chore(auth): #331 add tests for sign out

2024-12-22 23:40:09 +01:00
parent fb6cc0acda
commit 52cd85d904
7 changed files with 142 additions and 85 deletions
--- a/main_test.go
+++ b/main_test.go
@@ -163,6 +163,70 @@ func TestIntegrationAuth(t *testing.T) {
 			assert.NotEqual(t, anonymousSession.Value, cookie.Value, "Session ID did not change")
 		})
 	})
+	t.Run("SignOut", func(t *testing.T) {
+		t.Run("should fail if csrf token is not valid", func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/sign-out", nil)
+			assert.Nil(t, err)
+			req.Header.Set("csrf-token", "invalid-csrf-token")
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+		})
+		t.Run(`should delete current session and redirect to "/"`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			userId := uuid.New()
+			sessionId := "session-id"
+
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := db.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+			INSERT INTO session (session_id, user_id, created_at, expires_at)
+			VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/", nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+			var csrfToken string
+			err = db.QueryRow("SELECT token FROM token WHERE user_id = ? AND type = ?", userId, types.TokenTypeCsrf).Scan(&csrfToken)
+			assert.Nil(t, err)
+
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signout", nil)
+			assert.Nil(t, err)
+			req.Header.Set("csrf-token", csrfToken)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
+			assert.Equal(t, "/", resp.Header.Get("Location"))
+
+			cookie := findCookie(resp, "id")
+			assert.NotNil(t, cookie)
+			assert.Equal(t, "", cookie.Value)
+			assert.Equal(t, -1, cookie.MaxAge)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM session WHERE user_id = ?", userId).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 0, rows)
+		})
+	})
 	t.Run("DeleteAccount", func(t *testing.T) {
 		t.Run(`should redirect to "/" if not signed in`, func(t *testing.T) {
 			t.Parallel()