From 9462f8b245e12c1d88ff7838a576022a6356d1a8 Mon Sep 17 00:00:00 2001
From: Tim Wundenberg <tim@wundenbergs.de>
Date: Mon, 23 Dec 2024 22:51:46 +0100
Subject: [PATCH] chore(auth): #331 implement and fix fist sign up tests

---
 handler/auth.go                               |  5 +-
 .../middleware/cross_site_request_forgery.go  |  7 +-
 main_test.go                                  | 81 +++++++++++++++++++
 3 files changed, 91 insertions(+), 2 deletions(-)

diff --git a/handler/auth.go b/handler/auth.go
index 49a60d2..67663ba 100644
--- a/handler/auth.go
+++ b/handler/auth.go
@@ -203,8 +203,11 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
 			} else if errors.Is(err, service.ErrInvalidEmail) {
 				utils.TriggerToast(w, r, "error", "The email provided is invalid", http.StatusBadRequest)
 				return
+			} else if errors.Is(err, service.ErrInvalidPassword) {
+				utils.TriggerToast(w, r, "error", service.ErrInvalidPassword.Error(), http.StatusBadRequest)
+				return
 			}
-			// If the "service.ErrAccountExists", then just continue
+			// If err is "service.ErrAccountExists", then just continue
 		}
 
 		utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.", http.StatusOK)
diff --git a/handler/middleware/cross_site_request_forgery.go b/handler/middleware/cross_site_request_forgery.go
index 41d18bd..b80684d 100644
--- a/handler/middleware/cross_site_request_forgery.go
+++ b/handler/middleware/cross_site_request_forgery.go
@@ -8,6 +8,7 @@ import (
 	"me-fit/log"
 	"me-fit/service"
 	"me-fit/types"
+	"me-fit/utils"
 )
 
 type csrfResponseWriter struct {
@@ -57,7 +58,11 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
 				}
 				if session == nil || csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
 					log.Info("CSRF-Token not correct")
-					http.Error(w, "CSRF-Token not correct", http.StatusBadRequest)
+					if r.Header.Get("HX-Request") == "true" {
+						utils.TriggerToast(w, r, "error", "CSRF-Token not correct", http.StatusBadRequest)
+					} else {
+						http.Error(w, "CSRF-Token not correct", http.StatusBadRequest)
+					}
 					return
 				}
 			}
diff --git a/main_test.go b/main_test.go
index 79d0930..f56910c 100644
--- a/main_test.go
+++ b/main_test.go
@@ -455,6 +455,87 @@ func TestIntegrationAuth(t *testing.T) {
 			assert.Equal(t, 0, rows)
 		})
 	})
+	t.Run("SignUp", func(t *testing.T) {
+		t.Run(`should redirect to "/" if signed in`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			userId := uuid.New()
+			sessionId := "session-id"
+			pass := service.GetHashPassword("password", []byte("salt"))
+
+			_, err := db.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", TRUE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+			INSERT INTO session (session_id, user_id, created_at, expires_at)
+			VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
+			assert.Equal(t, "/", resp.Header.Get("Location"))
+		})
+		t.Run(`should fail if csrf token is invalid`, func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			formData := url.Values{
+				"email":      {"mail@mail.de"},
+				"password":   {"password"},
+				"csrf-token": {"invalid-csrf-token"},
+			}
+			req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("HX-Request", "true")
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+			assert.Contains(t, resp.Header.Get("HX-Trigger"), "CSRF")
+		})
+		t.Run(`should fail if password is insecure`, func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signup", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			body, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(body)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+			anonymousSession := findCookie(resp, "id")
+			assert.NotNil(t, anonymousSession)
+
+			formData := url.Values{
+				"email":      {"mail@mail.de"},
+				"password":   {"insecure-password"},
+				"csrf-token": {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signup", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("HX-Request", "true")
+			req.Header.Set("Cookie", "id="+anonymousSession.Value)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+			assert.Contains(t, resp.Header.Get("HX-Trigger"), "password")
+		})
+	})
 	t.Run("SignOut", func(t *testing.T) {
 		t.Run("should fail if csrf token is not valid", func(t *testing.T) {
 			t.Parallel()