ryan/games
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 9 Wiki Activity
Files
93147ffc46713aa82000a1999e5bf3e1ad68bc78
games/features/auth/handlers_test.go
Ryan Hamamura 72d31fd143
Some checks failed
CI / Deploy / test (pull_request) Successful in 33s
Details
CI / Deploy / lint (pull_request) Failing after 38s
Details
CI / Deploy / deploy (pull_request) Has been skipped
Details
fix: convert auth flows from SSE to standard HTTP to fix session cookies 
Datastar's NewSSE() flushes HTTP headers before SCS's session middleware
can attach the Set-Cookie header, so the session cookie never reaches the
browser after login/register/logout.

Convert login, register, and logout to standard HTML forms with HTTP
redirects, which lets SCS write cookies normally. Also fix return_url
capture on the login page (was never being stored in the session).

Add handler tests covering login, register, and logout flows.
2026-03-11 10:10:28 -10:00

352 lines
11 KiB
Go
Raw Blame History

package auth_test
import (
"context"
"database/sql"
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"github.com/alexedwards/scs/v2"
"github.com/google/uuid"
"github.com/ryanhamamura/games/auth"
"github.com/ryanhamamura/games/db/repository"
featauth "github.com/ryanhamamura/games/features/auth"
"github.com/ryanhamamura/games/features/lobby"
appsessions "github.com/ryanhamamura/games/sessions"
"github.com/ryanhamamura/games/testutil"
)
// sessionCookieName is the default SCS cookie name used in tests.
const sessionCookieName = "session"
type testSetup struct {
db *sql.DB
queries *repository.Queries
sm *scs.SessionManager
}
func (s *testSetup) ctx() context.Context {
return context.Background()
}
func newTestSetup(t *testing.T) *testSetup {
t.Helper()
db, queries := testutil.NewTestDB(t)
sm := testutil.NewTestSessionManager(t, db)
return &testSetup{db: db, queries: queries, sm: sm}
}
// createTestUser inserts a user into the test database and returns the user ID.
func createTestUser(t *testing.T, setup *testSetup, username, password string) string {
t.Helper()
hash, err := auth.HashPassword(password)
if err != nil {
t.Fatalf("hashing password: %v", err)
}
id := uuid.New().String()
_, err = setup.queries.CreateUser(setup.ctx(), repository.CreateUserParams{
ID: id,
Username: username,
PasswordHash: hash,
})
if err != nil {
t.Fatalf("creating test user: %v", err)
}
return id
}
// postForm sends a POST request with form-encoded body through the session middleware,
// forwarding any cookies from a previous response.
func postForm(handler http.Handler, path string, values url.Values, cookies []*http.Cookie) *httptest.ResponseRecorder {
body := strings.NewReader(values.Encode())
req := httptest.NewRequest(http.MethodPost, path, body)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
for _, c := range cookies {
req.AddCookie(c)
}
rec := httptest.NewRecorder()
handler.ServeHTTP(rec, req)
return rec
}
// getPage sends a GET request through the session middleware, forwarding cookies.
func getPage(handler http.Handler, path string, cookies []*http.Cookie) *httptest.ResponseRecorder {
req := httptest.NewRequest(http.MethodGet, path, nil)
for _, c := range cookies {
req.AddCookie(c)
}
rec := httptest.NewRecorder()
handler.ServeHTTP(rec, req)
return rec
}
// extractSessionValue makes a GET request with the given cookies to a test endpoint
// that reads a session value, verifying the session was persisted correctly.
func extractSessionValue(t *testing.T, setup *testSetup, cookies []*http.Cookie, key string) string {
t.Helper()
var value string
handler := setup.sm.LoadAndSave(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
value = setup.sm.GetString(r.Context(), key)
}))
req := httptest.NewRequest(http.MethodGet, "/check-session", nil)
for _, c := range cookies {
req.AddCookie(c)
}
rec := httptest.NewRecorder()
handler.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("session check returned %d", rec.Code)
}
return value
}
func TestHandleLogin_Success(t *testing.T) {
setup := newTestSetup(t)
createTestUser(t, setup, "alice", "password123")
handler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
rec := postForm(handler, "/auth/login", url.Values{
"username": {"alice"},
"password": {"password123"},
}, nil)
if rec.Code != http.StatusSeeOther {
t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
}
if loc := rec.Header().Get("Location"); loc != "/" {
t.Errorf("expected redirect to /, got %q", loc)
}
// Verify the response sets a session cookie
cookies := rec.Result().Cookies()
if !hasCookie(cookies, sessionCookieName) {
t.Fatal("response did not set a session cookie")
}
// Verify session contains user data by reading it back
userID := extractSessionValue(t, setup, cookies, appsessions.KeyUserID)
if userID == "" {
t.Error("session does not contain user_id after login")
}
nickname := extractSessionValue(t, setup, cookies, appsessions.KeyNickname)
if nickname != "alice" {
t.Errorf("expected nickname %q, got %q", "alice", nickname)
}
}
func TestHandleLogin_InvalidPassword(t *testing.T) {
setup := newTestSetup(t)
createTestUser(t, setup, "alice", "password123")
handler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
rec := postForm(handler, "/auth/login", url.Values{
"username": {"alice"},
"password": {"wrongpassword"},
}, nil)
if rec.Code != http.StatusSeeOther {
t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
}
loc := rec.Header().Get("Location")
if !strings.HasPrefix(loc, "/login?error=") {
t.Errorf("expected redirect to /login?error=..., got %q", loc)
}
}
func TestHandleLogin_UnknownUser(t *testing.T) {
setup := newTestSetup(t)
handler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
rec := postForm(handler, "/auth/login", url.Values{
"username": {"nonexistent"},
"password": {"password123"},
}, nil)
if rec.Code != http.StatusSeeOther {
t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
}
loc := rec.Header().Get("Location")
if !strings.HasPrefix(loc, "/login?error=") {
t.Errorf("expected redirect to /login?error=..., got %q", loc)
}
}
func TestHandleLogin_ReturnURL(t *testing.T) {
setup := newTestSetup(t)
createTestUser(t, setup, "alice", "password123")
// First, visit the login page with a return_url to store it in the session
loginPageHandler := setup.sm.LoadAndSave(featauth.HandleLoginPage(setup.sm))
pageRec := getPage(loginPageHandler, "/login?return_url=/games/abc", nil)
cookies := pageRec.Result().Cookies()
// Now log in with those cookies so the handler can read return_url from session
loginHandler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
rec := postForm(loginHandler, "/auth/login", url.Values{
"username": {"alice"},
"password": {"password123"},
}, cookies)
if rec.Code != http.StatusSeeOther {
t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
}
if loc := rec.Header().Get("Location"); loc != "/games/abc" {
t.Errorf("expected redirect to /games/abc, got %q", loc)
}
}
func TestHandleRegister_Success(t *testing.T) {
setup := newTestSetup(t)
handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
rec := postForm(handler, "/auth/register", url.Values{
"username": {"newuser"},
"password": {"password123"},
"confirm": {"password123"},
}, nil)
if rec.Code != http.StatusSeeOther {
t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
}
if loc := rec.Header().Get("Location"); loc != "/" {
t.Errorf("expected redirect to /, got %q", loc)
}
cookies := rec.Result().Cookies()
if !hasCookie(cookies, sessionCookieName) {
t.Fatal("response did not set a session cookie")
}
userID := extractSessionValue(t, setup, cookies, appsessions.KeyUserID)
if userID == "" {
t.Error("session does not contain user_id after registration")
}
}
func TestHandleRegister_PasswordMismatch(t *testing.T) {
setup := newTestSetup(t)
handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
rec := postForm(handler, "/auth/register", url.Values{
"username": {"newuser"},
"password": {"password123"},
"confirm": {"differentpassword"},
}, nil)
if rec.Code != http.StatusSeeOther {
t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
}
loc := rec.Header().Get("Location")
if !strings.Contains(loc, "Passwords+do+not+match") {
t.Errorf("expected error about password mismatch, got %q", loc)
}
}
func TestHandleRegister_InvalidUsername(t *testing.T) {
setup := newTestSetup(t)
handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
rec := postForm(handler, "/auth/register", url.Values{
"username": {"ab"}, // too short
"password": {"password123"},
"confirm": {"password123"},
}, nil)
if rec.Code != http.StatusSeeOther {
t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
}
loc := rec.Header().Get("Location")
if !strings.HasPrefix(loc, "/register?error=") {
t.Errorf("expected redirect to /register?error=..., got %q", loc)
}
}
func TestHandleRegister_ShortPassword(t *testing.T) {
setup := newTestSetup(t)
handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
rec := postForm(handler, "/auth/register", url.Values{
"username": {"validuser"},
"password": {"short"},
"confirm": {"short"},
}, nil)
if rec.Code != http.StatusSeeOther {
t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
}
loc := rec.Header().Get("Location")
if !strings.HasPrefix(loc, "/register?error=") {
t.Errorf("expected redirect to /register?error=..., got %q", loc)
}
}
func TestHandleRegister_DuplicateUsername(t *testing.T) {
setup := newTestSetup(t)
createTestUser(t, setup, "taken", "password123")
handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
rec := postForm(handler, "/auth/register", url.Values{
"username": {"taken"},
"password": {"password123"},
"confirm": {"password123"},
}, nil)
if rec.Code != http.StatusSeeOther {
t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
}
loc := rec.Header().Get("Location")
if !strings.Contains(loc, "Username+already+taken") {
t.Errorf("expected error about duplicate username, got %q", loc)
}
}
func TestHandleLogout(t *testing.T) {
setup := newTestSetup(t)
createTestUser(t, setup, "alice", "password123")
// Log in first to establish a session
loginHandler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
loginRec := postForm(loginHandler, "/auth/login", url.Values{
"username": {"alice"},
"password": {"password123"},
}, nil)
cookies := loginRec.Result().Cookies()
// Verify we're logged in
userID := extractSessionValue(t, setup, cookies, appsessions.KeyUserID)
if userID == "" {
t.Fatal("expected to be logged in before testing logout")
}
// Now log out
logoutHandler := setup.sm.LoadAndSave(lobby.HandleLogout(setup.sm))
logoutRec := postForm(logoutHandler, "/logout", nil, cookies)
if logoutRec.Code != http.StatusSeeOther {
t.Errorf("expected status %d, got %d", http.StatusSeeOther, logoutRec.Code)
}
if loc := logoutRec.Header().Get("Location"); loc != "/" {
t.Errorf("expected redirect to /, got %q", loc)
}
// Verify session is cleared — use the cookies from the logout response
logoutCookies := logoutRec.Result().Cookies()
userID = extractSessionValue(t, setup, logoutCookies, appsessions.KeyUserID)
if userID != "" {
t.Errorf("expected empty user_id after logout, got %q", userID)
}
}
func hasCookie(cookies []*http.Cookie, name string) bool {
for _, c := range cookies {
if c.Name == name {
return true
}
}
return false
}
Reference in New Issue View Git Blame Copy Permalink