test: add comprehensive test suite (44 tests across 3 packages)

Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
  (creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination

Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)

Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio

Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/store/session_test.go

@@ -0,0 +1,119 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package store
+
+import (
+	"testing"
+	"time"
+)
+
+func TestSessionCreateAndValidate(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+	sessions := NewSessionStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	user, _ := users.Create("testuser", "password123", "user")
+
+	token, err := sessions.Create(user.ID)
+	if err != nil {
+		t.Fatalf("create session: %v", err)
+	}
+	if len(token) != 64 { // 32 bytes hex-encoded
+		t.Errorf("token length = %d, want 64", len(token))
+	}
+
+	session, err := sessions.Validate(token)
+	if err != nil {
+		t.Fatalf("validate session: %v", err)
+	}
+	if session.UserID != user.ID {
+		t.Errorf("session user ID = %d, want %d", session.UserID, user.ID)
+	}
+}
+
+func TestSessionValidateInvalidToken(t *testing.T) {
+	db := testDB(t)
+	sessions := NewSessionStore(db)
+
+	_, err := sessions.Validate("nonexistent-token")
+	if err != ErrSessionNotFound {
+		t.Errorf("err = %v, want ErrSessionNotFound", err)
+	}
+}
+
+func TestSessionDelete(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+	sessions := NewSessionStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	user, _ := users.Create("testuser", "password123", "user")
+	token, _ := sessions.Create(user.ID)
+
+	err := sessions.Delete(token)
+	if err != nil {
+		t.Fatalf("delete session: %v", err)
+	}
+
+	_, err = sessions.Validate(token)
+	if err != ErrSessionNotFound {
+		t.Errorf("after delete: err = %v, want ErrSessionNotFound", err)
+	}
+}
+
+func TestSessionDeleteAllForUser(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+	sessions := NewSessionStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	user, _ := users.Create("testuser", "password123", "user")
+	token1, _ := sessions.Create(user.ID)
+	token2, _ := sessions.Create(user.ID)
+
+	err := sessions.DeleteAllForUser(user.ID)
+	if err != nil {
+		t.Fatalf("delete all: %v", err)
+	}
+
+	_, err = sessions.Validate(token1)
+	if err != ErrSessionNotFound {
+		t.Error("token1 should be deleted")
+	}
+	_, err = sessions.Validate(token2)
+	if err != ErrSessionNotFound {
+		t.Error("token2 should be deleted")
+	}
+}
+
+func TestSessionExpiry(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+	sessions := NewSessionStore(db)
+	sessions.SetLifetime(1 * time.Millisecond)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	user, _ := users.Create("testuser", "password123", "user")
+	token, _ := sessions.Create(user.ID)
+
+	// Wait for expiry.
+	time.Sleep(5 * time.Millisecond)
+
+	_, err := sessions.Validate(token)
+	if err != ErrSessionNotFound {
+		t.Errorf("expired session: err = %v, want ErrSessionNotFound", err)
+	}
+}

internal/store/signup_request_test.go

@@ -0,0 +1,135 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package store
+
+import (
+	"testing"
+)
+
+func TestSignupRequestCreateAndList(t *testing.T) {
+	db := testDB(t)
+	requests := NewSignupRequestStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	err := requests.Create("newuser", "password123")
+	if err != nil {
+		t.Fatalf("create request: %v", err)
+	}
+
+	// Duplicate should fail.
+	err = requests.Create("newuser", "password456")
+	if err != ErrSignupRequestExists {
+		t.Errorf("duplicate: err = %v, want ErrSignupRequestExists", err)
+	}
+
+	pending, err := requests.ListPending()
+	if err != nil {
+		t.Fatalf("list pending: %v", err)
+	}
+	if len(pending) != 1 {
+		t.Fatalf("pending count = %d, want 1", len(pending))
+	}
+	if pending[0].Username != "newuser" {
+		t.Errorf("username = %q, want %q", pending[0].Username, "newuser")
+	}
+	if pending[0].Status != "pending" {
+		t.Errorf("status = %q, want pending", pending[0].Status)
+	}
+
+	count, _ := requests.PendingCount()
+	if count != 1 {
+		t.Errorf("pending count = %d, want 1", count)
+	}
+}
+
+func TestSignupRequestApprove(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+	requests := NewSignupRequestStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	// Create an admin to act as reviewer.
+	admin, _ := users.Create("admin", "adminpass", "admin")
+
+	// Create a signup request.
+	requests.Create("newuser", "password123")
+	pending, _ := requests.ListPending()
+	requestID := pending[0].ID
+
+	// Approve it.
+	err := requests.Approve(requestID, admin.ID)
+	if err != nil {
+		t.Fatalf("approve: %v", err)
+	}
+
+	// The user should now exist with must_reset_password=1.
+	user, err := users.GetByUsername("newuser")
+	if err != nil {
+		t.Fatalf("get approved user: %v", err)
+	}
+	if !user.MustResetPassword {
+		t.Error("approved user should have must_reset_password=true")
+	}
+
+	// The request should no longer be pending.
+	count, _ := requests.PendingCount()
+	if count != 0 {
+		t.Errorf("pending count after approve = %d, want 0", count)
+	}
+
+	// The approved request should have the correct status.
+	sr, _ := requests.GetByID(requestID)
+	if sr.Status != "approved" {
+		t.Errorf("status = %q, want approved", sr.Status)
+	}
+
+	// Double-approve should fail.
+	err = requests.Approve(requestID, admin.ID)
+	if err == nil {
+		t.Error("double approve should fail")
+	}
+}
+
+func TestSignupRequestReject(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+	requests := NewSignupRequestStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	admin, _ := users.Create("admin", "adminpass", "admin")
+	requests.Create("rejectme", "password123")
+	pending, _ := requests.ListPending()
+	requestID := pending[0].ID
+
+	err := requests.Reject(requestID, admin.ID)
+	if err != nil {
+		t.Fatalf("reject: %v", err)
+	}
+
+	// Should not be in pending list.
+	count, _ := requests.PendingCount()
+	if count != 0 {
+		t.Errorf("pending count after reject = %d, want 0", count)
+	}
+
+	// User should NOT have been created.
+	_, err = users.GetByUsername("rejectme")
+	if err != ErrUserNotFound {
+		t.Errorf("rejected user should not exist: err = %v", err)
+	}
+
+	// Double-reject should fail.
+	err = requests.Reject(requestID, admin.ID)
+	if err != ErrSignupRequestNotFound {
+		t.Errorf("double reject: err = %v, want ErrSignupRequestNotFound", err)
+	}
+}