From 43d0a3d022edefbf0deb0892049ccd47be564091 Mon Sep 17 00:00:00 2001
From: Tim Wundenberg
Date: Mon, 16 Dec 2024 22:51:23 +0100
Subject: [PATCH] chore(test): add test for cache control and security headers

---
 main_test.go | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/main_test.go b/main_test.go
index ec9b900..f99df06 100644
--- a/main_test.go
+++ b/main_test.go
@@ -30,7 +30,7 @@ var (
 port atomic.Int32
 )
 
-func TestSecurityHeader(t *testing.T) {
+func TestIntegrationSecurityHeader(t *testing.T) {
 t.Parallel()
 t.Run("should keep caching for static content", func(t *testing.T) {
 t.Parallel()
@@ -109,10 +109,10 @@ func TestSecurityHeader(t *testing.T) {
 })
 }
 
-func TestAuth(t *testing.T) {
+func TestIntegrationAuth(t *testing.T) {
 t.Parallel()
 
- t.Run("should signin and return session cookie", func(t *testing.T) {
+ t.Run("should return secure cookie on signin with generated csrf-token and session-id", func(t *testing.T) {
 t.Parallel()
 
 db, basePath, ctx := setupIntegrationTest(t)
@@ -121,9 +121,7 @@ func TestAuth(t *testing.T) {
 _, err := db.Exec(`
 INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
 VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, uuid.New(), pass, []byte("salt"))
- if err != nil {
- t.Fatalf("Error inserting user: %v", err)
- }
+ assert.Nil(t, err)
 
 req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
 assert.Nil(t, err)
@@ -148,7 +146,7 @@ func TestAuth(t *testing.T) {
 req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode()))
 assert.Nil(t, err)
 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- req.Header.Set("Cookie", anonymousSession.Name+"="+anonymousSession.Value)
+ req.Header.Set("Cookie", "id="+anonymousSession.Value)
 
 resp, err = httpClient.Do(req)
 assert.Nil(t, err)
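Review bot: In the `@@ -121,9 +121,7 @@` hunk, replacing the `t.Fatalf` guard with `assert.Nil(t, err)` means a failed user INSERT no longer stops the subtest: if `assert` is testify's non-fatal package (the import block is not in the hunk), execution continues to the signin request against a database that lacks the user, and the later status and cookie assertions fail with misleading messages. The same pattern in the last hunk, `assert.NotNil(t, cookie)` followed immediately by `cookie.SameSite`, turns a missing session cookie into a nil-pointer panic instead of a clear failure of the Secure/HttpOnly/SameSite check this test exists to enforce. Use a fatal assertion for preconditions, e.g. `require.NoError(t, err)` and `require.NotNil(t, cookie)` (needs the `require` import), or keep the explicit `if err != nil { t.Fatalf(...) }` guards. The enclosing `t.Run` closure in `TestIntegrationAuth` starts and ends outside this hunk.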
@@ -156,11 +154,10 @@ func TestAuth(t *testing.T) { assert.Equal(t, http.StatusSeeOther, resp.StatusCode) cookie := findCookie(resp, "id") - if cookie == nil { - t.Fatalf("No session cookie found") - } else if cookie.SameSite != http.SameSiteStrictMode || cookie.HttpOnly != true || cookie.Secure != true { - t.Fatalf("Cookie is not secure") - } + assert.NotNil(t, cookie) + assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite, "Cookie is not secure") + assert.True(t, cookie.HttpOnly, "Cookie is not secure") + assert.True(t, cookie.Secure, "Cookie is not secure") }) }