package handler import ( "bytes" "encoding/json" "net/http" "net/http/httptest" "testing" "time" "github.com/gin-gonic/gin" "gorm.io/driver/sqlite" "gorm.io/gorm" "github.com/dhao2001/mygo/internal/middleware" "github.com/dhao2001/mygo/internal/model" "github.com/dhao2001/mygo/internal/repository" "github.com/dhao2001/mygo/internal/service" ) func setupAuthHandler(t *testing.T) (*AuthHandler, []byte) { t.Helper() db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{}) if err != nil { t.Fatalf("open db: %v", err) } if err := db.AutoMigrate(&model.User{}, &model.Session{}, &model.Credential{}); err != nil { t.Fatalf("migrate: %v", err) } secret := []byte("test-secret") authService := service.NewAuthService( repository.NewUserRepository(db), repository.NewSessionRepository(db), repository.NewCredentialRepository(db), secret, 15*time.Minute, 7*24*time.Hour, ) return NewAuthHandler(authService), secret } func setupAuthRouter(t *testing.T) (*gin.Engine, []byte) { t.Helper() handler, secret := setupAuthHandler(t) gin.SetMode(gin.TestMode) r := gin.New() auth := r.Group("/api/v1/auth") { auth.POST("/register", handler.Register) auth.POST("/login", handler.Login) auth.POST("/refresh", handler.Refresh) auth.POST("/logout", handler.Logout) } protected := r.Group("/api/v1") protected.Use(middleware.AuthRequired(secret)) { account := protected.Group("/account") { account.GET("", handler.GetAccount) passkeys := account.Group("/passkeys") { passkeys.GET("", handler.ListPasskeys) passkeys.POST("", handler.CreatePasskey) passkeys.DELETE("/:id", handler.RevokePasskey) } } } return r, secret } func TestRegisterHandler(t *testing.T) { r, _ := setupAuthRouter(t) body, _ := json.Marshal(gin.H{ "username": "alice", "email": "alice@example.com", "password": "password123", }) req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/register", bytes.NewReader(body)) req.Header.Set("Content-Type", "application/json") rec := httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusCreated { t.Errorf("status = %d, want %d; body = %s", rec.Code, http.StatusCreated, rec.Body.String()) } } func TestRegisterHandlerDuplicate(t *testing.T) { r, _ := setupAuthRouter(t) body, _ := json.Marshal(gin.H{ "username": "alice", "email": "alice@example.com", "password": "password123", }) for i := range 2 { req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/register", bytes.NewReader(body)) req.Header.Set("Content-Type", "application/json") rec := httptest.NewRecorder() r.ServeHTTP(rec, req) if i == 0 && rec.Code != http.StatusCreated { t.Fatalf("first register: status = %d", rec.Code) } if i == 1 && rec.Code != http.StatusConflict { t.Errorf("second register: status = %d, want %d", rec.Code, http.StatusConflict) } } } func TestLoginHandler(t *testing.T) { r, _ := setupAuthRouter(t) // Register first body, _ := json.Marshal(gin.H{ "username": "alice", "email": "alice@example.com", "password": "password123", }) req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/register", bytes.NewReader(body)) req.Header.Set("Content-Type", "application/json") rec := httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusCreated { t.Fatalf("register failed: %d", rec.Code) } // Login loginBody, _ := json.Marshal(gin.H{ "email": "alice@example.com", "password": "password123", }) req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody)) req.Header.Set("Content-Type", "application/json") rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusOK { t.Errorf("status = %d, want %d; body = %s", rec.Code, http.StatusOK, rec.Body.String()) } var pair service.TokenPair if err := json.Unmarshal(rec.Body.Bytes(), &pair); err != nil { t.Fatalf("unmarshal response: %v", err) } if pair.AccessToken == "" || pair.RefreshToken == "" { t.Fatal("tokens should not be empty") } } func TestLoginHandlerWrongPassword(t *testing.T) { r, _ := setupAuthRouter(t) body, _ := json.Marshal(gin.H{ "username": "alice", "email": "alice@example.com", "password": "password123", }) req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/register", bytes.NewReader(body)) req.Header.Set("Content-Type", "application/json") rec := httptest.NewRecorder() r.ServeHTTP(rec, req) loginBody, _ := json.Marshal(gin.H{ "email": "alice@example.com", "password": "wrongpassword", }) req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody)) req.Header.Set("Content-Type", "application/json") rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusUnauthorized { t.Errorf("status = %d, want %d", rec.Code, http.StatusUnauthorized) } } func TestRefreshHandler(t *testing.T) { r, _ := setupAuthRouter(t) // Register + Login body, _ := json.Marshal(gin.H{ "username": "alice", "email": "alice@example.com", "password": "password123", }) req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/register", bytes.NewReader(body)) req.Header.Set("Content-Type", "application/json") httptest.NewRecorder().Body = nil rec := httptest.NewRecorder() r.ServeHTTP(rec, req) loginBody, _ := json.Marshal(gin.H{"email": "alice@example.com", "password": "password123"}) req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody)) req.Header.Set("Content-Type", "application/json") rec = httptest.NewRecorder() r.ServeHTTP(rec, req) var pair service.TokenPair json.Unmarshal(rec.Body.Bytes(), &pair) // Refresh refreshBody, _ := json.Marshal(gin.H{"refresh_token": pair.RefreshToken}) req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/refresh", bytes.NewReader(refreshBody)) req.Header.Set("Content-Type", "application/json") rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusOK { t.Errorf("status = %d, want %d; body = %s", rec.Code, http.StatusOK, rec.Body.String()) } } func TestAccountEndpoint(t *testing.T) { r, _ := setupAuthRouter(t) // Register + Login body, _ := json.Marshal(gin.H{"username": "alice", "email": "alice@example.com", "password": "password123"}) req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/register", bytes.NewReader(body)) req.Header.Set("Content-Type", "application/json") rec := httptest.NewRecorder() r.ServeHTTP(rec, req) loginBody, _ := json.Marshal(gin.H{"email": "alice@example.com", "password": "password123"}) req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody)) req.Header.Set("Content-Type", "application/json") rec = httptest.NewRecorder() r.ServeHTTP(rec, req) var pair service.TokenPair json.Unmarshal(rec.Body.Bytes(), &pair) // Get /account req = httptest.NewRequest(http.MethodGet, "/api/v1/account", nil) req.Header.Set("Authorization", "Bearer "+pair.AccessToken) rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusOK { t.Errorf("status = %d, want %d", rec.Code, http.StatusOK) } } func TestAccountEndpointUnauthorized(t *testing.T) { r, _ := setupAuthRouter(t) req := httptest.NewRequest(http.MethodGet, "/api/v1/account", nil) rec := httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusUnauthorized { t.Errorf("status = %d, want %d", rec.Code, http.StatusUnauthorized) } } func TestPasskeyCRUD(t *testing.T) { r, _ := setupAuthRouter(t) // Register + Login body, _ := json.Marshal(gin.H{"username": "alice", "email": "alice@example.com", "password": "password123"}) req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/register", bytes.NewReader(body)) req.Header.Set("Content-Type", "application/json") rec := httptest.NewRecorder() r.ServeHTTP(rec, req) loginBody, _ := json.Marshal(gin.H{"email": "alice@example.com", "password": "password123"}) req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody)) req.Header.Set("Content-Type", "application/json") rec = httptest.NewRecorder() r.ServeHTTP(rec, req) var pair service.TokenPair json.Unmarshal(rec.Body.Bytes(), &pair) authHeader := "Bearer " + pair.AccessToken // Create passkey pkBody, _ := json.Marshal(gin.H{"label": "My Phone"}) req = httptest.NewRequest(http.MethodPost, "/api/v1/account/passkeys", bytes.NewReader(pkBody)) req.Header.Set("Content-Type", "application/json") req.Header.Set("Authorization", authHeader) rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusCreated { t.Fatalf("create passkey: status = %d, body = %s", rec.Code, rec.Body.String()) } // List passkeys req = httptest.NewRequest(http.MethodGet, "/api/v1/account/passkeys", nil) req.Header.Set("Authorization", authHeader) rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusOK { t.Fatalf("list passkeys: status = %d", rec.Code) } // Revoke passkey var creds []model.Credential json.Unmarshal(rec.Body.Bytes(), &creds) if len(creds) != 1 { t.Fatalf("expected 1 passkey, got %d", len(creds)) } req = httptest.NewRequest(http.MethodDelete, "/api/v1/account/passkeys/"+creds[0].ID, nil) req.Header.Set("Authorization", authHeader) rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusOK { t.Errorf("revoke passkey: status = %d", rec.Code) } }