From 7b1293bb6fa8a7d6e14362ca0d547d04fce62f03 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 24 Mar 2026 13:46:44 +0100 Subject: [PATCH] Add tests for auth, rate limiting, security, and util --- internal/api/middleware/ratelimit_test.go | 64 ++++++++++++++++++ internal/auth/service_test.go | 82 +++++++++++++++++++++++ internal/security/password_test.go | 22 ++++++ internal/util/util_test.go | 40 +++++++++++ 4 files changed, 208 insertions(+) create mode 100644 internal/api/middleware/ratelimit_test.go create mode 100644 internal/auth/service_test.go create mode 100644 internal/security/password_test.go create mode 100644 internal/util/util_test.go diff --git a/internal/api/middleware/ratelimit_test.go b/internal/api/middleware/ratelimit_test.go new file mode 100644 index 0000000..0984b70 --- /dev/null +++ b/internal/api/middleware/ratelimit_test.go @@ -0,0 +1,64 @@ +package middleware + +import ( + "net/http" + "net/http/httptest" + "testing" + "time" + + "github.com/gin-gonic/gin" +) + +func TestRateLimitByIP_BlocksAfterLimit(t *testing.T) { + gin.SetMode(gin.TestMode) + + r := gin.New() + // 1 request per hour, burst 1 => second immediate request should 429. + r.Use(RateLimitByIP(1, time.Hour, 1, time.Minute)) + r.GET("/", func(c *gin.Context) { c.String(200, "ok") }) + + req := httptest.NewRequest(http.MethodGet, "/", nil) + req.RemoteAddr = "203.0.113.10:1234" + + w1 := httptest.NewRecorder() + r.ServeHTTP(w1, req) + if w1.Code != http.StatusOK { + t.Fatalf("first request code = %d, want %d", w1.Code, http.StatusOK) + } + + w2 := httptest.NewRecorder() + r.ServeHTTP(w2, req) + if w2.Code != http.StatusTooManyRequests { + t.Fatalf("second request code = %d, want %d", w2.Code, http.StatusTooManyRequests) + } +} + +func TestRateLimitByIP_AllowsBurst(t *testing.T) { + gin.SetMode(gin.TestMode) + + r := gin.New() + // 1 per hour, but burst 2 => first two immediate requests should pass. + r.Use(RateLimitByIP(1, time.Hour, 2, time.Minute)) + r.GET("/", func(c *gin.Context) { c.String(200, "ok") }) + + req := httptest.NewRequest(http.MethodGet, "/", nil) + req.RemoteAddr = "203.0.113.11:1234" + + w1 := httptest.NewRecorder() + r.ServeHTTP(w1, req) + if w1.Code != http.StatusOK { + t.Fatalf("first request code = %d, want %d", w1.Code, http.StatusOK) + } + + w2 := httptest.NewRecorder() + r.ServeHTTP(w2, req) + if w2.Code != http.StatusOK { + t.Fatalf("second request code = %d, want %d", w2.Code, http.StatusOK) + } + + w3 := httptest.NewRecorder() + r.ServeHTTP(w3, req) + if w3.Code != http.StatusTooManyRequests { + t.Fatalf("third request code = %d, want %d", w3.Code, http.StatusTooManyRequests) + } +} diff --git a/internal/auth/service_test.go b/internal/auth/service_test.go new file mode 100644 index 0000000..31fc9f8 --- /dev/null +++ b/internal/auth/service_test.go @@ -0,0 +1,82 @@ +package auth + +import ( + "ResendIt/internal/security" + "ResendIt/internal/user" + "testing" + + "gorm.io/driver/sqlite" + "gorm.io/gorm" +) + +func TestServiceLogin_InvalidUserDoesNotEnumerate(t *testing.T) { + db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{}) + if err != nil { + t.Fatalf("open sqlite: %v", err) + } + if err := db.AutoMigrate(&user.User{}); err != nil { + t.Fatalf("migrate: %v", err) + } + + svc := NewService(NewRepository(db)) + + _, err = svc.Login("does-not-exist", "whatever") + if err != ErrInvalidCredentials { + t.Fatalf("expected ErrInvalidCredentials for missing user, got %v", err) + } +} + +func TestServiceLogin_WrongPassword(t *testing.T) { + db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{}) + if err != nil { + t.Fatalf("open sqlite: %v", err) + } + if err := db.AutoMigrate(&user.User{}); err != nil { + t.Fatalf("migrate: %v", err) + } + + hash, err := security.HashPassword("right") + if err != nil { + t.Fatalf("hash: %v", err) + } + + u := user.User{Username: "alice", PasswordHash: hash, Role: "user"} + if err := db.Create(&u).Error; err != nil { + t.Fatalf("create user: %v", err) + } + + svc := NewService(NewRepository(db)) + _, err = svc.Login("alice", "wrong") + if err != ErrInvalidCredentials { + t.Fatalf("expected ErrInvalidCredentials for wrong password, got %v", err) + } +} + +func TestServiceLogin_SuccessReturnsJWT(t *testing.T) { + db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{}) + if err != nil { + t.Fatalf("open sqlite: %v", err) + } + if err := db.AutoMigrate(&user.User{}); err != nil { + t.Fatalf("migrate: %v", err) + } + + hash, err := security.HashPassword("right") + if err != nil { + t.Fatalf("hash: %v", err) + } + + u := user.User{Username: "alice", PasswordHash: hash, Role: "user"} + if err := db.Create(&u).Error; err != nil { + t.Fatalf("create user: %v", err) + } + + svc := NewService(NewRepository(db)) + token, err := svc.Login("alice", "right") + if err != nil { + t.Fatalf("expected success, got error: %v", err) + } + if token == "" { + t.Fatalf("expected non-empty jwt token") + } +} diff --git a/internal/security/password_test.go b/internal/security/password_test.go new file mode 100644 index 0000000..ad26fec --- /dev/null +++ b/internal/security/password_test.go @@ -0,0 +1,22 @@ +package security + +import "testing" + +func TestHashAndCheckPassword(t *testing.T) { + pw := "correct horse battery staple" + + hash, err := HashPassword(pw) + if err != nil { + t.Fatalf("HashPassword returned error: %v", err) + } + if hash == "" { + t.Fatalf("expected non-empty hash") + } + + if !CheckPassword(pw, hash) { + t.Fatalf("expected CheckPassword to succeed for correct password") + } + if CheckPassword("wrong", hash) { + t.Fatalf("expected CheckPassword to fail for wrong password") + } +} diff --git a/internal/util/util_test.go b/internal/util/util_test.go new file mode 100644 index 0000000..5fdc0ab --- /dev/null +++ b/internal/util/util_test.go @@ -0,0 +1,40 @@ +package util + +import "testing" + +func TestHumanSize(t *testing.T) { + tests := []struct { + in int64 + want string + }{ + {0, "0 B"}, + {1, "1 B"}, + {1023, "1023 B"}, + {1024, "1.0 KB"}, + {1024 * 1024, "1.0 MB"}, + } + + for _, tt := range tests { + if got := HumanSize(tt.in); got != tt.want { + t.Fatalf("HumanSize(%d) = %q, want %q", tt.in, got, tt.want) + } + } +} + +func TestSafeFilename(t *testing.T) { + if got := SafeFilename(" hello.txt "); got != "hello.txt" { + t.Fatalf("expected trimmed filename, got %q", got) + } + + // Strips control characters, quotes, and backslashes. + in := "a\n\rb\t\"c\\d" + got := SafeFilename(in) + if got != "abcd" { + t.Fatalf("SafeFilename(%q) = %q, want %q", in, got, "abcd") + } + + // Empty after sanitization becomes default. + if got := SafeFilename("\n\r\t"); got != "file" { + t.Fatalf("expected default filename, got %q", got) + } +}