package handlers
import (
"net/http"
"net/http/httptest"
"os"
"testing"
)
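// TestGoogleLogin_RequiresRedirectURI expects GoogleLogin to answer a login
// request that carries no redirect_uri query parameter with 400 Bad Request.
func TestGoogleLogin_RequiresRedirectURI(t *testing.T) {
	// Pin the allow-list for this test, then put the environment back exactly
	// as it was: a variable that was unset beforehand is unset again instead of
	// being left behind as an empty string for the other tests in the package.
	original, wasSet := os.LookupEnv("ALLOWED_REDIRECT_URIS")
	if err := os.Setenv("ALLOWED_REDIRECT_URIS", "http://localhost:5173"); err != nil {
		t.Fatalf("setting ALLOWED_REDIRECT_URIS: %v", err)
	}
	t.Cleanup(func() {
		var err error
		if wasSet {
			err = os.Setenv("ALLOWED_REDIRECT_URIS", original)
		} else {
			err = os.Unsetenv("ALLOWED_REDIRECT_URIS")
		}
		if err != nil {
			t.Errorf("restoring ALLOWED_REDIRECT_URIS: %v", err)
		}
	})

	// No query string at all: the redirect_uri parameter is absent.
	req := httptest.NewRequest(http.MethodGet, "/v1/auth/login", nil)
	recorder := httptest.NewRecorder()

	GoogleLogin(recorder, req)

	if recorder.Code != http.StatusBadRequest {
		t.Fatalf("expected status %d, got %d", http.StatusBadRequest, recorder.Code)
	}
}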
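// TestGoogleLogin_RejectsUnauthorizedRedirectURI expects GoogleLogin to answer
// 401 Unauthorized when the redirect_uri query parameter names a URI that is
// not the one configured in ALLOWED_REDIRECT_URIS. This is the check that keeps
// the login flow from being pointed at an arbitrary caller-chosen destination.
func TestGoogleLogin_RejectsUnauthorizedRedirectURI(t *testing.T) {
	// Pin the allow-list for this test, then put the environment back exactly
	// as it was: a variable that was unset beforehand is unset again instead of
	// being left behind as an empty string for the other tests in the package.
	original, wasSet := os.LookupEnv("ALLOWED_REDIRECT_URIS")
	if err := os.Setenv("ALLOWED_REDIRECT_URIS", "http://localhost:5173"); err != nil {
		t.Fatalf("setting ALLOWED_REDIRECT_URIS: %v", err)
	}
	t.Cleanup(func() {
		var err error
		if wasSet {
			err = os.Setenv("ALLOWED_REDIRECT_URIS", original)
		} else {
			err = os.Unsetenv("ALLOWED_REDIRECT_URIS")
		}
		if err != nil {
			t.Errorf("restoring ALLOWED_REDIRECT_URIS: %v", err)
		}
	})

	req := httptest.NewRequest(http.MethodGet, "/v1/auth/login?redirect_uri=http://malicious.example", nil)
	recorder := httptest.NewRecorder()

	GoogleLogin(recorder, req)

	if recorder.Code != http.StatusUnauthorized {
		t.Fatalf("expected status %d, got %d", http.StatusUnauthorized, recorder.Code)
	}
	// The status alone does not show that the rejected URI was dropped: a
	// rejection must not also hand the client a redirect target.
	if loc := recorder.Header().Get("Location"); loc != "" {
		t.Fatalf("expected no Location header on rejection, got %q", loc)
	}
	// NOTE(review): only an entirely different host is exercised here. Near
	// misses of the allowed entry (other port, other scheme, the allowed
	// origin used as a prefix of a longer host) are not covered by this test.
}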
// TestValidateState_MissingCookie expects validateState to refuse a callback
// request that carries a state query parameter but no state cookie: it must
// return false and leave a 401 Unauthorized on the response.
func TestValidateState_MissingCookie(t *testing.T) {
	rec := httptest.NewRecorder()
	// The request has the state parameter only; no cookie is attached.
	callback := httptest.NewRequest(http.MethodGet, "/v1/auth/callback?state=test-state", nil)

	if validateState(rec, callback) {
		t.Fatal("expected validateState to return false when oauth_state cookie is missing")
	}
	if got := rec.Code; got != http.StatusUnauthorized {
		t.Fatalf("expected status %d, got %d", http.StatusUnauthorized, got)
	}
}
// TestValidateState_Success expects validateState to accept a callback request
// whose state cookie holds the same value as the state query parameter.
//
// NOTE(review): the tests shown in this file cover a missing cookie and a
// matching cookie, but not a cookie whose value differs from the state
// parameter. That mismatch is the case the state comparison exists to stop and
// deserves its own test.
func TestValidateState_Success(t *testing.T) {
	const state = "test-state"

	rec := httptest.NewRecorder()
	callback := httptest.NewRequest(http.MethodGet, "/v1/auth/callback?state=test-state", nil)
	// Attach the cookie with the same value that the query string carries.
	callback.AddCookie(&http.Cookie{Name: oauthStateCookieName, Value: state})

	if accepted := validateState(rec, callback); !accepted {
		t.Fatal("expected validateState to return true for matching state")
	}
}
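// TestCallbackRedirectURI_MissingCookie expects callbackRedirectURI to refuse a
// callback request that carries no redirect-URI cookie: it must report false
// and leave a 401 Unauthorized on the response.
func TestCallbackRedirectURI_MissingCookie(t *testing.T) {
	// Pin the allow-list for this test, then put the environment back exactly
	// as it was: a variable that was unset beforehand is unset again instead of
	// being left behind as an empty string for the other tests in the package.
	original, wasSet := os.LookupEnv("ALLOWED_REDIRECT_URIS")
	if err := os.Setenv("ALLOWED_REDIRECT_URIS", "http://localhost:5173"); err != nil {
		t.Fatalf("setting ALLOWED_REDIRECT_URIS: %v", err)
	}
	t.Cleanup(func() {
		var err error
		if wasSet {
			err = os.Setenv("ALLOWED_REDIRECT_URIS", original)
		} else {
			err = os.Unsetenv("ALLOWED_REDIRECT_URIS")
		}
		if err != nil {
			t.Errorf("restoring ALLOWED_REDIRECT_URIS: %v", err)
		}
	})

	// No cookie is attached to the request.
	req := httptest.NewRequest(http.MethodGet, "/v1/auth/callback?state=test-state", nil)
	recorder := httptest.NewRecorder()

	// The returned URI is not inspected: it carries no meaning when ok is false.
	_, ok := callbackRedirectURI(recorder, req)
	if ok {
		t.Fatal("expected callbackRedirectURI to return false when redirect cookie is missing")
	}
	if recorder.Code != http.StatusUnauthorized {
		t.Fatalf("expected status %d, got %d", http.StatusUnauthorized, recorder.Code)
	}
}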
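// TestCallbackRedirectURI_Success expects callbackRedirectURI to accept a
// callback request whose redirect-URI cookie holds the URI configured in
// ALLOWED_REDIRECT_URIS, and to return that URI unchanged.
//
// NOTE(review): the cookie is client-supplied, so the counterpart case, a
// cookie holding a URI that is not on the allow-list, is the one that matters
// most at the callback; no test in this file as shown covers it.
func TestCallbackRedirectURI_Success(t *testing.T) {
	// Pin the allow-list for this test, then put the environment back exactly
	// as it was: a variable that was unset beforehand is unset again instead of
	// being left behind as an empty string for the other tests in the package.
	original, wasSet := os.LookupEnv("ALLOWED_REDIRECT_URIS")
	if err := os.Setenv("ALLOWED_REDIRECT_URIS", "http://localhost:5173"); err != nil {
		t.Fatalf("setting ALLOWED_REDIRECT_URIS: %v", err)
	}
	t.Cleanup(func() {
		var err error
		if wasSet {
			err = os.Setenv("ALLOWED_REDIRECT_URIS", original)
		} else {
			err = os.Unsetenv("ALLOWED_REDIRECT_URIS")
		}
		if err != nil {
			t.Errorf("restoring ALLOWED_REDIRECT_URIS: %v", err)
		}
	})

	req := httptest.NewRequest(http.MethodGet, "/v1/auth/callback?state=test-state", nil)
	// The cookie value is identical to the configured allow-list entry.
	req.AddCookie(&http.Cookie{Name: oauthRedirectURICookieName, Value: "http://localhost:5173"})
	recorder := httptest.NewRecorder()

	uri, ok := callbackRedirectURI(recorder, req)
	if !ok {
		t.Fatal("expected callbackRedirectURI to return true for allowed redirect URI")
	}
	if uri != "http://localhost:5173" {
		t.Fatalf("expected redirect URI %q, got %q", "http://localhost:5173", uri)
	}
}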