marketing-shibata50/multica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
multica/server/internal/middleware/auth_test.go
Jiayuan Zhang 6dfc61fa86 test: add comprehensive test suite (Go unit/integration, Vitest, Playwright E2E) 
- Add JWT middleware unit tests (8 tests covering all auth edge cases)
- Add WebSocket hub tests (5 tests for client lifecycle and broadcast)
- Add full HTTP integration tests (12 tests through real Chi router with DB)
- Add frontend component tests for login, issues, and issue detail pages
- Add auth context unit tests (9 tests for login/logout/name resolution)
- Add Playwright E2E tests for auth, issues, comments, and navigation
- Configure Vitest with jsdom, React plugin, and path aliases

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-22 11:50:25 +08:00

185 lines
5.1 KiB
Go
Raw Blame History

package middleware
import (
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/golang-jwt/jwt/v5"
)
func generateToken(claims jwt.MapClaims, secret []byte) string {
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
s, _ := token.SignedString(secret)
return s
}
func validClaims() jwt.MapClaims {
return jwt.MapClaims{
"sub": "test-user-id",
"email": "test@multica.ai",
"exp": time.Now().Add(time.Hour).Unix(),
}
}
func TestAuth_MissingHeader(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
req := httptest.NewRequest("GET", "/api/me", nil)
w := httptest.NewRecorder()
handler.ServeHTTP(w, req)
if w.Code != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", w.Code)
}
if body := w.Body.String(); body != `{"error":"missing authorization header"}`+"\n" {
t.Fatalf("unexpected body: %s", body)
}
}
func TestAuth_NoBearerPrefix(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
req := httptest.NewRequest("GET", "/api/me", nil)
req.Header.Set("Authorization", "Token some-token")
w := httptest.NewRecorder()
handler.ServeHTTP(w, req)
if w.Code != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", w.Code)
}
if body := w.Body.String(); body != `{"error":"invalid authorization format"}`+"\n" {
t.Fatalf("unexpected body: %s", body)
}
}
func TestAuth_InvalidToken(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
req := httptest.NewRequest("GET", "/api/me", nil)
req.Header.Set("Authorization", "Bearer not-a-valid-jwt")
w := httptest.NewRecorder()
handler.ServeHTTP(w, req)
if w.Code != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", w.Code)
}
}
func TestAuth_ExpiredToken(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
claims := validClaims()
claims["exp"] = time.Now().Add(-time.Hour).Unix()
token := generateToken(claims, jwtSecret)
req := httptest.NewRequest("GET", "/api/me", nil)
req.Header.Set("Authorization", "Bearer "+token)
w := httptest.NewRecorder()
handler.ServeHTTP(w, req)
if w.Code != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", w.Code)
}
}
func TestAuth_WrongSecret(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
token := generateToken(validClaims(), []byte("wrong-secret"))
req := httptest.NewRequest("GET", "/api/me", nil)
req.Header.Set("Authorization", "Bearer "+token)
w := httptest.NewRecorder()
handler.ServeHTTP(w, req)
if w.Code != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", w.Code)
}
}
func TestAuth_WrongSigningMethod(t *testing.T) {
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
t.Fatal("next handler should not be called")
}))
// Use "none" signing method
token := jwt.NewWithClaims(jwt.SigningMethodNone, validClaims())
s, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)
req := httptest.NewRequest("GET", "/api/me", nil)
req.Header.Set("Authorization", "Bearer "+s)
w := httptest.NewRecorder()
handler.ServeHTTP(w, req)
if w.Code != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", w.Code)
}
}
func TestAuth_ValidToken(t *testing.T) {
var gotUserID, gotEmail string
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
gotUserID = r.Header.Get("X-User-ID")
gotEmail = r.Header.Get("X-User-Email")
w.WriteHeader(http.StatusOK)
}))
token := generateToken(validClaims(), jwtSecret)
req := httptest.NewRequest("GET", "/api/me", nil)
req.Header.Set("Authorization", "Bearer "+token)
w := httptest.NewRecorder()
handler.ServeHTTP(w, req)
if w.Code != http.StatusOK {
t.Fatalf("expected 200, got %d", w.Code)
}
if gotUserID != "test-user-id" {
t.Fatalf("expected X-User-ID 'test-user-id', got '%s'", gotUserID)
}
if gotEmail != "test@multica.ai" {
t.Fatalf("expected X-User-Email 'test@multica.ai', got '%s'", gotEmail)
}
}
func TestAuth_MissingClaims(t *testing.T) {
var gotUserID, gotEmail string
handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
gotUserID = r.Header.Get("X-User-ID")
gotEmail = r.Header.Get("X-User-Email")
w.WriteHeader(http.StatusOK)
}))
// Token with no sub or email claims, only exp
claims := jwt.MapClaims{
"exp": time.Now().Add(time.Hour).Unix(),
}
token := generateToken(claims, jwtSecret)
req := httptest.NewRequest("GET", "/api/me", nil)
req.Header.Set("Authorization", "Bearer "+token)
w := httptest.NewRecorder()
handler.ServeHTTP(w, req)
if w.Code != http.StatusOK {
t.Fatalf("expected 200, got %d", w.Code)
}
if gotUserID != "" {
t.Fatalf("expected empty X-User-ID, got '%s'", gotUserID)
}
if gotEmail != "" {
t.Fatalf("expected empty X-User-Email, got '%s'", gotEmail)
}
}
Reference in a new issue View git blame Copy permalink