ruochen/ez-api
1
0
Fork 0
mirror of https://github.com/EZ-Api/ez-api.git synced 2026-01-13 17:47:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
18b9846f83a2443d038eeee48053d335d5ce930c
ez-api/internal/api/auth_handler_test.go
zenfun 33838b1e2c feat(api): wrap JSON responses in envelope 
Add response envelope middleware to standardize JSON responses as
`{code,data,message}` with consistent business codes across endpoints.
Update Swagger annotations and tests to reflect the new response shape.

BREAKING CHANGE: API responses are now wrapped in a response envelope; clients must read payloads from `data` and handle `code`/`message` fields.
2026-01-10 00:15:08 +08:00

221 lines
6.5 KiB
Go
Raw Blame History

package api
import (
"fmt"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/alicebob/miniredis/v2"
"github.com/ez-api/ez-api/internal/middleware"
"github.com/ez-api/ez-api/internal/model"
"github.com/ez-api/ez-api/internal/service"
"github.com/ez-api/foundation/tokenhash"
"github.com/gin-gonic/gin"
"github.com/redis/go-redis/v9"
"gorm.io/driver/sqlite"
"gorm.io/gorm"
)
func newAuthHandler(t *testing.T) (*AuthHandler, *gorm.DB, *miniredis.Miniredis) {
t.Helper()
gin.SetMode(gin.TestMode)
t.Setenv("EZ_ADMIN_TOKEN", "admin-secret")
adminService, err := service.NewAdminService()
if err != nil {
t.Fatalf("NewAdminService: %v", err)
}
db, err := gorm.Open(sqlite.Open("file::memory:?cache=shared"), &gorm.Config{})
if err != nil {
t.Fatalf("open sqlite: %v", err)
}
if err := db.AutoMigrate(&model.Master{}, &model.Key{}); err != nil {
t.Fatalf("migrate: %v", err)
}
mr := miniredis.RunT(t)
rdb := redis.NewClient(&redis.Options{Addr: mr.Addr()})
masterService := service.NewMasterService(db)
statsService := service.NewStatsService(rdb)
handler := NewAuthHandler(db, rdb, adminService, masterService, statsService)
return handler, db, mr
}
func TestAuthHandler_Whoami_InvalidIssuedAtEpoch_Returns401(t *testing.T) {
handler, _, mr := newAuthHandler(t)
token := "sk-live-invalid-epoch"
hash := tokenhash.HashToken(token)
mr.HSet("auth:token:"+hash, "master_id", "1")
mr.HSet("auth:token:"+hash, "issued_at_epoch", "bad")
mr.HSet("auth:token:"+hash, "status", "active")
mr.HSet("auth:token:"+hash, "group", "default")
mr.HSet("auth:master:1", "epoch", "1")
mr.HSet("auth:master:1", "status", "active")
r := gin.New()
r.Use(middleware.ResponseEnvelope())
r.GET("/auth/whoami", handler.Whoami)
req := httptest.NewRequest(http.MethodGet, "/auth/whoami", nil)
req.Header.Set("Authorization", "Bearer "+token)
rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d body=%s", rr.Code, rr.Body.String())
}
}
func TestAuthHandler_Whoami_InvalidMasterEpoch_Returns401(t *testing.T) {
handler, _, mr := newAuthHandler(t)
token := "sk-live-invalid-master-epoch"
hash := tokenhash.HashToken(token)
mr.HSet("auth:token:"+hash, "master_id", "1")
mr.HSet("auth:token:"+hash, "issued_at_epoch", "1")
mr.HSet("auth:token:"+hash, "status", "active")
mr.HSet("auth:token:"+hash, "group", "default")
mr.HSet("auth:master:1", "epoch", "bad")
mr.HSet("auth:master:1", "status", "active")
r := gin.New()
r.Use(middleware.ResponseEnvelope())
r.GET("/auth/whoami", handler.Whoami)
req := httptest.NewRequest(http.MethodGet, "/auth/whoami", nil)
req.Header.Set("Authorization", "Bearer "+token)
rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d body=%s", rr.Code, rr.Body.String())
}
}
func TestAuthHandler_Whoami_KeyResponseIncludesIPRules(t *testing.T) {
handler, db, mr := newAuthHandler(t)
token := "sk-live-valid"
hash := tokenhash.HashToken(token)
expiresAt := time.Now().Add(time.Hour).Unix()
mr.HSet("auth:token:"+hash, "master_id", "1")
mr.HSet("auth:token:"+hash, "issued_at_epoch", "1")
mr.HSet("auth:token:"+hash, "status", "active")
mr.HSet("auth:token:"+hash, "group", "default")
mr.HSet("auth:token:"+hash, "expires_at", fmt.Sprintf("%d", expiresAt))
mr.HSet("auth:master:1", "epoch", "1")
mr.HSet("auth:master:1", "status", "active")
key := &model.Key{
MasterID: 1,
TokenHash: hash,
Group: "default",
Scopes: "chat:write",
DefaultNamespace: "default",
Namespaces: "default",
Status: "active",
IssuedAtEpoch: 1,
IssuedBy: "master",
AllowIPs: "1.2.3.4",
DenyIPs: "5.6.7.0/24",
}
if err := db.Create(key).Error; err != nil {
t.Fatalf("create key: %v", err)
}
r := gin.New()
r.Use(middleware.ResponseEnvelope())
r.GET("/auth/whoami", handler.Whoami)
req := httptest.NewRequest(http.MethodGet, "/auth/whoami", nil)
req.Header.Set("Authorization", "Bearer "+token)
rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
if rr.Code != http.StatusOK {
t.Fatalf("expected 200, got %d body=%s", rr.Code, rr.Body.String())
}
var resp map[string]any
env := decodeEnvelope(t, rr, &resp)
if env.Code != "ok" {
t.Fatalf("expected code=ok, got %q", env.Code)
}
if env.Message != "" {
t.Fatalf("expected empty message, got %q", env.Message)
}
if resp["allow_ips"] != "1.2.3.4" {
t.Fatalf("expected allow_ips, got %v", resp["allow_ips"])
}
if resp["deny_ips"] != "5.6.7.0/24" {
t.Fatalf("expected deny_ips, got %v", resp["deny_ips"])
}
if got, ok := resp["expires_at"].(float64); !ok || int64(got) != expiresAt {
t.Fatalf("expected expires_at=%d, got %v", expiresAt, resp["expires_at"])
}
}
func TestAuthHandler_Whoami_ExpiredKey_Returns401(t *testing.T) {
handler, db, mr := newAuthHandler(t)
token := "sk-live-expired"
hash := tokenhash.HashToken(token)
// Set expiration to 1 hour ago
expiresAt := time.Now().Add(-time.Hour).Unix()
mr.HSet("auth:token:"+hash, "master_id", "1")
mr.HSet("auth:token:"+hash, "issued_at_epoch", "1")
mr.HSet("auth:token:"+hash, "status", "active")
mr.HSet("auth:token:"+hash, "group", "default")
mr.HSet("auth:token:"+hash, "expires_at", fmt.Sprintf("%d", expiresAt))
mr.HSet("auth:master:1", "epoch", "1")
mr.HSet("auth:master:1", "status", "active")
// Create key in DB
key := &model.Key{
MasterID: 1,
TokenHash: hash,
Group: "default",
Scopes: "chat:write",
DefaultNamespace: "default",
Namespaces: "default",
Status: "active",
IssuedAtEpoch: 1,
IssuedBy: "master",
}
if err := db.Create(key).Error; err != nil {
t.Fatalf("create key: %v", err)
}
r := gin.New()
r.Use(middleware.ResponseEnvelope())
r.GET("/auth/whoami", handler.Whoami)
req := httptest.NewRequest(http.MethodGet, "/auth/whoami", nil)
req.Header.Set("Authorization", "Bearer "+token)
rr := httptest.NewRecorder()
r.ServeHTTP(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Fatalf("expected 401 for expired key, got %d body=%s", rr.Code, rr.Body.String())
}
var resp map[string]any
env := decodeEnvelope(t, rr, &resp)
if env.Code != "unauthorized" {
t.Fatalf("expected code=unauthorized, got %q", env.Code)
}
if env.Message != "token has expired" {
t.Fatalf("expected message 'token has expired', got %q", env.Message)
}
if resp["error"] != "token has expired" {
t.Fatalf("expected 'token has expired' error, got %v", resp["error"])
}
}
Reference in New Issue View Git Blame Copy Permalink