chore(auth): #331 add tests for sign in

2024-12-23 22:26:46 +01:00
parent 7a9d34d464
commit 96b4cc6889
5 changed files with 202 additions and 12 deletions
--- a/main_test.go
+++ b/main_test.go
@@ -294,6 +294,166 @@ func TestIntegrationAuth(t *testing.T) {

 			assert.NotEqual(t, anonymousSession.Value, cookie.Value, "Session ID did not change")
 		})
+		t.Run("should return in ~250 ms in all cases", func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := db.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, uuid.New(), pass, []byte("salt"))
+			assert.Nil(t, err)
+
+			// Everythings correct
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			body, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(body)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+			anonymousSession := findCookie(resp, "id")
+			assert.NotNil(t, anonymousSession)
+
+			formData := url.Values{
+				"email":      {"mail@mail.de"},
+				"password":   {"password"},
+				"csrf-token": {anonymousCsrfToken},
+			}
+
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+anonymousSession.Value)
+			req.Header.Set("HX-Request", "true")
+
+			timeStart := time.Now()
+			resp, err = httpClient.Do(req)
+			timeEnd := time.Now()
+			assert.Nil(t, err)
+			if timeEnd.Sub(timeStart) > 253*time.Millisecond || timeEnd.Sub(timeStart) <= 250*time.Millisecond {
+				t.Fail()
+				t.Logf("Time did not match: %v", timeEnd.Sub(timeStart))
+			}
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+			//Wrong password
+			req, err = http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
+			assert.Nil(t, err)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			body, err = html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken = findCsrfToken(body)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+			anonymousSession = findCookie(resp, "id")
+			assert.NotNil(t, anonymousSession)
+
+			formData = url.Values{
+				"email":      {"mail@mail.de"},
+				"password":   {"wrong-password"},
+				"csrf-token": {anonymousCsrfToken},
+			}
+
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+anonymousSession.Value)
+			req.Header.Set("HX-Request", "true")
+
+			timeStart = time.Now()
+			resp, err = httpClient.Do(req)
+			timeEnd = time.Now()
+			assert.Nil(t, err)
+			if timeEnd.Sub(timeStart) > 253*time.Millisecond || timeEnd.Sub(timeStart) <= 250*time.Millisecond {
+				t.Fail()
+				t.Logf("Time did not match: %v", timeEnd.Sub(timeStart))
+			}
+			assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+
+			//Wrong username
+			req, err = http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
+			assert.Nil(t, err)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			body, err = html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken = findCsrfToken(body)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+			anonymousSession = findCookie(resp, "id")
+			assert.NotNil(t, anonymousSession)
+			formData = url.Values{
+
+				"email":      {"invalid-mail@mail.de"},
+				"password":   {"password"},
+				"csrf-token": {anonymousCsrfToken},
+			}
+
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+anonymousSession.Value)
+			req.Header.Set("HX-Request", "true")
+
+			timeStart = time.Now()
+			resp, err = httpClient.Do(req)
+			timeEnd = time.Now()
+			assert.Nil(t, err)
+			if timeEnd.Sub(timeStart) > 253*time.Millisecond || timeEnd.Sub(timeStart) <= 250*time.Millisecond {
+				t.Fail()
+				t.Logf("Time did not match: %v", timeEnd.Sub(timeStart))
+			}
+			assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+		})
+		t.Run("should create new session and invalidate old one (session fixation prevention)", func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := db.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, uuid.New(), pass, []byte("salt"))
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			html, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(html)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+			anonymousSession := findCookie(resp, "id")
+			assert.NotNil(t, anonymousSession)
+
+			formData := url.Values{
+				"email":      {"mail@mail.de"},
+				"password":   {"password"},
+				"csrf-token": {anonymousCsrfToken},
+			}
+
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+anonymousSession.Value)
+			req.Header.Set("HX-Request", "true")
+
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM session WHERE session_id = ?", anonymousSession.Value).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 0, rows)
+			err = db.QueryRow("SELECT COUNT(*) FROM token WHERE token = ?", anonymousCsrfToken).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 0, rows)
+		})
 	})
 	t.Run("SignOut", func(t *testing.T) {
 		t.Run("should fail if csrf token is not valid", func(t *testing.T) {