test: add comprehensive test suite (44 tests across 3 packages)
Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
(creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination
Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)
Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio
Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
aa5ab6b415
commit
3a3b526a95
6 changed files with 866 additions and 15 deletions
119
internal/store/session_test.go
Normal file
119
internal/store/session_test.go
Normal file
|
|
@ -0,0 +1,119 @@
|
|||
// SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
package store
|
||||
|
||||
import (
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
func TestSessionCreateAndValidate(t *testing.T) {
|
||||
db := testDB(t)
|
||||
users := NewUserStore(db)
|
||||
sessions := NewSessionStore(db)
|
||||
|
||||
Argon2Memory = 1024
|
||||
Argon2Time = 1
|
||||
defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
|
||||
|
||||
user, _ := users.Create("testuser", "password123", "user")
|
||||
|
||||
token, err := sessions.Create(user.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("create session: %v", err)
|
||||
}
|
||||
if len(token) != 64 { // 32 bytes hex-encoded
|
||||
t.Errorf("token length = %d, want 64", len(token))
|
||||
}
|
||||
|
||||
session, err := sessions.Validate(token)
|
||||
if err != nil {
|
||||
t.Fatalf("validate session: %v", err)
|
||||
}
|
||||
if session.UserID != user.ID {
|
||||
t.Errorf("session user ID = %d, want %d", session.UserID, user.ID)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSessionValidateInvalidToken(t *testing.T) {
|
||||
db := testDB(t)
|
||||
sessions := NewSessionStore(db)
|
||||
|
||||
_, err := sessions.Validate("nonexistent-token")
|
||||
if err != ErrSessionNotFound {
|
||||
t.Errorf("err = %v, want ErrSessionNotFound", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSessionDelete(t *testing.T) {
|
||||
db := testDB(t)
|
||||
users := NewUserStore(db)
|
||||
sessions := NewSessionStore(db)
|
||||
|
||||
Argon2Memory = 1024
|
||||
Argon2Time = 1
|
||||
defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
|
||||
|
||||
user, _ := users.Create("testuser", "password123", "user")
|
||||
token, _ := sessions.Create(user.ID)
|
||||
|
||||
err := sessions.Delete(token)
|
||||
if err != nil {
|
||||
t.Fatalf("delete session: %v", err)
|
||||
}
|
||||
|
||||
_, err = sessions.Validate(token)
|
||||
if err != ErrSessionNotFound {
|
||||
t.Errorf("after delete: err = %v, want ErrSessionNotFound", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSessionDeleteAllForUser(t *testing.T) {
|
||||
db := testDB(t)
|
||||
users := NewUserStore(db)
|
||||
sessions := NewSessionStore(db)
|
||||
|
||||
Argon2Memory = 1024
|
||||
Argon2Time = 1
|
||||
defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
|
||||
|
||||
user, _ := users.Create("testuser", "password123", "user")
|
||||
token1, _ := sessions.Create(user.ID)
|
||||
token2, _ := sessions.Create(user.ID)
|
||||
|
||||
err := sessions.DeleteAllForUser(user.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("delete all: %v", err)
|
||||
}
|
||||
|
||||
_, err = sessions.Validate(token1)
|
||||
if err != ErrSessionNotFound {
|
||||
t.Error("token1 should be deleted")
|
||||
}
|
||||
_, err = sessions.Validate(token2)
|
||||
if err != ErrSessionNotFound {
|
||||
t.Error("token2 should be deleted")
|
||||
}
|
||||
}
|
||||
|
||||
func TestSessionExpiry(t *testing.T) {
|
||||
db := testDB(t)
|
||||
users := NewUserStore(db)
|
||||
sessions := NewSessionStore(db)
|
||||
sessions.SetLifetime(1 * time.Millisecond)
|
||||
|
||||
Argon2Memory = 1024
|
||||
Argon2Time = 1
|
||||
defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
|
||||
|
||||
user, _ := users.Create("testuser", "password123", "user")
|
||||
token, _ := sessions.Create(user.ID)
|
||||
|
||||
// Wait for expiry.
|
||||
time.Sleep(5 * time.Millisecond)
|
||||
|
||||
_, err := sessions.Validate(token)
|
||||
if err != ErrSessionNotFound {
|
||||
t.Errorf("expired session: err = %v, want ErrSessionNotFound", err)
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue