x/spend-sparrow
2
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

chore(auth): #331 implement and fix fist sign up tests

Browse Source
This commit is contained in:
Tim Wundenberg
2024-12-23 22:51:46 +01:00
parent 7a7d7cf204
commit 9462f8b245
3 changed files with 91 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
handler/auth.go
View File

@@ -203,8 +203,11 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
} else if errors.Is(err, service.ErrInvalidEmail) { } else if errors.Is(err, service.ErrInvalidEmail) {
utils.TriggerToast(w, r, "error", "The email provided is invalid", http.StatusBadRequest) utils.TriggerToast(w, r, "error", "The email provided is invalid", http.StatusBadRequest)
return return
} else if errors.Is(err, service.ErrInvalidPassword) {
utils.TriggerToast(w, r, "error", service.ErrInvalidPassword.Error(), http.StatusBadRequest)
return
} }
// If the "service.ErrAccountExists", then just continue // If err is "service.ErrAccountExists", then just continue
} }
utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.", http.StatusOK) utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.", http.StatusOK)

5
handler/middleware/cross_site_request_forgery.go
View File

@@ -8,6 +8,7 @@ import (
"me-fit/log" "me-fit/log"
"me-fit/service" "me-fit/service"
"me-fit/types" "me-fit/types"
"me-fit/utils"
) )
type csrfResponseWriter struct { type csrfResponseWriter struct {
@@ -57,7 +58,11 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
} }
if session == nil || csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) { if session == nil || csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
log.Info("CSRF-Token not correct") log.Info("CSRF-Token not correct")
if r.Header.Get("HX-Request") == "true" {
utils.TriggerToast(w, r, "error", "CSRF-Token not correct", http.StatusBadRequest)
} else {
http.Error(w, "CSRF-Token not correct", http.StatusBadRequest) http.Error(w, "CSRF-Token not correct", http.StatusBadRequest)
}
return return
} }
} }

81
main_test.go
View File

@@ -455,6 +455,87 @@ func TestIntegrationAuth(t *testing.T) {
assert.Equal(t, 0, rows) assert.Equal(t, 0, rows)
}) })
}) })
t.Run("SignUp", func(t *testing.T) {
t.Run(`should redirect to "/" if signed in`, func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
userId := uuid.New()
sessionId := "session-id"
pass := service.GetHashPassword("password", []byte("salt"))
_, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", TRUE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
assert.Nil(t, err)
_, err = db.Exec(`
INSERT INTO session (session_id, user_id, created_at, expires_at)
VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
assert.Nil(t, err)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
assert.Nil(t, err)
req.Header.Set("Cookie", "id="+sessionId)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
assert.Equal(t, "/", resp.Header.Get("Location"))
})
t.Run(`should fail if csrf token is invalid`, func(t *testing.T) {
t.Parallel()
_, basePath, ctx := setupIntegrationTest(t)
formData := url.Values{
"email": {"mail@mail.de"},
"password": {"password"},
"csrf-token": {"invalid-csrf-token"},
}
req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
resp, err := httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
assert.Contains(t, resp.Header.Get("HX-Trigger"), "CSRF")
})
t.Run(`should fail if password is insecure`, func(t *testing.T) {
t.Parallel()
_, basePath, ctx := setupIntegrationTest(t)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signup", nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
body, err := html.Parse(resp.Body)
assert.Nil(t, err)
anonymousCsrfToken := findCsrfToken(body)
assert.NotEqual(t, "", anonymousCsrfToken)
anonymousSession := findCookie(resp, "id")
assert.NotNil(t, anonymousSession)
formData := url.Values{
"email": {"mail@mail.de"},
"password": {"insecure-password"},
"csrf-token": {anonymousCsrfToken},
}
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signup", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
req.Header.Set("Cookie", "id="+anonymousSession.Value)
resp, err = httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
assert.Contains(t, resp.Header.Get("HX-Trigger"), "password")
})
})
t.Run("SignOut", func(t *testing.T) { t.Run("SignOut", func(t *testing.T) {
t.Run("should fail if csrf token is not valid", func(t *testing.T) { t.Run("should fail if csrf token is not valid", func(t *testing.T) {
t.Parallel() t.Parallel()