favoritter/internal/store/session_test.go

// SPDX-License-Identifier: AGPL-3.0-or-later

package store

import (
	"testing"
	"time"
)

func TestSessionCreateAndValidate(t *testing.T) {
	db := testDB(t)
	users := NewUserStore(db)
	sessions := NewSessionStore(db)

	Argon2Memory = 1024
	Argon2Time = 1
	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()

	user, _ := users.Create("testuser", "password123", "user")

	token, err := sessions.Create(user.ID)
	if err != nil {
		t.Fatalf("create session: %v", err)
	}
	if len(token) != 64 { // 32 bytes hex-encoded
		t.Errorf("token length = %d, want 64", len(token))
	}

	session, err := sessions.Validate(token)
	if err != nil {
		t.Fatalf("validate session: %v", err)
	}
	if session.UserID != user.ID {
		t.Errorf("session user ID = %d, want %d", session.UserID, user.ID)
	}
}

func TestSessionValidateInvalidToken(t *testing.T) {
	db := testDB(t)
	sessions := NewSessionStore(db)

	_, err := sessions.Validate("nonexistent-token")
	if err != ErrSessionNotFound {
		t.Errorf("err = %v, want ErrSessionNotFound", err)
	}
}

func TestSessionDelete(t *testing.T) {
	db := testDB(t)
	users := NewUserStore(db)
	sessions := NewSessionStore(db)

	Argon2Memory = 1024
	Argon2Time = 1
	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()

	user, _ := users.Create("testuser", "password123", "user")
	token, _ := sessions.Create(user.ID)

	err := sessions.Delete(token)
	if err != nil {
		t.Fatalf("delete session: %v", err)
	}

	_, err = sessions.Validate(token)
	if err != ErrSessionNotFound {
		t.Errorf("after delete: err = %v, want ErrSessionNotFound", err)
	}
}

func TestSessionDeleteAllForUser(t *testing.T) {
	db := testDB(t)
	users := NewUserStore(db)
	sessions := NewSessionStore(db)

	Argon2Memory = 1024
	Argon2Time = 1
	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()

	user, _ := users.Create("testuser", "password123", "user")
	token1, _ := sessions.Create(user.ID)
	token2, _ := sessions.Create(user.ID)

	err := sessions.DeleteAllForUser(user.ID)
	if err != nil {
		t.Fatalf("delete all: %v", err)
	}

	_, err = sessions.Validate(token1)
	if err != ErrSessionNotFound {
		t.Error("token1 should be deleted")
	}
	_, err = sessions.Validate(token2)
	if err != ErrSessionNotFound {
		t.Error("token2 should be deleted")
	}
}

func TestSessionExpiry(t *testing.T) {
	db := testDB(t)
	users := NewUserStore(db)
	sessions := NewSessionStore(db)
	sessions.SetLifetime(1 * time.Millisecond)

	Argon2Memory = 1024
	Argon2Time = 1
	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()

	user, _ := users.Create("testuser", "password123", "user")
	token, _ := sessions.Create(user.ID)

	// Wait for expiry.
	time.Sleep(5 * time.Millisecond)

	_, err := sessions.Validate(token)
	if err != ErrSessionNotFound {
		t.Errorf("expired session: err = %v, want ErrSessionNotFound", err)
	}
}
test: add comprehensive test suite (44 tests across 3 packages) Store tests (21 tests): - Session: create, validate, delete, delete-all, expiry - Signup requests: create, duplicate, list pending, approve (creates user with must-reset), reject, double-approve/reject - Existing: user CRUD, auth, fave CRUD, tags, pagination Middleware tests (9 tests): - Real IP extraction from trusted/untrusted proxies - Base path stripping (with prefix, empty prefix) - Rate limiter (per-IP, exhaustion, different IPs) - Panic recovery (returns 500) - Security headers (CSP, X-Frame-Options, etc.) - RequireLogin redirect - MustResetPasswordGuard (static path passthrough) Handler integration tests (14 tests): - Health endpoint - Login page rendering, successful login, wrong password - Fave list requires auth, works when authenticated - Private fave hidden from other users, visible to owner - Admin panel requires admin role, works for admin - Tag search endpoint - Global Atom feed - Public profile with display name - Limited profile hides bio Also fixes template bugs: profile.html and fave_detail.html used $.IsOwner which fails inside {{with}} blocks ($ = root PageData, not .Data map). Fixed with $d variable capture pattern. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-29 16:47:32 +02:00			`// SPDX-License-Identifier: AGPL-3.0-or-later`

			`package store`

			`import (`
			`"testing"`
			`"time"`
			`)`

			`func TestSessionCreateAndValidate(t *testing.T) {`
			`db := testDB(t)`
			`users := NewUserStore(db)`
			`sessions := NewSessionStore(db)`

			`Argon2Memory = 1024`
			`Argon2Time = 1`
			`defer func() { Argon2Memory = 65536; Argon2Time = 3 }()`

			`user, _ := users.Create("testuser", "password123", "user")`

			`token, err := sessions.Create(user.ID)`
			`if err != nil {`
			`t.Fatalf("create session: %v", err)`
			`}`
			`if len(token) != 64 { // 32 bytes hex-encoded`
			`t.Errorf("token length = %d, want 64", len(token))`
			`}`

			`session, err := sessions.Validate(token)`
			`if err != nil {`
			`t.Fatalf("validate session: %v", err)`
			`}`
			`if session.UserID != user.ID {`
			`t.Errorf("session user ID = %d, want %d", session.UserID, user.ID)`
			`}`
			`}`

			`func TestSessionValidateInvalidToken(t *testing.T) {`
			`db := testDB(t)`
			`sessions := NewSessionStore(db)`

			`_, err := sessions.Validate("nonexistent-token")`
			`if err != ErrSessionNotFound {`
			`t.Errorf("err = %v, want ErrSessionNotFound", err)`
			`}`
			`}`

			`func TestSessionDelete(t *testing.T) {`
			`db := testDB(t)`
			`users := NewUserStore(db)`
			`sessions := NewSessionStore(db)`

			`Argon2Memory = 1024`
			`Argon2Time = 1`
			`defer func() { Argon2Memory = 65536; Argon2Time = 3 }()`

			`user, _ := users.Create("testuser", "password123", "user")`
			`token, _ := sessions.Create(user.ID)`

			`err := sessions.Delete(token)`
			`if err != nil {`
			`t.Fatalf("delete session: %v", err)`
			`}`

			`_, err = sessions.Validate(token)`
			`if err != ErrSessionNotFound {`
			`t.Errorf("after delete: err = %v, want ErrSessionNotFound", err)`
			`}`
			`}`

			`func TestSessionDeleteAllForUser(t *testing.T) {`
			`db := testDB(t)`
			`users := NewUserStore(db)`
			`sessions := NewSessionStore(db)`

			`Argon2Memory = 1024`
			`Argon2Time = 1`
			`defer func() { Argon2Memory = 65536; Argon2Time = 3 }()`

			`user, _ := users.Create("testuser", "password123", "user")`
			`token1, _ := sessions.Create(user.ID)`
			`token2, _ := sessions.Create(user.ID)`

			`err := sessions.DeleteAllForUser(user.ID)`
			`if err != nil {`
			`t.Fatalf("delete all: %v", err)`
			`}`

			`_, err = sessions.Validate(token1)`
			`if err != ErrSessionNotFound {`
			`t.Error("token1 should be deleted")`
			`}`
			`_, err = sessions.Validate(token2)`
			`if err != ErrSessionNotFound {`
			`t.Error("token2 should be deleted")`
			`}`
			`}`

			`func TestSessionExpiry(t *testing.T) {`
			`db := testDB(t)`
			`users := NewUserStore(db)`
			`sessions := NewSessionStore(db)`
			`sessions.SetLifetime(1 * time.Millisecond)`

			`Argon2Memory = 1024`
			`Argon2Time = 1`
			`defer func() { Argon2Memory = 65536; Argon2Time = 3 }()`

			`user, _ := users.Create("testuser", "password123", "user")`
			`token, _ := sessions.Create(user.ID)`

			`// Wait for expiry.`
			`time.Sleep(5 * time.Millisecond)`

			`_, err := sessions.Validate(token)`
			`if err != ErrSessionNotFound {`
			`t.Errorf("expired session: err = %v, want ErrSessionNotFound", err)`
			`}`
			`}`