favoritter/internal/store/signup_request_test.go

// SPDX-License-Identifier: AGPL-3.0-or-later

package store

import (
	"testing"
)

func TestSignupRequestCreateAndList(t *testing.T) {
	db := testDB(t)
	requests := NewSignupRequestStore(db)

	Argon2Memory = 1024
	Argon2Time = 1
	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()

	err := requests.Create("newuser", "password123")
	if err != nil {
		t.Fatalf("create request: %v", err)
	}

	// Duplicate should fail.
	err = requests.Create("newuser", "password456")
	if err != ErrSignupRequestExists {
		t.Errorf("duplicate: err = %v, want ErrSignupRequestExists", err)
	}

	pending, err := requests.ListPending()
	if err != nil {
		t.Fatalf("list pending: %v", err)
	}
	if len(pending) != 1 {
		t.Fatalf("pending count = %d, want 1", len(pending))
	}
	if pending[0].Username != "newuser" {
		t.Errorf("username = %q, want %q", pending[0].Username, "newuser")
	}
	if pending[0].Status != "pending" {
		t.Errorf("status = %q, want pending", pending[0].Status)
	}

	count, _ := requests.PendingCount()
	if count != 1 {
		t.Errorf("pending count = %d, want 1", count)
	}
}

func TestSignupRequestApprove(t *testing.T) {
	db := testDB(t)
	users := NewUserStore(db)
	requests := NewSignupRequestStore(db)

	Argon2Memory = 1024
	Argon2Time = 1
	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()

	// Create an admin to act as reviewer.
	admin, _ := users.Create("admin", "adminpass", "admin")

	// Create a signup request.
	requests.Create("newuser", "password123")
	pending, _ := requests.ListPending()
	requestID := pending[0].ID

	// Approve it.
	err := requests.Approve(requestID, admin.ID)
	if err != nil {
		t.Fatalf("approve: %v", err)
	}

	// The user should now exist with must_reset_password=1.
	user, err := users.GetByUsername("newuser")
	if err != nil {
		t.Fatalf("get approved user: %v", err)
	}
	if !user.MustResetPassword {
		t.Error("approved user should have must_reset_password=true")
	}

	// The request should no longer be pending.
	count, _ := requests.PendingCount()
	if count != 0 {
		t.Errorf("pending count after approve = %d, want 0", count)
	}

	// The approved request should have the correct status.
	sr, _ := requests.GetByID(requestID)
	if sr.Status != "approved" {
		t.Errorf("status = %q, want approved", sr.Status)
	}

	// Double-approve should fail.
	err = requests.Approve(requestID, admin.ID)
	if err == nil {
		t.Error("double approve should fail")
	}
}

func TestSignupRequestReject(t *testing.T) {
	db := testDB(t)
	users := NewUserStore(db)
	requests := NewSignupRequestStore(db)

	Argon2Memory = 1024
	Argon2Time = 1
	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()

	admin, _ := users.Create("admin", "adminpass", "admin")
	requests.Create("rejectme", "password123")
	pending, _ := requests.ListPending()
	requestID := pending[0].ID

	err := requests.Reject(requestID, admin.ID)
	if err != nil {
		t.Fatalf("reject: %v", err)
	}

	// Should not be in pending list.
	count, _ := requests.PendingCount()
	if count != 0 {
		t.Errorf("pending count after reject = %d, want 0", count)
	}

	// User should NOT have been created.
	_, err = users.GetByUsername("rejectme")
	if err != ErrUserNotFound {
		t.Errorf("rejected user should not exist: err = %v", err)
	}

	// Double-reject should fail.
	err = requests.Reject(requestID, admin.ID)
	if err != ErrSignupRequestNotFound {
		t.Errorf("double reject: err = %v, want ErrSignupRequestNotFound", err)
	}
}
test: add comprehensive test suite (44 tests across 3 packages) Store tests (21 tests): - Session: create, validate, delete, delete-all, expiry - Signup requests: create, duplicate, list pending, approve (creates user with must-reset), reject, double-approve/reject - Existing: user CRUD, auth, fave CRUD, tags, pagination Middleware tests (9 tests): - Real IP extraction from trusted/untrusted proxies - Base path stripping (with prefix, empty prefix) - Rate limiter (per-IP, exhaustion, different IPs) - Panic recovery (returns 500) - Security headers (CSP, X-Frame-Options, etc.) - RequireLogin redirect - MustResetPasswordGuard (static path passthrough) Handler integration tests (14 tests): - Health endpoint - Login page rendering, successful login, wrong password - Fave list requires auth, works when authenticated - Private fave hidden from other users, visible to owner - Admin panel requires admin role, works for admin - Tag search endpoint - Global Atom feed - Public profile with display name - Limited profile hides bio Also fixes template bugs: profile.html and fave_detail.html used $.IsOwner which fails inside {{with}} blocks ($ = root PageData, not .Data map). Fixed with $d variable capture pattern. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-29 16:47:32 +02:00			`// SPDX-License-Identifier: AGPL-3.0-or-later`

			`package store`

			`import (`
			`"testing"`
			`)`

			`func TestSignupRequestCreateAndList(t *testing.T) {`
			`db := testDB(t)`
			`requests := NewSignupRequestStore(db)`

			`Argon2Memory = 1024`
			`Argon2Time = 1`
			`defer func() { Argon2Memory = 65536; Argon2Time = 3 }()`

			`err := requests.Create("newuser", "password123")`
			`if err != nil {`
			`t.Fatalf("create request: %v", err)`
			`}`

			`// Duplicate should fail.`
			`err = requests.Create("newuser", "password456")`
			`if err != ErrSignupRequestExists {`
			`t.Errorf("duplicate: err = %v, want ErrSignupRequestExists", err)`
			`}`

			`pending, err := requests.ListPending()`
			`if err != nil {`
			`t.Fatalf("list pending: %v", err)`
			`}`
			`if len(pending) != 1 {`
			`t.Fatalf("pending count = %d, want 1", len(pending))`
			`}`
			`if pending[0].Username != "newuser" {`
			`t.Errorf("username = %q, want %q", pending[0].Username, "newuser")`
			`}`
			`if pending[0].Status != "pending" {`
			`t.Errorf("status = %q, want pending", pending[0].Status)`
			`}`

			`count, _ := requests.PendingCount()`
			`if count != 1 {`
			`t.Errorf("pending count = %d, want 1", count)`
			`}`
			`}`

			`func TestSignupRequestApprove(t *testing.T) {`
			`db := testDB(t)`
			`users := NewUserStore(db)`
			`requests := NewSignupRequestStore(db)`

			`Argon2Memory = 1024`
			`Argon2Time = 1`
			`defer func() { Argon2Memory = 65536; Argon2Time = 3 }()`

			`// Create an admin to act as reviewer.`
			`admin, _ := users.Create("admin", "adminpass", "admin")`

			`// Create a signup request.`
			`requests.Create("newuser", "password123")`
			`pending, _ := requests.ListPending()`
			`requestID := pending[0].ID`

			`// Approve it.`
			`err := requests.Approve(requestID, admin.ID)`
			`if err != nil {`
			`t.Fatalf("approve: %v", err)`
			`}`

			`// The user should now exist with must_reset_password=1.`
			`user, err := users.GetByUsername("newuser")`
			`if err != nil {`
			`t.Fatalf("get approved user: %v", err)`
			`}`
			`if !user.MustResetPassword {`
			`t.Error("approved user should have must_reset_password=true")`
			`}`

			`// The request should no longer be pending.`
			`count, _ := requests.PendingCount()`
			`if count != 0 {`
			`t.Errorf("pending count after approve = %d, want 0", count)`
			`}`

			`// The approved request should have the correct status.`
			`sr, _ := requests.GetByID(requestID)`
			`if sr.Status != "approved" {`
			`t.Errorf("status = %q, want approved", sr.Status)`
			`}`

			`// Double-approve should fail.`
			`err = requests.Approve(requestID, admin.ID)`
			`if err == nil {`
			`t.Error("double approve should fail")`
			`}`
			`}`

			`func TestSignupRequestReject(t *testing.T) {`
			`db := testDB(t)`
			`users := NewUserStore(db)`
			`requests := NewSignupRequestStore(db)`

			`Argon2Memory = 1024`
			`Argon2Time = 1`
			`defer func() { Argon2Memory = 65536; Argon2Time = 3 }()`

			`admin, _ := users.Create("admin", "adminpass", "admin")`
			`requests.Create("rejectme", "password123")`
			`pending, _ := requests.ListPending()`
			`requestID := pending[0].ID`

			`err := requests.Reject(requestID, admin.ID)`
			`if err != nil {`
			`t.Fatalf("reject: %v", err)`
			`}`

			`// Should not be in pending list.`
			`count, _ := requests.PendingCount()`
			`if count != 0 {`
			`t.Errorf("pending count after reject = %d, want 0", count)`
			`}`

			`// User should NOT have been created.`
			`_, err = users.GetByUsername("rejectme")`
			`if err != ErrUserNotFound {`
			`t.Errorf("rejected user should not exist: err = %v", err)`
			`}`

			`// Double-reject should fail.`
			`err = requests.Reject(requestID, admin.ID)`
			`if err != ErrSignupRequestNotFound {`
			`t.Errorf("double reject: err = %v, want ErrSignupRequestNotFound", err)`
			`}`
			`}`