Update handler integration tests

2025-11-06 07:54:22 +00:00 · 2024-12-07 23:09:57 +01:00
parent ad4af2f82d
commit 5633406f5c
7 changed files with 427 additions and 244 deletions
--- a/server/internal/handlers/auth_handlers_integration_test.go
+++ b/server/internal/handlers/auth_handlers_integration_test.go
@@ -4,8 +4,12 @@ package handlers_test

 import (
 	"encoding/json"
+	"io"
 	"net/http"
+	"net/http/httptest"
+	"strings"
 	"testing"
+	"time"

 	"novamd/internal/handlers"
 	"novamd/internal/models"
@@ -25,40 +29,58 @@ func TestAuthHandlers_Integration(t *testing.T) {
 				Password: "admin123",
 			}

-			rr := h.makeRequest(t, http.MethodPost, "/api/v1/auth/login", loginReq, "", nil)
+			rr := h.makeRequest(t, http.MethodPost, "/api/v1/auth/login", loginReq, nil, nil)
 			require.Equal(t, http.StatusOK, rr.Code)

+			// Verify all required cookies are present with correct attributes
+			cookies := rr.Result().Cookies()
+			var foundAccessToken, foundRefreshToken, foundCSRF bool
+			for _, cookie := range cookies {
+				switch cookie.Name {
+				case "access_token":
+					foundAccessToken = true
+					assert.True(t, cookie.HttpOnly, "access_token cookie must be HttpOnly")
+					assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite)
+					assert.Equal(t, 900, cookie.MaxAge) // 15 minutes
+				case "refresh_token":
+					foundRefreshToken = true
+					assert.True(t, cookie.HttpOnly, "refresh_token cookie must be HttpOnly")
+					assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite)
+					assert.Equal(t, 604800, cookie.MaxAge) // 7 days
+				case "csrf_token":
+					foundCSRF = true
+					assert.False(t, cookie.HttpOnly, "csrf_token cookie must not be HttpOnly")
+					assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite)
+					assert.Equal(t, 900, cookie.MaxAge) // 15 minutes
+				}
+			}
+			assert.True(t, foundAccessToken, "access_token cookie not found")
+			assert.True(t, foundRefreshToken, "refresh_token cookie not found")
+			assert.True(t, foundCSRF, "csrf_token cookie not found")
+
+			// Verify CSRF token is in both cookie and header, and they match
+			var csrfCookie *http.Cookie
+			for _, cookie := range rr.Result().Cookies() {
+				if cookie.Name == "csrf_token" {
+					csrfCookie = cookie
+					break
+				}
+			}
+			require.NotNil(t, csrfCookie, "csrf_token cookie not found")
+			csrfHeader := rr.Header().Get("X-CSRF-Token")
+			assert.Equal(t, csrfCookie.Value, csrfHeader)
+
+			// Verify response body
 			var resp handlers.LoginResponse
 			err := json.NewDecoder(rr.Body).Decode(&resp)
 			require.NoError(t, err)
-
-			assert.NotEmpty(t, resp.AccessToken)
-			assert.NotEmpty(t, resp.RefreshToken)
+			assert.NotEmpty(t, resp.SessionID)
+			assert.False(t, resp.ExpiresAt.IsZero())
 			assert.NotNil(t, resp.User)
 			assert.Equal(t, loginReq.Email, resp.User.Email)
 			assert.Equal(t, models.RoleAdmin, resp.User.Role)
 		})

-		t.Run("successful login - regular user", func(t *testing.T) {
-			loginReq := handlers.LoginRequest{
-				Email:    "user@test.com",
-				Password: "user123",
-			}
-
-			rr := h.makeRequest(t, http.MethodPost, "/api/v1/auth/login", loginReq, "", nil)
-			require.Equal(t, http.StatusOK, rr.Code)
-
-			var resp handlers.LoginResponse
-			err := json.NewDecoder(rr.Body).Decode(&resp)
-			require.NoError(t, err)
-
-			assert.NotEmpty(t, resp.AccessToken)
-			assert.NotEmpty(t, resp.RefreshToken)
-			assert.NotNil(t, resp.User)
-			assert.Equal(t, loginReq.Email, resp.User.Email)
-			assert.Equal(t, models.RoleEditor, resp.User.Role)
-		})
-
 		t.Run("login failures", func(t *testing.T) {
 			tests := []struct {
 				name     string
@@ -97,12 +119,26 @@ func TestAuthHandlers_Integration(t *testing.T) {
 					},
 					wantCode: http.StatusBadRequest,
 				},
+				{
+					name:     "malformed JSON",
+					request:  handlers.LoginRequest{}, // Will be overridden with bad JSON
+					wantCode: http.StatusBadRequest,
+				},
 			}

 			for _, tt := range tests {
 				t.Run(tt.name, func(t *testing.T) {
-					rr := h.makeRequest(t, http.MethodPost, "/api/v1/auth/login", tt.request, "", nil)
+					var rr *httptest.ResponseRecorder
+					if tt.name == "malformed JSON" {
+						// Need lower level helper to send malformed JSON
+						req := h.newRequest(t, http.MethodPost, "/api/v1/auth/login", nil)
+						req.Body = io.NopCloser(strings.NewReader("{bad json"))
+						rr = h.executeRequest(req)
+					} else {
+						rr = h.makeRequest(t, http.MethodPost, "/api/v1/auth/login", tt.request, nil, nil)
+					}
 					assert.Equal(t, tt.wantCode, rr.Code)
+					assert.Empty(t, rr.Result().Cookies(), "failed login should not set cookies")
 				})
 			}
 		})
@@ -110,58 +146,76 @@ func TestAuthHandlers_Integration(t *testing.T) {

 	t.Run("refresh token", func(t *testing.T) {
 		t.Run("successful token refresh", func(t *testing.T) {
-			// First login to get refresh token
-			loginReq := handlers.LoginRequest{
-				Email:    "user@test.com",
-				Password: "user123",
-			}
-
-			rr := h.makeRequest(t, http.MethodPost, "/api/v1/auth/login", loginReq, "", nil)
+			// Need lower level helpers for precise cookie control
+			req := h.newRequest(t, http.MethodPost, "/api/v1/auth/refresh", nil)
+			h.addAuthCookies(t, req, h.RegularSession, true) // Adds both tokens
+			rr := h.executeRequest(req)
 			require.Equal(t, http.StatusOK, rr.Code)

-			var loginResp handlers.LoginResponse
-			err := json.NewDecoder(rr.Body).Decode(&loginResp)
-			require.NoError(t, err)
-
-			// Now try to refresh the token
-			refreshReq := handlers.RefreshRequest{
-				RefreshToken: loginResp.RefreshToken,
+			// Verify new cookies
+			cookies := rr.Result().Cookies()
+			var foundAccessToken, foundCSRF bool
+			for _, cookie := range cookies {
+				switch cookie.Name {
+				case "access_token":
+					foundAccessToken = true
+					assert.Equal(t, 900, cookie.MaxAge)
+				case "csrf_token":
+					foundCSRF = true
+					assert.Equal(t, 900, cookie.MaxAge)
+				case "refresh_token":
+					t.Error("refresh token should not be renewed")
+				}
 			}
-
-			rr = h.makeRequest(t, http.MethodPost, "/api/v1/auth/refresh", refreshReq, "", nil)
-			require.Equal(t, http.StatusOK, rr.Code)
-
-			var refreshResp handlers.RefreshResponse
-			err = json.NewDecoder(rr.Body).Decode(&refreshResp)
-			require.NoError(t, err)
-			assert.NotEmpty(t, refreshResp.AccessToken)
+			assert.True(t, foundAccessToken, "new access_token cookie not found")
+			assert.True(t, foundCSRF, "new csrf_token cookie not found")
 		})

-		t.Run("refresh failures", func(t *testing.T) {
+		t.Run("refresh token edge cases", func(t *testing.T) {
 			tests := []struct {
 				name     string
-				request  handlers.RefreshRequest
+				setup    func(*http.Request)
 				wantCode int
 			}{
 				{
-					name: "invalid refresh token",
-					request: handlers.RefreshRequest{
-						RefreshToken: "invalid-token",
+					name: "missing refresh token cookie",
+					setup: func(req *http.Request) {
+						// Only add access token
+						token, _ := h.JWTManager.GenerateAccessToken(h.RegularSession.UserID, "admin")
+						req.AddCookie(h.CookieManager.GenerateAccessTokenCookie(token))
+					},
+					wantCode: http.StatusBadRequest,
+				},
+				{
+					name: "expired refresh token",
+					setup: func(req *http.Request) {
+						expiredSession := &models.Session{
+							ID:           "expired",
+							UserID:       h.RegularUser.ID,
+							RefreshToken: "expired-token",
+							ExpiresAt:    time.Now().Add(-1 * time.Hour),
+						}
+						h.addAuthCookies(t, req, expiredSession, true)
 					},
 					wantCode: http.StatusUnauthorized,
 				},
 				{
-					name: "empty refresh token",
-					request: handlers.RefreshRequest{
-						RefreshToken: "",
+					name: "invalid refresh token format",
+					setup: func(req *http.Request) {
+						req.AddCookie(&http.Cookie{
+							Name:  "refresh_token",
+							Value: "invalid-format",
+						})
 					},
-					wantCode: http.StatusBadRequest,
+					wantCode: http.StatusUnauthorized,
 				},
 			}

 			for _, tt := range tests {
 				t.Run(tt.name, func(t *testing.T) {
-					rr := h.makeRequest(t, http.MethodPost, "/api/v1/auth/refresh", tt.request, "", nil)
+					req := h.newRequest(t, http.MethodPost, "/api/v1/auth/refresh", nil)
+					tt.setup(req)
+					rr := h.executeRequest(req)
 					assert.Equal(t, tt.wantCode, rr.Code)
 				})
 			}
@@ -170,63 +224,136 @@ func TestAuthHandlers_Integration(t *testing.T) {

 	t.Run("logout", func(t *testing.T) {
 		t.Run("successful logout", func(t *testing.T) {
-			// First login to get session
-			loginReq := handlers.LoginRequest{
-				Email:    "user@test.com",
-				Password: "user123",
-			}
-
-			rr := h.makeRequest(t, http.MethodPost, "/api/v1/auth/login", loginReq, "", nil)
-			require.Equal(t, http.StatusOK, rr.Code)
-
-			var loginResp handlers.LoginResponse
-			err := json.NewDecoder(rr.Body).Decode(&loginResp)
-			require.NoError(t, err)
-
-			// Now logout using session ID from login response
-			headers := map[string]string{
-				"X-Session-ID": loginResp.Session.ID,
-			}
-			rr = h.makeRequest(t, http.MethodPost, "/api/v1/auth/logout", nil, loginResp.AccessToken, headers)
+			// Need CSRF token for POST request
+			req := h.newRequest(t, http.MethodPost, "/api/v1/auth/logout", nil)
+			csrfToken := h.addAuthCookies(t, req, h.RegularSession, true)
+			req.Header.Set("X-CSRF-Token", csrfToken)
+			rr := h.executeRequest(req)
 			require.Equal(t, http.StatusNoContent, rr.Code)

-			// Try to use the refresh token - should fail
-			refreshReq := handlers.RefreshRequest{
-				RefreshToken: loginResp.RefreshToken,
+			// Verify cookies are properly invalidated
+			for _, cookie := range rr.Result().Cookies() {
+				assert.True(t, cookie.MaxAge < 0, "cookie should be invalidated")
+				assert.True(t, cookie.Expires.Before(time.Now()), "cookie should be expired")
 			}

-			rr = h.makeRequest(t, http.MethodPost, "/api/v1/auth/refresh", refreshReq, "", nil)
+			// Verify session is actually invalidated
+			rr = h.makeRequest(t, http.MethodGet, "/api/v1/auth/me", nil, h.RegularSession, nil)
 			assert.Equal(t, http.StatusUnauthorized, rr.Code)
 		})

-		t.Run("logout without session ID", func(t *testing.T) {
-			rr := h.makeRequest(t, http.MethodPost, "/api/v1/auth/logout", nil, h.RegularToken, nil)
-			assert.Equal(t, http.StatusBadRequest, rr.Code)
+		t.Run("logout edge cases", func(t *testing.T) {
+			tests := []struct {
+				name     string
+				setup    func(*http.Request)
+				wantCode int
+			}{
+				{
+					name: "missing CSRF token",
+					setup: func(req *http.Request) {
+						h.addAuthCookies(t, req, h.RegularSession, true)
+						// Deliberately not setting X-CSRF-Token header
+					},
+					wantCode: http.StatusForbidden,
+				},
+				{
+					name: "mismatched CSRF token",
+					setup: func(req *http.Request) {
+						h.addAuthCookies(t, req, h.RegularSession, true)
+						req.Header.Set("X-CSRF-Token", "wrong-token")
+					},
+					wantCode: http.StatusForbidden,
+				},
+				{
+					name: "missing auth cookies",
+					setup: func(req *http.Request) {
+						// No setup - testing completely unauthenticated request
+					},
+					wantCode: http.StatusUnauthorized,
+				},
+			}
+
+			for _, tt := range tests {
+				t.Run(tt.name, func(t *testing.T) {
+					req := h.newRequest(t, http.MethodPost, "/api/v1/auth/logout", nil)
+					tt.setup(req)
+					rr := h.executeRequest(req)
+					assert.Equal(t, tt.wantCode, rr.Code)
+				})
+			}
 		})
 	})

 	t.Run("get current user", func(t *testing.T) {
 		t.Run("successful get current user", func(t *testing.T) {
-			rr := h.makeRequest(t, http.MethodGet, "/api/v1/auth/me", nil, h.RegularToken, nil)
+			rr := h.makeRequest(t, http.MethodGet, "/api/v1/auth/me", nil, h.RegularSession, nil)
 			require.Equal(t, http.StatusOK, rr.Code)

 			var user models.User
 			err := json.NewDecoder(rr.Body).Decode(&user)
 			require.NoError(t, err)
-
-			assert.Equal(t, h.RegularUser.ID, user.ID)
 			assert.Equal(t, h.RegularUser.Email, user.Email)
-			assert.Equal(t, h.RegularUser.Role, user.Role)
 		})

-		t.Run("get current user without token", func(t *testing.T) {
-			rr := h.makeRequest(t, http.MethodGet, "/api/v1/auth/me", nil, "", nil)
-			assert.Equal(t, http.StatusUnauthorized, rr.Code)
-		})
+		t.Run("auth edge cases", func(t *testing.T) {
+			tests := []struct {
+				name     string
+				setup    func(*http.Request)
+				wantCode int
+			}{
+				{
+					name: "missing auth cookie",
+					setup: func(req *http.Request) {
+						// No setup - testing unauthenticated request
+					},
+					wantCode: http.StatusUnauthorized,
+				},
+				{
+					name: "invalid session ID",
+					setup: func(req *http.Request) {
+						invalidSession := &models.Session{
+							ID:           "invalid",
+							UserID:       999,
+							RefreshToken: "invalid",
+							ExpiresAt:    time.Now().Add(time.Hour),
+						}
+						h.addAuthCookies(t, req, invalidSession, false)
+					},
+					wantCode: http.StatusUnauthorized,
+				},
+				{
+					name: "expired session",
+					setup: func(req *http.Request) {
+						expiredSession := &models.Session{
+							ID:           "expired",
+							UserID:       h.RegularUser.ID,
+							RefreshToken: "expired-token",
+							ExpiresAt:    time.Now().Add(-1 * time.Hour),
+						}
+						h.addAuthCookies(t, req, expiredSession, false)
+					},
+					wantCode: http.StatusUnauthorized,
+				},
+				{
+					name: "malformed access token",
+					setup: func(req *http.Request) {
+						req.AddCookie(&http.Cookie{
+							Name:  "access_token",
+							Value: "malformed-token",
+						})
+					},
+					wantCode: http.StatusUnauthorized,
+				},
+			}

-		t.Run("get current user with invalid token", func(t *testing.T) {
-			rr := h.makeRequest(t, http.MethodGet, "/api/v1/auth/me", nil, "invalid-token", nil)
-			assert.Equal(t, http.StatusUnauthorized, rr.Code)
+			for _, tt := range tests {
+				t.Run(tt.name, func(t *testing.T) {
+					req := h.newRequest(t, http.MethodGet, "/api/v1/auth/me", nil)
+					tt.setup(req)
+					rr := h.executeRequest(req)
+					assert.Equal(t, tt.wantCode, rr.Code)
+				})
+			}
 		})
 	})
 }