wip: write tests

db/auth.go

@@ -338,7 +338,7 @@ func (db AuthSqlite) GetSession(sessionId string) (*types.Session, error) {
 			WHERE session_id = ?`, sessionId).Scan(&userId, &createdAt, &expiresAt)
 
 	if err != nil {
-		log.Warn("Session not found: %v", err)
+		log.Warn("Session \"%s\" not found: %v", sessionId, err)
 		return nil, ErrNotFound
 	}
 

handler/middleware/cross_site_request_forgery.go

@@ -53,7 +53,7 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
 					csrfToken = r.Header.Get("csrf-token")
 				}
 				if session == nil || csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
-					log.Info("CSRF-Token not correct")
+					log.Info("CSRF-Token \"%s\" not correct", csrfToken)
 					if r.Header.Get("HX-Request") == "true" {
 						utils.TriggerToastWithStatus(w, r, "error", "CSRF-Token not correct", http.StatusBadRequest)
 					} else {

main_test.go

@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -1615,6 +1616,168 @@ func TestIntegrationAuth(t *testing.T) {
 	})
 }
 
+func TestIntegrationAccount(t *testing.T) {
+	t.Parallel()
+
+	t.Run("SignIn", func(t *testing.T) {
+		t.Run(`should throw unauthorized if try to getAll, get, edit, insert or delete`, func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			csrfToken, sessionId := createAnonymousSession(t, ctx, basePath)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/account", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
+			assert.Equal(t, "/auth/signin", resp.Header.Get("Location"))
+
+			req, err = http.NewRequestWithContext(ctx, "GET", basePath+"/account/some-id", nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
+			assert.Equal(t, "/auth/signin", resp.Header.Get("Location"))
+
+			formData := url.Values{
+				"name":       {"name"},
+				"csrf-token": {csrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/account/some-id", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
+			assert.Equal(t, "/auth/signin", resp.Header.Get("Location"))
+
+			req, err = http.NewRequestWithContext(ctx, "DELETE", basePath+"/account/some-id", nil)
+			assert.Nil(t, err)
+			req.Header.Set("csrf-token", csrfToken)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
+			assert.Equal(t, "/auth/signin", resp.Header.Get("Location"))
+		})
+		t.Run(`should be able to insert, get, delete and update`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			csrfToken, sessionId := createValidUserSession(t, db, ctx, basePath)
+
+			// Insert
+			expectedName := "My great Account"
+			formData := url.Values{
+				"name":       {expectedName},
+				"csrf-token": {csrfToken},
+			}
+			req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/account/new", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+			assert.Contains(t, expectedName, readBody(t, resp.Body))
+
+			var id uuid.UUID
+			err = db.Get(&id, "SELECT id FROM account")
+			assert.Nil(t, err)
+
+			// Update
+			expectedNewName := "My new Account"
+			formData = url.Values{
+				"name":       {expectedNewName},
+				"csrf-token": {csrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/account/"+id.String(), strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+			assert.Contains(t, expectedNewName, readBody(t, resp.Body))
+
+			// Get
+			req, err = http.NewRequestWithContext(ctx, "GET", basePath+"/account/"+id.String(), nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+			assert.Contains(t, expectedNewName, readBody(t, resp.Body))
+
+			// Delete
+			req, err = http.NewRequestWithContext(ctx, "DELETE", basePath+"/account/"+id.String(), strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+sessionId)
+			req.Header.Set("csrf-token", csrfToken)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+			// Get (not found)
+			req, err = http.NewRequestWithContext(ctx, "GET", basePath+"/account/"+id.String(), nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusNotFound, resp.StatusCode)
+			assert.Contains(t, expectedNewName, readBody(t, resp.Body))
+		})
+		t.Run(`should not be able to see other users content`, func(t *testing.T) {
+			t.Parallel()
+			// TODO
+		})
+		t.Run(`should prohibit special characters in name`, func(t *testing.T) {
+			t.Parallel()
+			// TODO
+		})
+	})
+}
+
+func createValidUserSession(t *testing.T, db *sqlx.DB, ctx context.Context, basePath string) (string, string) {
+	userId := uuid.New()
+	sessionId := "session-id"
+	pass := service.GetHashPassword("password", []byte("salt"))
+	csrfToken := "my-verifying-token"
+
+	_, err := db.Exec(`
+		INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+		VALUES (?, "mail@mail.de", TRUE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+	assert.Nil(t, err)
+	_, err = db.Exec(`
+		INSERT INTO session (session_id, user_id, created_at, expires_at)
+		VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+	assert.Nil(t, err)
+
+	_, err = db.Exec(`
+		INSERT INTO token (token, user_id, session_id, type, created_at, expires_at)
+		VALUES (?, ?, ?, ?, datetime("now"), datetime("now", "+1 hour"))`, csrfToken, userId, sessionId, types.TokenTypeCsrf)
+	assert.Nil(t, err)
+
+	return csrfToken, sessionId
+}
+
+func createAnonymousSession(t *testing.T, ctx context.Context, basePath string) (string, string) {
+	req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
+	assert.Nil(t, err)
+	resp, err := httpClient.Do(req)
+	assert.Nil(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	html, err := html.Parse(resp.Body)
+	assert.Nil(t, err)
+
+	return findCsrfToken(html), findCookie(resp, "id").Value
+}
+
 func findCookie(resp *http.Response, name string) *http.Cookie {
 	for _, cookie := range resp.Cookies() {
 		if cookie.Name == name {
@@ -1751,3 +1914,11 @@ func getTokenAttribute(data *html.Node) *html.Attribute {
 
 	return nil
 }
+
+func readBody(t *testing.T, body io.ReadCloser) string {
+	defer body.Close()
+	data, err := io.ReadAll(body)
+	assert.Nil(t, err)
+
+	return string(data)
+}