Ole-Morten Duesund
3a3b526a95
Store tests (21 tests):
- Session: create, validate, delete, delete-all, expiry
- Signup requests: create, duplicate, list pending, approve
(creates user with must-reset), reject, double-approve/reject
- Existing: user CRUD, auth, fave CRUD, tags, pagination
Middleware tests (9 tests):
- Real IP extraction from trusted/untrusted proxies
- Base path stripping (with prefix, empty prefix)
- Rate limiter (per-IP, exhaustion, different IPs)
- Panic recovery (returns 500)
- Security headers (CSP, X-Frame-Options, etc.)
- RequireLogin redirect
- MustResetPasswordGuard (static path passthrough)
Handler integration tests (14 tests):
- Health endpoint
- Login page rendering, successful login, wrong password
- Fave list requires auth, works when authenticated
- Private fave hidden from other users, visible to owner
- Admin panel requires admin role, works for admin
- Tag search endpoint
- Global Atom feed
- Public profile with display name
- Limited profile hides bio
Also fixes template bugs: profile.html and fave_detail.html used
$.IsOwner which fails inside {{with}} blocks ($ = root PageData,
not .Data map). Fixed with $d variable capture pattern.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
135 lines
3.3 KiB
Go
135 lines
3.3 KiB
Go
// SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
package store
|
|
|
|
import (
|
|
"testing"
|
|
)
|
|
|
|
func TestSignupRequestCreateAndList(t *testing.T) {
|
|
db := testDB(t)
|
|
requests := NewSignupRequestStore(db)
|
|
|
|
Argon2Memory = 1024
|
|
Argon2Time = 1
|
|
defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
|
|
|
|
err := requests.Create("newuser", "password123")
|
|
if err != nil {
|
|
t.Fatalf("create request: %v", err)
|
|
}
|
|
|
|
// Duplicate should fail.
|
|
err = requests.Create("newuser", "password456")
|
|
if err != ErrSignupRequestExists {
|
|
t.Errorf("duplicate: err = %v, want ErrSignupRequestExists", err)
|
|
}
|
|
|
|
pending, err := requests.ListPending()
|
|
if err != nil {
|
|
t.Fatalf("list pending: %v", err)
|
|
}
|
|
if len(pending) != 1 {
|
|
t.Fatalf("pending count = %d, want 1", len(pending))
|
|
}
|
|
if pending[0].Username != "newuser" {
|
|
t.Errorf("username = %q, want %q", pending[0].Username, "newuser")
|
|
}
|
|
if pending[0].Status != "pending" {
|
|
t.Errorf("status = %q, want pending", pending[0].Status)
|
|
}
|
|
|
|
count, _ := requests.PendingCount()
|
|
if count != 1 {
|
|
t.Errorf("pending count = %d, want 1", count)
|
|
}
|
|
}
|
|
|
|
func TestSignupRequestApprove(t *testing.T) {
|
|
db := testDB(t)
|
|
users := NewUserStore(db)
|
|
requests := NewSignupRequestStore(db)
|
|
|
|
Argon2Memory = 1024
|
|
Argon2Time = 1
|
|
defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
|
|
|
|
// Create an admin to act as reviewer.
|
|
admin, _ := users.Create("admin", "adminpass", "admin")
|
|
|
|
// Create a signup request.
|
|
requests.Create("newuser", "password123")
|
|
pending, _ := requests.ListPending()
|
|
requestID := pending[0].ID
|
|
|
|
// Approve it.
|
|
err := requests.Approve(requestID, admin.ID)
|
|
if err != nil {
|
|
t.Fatalf("approve: %v", err)
|
|
}
|
|
|
|
// The user should now exist with must_reset_password=1.
|
|
user, err := users.GetByUsername("newuser")
|
|
if err != nil {
|
|
t.Fatalf("get approved user: %v", err)
|
|
}
|
|
if !user.MustResetPassword {
|
|
t.Error("approved user should have must_reset_password=true")
|
|
}
|
|
|
|
// The request should no longer be pending.
|
|
count, _ := requests.PendingCount()
|
|
if count != 0 {
|
|
t.Errorf("pending count after approve = %d, want 0", count)
|
|
}
|
|
|
|
// The approved request should have the correct status.
|
|
sr, _ := requests.GetByID(requestID)
|
|
if sr.Status != "approved" {
|
|
t.Errorf("status = %q, want approved", sr.Status)
|
|
}
|
|
|
|
// Double-approve should fail.
|
|
err = requests.Approve(requestID, admin.ID)
|
|
if err == nil {
|
|
t.Error("double approve should fail")
|
|
}
|
|
}
|
|
|
|
func TestSignupRequestReject(t *testing.T) {
|
|
db := testDB(t)
|
|
users := NewUserStore(db)
|
|
requests := NewSignupRequestStore(db)
|
|
|
|
Argon2Memory = 1024
|
|
Argon2Time = 1
|
|
defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
|
|
|
|
admin, _ := users.Create("admin", "adminpass", "admin")
|
|
requests.Create("rejectme", "password123")
|
|
pending, _ := requests.ListPending()
|
|
requestID := pending[0].ID
|
|
|
|
err := requests.Reject(requestID, admin.ID)
|
|
if err != nil {
|
|
t.Fatalf("reject: %v", err)
|
|
}
|
|
|
|
// Should not be in pending list.
|
|
count, _ := requests.PendingCount()
|
|
if count != 0 {
|
|
t.Errorf("pending count after reject = %d, want 0", count)
|
|
}
|
|
|
|
// User should NOT have been created.
|
|
_, err = users.GetByUsername("rejectme")
|
|
if err != ErrUserNotFound {
|
|
t.Errorf("rejected user should not exist: err = %v", err)
|
|
}
|
|
|
|
// Double-reject should fail.
|
|
err = requests.Reject(requestID, admin.ID)
|
|
if err != ErrSignupRequestNotFound {
|
|
t.Errorf("double reject: err = %v, want ErrSignupRequestNotFound", err)
|
|
}
|
|
}
|