test: add comprehensive test suite (44 tests across 3 packages)
Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
(creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination
Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)
Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio
Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 16:47:32 +02:00
|
|
|
// SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
|
|
|
|
|
|
package handler
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
|
|
|
|
"net/url"
|
|
|
|
|
"strconv"
|
|
|
|
|
"strings"
|
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
|
|
"kode.naiv.no/olemd/favoritter/internal/config"
|
|
|
|
|
"kode.naiv.no/olemd/favoritter/internal/database"
|
|
|
|
|
"kode.naiv.no/olemd/favoritter/internal/middleware"
|
|
|
|
|
"kode.naiv.no/olemd/favoritter/internal/render"
|
|
|
|
|
"kode.naiv.no/olemd/favoritter/internal/store"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// testServer creates a fully wired test server with an in-memory database.
|
|
|
|
|
func testServer(t *testing.T) (*Handler, *http.ServeMux) {
|
|
|
|
|
t.Helper()
|
|
|
|
|
|
|
|
|
|
db, err := database.Open(":memory:")
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("open db: %v", err)
|
|
|
|
|
}
|
|
|
|
|
if err := database.Migrate(db); err != nil {
|
|
|
|
|
t.Fatalf("migrate: %v", err)
|
|
|
|
|
}
|
|
|
|
|
t.Cleanup(func() { db.Close() })
|
|
|
|
|
|
|
|
|
|
// Use fast Argon2 params for tests.
|
|
|
|
|
store.Argon2Memory = 1024
|
|
|
|
|
store.Argon2Time = 1
|
|
|
|
|
|
|
|
|
|
cfg := &config.Config{
|
|
|
|
|
DBPath: ":memory:",
|
|
|
|
|
Listen: ":0",
|
|
|
|
|
UploadDir: t.TempDir(),
|
|
|
|
|
SiteName: "Test",
|
|
|
|
|
DevMode: false, // Use embedded templates in tests.
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
users := store.NewUserStore(db)
|
|
|
|
|
sessions := store.NewSessionStore(db)
|
|
|
|
|
settings := store.NewSettingsStore(db)
|
|
|
|
|
faves := store.NewFaveStore(db)
|
|
|
|
|
tags := store.NewTagStore(db)
|
|
|
|
|
signupRequests := store.NewSignupRequestStore(db)
|
|
|
|
|
|
|
|
|
|
renderer, err := render.New(cfg)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("renderer: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
h := New(Deps{
|
|
|
|
|
Config: cfg,
|
|
|
|
|
Users: users,
|
|
|
|
|
Sessions: sessions,
|
|
|
|
|
Settings: settings,
|
|
|
|
|
Faves: faves,
|
|
|
|
|
Tags: tags,
|
|
|
|
|
SignupRequests: signupRequests,
|
|
|
|
|
Renderer: renderer,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
mux := h.Routes()
|
|
|
|
|
|
test: add comprehensive test suite (44 → 169 tests) and v1.1 plan
Add 125 new test functions across 10 new test files, covering:
- CSRF middleware (8 tests): double-submit cookie validation
- Auth middleware (12 tests): SessionLoader, RequireAdmin, context helpers
- API handlers (28 tests): auth, faves CRUD, tags, users, export/import
- Web handlers (41 tests): signup, login, password reset, fave CRUD,
admin panel, feeds, import/export, profiles, settings
- Config (8 tests): env parsing, defaults, trusted proxies, normalization
- Database (6 tests): migrations, PRAGMAs, idempotency, seeding
- Image processing (10 tests): JPEG/PNG, resize, EXIF strip, path traversal
- Render (6 tests): page/error/partial rendering, template functions
- Settings store (3 tests): CRUD operations
- Regression tests for display name fallback and CSP-safe autocomplete
Also adds CSRF middleware to testServer chain for end-to-end CSRF
verification, TESTPLAN.md documenting coverage, and PLANS-v1.1.md
with implementation plans for notes+OG, PWA, editing UX, and admin.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 00:18:01 +02:00
|
|
|
// Wrap with SessionLoader and CSRFProtection so authenticated tests work.
|
|
|
|
|
chain := middleware.CSRFProtection(cfg)(middleware.SessionLoader(sessions, users)(mux))
|
test: add comprehensive test suite (44 tests across 3 packages)
Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
(creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination
Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)
Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio
Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 16:47:32 +02:00
|
|
|
wrappedMux := http.NewServeMux()
|
|
|
|
|
wrappedMux.Handle("/", chain)
|
|
|
|
|
|
|
|
|
|
return h, wrappedMux
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// loginUser creates a user and returns a session cookie for authenticated requests.
|
|
|
|
|
func loginUser(t *testing.T, h *Handler, username, password, role string) *http.Cookie {
|
|
|
|
|
t.Helper()
|
|
|
|
|
user, err := h.deps.Users.Create(username, password, role)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("create user %s: %v", username, err)
|
|
|
|
|
}
|
|
|
|
|
token, err := h.deps.Sessions.Create(user.ID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("create session: %v", err)
|
|
|
|
|
}
|
|
|
|
|
return &http.Cookie{Name: "session", Value: token}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestHealthEndpoint(t *testing.T) {
|
|
|
|
|
_, mux := testServer(t)
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/health", nil)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusOK {
|
|
|
|
|
t.Errorf("health: got %d, want 200", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
if !strings.Contains(rr.Body.String(), `"status":"ok"`) {
|
|
|
|
|
t.Errorf("health body = %q", rr.Body.String())
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestLoginPageRendering(t *testing.T) {
|
|
|
|
|
_, mux := testServer(t)
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/login", nil)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusOK {
|
|
|
|
|
t.Errorf("login page: got %d, want 200", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
body := rr.Body.String()
|
|
|
|
|
if !strings.Contains(body, "Logg inn") {
|
|
|
|
|
t.Error("login page should contain 'Logg inn'")
|
|
|
|
|
}
|
|
|
|
|
if !strings.Contains(body, "csrf_token") {
|
|
|
|
|
t.Error("login page should contain CSRF token field")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestLoginSuccess(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
|
|
|
|
|
// Create a user.
|
|
|
|
|
h.deps.Users.Create("testuser", "password123", "user")
|
|
|
|
|
|
|
|
|
|
// Get CSRF token from login page.
|
|
|
|
|
getReq := httptest.NewRequest("GET", "/login", nil)
|
|
|
|
|
getRR := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(getRR, getReq)
|
|
|
|
|
csrfCookie := extractCookie(getRR, "csrf_token")
|
|
|
|
|
|
|
|
|
|
// POST login.
|
|
|
|
|
form := url.Values{
|
|
|
|
|
"username": {"testuser"},
|
|
|
|
|
"password": {"password123"},
|
|
|
|
|
"csrf_token": {csrfCookie},
|
|
|
|
|
}
|
|
|
|
|
req := httptest.NewRequest("POST", "/login", strings.NewReader(form.Encode()))
|
|
|
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
|
|
|
req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrfCookie})
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusSeeOther {
|
|
|
|
|
t.Errorf("login POST: got %d, want 303", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Should have a session cookie.
|
|
|
|
|
sessionCookie := extractCookie(rr, "session")
|
|
|
|
|
if sessionCookie == "" {
|
|
|
|
|
t.Error("login should set session cookie")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestLoginWrongPassword(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
h.deps.Users.Create("testuser", "password123", "user")
|
|
|
|
|
|
|
|
|
|
getReq := httptest.NewRequest("GET", "/login", nil)
|
|
|
|
|
getRR := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(getRR, getReq)
|
|
|
|
|
csrfCookie := extractCookie(getRR, "csrf_token")
|
|
|
|
|
|
|
|
|
|
form := url.Values{
|
|
|
|
|
"username": {"testuser"},
|
|
|
|
|
"password": {"wrongpassword"},
|
|
|
|
|
"csrf_token": {csrfCookie},
|
|
|
|
|
}
|
|
|
|
|
req := httptest.NewRequest("POST", "/login", strings.NewReader(form.Encode()))
|
|
|
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
|
|
|
req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrfCookie})
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusOK {
|
|
|
|
|
t.Errorf("wrong password: got %d, want 200 (re-render with flash)", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
if !strings.Contains(rr.Body.String(), "Feil brukernavn eller passord") {
|
|
|
|
|
t.Error("should show error message")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestFaveListRequiresLogin(t *testing.T) {
|
|
|
|
|
_, mux := testServer(t)
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/faves", nil)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusSeeOther {
|
|
|
|
|
t.Errorf("unauthenticated /faves: got %d, want 303 redirect", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestFaveListAuthenticated(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
cookie := loginUser(t, h, "testuser", "pass123", "user")
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/faves", nil)
|
|
|
|
|
req.AddCookie(cookie)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusOK {
|
|
|
|
|
t.Errorf("authenticated /faves: got %d, want 200", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
if !strings.Contains(rr.Body.String(), "Mine favoritter") {
|
|
|
|
|
t.Error("fave list page should contain 'Mine favoritter'")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestPrivateFaveHiddenFromOthers(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
|
|
|
|
|
// User A creates a private fave.
|
|
|
|
|
userA, _ := h.deps.Users.Create("usera", "pass123", "user")
|
feat: add notes field to favorites and enhance OG meta tags
Add an optional long-form "notes" text field to each favorite for
reviews, thoughts, or extended descriptions. The field is stored in
SQLite via a new migration (002_add_fave_notes.sql) and propagated
through the entire stack:
- Model: Notes field on Fave struct
- Store: All SQL queries (Create, GetByID, Update, list methods,
scanFaves) updated with notes column
- Web handlers: Read/write notes in create, edit, update forms
- API handlers: Notes in create, update, get, import request/response
- Export: Notes included in both JSON and CSV exports
- Import: Notes parsed from both JSON and CSV imports
- Feed: Notes used as Atom feed item summary when present
- Form template: New textarea between URL and image fields
- Detail template: Display notes, enhanced og:description with
cascade: notes (truncated) → URL → generic fallback text
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 00:40:08 +02:00
|
|
|
fave, _ := h.deps.Faves.Create(userA.ID, "Secret fave", "", "", "", "private")
|
test: add comprehensive test suite (44 tests across 3 packages)
Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
(creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination
Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)
Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio
Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 16:47:32 +02:00
|
|
|
|
|
|
|
|
// User B tries to view it.
|
|
|
|
|
cookieB := loginUser(t, h, "userb", "pass123", "user")
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/faves/"+faveIDStr(fave.ID), nil)
|
|
|
|
|
req.AddCookie(cookieB)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusNotFound {
|
|
|
|
|
t.Errorf("private fave for other user: got %d, want 404", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestPrivateFaveVisibleToOwner(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
|
|
|
|
|
userA, _ := h.deps.Users.Create("usera", "pass123", "user")
|
feat: add notes field to favorites and enhance OG meta tags
Add an optional long-form "notes" text field to each favorite for
reviews, thoughts, or extended descriptions. The field is stored in
SQLite via a new migration (002_add_fave_notes.sql) and propagated
through the entire stack:
- Model: Notes field on Fave struct
- Store: All SQL queries (Create, GetByID, Update, list methods,
scanFaves) updated with notes column
- Web handlers: Read/write notes in create, edit, update forms
- API handlers: Notes in create, update, get, import request/response
- Export: Notes included in both JSON and CSV exports
- Import: Notes parsed from both JSON and CSV imports
- Feed: Notes used as Atom feed item summary when present
- Form template: New textarea between URL and image fields
- Detail template: Display notes, enhanced og:description with
cascade: notes (truncated) → URL → generic fallback text
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 00:40:08 +02:00
|
|
|
fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "", "private")
|
test: add comprehensive test suite (44 tests across 3 packages)
Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
(creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination
Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)
Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio
Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 16:47:32 +02:00
|
|
|
|
|
|
|
|
tokenA, _ := h.deps.Sessions.Create(userA.ID)
|
|
|
|
|
cookieA := &http.Cookie{Name: "session", Value: tokenA}
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/faves/"+faveIDStr(fave.ID), nil)
|
|
|
|
|
req.AddCookie(cookieA)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusOK {
|
|
|
|
|
t.Errorf("own private fave: got %d, want 200", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestAdminRequiresAdminRole(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
cookie := loginUser(t, h, "regularuser", "pass123", "user")
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/admin", nil)
|
|
|
|
|
req.AddCookie(cookie)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusForbidden {
|
|
|
|
|
t.Errorf("non-admin accessing /admin: got %d, want 403", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestAdminDashboardForAdmin(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
cookie := loginUser(t, h, "admin", "pass123", "admin")
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/admin", nil)
|
|
|
|
|
req.AddCookie(cookie)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusOK {
|
|
|
|
|
t.Errorf("admin dashboard: got %d, want 200", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
if !strings.Contains(rr.Body.String(), "Administrasjon") {
|
|
|
|
|
t.Error("admin dashboard should contain 'Administrasjon'")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestTagSearchEndpoint(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
|
|
|
|
|
// Create some tags via faves.
|
|
|
|
|
user, _ := h.deps.Users.Create("testuser", "pass123", "user")
|
feat: add notes field to favorites and enhance OG meta tags
Add an optional long-form "notes" text field to each favorite for
reviews, thoughts, or extended descriptions. The field is stored in
SQLite via a new migration (002_add_fave_notes.sql) and propagated
through the entire stack:
- Model: Notes field on Fave struct
- Store: All SQL queries (Create, GetByID, Update, list methods,
scanFaves) updated with notes column
- Web handlers: Read/write notes in create, edit, update forms
- API handlers: Notes in create, update, get, import request/response
- Export: Notes included in both JSON and CSV exports
- Import: Notes parsed from both JSON and CSV imports
- Feed: Notes used as Atom feed item summary when present
- Form template: New textarea between URL and image fields
- Detail template: Display notes, enhanced og:description with
cascade: notes (truncated) → URL → generic fallback text
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 00:40:08 +02:00
|
|
|
fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "", "public")
|
test: add comprehensive test suite (44 tests across 3 packages)
Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
(creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination
Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)
Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio
Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 16:47:32 +02:00
|
|
|
h.deps.Tags.SetFaveTags(fave.ID, []string{"music", "movies", "manga"})
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/tags/search?q=mu", nil)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusOK {
|
|
|
|
|
t.Errorf("tag search: got %d, want 200", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
body := rr.Body.String()
|
|
|
|
|
if !strings.Contains(body, "music") {
|
|
|
|
|
t.Error("tag search for 'mu' should include 'music'")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestFeedGlobal(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
|
|
|
|
|
user, _ := h.deps.Users.Create("testuser", "pass123", "user")
|
feat: add notes field to favorites and enhance OG meta tags
Add an optional long-form "notes" text field to each favorite for
reviews, thoughts, or extended descriptions. The field is stored in
SQLite via a new migration (002_add_fave_notes.sql) and propagated
through the entire stack:
- Model: Notes field on Fave struct
- Store: All SQL queries (Create, GetByID, Update, list methods,
scanFaves) updated with notes column
- Web handlers: Read/write notes in create, edit, update forms
- API handlers: Notes in create, update, get, import request/response
- Export: Notes included in both JSON and CSV exports
- Import: Notes parsed from both JSON and CSV imports
- Feed: Notes used as Atom feed item summary when present
- Form template: New textarea between URL and image fields
- Detail template: Display notes, enhanced og:description with
cascade: notes (truncated) → URL → generic fallback text
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 00:40:08 +02:00
|
|
|
h.deps.Faves.Create(user.ID, "Public fave", "", "", "", "public")
|
test: add comprehensive test suite (44 tests across 3 packages)
Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
(creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination
Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)
Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio
Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 16:47:32 +02:00
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/feed.xml", nil)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusOK {
|
|
|
|
|
t.Errorf("global feed: got %d, want 200", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
ct := rr.Header().Get("Content-Type")
|
|
|
|
|
if !strings.Contains(ct, "atom+xml") {
|
|
|
|
|
t.Errorf("content-type = %q, want atom+xml", ct)
|
|
|
|
|
}
|
|
|
|
|
if !strings.Contains(rr.Body.String(), "Public fave") {
|
|
|
|
|
t.Error("feed should contain fave title")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestPublicProfile(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
|
|
|
|
|
user, _ := h.deps.Users.Create("testuser", "pass123", "user")
|
|
|
|
|
h.deps.Users.UpdateProfile(user.ID, "Test User", "Hello world", "public", "public")
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/u/testuser", nil)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusOK {
|
|
|
|
|
t.Errorf("public profile: got %d, want 200", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
body := rr.Body.String()
|
|
|
|
|
if !strings.Contains(body, "Test User") {
|
|
|
|
|
t.Error("profile should show display name")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestLimitedProfileHidesBio(t *testing.T) {
|
|
|
|
|
h, mux := testServer(t)
|
|
|
|
|
|
|
|
|
|
user, _ := h.deps.Users.Create("private", "pass123", "user")
|
|
|
|
|
h.deps.Users.UpdateProfile(user.ID, "Hidden User", "Secret bio", "limited", "public")
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest("GET", "/u/private", nil)
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
mux.ServeHTTP(rr, req)
|
|
|
|
|
|
|
|
|
|
if rr.Code != http.StatusOK {
|
|
|
|
|
t.Errorf("limited profile: got %d, want 200", rr.Code)
|
|
|
|
|
}
|
|
|
|
|
body := rr.Body.String()
|
|
|
|
|
if strings.Contains(body, "Secret bio") {
|
|
|
|
|
t.Error("limited profile should not show bio")
|
|
|
|
|
}
|
|
|
|
|
if !strings.Contains(body, "begrenset synlighet") {
|
|
|
|
|
t.Error("limited profile should show visibility notice")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func faveIDStr(n int64) string {
|
|
|
|
|
return strconv.FormatInt(n, 10)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// extractCookie gets a cookie value from a response recorder.
|
|
|
|
|
func extractCookie(rr *httptest.ResponseRecorder, name string) string {
|
|
|
|
|
for _, c := range rr.Result().Cookies() {
|
|
|
|
|
if c.Name == name {
|
|
|
|
|
return c.Value
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return ""
|
|
|
|
|
}
|