package handler import ( "bytes" "encoding/json" "net/http" "net/http/httptest" "testing" "github.com/gin-gonic/gin" "github.com/dhao2001/mygo/internal/middleware" "github.com/dhao2001/mygo/internal/model" "github.com/dhao2001/mygo/internal/service" ) func setupAccountHandler(t *testing.T) (*AccountHandler, []byte) { t.Helper() svc, secret := setupTestAuthService(t) return NewAccountHandler(svc), secret } func setupAccountRouter(t *testing.T) (*gin.Engine, []byte) { t.Helper() svc, secret := setupTestAuthService(t) authHandler := NewAuthHandler(svc) accountHandler := NewAccountHandler(svc) gin.SetMode(gin.TestMode) r := gin.New() auth := r.Group("/api/v1/auth") { auth.POST("/register", authHandler.Register) auth.POST("/login", authHandler.Login) } protected := r.Group("/api/v1") protected.Use(middleware.AuthRequired(secret)) { account := protected.Group("/account") { account.GET("", accountHandler.GetAccount) passkeys := account.Group("/passkeys") { passkeys.GET("", accountHandler.ListPasskeys) passkeys.POST("", accountHandler.CreatePasskey) passkeys.DELETE("/:id", accountHandler.RevokePasskey) } } } return r, secret } func TestAccountEndpoint(t *testing.T) { r, _ := setupAccountRouter(t) // Register + Login body, _ := json.Marshal(gin.H{"username": "alice", "email": "alice@example.com", "password": "password123"}) req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/register", bytes.NewReader(body)) req.Header.Set("Content-Type", "application/json") rec := httptest.NewRecorder() r.ServeHTTP(rec, req) loginBody, _ := json.Marshal(gin.H{"email": "alice@example.com", "password": "password123"}) req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody)) req.Header.Set("Content-Type", "application/json") rec = httptest.NewRecorder() r.ServeHTTP(rec, req) var pair service.TokenPair json.Unmarshal(rec.Body.Bytes(), &pair) // Get /account req = httptest.NewRequest(http.MethodGet, "/api/v1/account", nil) req.Header.Set("Authorization", "Bearer "+pair.AccessToken) rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusOK { t.Errorf("status = %d, want %d", rec.Code, http.StatusOK) } } func TestAccountEndpointUnauthorized(t *testing.T) { r, _ := setupAccountRouter(t) req := httptest.NewRequest(http.MethodGet, "/api/v1/account", nil) rec := httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusUnauthorized { t.Errorf("status = %d, want %d", rec.Code, http.StatusUnauthorized) } } func TestPasskeyCRUD(t *testing.T) { r, _ := setupAccountRouter(t) // Register + Login body, _ := json.Marshal(gin.H{"username": "alice", "email": "alice@example.com", "password": "password123"}) req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/register", bytes.NewReader(body)) req.Header.Set("Content-Type", "application/json") rec := httptest.NewRecorder() r.ServeHTTP(rec, req) loginBody, _ := json.Marshal(gin.H{"email": "alice@example.com", "password": "password123"}) req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/login", bytes.NewReader(loginBody)) req.Header.Set("Content-Type", "application/json") rec = httptest.NewRecorder() r.ServeHTTP(rec, req) var pair service.TokenPair json.Unmarshal(rec.Body.Bytes(), &pair) authHeader := "Bearer " + pair.AccessToken // Create passkey pkBody, _ := json.Marshal(gin.H{"label": "My Phone"}) req = httptest.NewRequest(http.MethodPost, "/api/v1/account/passkeys", bytes.NewReader(pkBody)) req.Header.Set("Content-Type", "application/json") req.Header.Set("Authorization", authHeader) rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusCreated { t.Fatalf("create passkey: status = %d, body = %s", rec.Code, rec.Body.String()) } // List passkeys req = httptest.NewRequest(http.MethodGet, "/api/v1/account/passkeys", nil) req.Header.Set("Authorization", authHeader) rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusOK { t.Fatalf("list passkeys: status = %d", rec.Code) } // Revoke passkey var creds []model.Credential json.Unmarshal(rec.Body.Bytes(), &creds) if len(creds) != 1 { t.Fatalf("expected 1 passkey, got %d", len(creds)) } req = httptest.NewRequest(http.MethodDelete, "/api/v1/account/passkeys/"+creds[0].ID, nil) req.Header.Set("Authorization", authHeader) rec = httptest.NewRecorder() r.ServeHTTP(rec, req) if rec.Code != http.StatusOK { t.Errorf("revoke passkey: status = %d", rec.Code) } }