deblan-mirror/dnote
1
0
Fork 0
mirror of https://github.com/dnote/dnote synced 2026-03-14 22:45:50 +01:00
Code Issues Projects Releases Packages Wiki Activity
dnote/pkg/server/middleware/auth_test.go
Sung b03ca999a5
 Remove the unused encrypted and public fields (#700) 
* Remove encrypted fields from notes and books

* Remove public from notes

* Use consistent flags
2025-10-19 18:32:20 -07:00

269 lines
8.3 KiB
Go
Raw Blame History

/* Copyright (C) 2019, 2020, 2021, 2022, 2023, 2024, 2025 Dnote contributors
*
* This file is part of Dnote.
*
* Dnote is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Dnote is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with Dnote. If not, see <https://www.gnu.org/licenses/>.
*/
package middleware
import (
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/dnote/dnote/pkg/assert"
"github.com/dnote/dnote/pkg/server/database"
"github.com/dnote/dnote/pkg/server/testutils"
)
func TestGuestOnly(t *testing.T) {
db := testutils.InitMemoryDB(t)
handler := func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}
server := httptest.NewServer(GuestOnly(db, handler))
defer server.Close()
t.Run("guest", func(t *testing.T) {
req := testutils.MakeReq(server.URL, "GET", "/", "")
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusOK, "status code mismatch")
})
t.Run("logged in", func(t *testing.T) {
user := testutils.SetupUserData(db)
req := testutils.MakeReq(server.URL, "GET", "/", "")
res := testutils.HTTPAuthDo(t, db, req, user)
assert.Equal(t, res.StatusCode, http.StatusFound, "status code mismatch")
assert.Equal(t, res.Header.Get("Location"), "/", "location mismatch")
})
t.Run("error getting credential", func(t *testing.T) {
req := testutils.MakeReq(server.URL, "GET", "/", "")
req.Header.Set("Authorization", "InvalidFormat")
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusOK, "status code mismatch")
})
}
func TestAuth(t *testing.T) {
db := testutils.InitMemoryDB(t)
user := testutils.SetupUserData(db)
testutils.SetupAccountData(db, user, "alice@test.com", "pass1234")
session := database.Session{
Key: "A9xgggqzTHETy++GDi1NpDNe0iyqosPm9bitdeNGkJU=",
UserID: user.ID,
ExpiresAt: time.Now().Add(time.Hour * 24),
}
testutils.MustExec(t, db.Save(&session), "preparing session")
expiredSession := database.Session{
Key: "Vvgm3eBXfXGEFWERI7faiRJ3DAzJw+7DdT9J1LEyNfI=",
UserID: user.ID,
ExpiresAt: time.Now().Add(-time.Hour * 24),
}
testutils.MustExec(t, db.Save(&expiredSession), "preparing expired session")
handler := func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}
t.Run("valid session with header", func(t *testing.T) {
server := httptest.NewServer(Auth(db, handler, nil))
defer server.Close()
req := testutils.MakeReq(server.URL, "GET", "/", "")
req.Header.Set("Authorization", "Bearer "+session.Key)
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusOK, "status code mismatch")
})
t.Run("expired session with header", func(t *testing.T) {
server := httptest.NewServer(Auth(db, handler, nil))
defer server.Close()
req := testutils.MakeReq(server.URL, "GET", "/", "")
req.Header.Set("Authorization", "Bearer "+expiredSession.Key)
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusUnauthorized, "status code mismatch")
})
t.Run("invalid session with header", func(t *testing.T) {
server := httptest.NewServer(Auth(db, handler, nil))
defer server.Close()
req := testutils.MakeReq(server.URL, "GET", "/", "")
req.Header.Set("Authorization", "Bearer someInvalidSessionKey=")
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusUnauthorized, "status code mismatch")
})
t.Run("valid session with cookie", func(t *testing.T) {
server := httptest.NewServer(Auth(db, handler, nil))
defer server.Close()
req := testutils.MakeReq(server.URL, "GET", "/", "")
req.AddCookie(&http.Cookie{
Name: "id",
Value: session.Key,
HttpOnly: true,
})
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusOK, "status code mismatch")
})
t.Run("expired session with cookie", func(t *testing.T) {
server := httptest.NewServer(Auth(db, handler, nil))
defer server.Close()
req := testutils.MakeReq(server.URL, "GET", "/", "")
req.AddCookie(&http.Cookie{
Name: "id",
Value: expiredSession.Key,
HttpOnly: true,
})
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusUnauthorized, "status code mismatch")
})
t.Run("no auth", func(t *testing.T) {
server := httptest.NewServer(Auth(db, handler, nil))
defer server.Close()
req := testutils.MakeReq(server.URL, "GET", "/", "")
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusUnauthorized, "status code mismatch")
})
t.Run("redirect guests to login", func(t *testing.T) {
server := httptest.NewServer(Auth(db, handler, &AuthParams{RedirectGuestsToLogin: true}))
defer server.Close()
req := testutils.MakeReq(server.URL, "GET", "/settings", "")
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusFound, "status code mismatch")
assert.Equal(t, res.Header.Get("Location"), "/login?referrer=%2Fsettings", "location mismatch")
})
}
func TestTokenAuth(t *testing.T) {
db := testutils.InitMemoryDB(t)
user := testutils.SetupUserData(db)
tok := database.Token{
UserID: user.ID,
Type: database.TokenTypeResetPassword,
Value: "xpwFnc0MdllFUePDq9DLeQ==",
}
testutils.MustExec(t, db.Save(&tok), "preparing token")
session := database.Session{
Key: "A9xgggqzTHETy++GDi1NpDNe0iyqosPm9bitdeNGkJU=",
UserID: user.ID,
ExpiresAt: time.Now().Add(time.Hour * 24),
}
testutils.MustExec(t, db.Save(&session), "preparing session")
handler := func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}
server := httptest.NewServer(TokenAuth(db, handler, database.TokenTypeResetPassword, nil))
defer server.Close()
t.Run("with token", func(t *testing.T) {
req := testutils.MakeReq(server.URL, "GET", "/?token=xpwFnc0MdllFUePDq9DLeQ==", "")
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusOK, "status code mismatch")
})
t.Run("with invalid token", func(t *testing.T) {
req := testutils.MakeReq(server.URL, "GET", "/?token=someRandomToken==", "")
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusUnauthorized, "status code mismatch")
})
t.Run("with session header", func(t *testing.T) {
req := testutils.MakeReq(server.URL, "GET", "/", "")
req.Header.Set("Authorization", "Bearer "+session.Key)
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusOK, "status code mismatch")
})
t.Run("with invalid session", func(t *testing.T) {
req := testutils.MakeReq(server.URL, "GET", "/", "")
req.Header.Set("Authorization", "Bearer someInvalidSessionKey=")
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusUnauthorized, "status code mismatch")
})
t.Run("without anything", func(t *testing.T) {
req := testutils.MakeReq(server.URL, "GET", "/", "")
res := testutils.HTTPDo(t, req)
assert.Equal(t, res.StatusCode, http.StatusUnauthorized, "status code mismatch")
})
}
func TestWithAccount(t *testing.T) {
db := testutils.InitMemoryDB(t)
handler := func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}
t.Run("user with account", func(t *testing.T) {
user := testutils.SetupUserData(db)
testutils.SetupAccountData(db, user, "alice@test.com", "pass1234")
server := httptest.NewServer(Auth(db, handler, nil))
defer server.Close()
req := testutils.MakeReq(server.URL, "GET", "/", "")
res := testutils.HTTPAuthDo(t, db, req, user)
assert.Equal(t, res.StatusCode, http.StatusOK, "status code mismatch")
})
t.Run("user without account", func(t *testing.T) {
user := testutils.SetupUserData(db)
// Note: not creating account for this user
server := httptest.NewServer(Auth(db, handler, nil))
defer server.Close()
req := testutils.MakeReq(server.URL, "GET", "/", "")
res := testutils.HTTPAuthDo(t, db, req, user)
assert.Equal(t, res.StatusCode, http.StatusForbidden, "status code mismatch")
})
}
Reference in a new issue View git blame Copy permalink