
|
|
req4 := httptest.NewRequest("GET", "/", nil)
|
|
req4.Header.Set("Authorization", "Basic foo")
|
|
rr4 := httptest.NewRecorder()
|
|
h.ServeHTTP(rr4, req4)
|
|
if rr4.Code != 401 {
|
|
t.Errorf("bad scheme: %d", rr4.Code)
|
|
}
|
|
}
|
|
|
|
func TestRequireAuth(t *testing.T) {
|
|
// direct, needs ctx with claims
|
|
m := NewJWTManager("s")
|
|
tok, _ := m.GenerateToken(99, "r@a", "R", nil)
|
|
claims, _ := m.ValidateToken(tok)
|
|
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
// without ctx
|
|
rr := httptest.NewRecorder()
|
|
c, ok := RequireAuth(rr, req)
|
|
if ok || c != nil || rr.Code != 401 {
|
|
t.Error("require without claims should 401")
|
|
}
|
|
|
|
// with ctx set via context value
|
|
req2 := httptest.NewRequest("GET", "/", nil)
|
|
ctx := context.WithValue(req2.Context(), UserContextKey, claims)
|
|
req2 = req2.WithContext(ctx)
|
|
rr2 := httptest.NewRecorder()
|
|
c2, ok2 := RequireAuth(rr2, req2)
|
|
if !ok2 || c2.UserID != 99 {
|
|
t.Error("require with claims failed")
|
|
}
|
|
}
|