From ea653f0087b2b5b4d09e6b6712a52fbcabebb348 Mon Sep 17 00:00:00 2001 From: Tim Wundenberg Date: Fri, 20 Dec 2024 22:21:38 +0100 Subject: [PATCH] chore(auth): #331 unify existing tests --- main_test.go | 283 ++++++++++++++++++++++++++------------------------- 1 file changed, 146 insertions(+), 137 deletions(-) diff --git a/main_test.go b/main_test.go index da7395b..5bd15ea 100644 --- a/main_test.go +++ b/main_test.go @@ -112,184 +112,193 @@ func TestIntegrationSecurityHeader(t *testing.T) { func TestIntegrationAuth(t *testing.T) { t.Parallel() - t.Run("should return secure cookie on signin with generated csrf-token and session-id", func(t *testing.T) { - t.Parallel() + t.Run("SignIn", func(t *testing.T) { + t.Run("should return secure cookie with NEW session-id", func(t *testing.T) { + t.Parallel() - db, basePath, ctx := setupIntegrationTest(t) + db, basePath, ctx := setupIntegrationTest(t) - pass := service.GetHashPassword("password", []byte("salt")) - _, err := db.Exec(` + pass := service.GetHashPassword("password", []byte("salt")) + _, err := db.Exec(` INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, uuid.New(), pass, []byte("salt")) - assert.Nil(t, err) + assert.Nil(t, err) - req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil) - assert.Nil(t, err) + req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil) + assert.Nil(t, err) - resp, err := httpClient.Do(req) - assert.Nil(t, err) + resp, err := httpClient.Do(req) + assert.Nil(t, err) - html, err := html.Parse(resp.Body) - assert.Nil(t, err) + html, err := html.Parse(resp.Body) + assert.Nil(t, err) - csrfToken := findCsrfToken(html) - assert.NotEqual(t, "", csrfToken) - anonymousSession := findCookie(resp, "id") - assert.NotNil(t, anonymousSession) + anonymousCsrfToken := findCsrfToken(html) + assert.NotEqual(t, "", anonymousCsrfToken) + anonymousSession := findCookie(resp, "id") + assert.NotNil(t, anonymousSession) - formData := url.Values{ - "email": {"mail@mail.de"}, - "password": {"password"}, - "csrf-token": {csrfToken}, - } + formData := url.Values{ + "email": {"mail@mail.de"}, + "password": {"password"}, + "csrf-token": {anonymousCsrfToken}, + } - req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode())) - assert.Nil(t, err) - req.Header.Set("Content-Type", "application/x-www-form-urlencoded") - req.Header.Set("Cookie", "id="+anonymousSession.Value) + req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode())) + assert.Nil(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Cookie", "id="+anonymousSession.Value) - resp, err = httpClient.Do(req) - assert.Nil(t, err) + resp, err = httpClient.Do(req) + assert.Nil(t, err) - assert.Equal(t, http.StatusSeeOther, resp.StatusCode) + assert.Equal(t, http.StatusSeeOther, resp.StatusCode) - cookie := findCookie(resp, "id") - assert.NotNil(t, cookie) - assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite, "Cookie is not secure") - assert.True(t, cookie.HttpOnly, "Cookie is not secure") - assert.True(t, cookie.Secure, "Cookie is not secure") + cookie := findCookie(resp, "id") + assert.NotNil(t, cookie) + assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite, "Cookie is not secure") + assert.True(t, cookie.HttpOnly, "Cookie is not secure") + assert.True(t, cookie.Secure, "Cookie is not secure") + + assert.NotEqual(t, anonymousSession.Value, cookie.Value, "Session ID did not change") + }) }) - t.Run("should change password and invalidate other sessions from user", func(t *testing.T) { - t.Parallel() + t.Run("ChangePassword", func(t *testing.T) { + t.Run("should change password and invalidate all other user sessions", func(t *testing.T) { + t.Parallel() - db, basePath, ctx := setupIntegrationTest(t) - userId := uuid.New() - userIdOther := uuid.New() + db, basePath, ctx := setupIntegrationTest(t) + userId := uuid.New() + userIdOther := uuid.New() - pass := service.GetHashPassword("password", []byte("salt")) - _, err := db.Exec(` + pass := service.GetHashPassword("password", []byte("salt")) + _, err := db.Exec(` INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt")) - sessionId := "session-id" - assert.Nil(t, err) - _, err = db.Exec(` + sessionId := "session-id" + assert.Nil(t, err) + _, err = db.Exec(` INSERT INTO session (session_id, user_id, created_at, expires_at) VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId) - assert.Nil(t, err) - _, err = db.Exec(` + assert.Nil(t, err) + _, err = db.Exec(` INSERT INTO session (session_id, user_id, created_at, expires_at) VALUES ("second", ?, datetime(), datetime("now", "+1 day"))`, userId) - assert.Nil(t, err) - _, err = db.Exec(` + assert.Nil(t, err) + _, err = db.Exec(` INSERT INTO session (session_id, user_id, created_at, expires_at) VALUES ("other", ?, datetime(), datetime("now", "+1 day"))`, userIdOther) - assert.Nil(t, err) - - req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil) - assert.Nil(t, err) - req.Header.Set("Cookie", "id="+sessionId) - resp, err := httpClient.Do(req) - assert.Nil(t, err) - - html, err := html.Parse(resp.Body) - assert.Nil(t, err) - - csrfToken := findCsrfToken(html) - assert.NotEqual(t, "", csrfToken) - - formData := url.Values{ - "current-password": {"password"}, - "new-password": {"MyNewSecurePassword1!"}, - "csrf-token": {csrfToken}, - } - - req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode())) - assert.Nil(t, err) - req.Header.Set("Content-Type", "application/x-www-form-urlencoded") - req.Header.Set("Cookie", "id="+sessionId) - req.Header.Set("HX-Request", "true") - resp, err = httpClient.Do(req) - assert.Nil(t, err) - - assert.Equal(t, http.StatusOK, resp.StatusCode) - - var sessionIds []string - sessions, err := db.Query(`SELECT session_id FROM session WHERE NOT user_id = ? ORDER BY session_id`, uuid.Nil) - assert.Nil(t, err) - for sessions.Next() { - var sessionId string - err = sessions.Scan(&sessionId) assert.Nil(t, err) - sessionIds = append(sessionIds, sessionId) - } - assert.Equal(t, 2, len(sessionIds)) - assert.Equal(t, "other", sessionIds[0]) - assert.Equal(t, "session-id", sessionIds[1]) + req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil) + assert.Nil(t, err) + req.Header.Set("Cookie", "id="+sessionId) + resp, err := httpClient.Do(req) + assert.Nil(t, err) + + html, err := html.Parse(resp.Body) + assert.Nil(t, err) + + csrfToken := findCsrfToken(html) + assert.NotEqual(t, "", csrfToken) + + formData := url.Values{ + "current-password": {"password"}, + "new-password": {"MyNewSecurePassword1!"}, + "csrf-token": {csrfToken}, + } + + req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode())) + assert.Nil(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Cookie", "id="+sessionId) + req.Header.Set("HX-Request", "true") + resp, err = httpClient.Do(req) + assert.Nil(t, err) + + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var sessionIds []string + sessions, err := db.Query(`SELECT session_id FROM session WHERE NOT user_id = ? ORDER BY session_id`, uuid.Nil) + assert.Nil(t, err) + for sessions.Next() { + var sessionId string + err = sessions.Scan(&sessionId) + assert.Nil(t, err) + sessionIds = append(sessionIds, sessionId) + } + + assert.Equal(t, 2, len(sessionIds)) + assert.Equal(t, "other", sessionIds[0]) + assert.Equal(t, "session-id", sessionIds[1]) + }) }) - t.Run("should forget password and invalidate all user sessions", func(t *testing.T) { - t.Parallel() - d, basePath, ctx := setupIntegrationTest(t) - userId := uuid.New() + t.Run("ForgotPassword", func(t *testing.T) { + t.Run("should change password and invalidate ALL sessions", func(t *testing.T) { + t.Parallel() - pass := service.GetHashPassword("password", []byte("salt")) - _, err := d.Exec(` + d, basePath, ctx := setupIntegrationTest(t) + userId := uuid.New() + + pass := service.GetHashPassword("password", []byte("salt")) + _, err := d.Exec(` INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt")) - assert.Nil(t, err) - _, err = d.Exec(` + assert.Nil(t, err) + _, err = d.Exec(` INSERT INTO session (session_id, user_id, created_at, expires_at) VALUES ("session-id", ?, datetime(), datetime("now", "+1 day"))`, userId) - assert.Nil(t, err) + assert.Nil(t, err) - req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil) - assert.Nil(t, err) - resp, err := httpClient.Do(req) - assert.Nil(t, err) + req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil) + assert.Nil(t, err) + resp, err := httpClient.Do(req) + assert.Nil(t, err) - sessionId := findCookie(resp, "id").Value - html, err := html.Parse(resp.Body) - assert.Nil(t, err) - csrfToken := findCsrfToken(html) - assert.NotEqual(t, "", csrfToken) + sessionId := findCookie(resp, "id").Value + html, err := html.Parse(resp.Body) + assert.Nil(t, err) + csrfToken := findCsrfToken(html) + assert.NotEqual(t, "", csrfToken) - formData := url.Values{ - "email": {"mail@mail.de"}, - "csrf-token": {csrfToken}, - } - req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password", strings.NewReader(formData.Encode())) - assert.Nil(t, err) - req.Header.Set("Content-Type", "application/x-www-form-urlencoded") - req.Header.Set("Cookie", "id="+sessionId) - req.Header.Set("HX-Request", "true") - resp, err = httpClient.Do(req) - assert.Nil(t, err) - assert.Equal(t, http.StatusOK, resp.StatusCode) + formData := url.Values{ + "email": {"mail@mail.de"}, + "csrf-token": {csrfToken}, + } + req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password", strings.NewReader(formData.Encode())) + assert.Nil(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Cookie", "id="+sessionId) + req.Header.Set("HX-Request", "true") + resp, err = httpClient.Do(req) + assert.Nil(t, err) + assert.Equal(t, http.StatusOK, resp.StatusCode) - var token string - err = d.QueryRow("SELECT token FROM token WHERE type = ?", types.TokenTypePasswordReset).Scan(&token) - assert.Nil(t, err) + var token string + err = d.QueryRow("SELECT token FROM token WHERE type = ?", types.TokenTypePasswordReset).Scan(&token) + assert.Nil(t, err) - formData = url.Values{ - "new-password": {"MyNewSecurePassword1!"}, - "csrf-token": {csrfToken}, - } - req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password-actual", strings.NewReader(formData.Encode())) - assert.Nil(t, err) - req.Header.Set("Content-Type", "application/x-www-form-urlencoded") - req.Header.Set("Cookie", "id="+sessionId) - req.Header.Set("HX-Request", "true") - req.Header.Set("HX-Current-URL", basePath+"/auth/change-password?token="+url.QueryEscape(token)) - resp, err = httpClient.Do(req) - assert.Nil(t, err) - assert.Equal(t, http.StatusOK, resp.StatusCode) + formData = url.Values{ + "new-password": {"MyNewSecurePassword1!"}, + "csrf-token": {csrfToken}, + } + req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password-actual", strings.NewReader(formData.Encode())) + assert.Nil(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Cookie", "id="+sessionId) + req.Header.Set("HX-Request", "true") + req.Header.Set("HX-Current-URL", basePath+"/auth/change-password?token="+url.QueryEscape(token)) + resp, err = httpClient.Do(req) + assert.Nil(t, err) + assert.Equal(t, http.StatusOK, resp.StatusCode) - sessions, err := d.Query("SELECT session_id FROM session WHERE user_id = ?", userId) - assert.Nil(t, err) - assert.False(t, sessions.Next()) + sessions, err := d.Query("SELECT session_id FROM session WHERE user_id = ?", userId) + assert.Nil(t, err) + assert.False(t, sessions.Next()) + }) }) }