auth_test.go
package security
import (
"net/http"
"net/http/httptest"
"testing"
"time"
)
// TestCreateToken_ValidateToken checks the round trip: a token issued by
// CreateToken validates under the same secret and yields the claim that was
// put into it.
func TestCreateToken_ValidateToken(t *testing.T) {
	// Fixed, test-only signing secret shared by issue and validation.
	const secret = "secret"

	issued, err := CreateToken(map[string]any{"user_id": "abc123"}, secret, time.Hour)
	switch {
	case err != nil:
		t.Fatal(err)
	case issued == "":
		t.Fatal("expected non-empty token")
	}

	parsed, err := ValidateToken(issued, secret)
	if err != nil {
		t.Fatal(err)
	}
	if uid := parsed["user_id"]; uid != "abc123" {
		t.Errorf("expected user_id=abc123, got %v", uid)
	}
}
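// TestValidateToken_WrongSecret checks that a token issued under one secret is
// rejected with ErrInvalidToken when it is validated under a different secret.
func TestValidateToken_WrongSecret(t *testing.T) {
	token, err := CreateToken(map[string]any{"id": "1"}, "secret1", time.Hour)
	if err != nil {
		// If issuance fails, the value handed to ValidateToken is not a real
		// token; it would presumably be rejected as invalid as well, so the
		// test could pass without ever exercising the secret mismatch.
		t.Fatalf("CreateToken: %v", err)
	}
	if token == "" {
		t.Fatal("expected non-empty token")
	}

	if _, err := ValidateToken(token, "secret2"); err != ErrInvalidToken {
		t.Errorf("expected ErrInvalidToken, got %v", err)
	}
}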
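// TestValidateToken_Expired checks that a token issued with a negative
// lifetime is rejected with ErrExpiredToken, even though the secret matches.
func TestValidateToken_Expired(t *testing.T) {
	// A negative TTL presumably places the expiry one hour in the past.
	token, err := CreateToken(map[string]any{"id": "1"}, "secret", -time.Hour)
	if err != nil {
		// Surface an issuance failure directly instead of letting it show up
		// later as a confusing mismatch on the validation error.
		t.Fatalf("CreateToken: %v", err)
	}

	if _, err := ValidateToken(token, "secret"); err != ErrExpiredToken {
		t.Errorf("expected ErrExpiredToken, got %v", err)
	}
}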
// TestValidateToken_Malformed checks that a string that was never produced by
// CreateToken is rejected with ErrInvalidToken.
//
// NOTE(review): only one malformed shape is covered. Inputs worth pinning as
// well are the empty string, a token with a wrong number of segments, and a
// genuine token whose payload or signature was altered after issuance; confirm
// against ValidateToken which error each of these is meant to return.
func TestValidateToken_Malformed(t *testing.T) {
	const garbage = "not.a.token"

	if _, err := ValidateToken(garbage, "secret"); err != ErrInvalidToken {
		t.Errorf("expected ErrInvalidToken, got %v", err)
	}
}
// TestSessionCookie_SetAndGet checks that SetSessionCookie writes exactly one
// Set-Cookie header carrying the given name and value, marked HttpOnly and
// SameSite=Lax.
//
// NOTE(review): the Secure attribute, Path and the cookie lifetime are not
// asserted here. Whether SetSessionCookie sets Secure is not visible from this
// file; confirm it and pin it, since without Secure the session cookie can
// travel over plain HTTP.
func TestSessionCookie_SetAndGet(t *testing.T) {
	w := httptest.NewRecorder()
	SetSessionCookie(w, "session", "mytoken", time.Hour)

	set := w.Result().Cookies()
	if n := len(set); n != 1 {
		t.Fatalf("expected 1 cookie, got %d", n)
	}

	c := set[0]
	if !(c.Name == "session" && c.Value == "mytoken") {
		t.Errorf("unexpected cookie: %+v", c)
	}
	// HttpOnly keeps the cookie out of reach of page scripts.
	if !c.HttpOnly {
		t.Error("expected HttpOnly")
	}
	if c.SameSite != http.SameSiteLaxMode {
		t.Error("expected SameSite=Lax")
	}
}
// TestSessionFromRequest checks that SessionFromRequest returns the value of
// the named cookie when the request carries it, and the empty string when it
// does not.
func TestSessionFromRequest(t *testing.T) {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.AddCookie(&http.Cookie{Name: "session", Value: "abc"})

	present := SessionFromRequest(r, "session")
	if present != "abc" {
		t.Errorf("expected abc, got %q", present)
	}

	// No cookie named "other" was attached to the request.
	absent := SessionFromRequest(r, "other")
	if absent != "" {
		t.Errorf("expected empty for missing cookie, got %q", absent)
	}
}
// TestClearSessionCookie checks that ClearSessionCookie writes exactly one
// Set-Cookie header and that it parses back with MaxAge == -1.
//
// NOTE(review): the name, value and Path of the clearing cookie are not
// asserted. A browser only replaces a stored cookie when name, domain and path
// match, so confirm that ClearSessionCookie uses the same attributes as
// SetSessionCookie and consider pinning them here.
func TestClearSessionCookie(t *testing.T) {
	w := httptest.NewRecorder()
	ClearSessionCookie(w, "session")

	set := w.Result().Cookies()
	if n := len(set); n != 1 {
		t.Fatalf("expected 1 cookie, got %d", n)
	}
	// net/http reports a parsed Max-Age of zero or less as MaxAge == -1,
	// which means "delete this cookie now".
	if age := set[0].MaxAge; age != -1 {
		t.Errorf("expected MaxAge=-1, got %d", age)
	}
}