x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

chore(test): add test for cache control and security headers

Browse Source
This commit is contained in:
Tim Wundenberg
2024-12-16 22:51:23 +01:00
parent c48194c36f
commit 43d0a3d022
1 changed files with 9 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
main_test.go
View File

@@ -30,7 +30,7 @@ var (
port atomic.Int32 port atomic.Int32
) )
func TestSecurityHeader(t *testing.T) { func TestIntegrationSecurityHeader(t *testing.T) {
t.Parallel() t.Parallel()
t.Run("should keep caching for static content", func(t *testing.T) { t.Run("should keep caching for static content", func(t *testing.T) {
t.Parallel() t.Parallel()
@@ -109,10 +109,10 @@ func TestSecurityHeader(t *testing.T) {
}) })
} }
func TestAuth(t *testing.T) { func TestIntegrationAuth(t *testing.T) {
t.Parallel() t.Parallel()
t.Run("should signin and return session cookie", func(t *testing.T) { t.Run("should return secure cookie on signin with generated csrf-token and session-id", func(t *testing.T) {
t.Parallel() t.Parallel()
db, basePath, ctx := setupIntegrationTest(t) db, basePath, ctx := setupIntegrationTest(t)
@@ -121,9 +121,7 @@ func TestAuth(t *testing.T) {
_, err := db.Exec(` _, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, uuid.New(), pass, []byte("salt")) VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, uuid.New(), pass, []byte("salt"))
if err != nil { assert.Nil(t, err)
t.Fatalf("Error inserting user: %v", err)
}
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil) req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
assert.Nil(t, err) assert.Nil(t, err)
@@ -148,7 +146,7 @@ func TestAuth(t *testing.T) {
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode())) req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode()))
assert.Nil(t, err) assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Cookie", anonymousSession.Name+"="+anonymousSession.Value) req.Header.Set("Cookie", "id="+anonymousSession.Value)
resp, err = httpClient.Do(req) resp, err = httpClient.Do(req)
assert.Nil(t, err) assert.Nil(t, err)
@@ -156,11 +154,10 @@ func TestAuth(t *testing.T) {
assert.Equal(t, http.StatusSeeOther, resp.StatusCode) assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
cookie := findCookie(resp, "id") cookie := findCookie(resp, "id")
if cookie == nil { assert.NotNil(t, cookie)
t.Fatalf("No session cookie found") assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite, "Cookie is not secure")
} else if cookie.SameSite != http.SameSiteStrictMode || cookie.HttpOnly != true || cookie.Secure != true { assert.True(t, cookie.HttpOnly, "Cookie is not secure")
t.Fatalf("Cookie is not secure") assert.True(t, cookie.Secure, "Cookie is not secure")
}
}) })
} }