Add tests for auth, rate limiting, security, and util

internal/api/middleware/ratelimit_test.go

@@ -0,0 +1,64 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+func TestRateLimitByIP_BlocksAfterLimit(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	r := gin.New()
+	// 1 request per hour, burst 1 => second immediate request should 429.
+	r.Use(RateLimitByIP(1, time.Hour, 1, time.Minute))
+	r.GET("/", func(c *gin.Context) { c.String(200, "ok") })
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.RemoteAddr = "203.0.113.10:1234"
+
+	w1 := httptest.NewRecorder()
+	r.ServeHTTP(w1, req)
+	if w1.Code != http.StatusOK {
+		t.Fatalf("first request code = %d, want %d", w1.Code, http.StatusOK)
+	}
+
+	w2 := httptest.NewRecorder()
+	r.ServeHTTP(w2, req)
+	if w2.Code != http.StatusTooManyRequests {
+		t.Fatalf("second request code = %d, want %d", w2.Code, http.StatusTooManyRequests)
+	}
+}
+
+func TestRateLimitByIP_AllowsBurst(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	r := gin.New()
+	// 1 per hour, but burst 2 => first two immediate requests should pass.
+	r.Use(RateLimitByIP(1, time.Hour, 2, time.Minute))
+	r.GET("/", func(c *gin.Context) { c.String(200, "ok") })
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.RemoteAddr = "203.0.113.11:1234"
+
+	w1 := httptest.NewRecorder()
+	r.ServeHTTP(w1, req)
+	if w1.Code != http.StatusOK {
+		t.Fatalf("first request code = %d, want %d", w1.Code, http.StatusOK)
+	}
+
+	w2 := httptest.NewRecorder()
+	r.ServeHTTP(w2, req)
+	if w2.Code != http.StatusOK {
+		t.Fatalf("second request code = %d, want %d", w2.Code, http.StatusOK)
+	}
+
+	w3 := httptest.NewRecorder()
+	r.ServeHTTP(w3, req)
+	if w3.Code != http.StatusTooManyRequests {
+		t.Fatalf("third request code = %d, want %d", w3.Code, http.StatusTooManyRequests)
+	}
+}

internal/auth/service_test.go

@@ -0,0 +1,82 @@
+package auth
+
+import (
+	"ResendIt/internal/security"
+	"ResendIt/internal/user"
+	"testing"
+
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+func TestServiceLogin_InvalidUserDoesNotEnumerate(t *testing.T) {
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+	if err := db.AutoMigrate(&user.User{}); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	svc := NewService(NewRepository(db))
+
+	_, err = svc.Login("does-not-exist", "whatever")
+	if err != ErrInvalidCredentials {
+		t.Fatalf("expected ErrInvalidCredentials for missing user, got %v", err)
+	}
+}
+
+func TestServiceLogin_WrongPassword(t *testing.T) {
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+	if err := db.AutoMigrate(&user.User{}); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	hash, err := security.HashPassword("right")
+	if err != nil {
+		t.Fatalf("hash: %v", err)
+	}
+
+	u := user.User{Username: "alice", PasswordHash: hash, Role: "user"}
+	if err := db.Create(&u).Error; err != nil {
+		t.Fatalf("create user: %v", err)
+	}
+
+	svc := NewService(NewRepository(db))
+	_, err = svc.Login("alice", "wrong")
+	if err != ErrInvalidCredentials {
+		t.Fatalf("expected ErrInvalidCredentials for wrong password, got %v", err)
+	}
+}
+
+func TestServiceLogin_SuccessReturnsJWT(t *testing.T) {
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+	if err := db.AutoMigrate(&user.User{}); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	hash, err := security.HashPassword("right")
+	if err != nil {
+		t.Fatalf("hash: %v", err)
+	}
+
+	u := user.User{Username: "alice", PasswordHash: hash, Role: "user"}
+	if err := db.Create(&u).Error; err != nil {
+		t.Fatalf("create user: %v", err)
+	}
+
+	svc := NewService(NewRepository(db))
+	token, err := svc.Login("alice", "right")
+	if err != nil {
+		t.Fatalf("expected success, got error: %v", err)
+	}
+	if token == "" {
+		t.Fatalf("expected non-empty jwt token")
+	}
+}

internal/security/password_test.go

@@ -0,0 +1,22 @@
+package security
+
+import "testing"
+
+func TestHashAndCheckPassword(t *testing.T) {
+	pw := "correct horse battery staple"
+
+	hash, err := HashPassword(pw)
+	if err != nil {
+		t.Fatalf("HashPassword returned error: %v", err)
+	}
+	if hash == "" {
+		t.Fatalf("expected non-empty hash")
+	}
+
+	if !CheckPassword(pw, hash) {
+		t.Fatalf("expected CheckPassword to succeed for correct password")
+	}
+	if CheckPassword("wrong", hash) {
+		t.Fatalf("expected CheckPassword to fail for wrong password")
+	}
+}

internal/util/util_test.go

@@ -0,0 +1,40 @@
+package util
+
+import "testing"
+
+func TestHumanSize(t *testing.T) {
+	tests := []struct {
+		in   int64
+		want string
+	}{
+		{0, "0 B"},
+		{1, "1 B"},
+		{1023, "1023 B"},
+		{1024, "1.0 KB"},
+		{1024 * 1024, "1.0 MB"},
+	}
+
+	for _, tt := range tests {
+		if got := HumanSize(tt.in); got != tt.want {
+			t.Fatalf("HumanSize(%d) = %q, want %q", tt.in, got, tt.want)
+		}
+	}
+}
+
+func TestSafeFilename(t *testing.T) {
+	if got := SafeFilename("  hello.txt  "); got != "hello.txt" {
+		t.Fatalf("expected trimmed filename, got %q", got)
+	}
+
+	// Strips control characters, quotes, and backslashes.
+	in := "a\n\rb\t\"c\\d"
+	got := SafeFilename(in)
+	if got != "abcd" {
+		t.Fatalf("SafeFilename(%q) = %q, want %q", in, got, "abcd")
+	}
+
+	// Empty after sanitization becomes default.
+	if got := SafeFilename("\n\r\t"); got != "file" {
+		t.Fatalf("expected default filename, got %q", got)
+	}
+}