codit/backend/internal/middleware/auth_test.go


package middleware
import "context"
import "net/http"
import "net/http/httptest"
import "testing"
import "codit/internal/models"
// TestAPIKeyFromRequest checks that apiKeyFromRequest returns the credential
// carried by each header exercised here: the raw X-API-Key value, and the
// Authorization value with its "Bearer " prefix removed.
//
// NOTE(review): only one header is set per request. Which header wins when
// both are present, and what is returned for an absent or non-Bearer
// Authorization value, is not pinned by this test.
func TestAPIKeyFromRequest(t *testing.T) {
	cases := []struct {
		header  string
		value   string
		want    string
		failFmt string
	}{
		{"X-API-Key", "abc", "abc", "expected header token, got %q"},
		{"Authorization", "Bearer xyz", "xyz", "expected bearer token, got %q"},
	}

	for _, tc := range cases {
		// A fresh request per case so no header carries over between cases.
		r := httptest.NewRequest(http.MethodGet, "/", nil)
		r.Header.Set(tc.header, tc.value)

		if got := apiKeyFromRequest(r); got != tc.want {
			t.Fatalf(tc.failFmt, got)
		}
	}
}
// TestRequireAuth verifies that RequireAuth rejects a request that carries no
// credential headers: the response must be 401 and the wrapped handler must
// not run.
//
// NOTE(review): only the missing-credential path is covered; a request that
// presents an unknown or malformed key is not exercised here.
func TestRequireAuth(t *testing.T) {
	reached := false
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		reached = true
		w.WriteHeader(http.StatusNoContent)
	})

	var guarded http.Handler = RequireAuth(next)
	rec := httptest.NewRecorder()
	guarded.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))

	if got := rec.Code; got != http.StatusUnauthorized {
		t.Fatalf("expected 401, got %d", got)
	}
	// The status alone is not enough: the inner handler must never execute.
	if reached {
		t.Fatalf("protected handler should not be called")
	}
}
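// TestRequireAdmin exercises both sides of the RequireAdmin gate: a user with
// IsAdmin set must reach the wrapped handler, and a user without it must not.
//
// The original test covered only the allow path, which would still pass if
// RequireAdmin let every authenticated user through. The deny case pins the
// authorization decision itself.
//
// NOTE(review): a request with no user in the context is not covered here;
// add it once RequireAdmin's behaviour for that case is confirmed.
func TestRequireAdmin(t *testing.T) {
	// serve sends one request through RequireAdmin with user stored in the
	// request context under userKey. It returns the recorded status code and
	// whether the wrapped handler ran.
	serve := func(user models.User) (int, bool) {
		called := false
		handler := RequireAdmin(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
			called = true
			w.WriteHeader(http.StatusNoContent)
		}))

		ctx := context.WithValue(context.Background(), userKey, user)
		recorder := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodGet, "/", nil).WithContext(ctx)
		handler.ServeHTTP(recorder, req)

		return recorder.Code, called
	}

	t.Run("admin is allowed", func(t *testing.T) {
		code, called := serve(models.User{ID: "u1", Username: "admin", IsAdmin: true})
		if code != http.StatusNoContent {
			t.Fatalf("expected 204, got %d", code)
		}
		if !called {
			t.Fatalf("admin handler should be called")
		}
	})

	t.Run("non-admin is denied", func(t *testing.T) {
		code, called := serve(models.User{ID: "u2", Username: "user", IsAdmin: false})
		// The exact rejection status is not asserted because it is not shown
		// alongside this test; pin it once confirmed against RequireAdmin.
		if called {
			t.Fatalf("non-admin request reached the admin handler (status %d)", code)
		}
	})
}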