fix(test): use auth.JWTSecret() in integration tests instead of hardcoded secret (#349)

The integration tests hardcoded the old default JWT secret while .env sets a different JWT_SECRET, causing all authenticated requests to fail with 401. Use auth.JWTSecret() so tests stay in sync with the server. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 18:21:21 +08:00 · 2026-04-02 18:21:21 +08:00 · 36ba23b3cd
commit 36ba23b3cd
parent 5df444ba00
1 changed files with 5 additions and 3 deletions
--- a/server/cmd/server/integration_test.go
+++ b/server/cmd/server/integration_test.go
@ -17,6 +17,7 @@ import (
 	"github.com/gorilla/websocket"
 	"github.com/jackc/pgx/v5/pgxpool"

+	"github.com/multica-ai/multica/server/internal/auth"
 	"github.com/multica-ai/multica/server/internal/events"
 	"github.com/multica-ai/multica/server/internal/realtime"
 )
@ -29,7 +30,8 @@ var (
 	testWorkspaceID string
 )

-var jwtSecret = []byte("multica-dev-secret-change-in-production")
+// jwtSecret is resolved at runtime via auth.JWTSecret() so it respects
+// the JWT_SECRET env var (set in .env) and stays in sync with the server.

 const (
 	integrationTestEmail         = "integration-test@multica.ai"
@ -196,7 +198,7 @@ func generateTestJWT(userID, email, name string) (string, error) {
 		"exp":   time.Now().Add(72 * time.Hour).Unix(),
 		"iat":   time.Now().Unix(),
 	})
-	return token.SignedString(jwtSecret)
+	return token.SignedString(auth.JWTSecret())
 }

 // ---- Health ----
@ -417,7 +419,7 @@ func TestInvalidJWT(t *testing.T) {
 		}()},
 		{"expired token", func() string {
 			claims := jwt.MapClaims{"sub": "test", "exp": time.Now().Add(-time.Hour).Unix()}
-			t, _ := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(jwtSecret)
+			t, _ := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(auth.JWTSecret())
 			return t
 		}()},
 	}