init push

This commit is contained in:
2026-07-16 22:16:45 +07:00
commit 8b068bdb10
1021 changed files with 332816 additions and 0 deletions

View File

@@ -0,0 +1,949 @@
package middleware
import (
"context"
"io"
"net/http"
"strings"
"testing"
"time"
"github.com/gofiber/fiber/v2"
"wucher/internal/config"
"wucher/internal/domain/auth"
"wucher/internal/service"
sharedconst "wucher/internal/shared/const"
"wucher/internal/shared/pkg/appctx"
"wucher/internal/shared/pkg/uuidv7"
)
type middlewareAuthRepo struct {
users map[string]*auth.User
getByIDErr error
}
func newMiddlewareAuthRepo() *middlewareAuthRepo {
return &middlewareAuthRepo{users: map[string]*auth.User{}}
}
func (r *middlewareAuthRepo) CreateUser(_ context.Context, user *auth.User) error {
if user != nil && !user.IsActive {
user.IsActive = true
}
r.users[string(user.ID)] = user
return nil
}
func (r *middlewareAuthRepo) GetUserByID(_ context.Context, id []byte) (*auth.User, error) {
if r.getByIDErr != nil {
return nil, r.getByIDErr
}
return r.users[string(id)], nil
}
func (r *middlewareAuthRepo) GetUserByEmail(_ context.Context, _ string) (*auth.User, error) {
return nil, nil
}
func (r *middlewareAuthRepo) GetUserBySSOEmail(_ context.Context, _ string) (*auth.User, error) {
return nil, nil
}
func (r *middlewareAuthRepo) GetUserByUsername(_ context.Context, _ string) (*auth.User, error) {
return nil, nil
}
func (r *middlewareAuthRepo) UpdateUserTimezone(_ context.Context, _ []byte, _ string) error {
return nil
}
func (r *middlewareAuthRepo) SetUserPassword(_ context.Context, _ []byte, _ []byte, _ []byte) error {
return nil
}
func (r *middlewareAuthRepo) SetUserSecurityPIN(_ context.Context, id []byte, pinHash []byte, setAt time.Time) error {
u := r.users[string(id)]
if u == nil {
return nil
}
u.SecurityPINHash = append([]byte(nil), pinHash...)
ts := setAt.UTC()
u.SecurityPINSetAt = &ts
return nil
}
func (r *middlewareAuthRepo) MarkEmailVerified(_ context.Context, _ []byte) error {
return nil
}
func (r *middlewareAuthRepo) CreatePasswordResetToken(_ context.Context, _ *auth.PasswordResetToken) error {
return nil
}
func (r *middlewareAuthRepo) InvalidateActivePasswordResetTokensByUserID(_ context.Context, _ []byte, _ time.Time) error {
return nil
}
func (r *middlewareAuthRepo) ConsumePasswordResetTokenAndSetPassword(_ context.Context, _ []byte, _ []byte, _ []byte, _ time.Time) ([]byte, bool, error) {
return nil, false, nil
}
func (r *middlewareAuthRepo) CreateSecurityPINResetToken(_ context.Context, _ *auth.SecurityPINResetToken) error {
return nil
}
func (r *middlewareAuthRepo) InvalidateActiveSecurityPINResetTokensByUserID(_ context.Context, _ []byte, _ time.Time) error {
return nil
}
func (r *middlewareAuthRepo) GetActiveSecurityPINResetTokenUser(_ context.Context, _ []byte, _ time.Time) (*auth.User, error) {
return nil, nil
}
func (r *middlewareAuthRepo) ConsumeSecurityPINResetTokenAndSetPIN(_ context.Context, _ []byte, _ []byte, _ time.Time) ([]byte, bool, error) {
return nil, false, nil
}
func (r *middlewareAuthRepo) UpsertIdentity(_ context.Context, _ *auth.UserIdentity) error {
return nil
}
func (r *middlewareAuthRepo) CreateIdentity(_ context.Context, _ *auth.UserIdentity) error {
return nil
}
func (r *middlewareAuthRepo) GetIdentityByProviderSubject(_ context.Context, _ string, _ string) (*auth.UserIdentity, error) {
return nil, nil
}
func (r *middlewareAuthRepo) GetIdentityByUserID(_ context.Context, _ []byte) (*auth.UserIdentity, error) {
return nil, nil
}
func (r *middlewareAuthRepo) DeleteIdentityByUserIDProvider(_ context.Context, _ []byte, _ string) (bool, error) {
return false, nil
}
func (r *middlewareAuthRepo) GetUserTOTP(_ context.Context, _ []byte) (*auth.UserTOTP, error) {
return nil, nil
}
func (r *middlewareAuthRepo) UpsertUserTOTP(_ context.Context, _ *auth.UserTOTP) error {
return nil
}
func (r *middlewareAuthRepo) DisableUserTOTP(_ context.Context, _ []byte) error {
return nil
}
func (r *middlewareAuthRepo) DeleteUserTOTPSetup(_ context.Context, _ []byte) error {
return nil
}
func (r *middlewareAuthRepo) UpdateUserTOTPLastUsed(_ context.Context, _ []byte) error {
return nil
}
func (r *middlewareAuthRepo) GetActiveUserEmailLoginOTP(_ context.Context, _ []byte, _ time.Time) (*auth.UserEmailLoginOTP, error) {
return nil, nil
}
func (r *middlewareAuthRepo) CountUserEmailLoginOTPSince(_ context.Context, _ []byte, _ time.Time) (int64, error) {
return 0, nil
}
func (r *middlewareAuthRepo) CreateUserEmailLoginOTP(_ context.Context, _ *auth.UserEmailLoginOTP) error {
return nil
}
func (r *middlewareAuthRepo) InvalidateActiveUserEmailLoginOTPs(_ context.Context, _ []byte, _ time.Time) error {
return nil
}
func (r *middlewareAuthRepo) ConsumeUserEmailLoginOTP(_ context.Context, _ []byte, _ []byte, _ time.Time) (bool, int, error) {
return false, 0, nil
}
func (r *middlewareAuthRepo) ListUserWebAuthnCredentials(_ context.Context, _ []byte) ([]auth.UserWebAuthnCredential, error) {
return nil, nil
}
func (r *middlewareAuthRepo) CreateUserWebAuthnCredential(_ context.Context, _ *auth.UserWebAuthnCredential) error {
return nil
}
func (r *middlewareAuthRepo) UpdateUserWebAuthnCredential(_ context.Context, _ []byte, _ []byte, _ []byte, _ time.Time) error {
return nil
}
func (r *middlewareAuthRepo) DeleteAllUserWebAuthnCredentials(_ context.Context, _ []byte) error {
return nil
}
type middlewareRoleRepo struct {
allowed bool
err error
permissionByKey *auth.Permission
permissionByKeyErr error
}
type middlewareTokenStore struct {
store map[string][]byte
}
func newMiddlewareTokenStore() *middlewareTokenStore {
return &middlewareTokenStore{store: map[string][]byte{}}
}
func (m *middlewareTokenStore) Set(_ context.Context, key string, value []byte, _ time.Duration) error {
m.store[key] = append([]byte(nil), value...)
return nil
}
func (m *middlewareTokenStore) SetIfNotExists(_ context.Context, key string, value []byte, _ time.Duration) (bool, error) {
if _, ok := m.store[key]; ok {
return false, nil
}
m.store[key] = append([]byte(nil), value...)
return true, nil
}
func (m *middlewareTokenStore) Get(_ context.Context, key string) ([]byte, error) {
v, ok := m.store[key]
if !ok {
return nil, nil
}
return append([]byte(nil), v...), nil
}
func (m *middlewareTokenStore) Delete(_ context.Context, key string) error {
delete(m.store, key)
return nil
}
func (r *middlewareRoleRepo) CreateRole(_ context.Context, _ *auth.Role) error { return nil }
func (r *middlewareRoleRepo) UpdateRole(_ context.Context, _ *auth.Role) error { return nil }
func (r *middlewareRoleRepo) DeleteRole(_ context.Context, _ []byte) error { return nil }
func (r *middlewareRoleRepo) GetRoleByID(_ context.Context, _ []byte) (*auth.Role, error) {
return nil, nil
}
func (r *middlewareRoleRepo) GetRoleByName(_ context.Context, _ string) (*auth.Role, error) {
return nil, nil
}
func (r *middlewareRoleRepo) HasRolePermission(_ context.Context, _ []byte, _ string) (bool, error) {
if r.err != nil {
return false, r.err
}
return r.allowed, nil
}
func (r *middlewareRoleRepo) GetPermissionByID(_ context.Context, _ []byte) (*auth.Permission, error) {
return nil, nil
}
func (r *middlewareRoleRepo) GetPermissionByKey(_ context.Context, _ string) (*auth.Permission, error) {
return r.permissionByKey, r.permissionByKeyErr
}
func (r *middlewareRoleRepo) UpdatePermission(_ context.Context, _ *auth.Permission) error {
return nil
}
func (r *middlewareRoleRepo) ListPermissionsByRoleID(_ context.Context, _ []byte) ([]auth.Permission, error) {
return nil, nil
}
func (r *middlewareRoleRepo) ListPermissions(_ context.Context, _ string, _ string, _ int, _ int) ([]auth.Permission, int64, error) {
return nil, 0, nil
}
func (r *middlewareRoleRepo) AssignPermission(_ context.Context, roleID, permissionID []byte) (*auth.RolePermission, error) {
return &auth.RolePermission{RoleID: roleID, PermissionID: permissionID}, nil
}
func (r *middlewareRoleRepo) RemovePermission(_ context.Context, _ []byte, _ []byte) error {
return nil
}
func (r *middlewareRoleRepo) ListRoles(_ context.Context, _ string, _ string, _ int, _ int) ([]auth.Role, int64, error) {
return nil, 0, nil
}
func TestAuthRequired(t *testing.T) {
t.Run("service not configured", func(t *testing.T) {
app := fiber.New()
app.Use(AuthRequired(nil))
app.Get("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", resp.StatusCode)
}
})
t.Run("invalid access token", func(t *testing.T) {
svc := service.NewAuthService(nil, nil, nil, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{
JWTAccessSecret: "access-secret",
JWTRefreshSecret: "refresh-secret",
JWTAccessTTL: time.Minute,
JWTRefreshTTL: time.Hour,
JWTAccessCookieName: "at",
}})
app := fiber.New()
app.Use(AuthRequired(svc))
app.Get("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
req.AddCookie(&http.Cookie{Name: svc.AccessCookieName(), Value: "not-a-jwt"})
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", resp.StatusCode)
}
})
t.Run("success stores user_id and continues", func(t *testing.T) {
repo := newMiddlewareAuthRepo()
tokens := newMiddlewareTokenStore()
svc := service.NewAuthService(repo, nil, tokens, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{
JWTAccessSecret: "access-secret",
JWTRefreshSecret: "refresh-secret",
JWTAccessTTL: time.Minute,
JWTRefreshTTL: time.Hour,
JWTAccessCookieName: "at",
}})
userID := uuidv7.MustBytes()
user := &auth.User{ID: userID, IsActive: true}
if err := repo.CreateUser(context.Background(), user); err != nil {
t.Fatalf("create user: %v", err)
}
pair, err := svc.IssueTokensWithClientForProvider(context.Background(), user, "", "", "microsoft")
if err != nil {
t.Fatalf("issue tokens: %v", err)
}
app := fiber.New()
app.Use(AuthRequired(svc))
app.Get("/protected", func(c *fiber.Ctx) error {
raw := c.Locals("user_id")
got, ok := raw.([]byte)
if !ok || string(got) != string(userID) {
return c.Status(http.StatusInternalServerError).SendString("missing user context")
}
if got := appctx.GetUserID(c.UserContext()); string(got) != string(userID) {
return c.Status(http.StatusInternalServerError).SendString("missing user id in request context")
}
return c.SendStatus(http.StatusOK)
})
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
req.AddCookie(&http.Cookie{Name: svc.AccessCookieName(), Value: pair.AccessToken})
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusOK {
body, _ := io.ReadAll(resp.Body)
t.Fatalf("expected 200, got %d body=%s", resp.StatusCode, string(body))
}
})
t.Run("duplicate access cookies use the valid token", func(t *testing.T) {
repo := newMiddlewareAuthRepo()
tokens := newMiddlewareTokenStore()
svc := service.NewAuthService(repo, nil, tokens, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{
JWTAccessSecret: "access-secret",
JWTRefreshSecret: "refresh-secret",
JWTAccessTTL: time.Minute,
JWTRefreshTTL: time.Hour,
JWTAccessCookieName: "at",
}})
userID := uuidv7.MustBytes()
user := &auth.User{ID: userID, IsActive: true}
if err := repo.CreateUser(context.Background(), user); err != nil {
t.Fatalf("create user: %v", err)
}
pair, err := svc.IssueTokensWithClientForProvider(context.Background(), user, "", "", "microsoft")
if err != nil {
t.Fatalf("issue tokens: %v", err)
}
app := fiber.New()
app.Use(AuthRequired(svc))
app.Get("/protected", func(c *fiber.Ctx) error {
raw := c.Locals("user_id")
got, ok := raw.([]byte)
if !ok || string(got) != string(userID) {
return c.Status(http.StatusInternalServerError).SendString("missing user context")
}
return c.SendStatus(http.StatusOK)
})
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
req.Header.Set("Cookie", svc.AccessCookieName()+"=not-a-valid-token; "+svc.AccessCookieName()+"="+pair.AccessToken)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusOK {
body, _ := io.ReadAll(resp.Body)
t.Fatalf("expected 200, got %d body=%s", resp.StatusCode, string(body))
}
})
t.Run("expired by idle timeout", func(t *testing.T) {
repo := newMiddlewareAuthRepo()
tokens := newMiddlewareTokenStore()
svc := service.NewAuthService(repo, nil, tokens, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{
JWTAccessSecret: "access-secret",
JWTRefreshSecret: "refresh-secret",
JWTAccessTTL: time.Minute,
JWTRefreshTTL: time.Hour,
SessionIdleTTL: time.Millisecond,
JWTAccessCookieName: "at",
}})
userID := uuidv7.MustBytes()
user := &auth.User{ID: userID, IsActive: true}
if err := repo.CreateUser(context.Background(), user); err != nil {
t.Fatalf("create user: %v", err)
}
pair, err := svc.IssueTokensWithClientForProvider(context.Background(), user, "", "", "microsoft")
if err != nil {
t.Fatalf("issue tokens: %v", err)
}
time.Sleep(5 * time.Millisecond)
app := fiber.New()
app.Use(AuthRequired(svc))
app.Get("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
req.AddCookie(&http.Cookie{Name: svc.AccessCookieName(), Value: pair.AccessToken})
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusUnauthorized {
t.Fatalf("expected 401 for idle-expired session, got %d", resp.StatusCode)
}
})
}
func TestPermissionRequired(t *testing.T) {
t.Run("service not configured", func(t *testing.T) {
app := fiber.New()
app.Use(PermissionRequired(nil, "users.read"))
app.Get("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", resp.StatusCode)
}
})
t.Run("missing auth context", func(t *testing.T) {
svc := service.NewAuthService(nil, nil, nil, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{}})
app := fiber.New()
app.Use(PermissionRequired(svc, "users.read"))
app.Get("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", resp.StatusCode)
}
})
t.Run("permission check error", func(t *testing.T) {
repo := newMiddlewareAuthRepo()
roleRepo := &middlewareRoleRepo{err: context.DeadlineExceeded}
svc := service.NewAuthService(repo, roleRepo, nil, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{}})
userID := uuidv7.MustBytes()
roleID := uuidv7.MustBytes()
repo.users[string(userID)] = &auth.User{ID: userID, RoleID: roleID}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PermissionRequired(svc, "users.read"))
app.Get("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusForbidden {
t.Fatalf("expected 403, got %d", resp.StatusCode)
}
})
t.Run("insufficient permission", func(t *testing.T) {
repo := newMiddlewareAuthRepo()
roleRepo := &middlewareRoleRepo{allowed: false}
svc := service.NewAuthService(repo, roleRepo, nil, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{}})
userID := uuidv7.MustBytes()
roleID := uuidv7.MustBytes()
repo.users[string(userID)] = &auth.User{ID: userID, RoleID: roleID}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PermissionRequired(svc, "users.read"))
app.Get("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusForbidden {
t.Fatalf("expected 403, got %d", resp.StatusCode)
}
body, _ := io.ReadAll(resp.Body)
if !strings.Contains(string(body), "insufficient permission") {
t.Fatalf("unexpected body: %s", string(body))
}
})
t.Run("allowed permission continues", func(t *testing.T) {
repo := newMiddlewareAuthRepo()
roleRepo := &middlewareRoleRepo{allowed: true}
svc := service.NewAuthService(repo, roleRepo, nil, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{}})
userID := uuidv7.MustBytes()
roleID := uuidv7.MustBytes()
repo.users[string(userID)] = &auth.User{ID: userID, RoleID: roleID}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PermissionRequired(svc, "users.read"))
app.Get("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusOK {
t.Fatalf("expected 200, got %d", resp.StatusCode)
}
})
t.Run("requires pin without token returns 202", func(t *testing.T) {
repo := newMiddlewareAuthRepo()
roleRepo := &middlewareRoleRepo{
allowed: true,
permissionByKey: &auth.Permission{RequiresPIN: true},
}
tokens := newMiddlewareTokenStore()
svc := service.NewAuthService(
repo,
roleRepo,
tokens,
nil,
service.AuthServiceDependencies{
SSO: nil, Protector: nil, Config: config.AuthConfig{
JWTAccessSecret: "access-secret",
JWTRefreshSecret: "refresh-secret",
JWTAccessTTL: time.Minute,
JWTRefreshTTL: time.Minute * 10,
SecurityPINActionTokenTTL: time.Minute,
},
},
)
userID := uuidv7.MustBytes()
roleID := uuidv7.MustBytes()
repo.users[string(userID)] = &auth.User{ID: userID, RoleID: roleID}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PermissionRequired(svc, "users.read"))
app.Get("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodGet, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusAccepted {
t.Fatalf("expected 202, got %d", resp.StatusCode)
}
})
t.Run("requires pin with mapped action token returns 200", func(t *testing.T) {
repo := newMiddlewareAuthRepo()
roleRepo := &middlewareRoleRepo{
allowed: true,
permissionByKey: &auth.Permission{RequiresPIN: true},
}
tokens := newMiddlewareTokenStore()
svc := service.NewAuthService(
repo,
roleRepo,
tokens,
nil,
service.AuthServiceDependencies{
SSO: nil, Protector: nil, Config: config.AuthConfig{
JWTAccessSecret: "access-secret",
JWTRefreshSecret: "refresh-secret",
JWTAccessTTL: time.Minute,
JWTRefreshTTL: time.Minute * 10,
SecurityPINActionTokenTTL: time.Minute,
},
},
)
userID := uuidv7.MustBytes()
roleID := uuidv7.MustBytes()
repo.users[string(userID)] = &auth.User{ID: userID, RoleID: roleID}
if err := svc.SetSecurityPIN(context.Background(), userID, "123456"); err != nil {
t.Fatalf("SetSecurityPIN: %v", err)
}
token, err := svc.VerifySecurityPINForAction(context.Background(), userID, "123456", sharedconst.PinActionBaseCreate)
if err != nil {
t.Fatalf("VerifySecurityPINForAction: %v", err)
}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PermissionRequired(svc, "base.create"))
app.Post("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodPost, "/protected", nil)
req.Header.Set(permissionPinVerificationHeader, token)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusOK {
t.Fatalf("expected 200, got %d", resp.StatusCode)
}
})
t.Run("reusable variant accepts the same token twice", func(t *testing.T) {
repo := newMiddlewareAuthRepo()
roleRepo := &middlewareRoleRepo{
allowed: true,
permissionByKey: &auth.Permission{RequiresPIN: true},
}
tokens := newMiddlewareTokenStore()
svc := service.NewAuthService(
repo,
roleRepo,
tokens,
nil,
service.AuthServiceDependencies{
SSO: nil, Protector: nil, Config: config.AuthConfig{
JWTAccessSecret: "access-secret",
JWTRefreshSecret: "refresh-secret",
JWTAccessTTL: time.Minute,
JWTRefreshTTL: time.Minute * 10,
SecurityPINActionTokenTTL: time.Minute,
},
},
)
userID := uuidv7.MustBytes()
roleID := uuidv7.MustBytes()
repo.users[string(userID)] = &auth.User{ID: userID, RoleID: roleID}
if err := svc.SetSecurityPIN(context.Background(), userID, "123456"); err != nil {
t.Fatalf("SetSecurityPIN: %v", err)
}
token, err := svc.VerifySecurityPINForAction(context.Background(), userID, "123456", sharedconst.PinActionAuditLogRead)
if err != nil {
t.Fatalf("VerifySecurityPINForAction: %v", err)
}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PermissionRequiredReusable(svc, "audit.read"))
app.Get("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req1, _ := http.NewRequest(http.MethodGet, "/protected", nil)
req1.Header.Set(permissionPinVerificationHeader, token)
resp1, err := app.Test(req1)
if err != nil {
t.Fatalf("app.Test first: %v", err)
}
if resp1.StatusCode != http.StatusOK {
t.Fatalf("expected first request 200, got %d", resp1.StatusCode)
}
req2, _ := http.NewRequest(http.MethodGet, "/protected", nil)
req2.Header.Set(permissionPinVerificationHeader, token)
resp2, err := app.Test(req2)
if err != nil {
t.Fatalf("app.Test second: %v", err)
}
if resp2.StatusCode != http.StatusOK {
t.Fatalf("expected second request 200, got %d", resp2.StatusCode)
}
})
t.Run("consuming variant rejects the same token twice", func(t *testing.T) {
repo := newMiddlewareAuthRepo()
roleRepo := &middlewareRoleRepo{
allowed: true,
permissionByKey: &auth.Permission{RequiresPIN: true},
}
tokens := newMiddlewareTokenStore()
svc := service.NewAuthService(
repo,
roleRepo,
tokens,
nil,
service.AuthServiceDependencies{
SSO: nil, Protector: nil, Config: config.AuthConfig{
JWTAccessSecret: "access-secret",
JWTRefreshSecret: "refresh-secret",
JWTAccessTTL: time.Minute,
JWTRefreshTTL: time.Minute * 10,
SecurityPINActionTokenTTL: time.Minute,
},
},
)
userID := uuidv7.MustBytes()
roleID := uuidv7.MustBytes()
repo.users[string(userID)] = &auth.User{ID: userID, RoleID: roleID}
if err := svc.SetSecurityPIN(context.Background(), userID, "123456"); err != nil {
t.Fatalf("SetSecurityPIN: %v", err)
}
token, err := svc.VerifySecurityPINForAction(context.Background(), userID, "123456", sharedconst.PinActionBaseCreate)
if err != nil {
t.Fatalf("VerifySecurityPINForAction: %v", err)
}
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PermissionRequired(svc, "base.create"))
app.Post("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req1, _ := http.NewRequest(http.MethodPost, "/protected", nil)
req1.Header.Set(permissionPinVerificationHeader, token)
resp1, err := app.Test(req1)
if err != nil {
t.Fatalf("app.Test first: %v", err)
}
if resp1.StatusCode != http.StatusOK {
t.Fatalf("expected first request 200, got %d", resp1.StatusCode)
}
req2, _ := http.NewRequest(http.MethodPost, "/protected", nil)
req2.Header.Set(permissionPinVerificationHeader, token)
resp2, err := app.Test(req2)
if err != nil {
t.Fatalf("app.Test second: %v", err)
}
if resp2.StatusCode != http.StatusAccepted {
t.Fatalf("expected second request 202, got %d", resp2.StatusCode)
}
})
}
func TestPinRequired(t *testing.T) {
t.Run("service not configured", func(t *testing.T) {
app := fiber.New()
app.Use(PinRequired(nil, "a546de2f-f1e6-4c2c-ab03-9b4bf39f4d74"))
app.Post("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodPost, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", resp.StatusCode)
}
})
t.Run("missing auth context", func(t *testing.T) {
svc := service.NewAuthService(nil, nil, nil, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{}})
app := fiber.New()
app.Use(PinRequired(svc, "a546de2f-f1e6-4c2c-ab03-9b4bf39f4d74"))
app.Post("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodPost, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusUnauthorized {
t.Fatalf("expected 401, got %d", resp.StatusCode)
}
})
t.Run("invalid pin action token", func(t *testing.T) {
tokenStore := newMiddlewareTokenStore()
svc := service.NewAuthService(nil, nil, tokenStore, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{}})
userID := uuidv7.MustBytes()
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PinRequired(svc, "a546de2f-f1e6-4c2c-ab03-9b4bf39f4d74"))
app.Post("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodPost, "/protected", nil)
req.Header.Set(pinVerificationHeader, "bad-token")
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusAccepted {
t.Fatalf("expected 202, got %d", resp.StatusCode)
}
})
t.Run("valid pin action token", func(t *testing.T) {
tokenStore := newMiddlewareTokenStore()
svc := service.NewAuthService(nil, nil, tokenStore, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{}})
userID := uuidv7.MustBytes()
userIDStr, err := uuidv7.BytesToString(userID)
if err != nil {
t.Fatalf("bytes to string: %v", err)
}
action := "a546de2f-f1e6-4c2c-ab03-9b4bf39f4d74"
token := "token-ok"
key := "auth:pin_action:" + token
tokenStore.store[key] = []byte(userIDStr + "|" + action)
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PinRequired(svc, action))
app.Post("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodPost, "/protected", nil)
req.Header.Set(pinVerificationHeader, token)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusOK {
body, _ := io.ReadAll(resp.Body)
t.Fatalf("expected 200, got %d body=%s", resp.StatusCode, string(body))
}
req2, _ := http.NewRequest(http.MethodPost, "/protected", nil)
req2.Header.Set(pinVerificationHeader, token)
resp2, err := app.Test(req2)
if err != nil {
t.Fatalf("app.Test second: %v", err)
}
if resp2.StatusCode != http.StatusAccepted {
t.Fatalf("expected second request 202, got %d", resp2.StatusCode)
}
})
}
func TestPinRequiredForPermission(t *testing.T) {
t.Run("skip when permission does not require pin", func(t *testing.T) {
roleRepo := &middlewareRoleRepo{permissionByKey: &auth.Permission{RequiresPIN: false}}
svc := service.NewAuthService(nil, roleRepo, nil, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{}})
userID := uuidv7.MustBytes()
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PinRequiredForPermission(svc, "a546de2f-f1e6-4c2c-ab03-9b4bf39f4d74", "user.delete"))
app.Post("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodPost, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusOK {
t.Fatalf("expected 200, got %d", resp.StatusCode)
}
})
t.Run("require pin when permission policy enabled", func(t *testing.T) {
tokenStore := newMiddlewareTokenStore()
roleRepo := &middlewareRoleRepo{permissionByKey: &auth.Permission{RequiresPIN: true}}
svc := service.NewAuthService(nil, roleRepo, tokenStore, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{}})
userID := uuidv7.MustBytes()
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PinRequiredForPermission(svc, "a546de2f-f1e6-4c2c-ab03-9b4bf39f4d74", "user.delete"))
app.Post("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
req, _ := http.NewRequest(http.MethodPost, "/protected", nil)
resp, err := app.Test(req)
if err != nil {
t.Fatalf("app.Test: %v", err)
}
if resp.StatusCode != http.StatusAccepted {
t.Fatalf("expected 202, got %d", resp.StatusCode)
}
userIDStr, err := uuidv7.BytesToString(userID)
if err != nil {
t.Fatalf("bytes to string: %v", err)
}
token := "token-ok"
tokenStore.store["auth:pin_action:"+token] = []byte(userIDStr + "|a546de2f-f1e6-4c2c-ab03-9b4bf39f4d74")
req2, _ := http.NewRequest(http.MethodPost, "/protected", nil)
req2.Header.Set(pinVerificationHeader, token)
resp2, err := app.Test(req2)
if err != nil {
t.Fatalf("app.Test second: %v", err)
}
if resp2.StatusCode != http.StatusOK {
t.Fatalf("expected 200, got %d", resp2.StatusCode)
}
})
t.Run("reusable token when permission policy enabled", func(t *testing.T) {
tokenStore := newMiddlewareTokenStore()
roleRepo := &middlewareRoleRepo{permissionByKey: &auth.Permission{RequiresPIN: true}}
svc := service.NewAuthService(nil, roleRepo, tokenStore, nil, service.AuthServiceDependencies{SSO: nil, Protector: nil, Config: config.AuthConfig{}})
userID := uuidv7.MustBytes()
app := fiber.New()
app.Use(func(c *fiber.Ctx) error {
c.Locals("user_id", userID)
return c.Next()
})
app.Use(PinRequiredReusableForPermission(svc, "a546de2f-f1e6-4c2c-ab03-9b4bf39f4d74", "user.delete"))
app.Post("/protected", func(c *fiber.Ctx) error { return c.SendStatus(http.StatusOK) })
userIDStr, err := uuidv7.BytesToString(userID)
if err != nil {
t.Fatalf("bytes to string: %v", err)
}
token := "token-reusable"
tokenStore.store["auth:pin_action:"+token] = []byte(userIDStr + "|a546de2f-f1e6-4c2c-ab03-9b4bf39f4d74")
req1, _ := http.NewRequest(http.MethodPost, "/protected", nil)
req1.Header.Set(pinVerificationHeader, token)
resp1, err := app.Test(req1)
if err != nil {
t.Fatalf("app.Test first: %v", err)
}
if resp1.StatusCode != http.StatusOK {
t.Fatalf("expected first request 200, got %d", resp1.StatusCode)
}
req2, _ := http.NewRequest(http.MethodPost, "/protected", nil)
req2.Header.Set(pinVerificationHeader, token)
resp2, err := app.Test(req2)
if err != nil {
t.Fatalf("app.Test second: %v", err)
}
if resp2.StatusCode != http.StatusOK {
t.Fatalf("expected second request 200, got %d", resp2.StatusCode)
}
})
}