wallet-sync-server/server/auth_test.go

package server

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/http/httptest"
	"orblivion/lbry-id/auth"
	"strings"
	"testing"
)

func TestServerAuthHandlerSuccess(t *testing.T) {
	testAuth := TestAuth{TestToken: auth.TokenString("seekrit")}
	testStore := TestStore{}
	s := Server{&testAuth, &testStore}

	requestBody := []byte(`{"deviceId": "dev-1", "email": "abc@example.com", "password": "123"}`)

	req := httptest.NewRequest(http.MethodPost, PathAuthToken, bytes.NewBuffer(requestBody))
	w := httptest.NewRecorder()

	s.getAuthToken(w, req)
	body, _ := ioutil.ReadAll(w.Body)

	var result auth.AuthToken

	if want, got := http.StatusOK, w.Result().StatusCode; want != got {
		t.Errorf("StatusCode: expected %s (%d), got %s (%d)", http.StatusText(want), want, http.StatusText(got), got)
	}

	err := json.Unmarshal(body, &result)

	if err != nil || result.Token != testAuth.TestToken {
		t.Errorf("Expected auth response to contain token: result: %+v err: %+v", string(body), err)
	}

	if !testStore.Called.SaveToken {
		t.Errorf("Expected Store.SaveToken to be called")
	}
}

func TestServerAuthHandlerErrors(t *testing.T) {
	tt := []struct {
		name                string
		method              string
		requestBody         string
		expectedStatusCode  int
		expectedErrorString string

		storeFailures    TestStoreFunctions
		authFailGenToken bool
	}{
		{
			name:                "bad method",
			method:              http.MethodGet,
			requestBody:         "",
			expectedStatusCode:  http.StatusMethodNotAllowed,
			expectedErrorString: http.StatusText(http.StatusMethodNotAllowed),
		},
		{
			name:                "request body too large",
			method:              http.MethodPost,
			requestBody:         fmt.Sprintf(`{"password": "%s"}`, strings.Repeat("a", 10000)),
			expectedStatusCode:  http.StatusRequestEntityTooLarge,
			expectedErrorString: http.StatusText(http.StatusRequestEntityTooLarge),
		},
		{
			name:                "malformed request body JSON",
			method:              http.MethodPost,
			requestBody:         "{",
			expectedStatusCode:  http.StatusBadRequest,
			expectedErrorString: http.StatusText(http.StatusBadRequest) + ": Request body JSON malformed or structure mismatch",
		},
		{
			name:                "body JSON failed validation",
			method:              http.MethodPost,
			requestBody:         "{}",
			expectedStatusCode:  http.StatusBadRequest,
			expectedErrorString: http.StatusText(http.StatusBadRequest) + ": Request failed validation",
		},
		{
			name:   "login fail",
			method: http.MethodPost,
			// so long as the JSON is well-formed, the content doesn't matter here since the password check will be stubbed out
			requestBody:         `{"deviceId": "dev-1", "email": "abc@example.com", "password": "123"}`,
			expectedStatusCode:  http.StatusUnauthorized,
			expectedErrorString: http.StatusText(http.StatusUnauthorized) + ": No match for email and password",

			storeFailures: TestStoreFunctions{GetUserId: true},
		},
		{
			name:                "generate token fail",
			method:              http.MethodPost,
			requestBody:         `{"deviceId": "dev-1", "email": "abc@example.com", "password": "123"}`,
			expectedStatusCode:  http.StatusInternalServerError,
			expectedErrorString: http.StatusText(http.StatusInternalServerError),

			authFailGenToken: true,
		},
		{
			name:                "save token fail",
			method:              http.MethodPost,
			requestBody:         `{"deviceId": "dev-1", "email": "abc@example.com", "password": "123"}`,
			expectedStatusCode:  http.StatusInternalServerError,
			expectedErrorString: http.StatusText(http.StatusInternalServerError),

			storeFailures: TestStoreFunctions{SaveToken: true},
		},
	}
	for _, tc := range tt {
		t.Run(tc.name, func(t *testing.T) {

			// Set this up to fail according to specification
			testAuth := TestAuth{TestToken: auth.TokenString("seekrit")}
			testStore := TestStore{Failures: tc.storeFailures}
			if tc.authFailGenToken { // TODO - TestAuth{Failures:authFailures}
				testAuth.FailGenToken = true
			}
			server := Server{&testAuth, &testStore}

			// Make request
			req := httptest.NewRequest(tc.method, PathAuthToken, bytes.NewBuffer([]byte(tc.requestBody)))
			w := httptest.NewRecorder()

			server.getAuthToken(w, req)

			if want, got := tc.expectedStatusCode, w.Result().StatusCode; want != got {
				t.Errorf("StatusCode: expected %d, got %d", want, got)
			}

			body, _ := ioutil.ReadAll(w.Body)

			var result ErrorResponse
			if err := json.Unmarshal(body, &result); err != nil {
				t.Fatalf("Error decoding error message %s: `%s`", err, body)
			}

			if want, got := tc.expectedErrorString, result.Error; want != got {
				t.Errorf("Error String: expected %s, got %s", want, got)
			}
		})
	}
}

func TestServerValidateAuthRequest(t *testing.T) {
	authRequest := AuthRequest{DeviceId: "dId", Email: "joe@example.com", Password: "aoeu"}
	if !authRequest.validate() {
		t.Fatalf("Expected valid AuthRequest to successfully validate")
	}

	authRequest = AuthRequest{Email: "joe@example.com", Password: "aoeu"}
	if authRequest.validate() {
		t.Fatalf("Expected AuthRequest with missing device to not successfully validate")
	}

	authRequest = AuthRequest{DeviceId: "dId", Email: "joe-example.com", Password: "aoeu"}
	if authRequest.validate() {
		t.Fatalf("Expected AuthRequest with invalid email to not successfully validate")
	}

	// Note that Golang's email address parser, which I use, will accept
	// "Joe <joe@example.com>" so we need to make sure to avoid accepting it. See
	// the implementation.
	authRequest = AuthRequest{DeviceId: "dId", Email: "Joe <joe@example.com>", Password: "aoeu"}
	if authRequest.validate() {
		t.Fatalf("Expected AuthRequest with email with unexpected formatting to not successfully validate")
	}

	authRequest = AuthRequest{DeviceId: "dId", Password: "aoeu"}
	if authRequest.validate() {
		t.Fatalf("Expected AuthRequest with missing email to not successfully validate")
	}

	authRequest = AuthRequest{DeviceId: "dId", Email: "joe@example.com"}
	if authRequest.validate() {
		t.Fatalf("Expected AuthRequest with missing password to not successfully validate")
	}
}
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`package server`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
			`import (`
			`"bytes"`
			`"encoding/json"`
			`"fmt"`
			`"io/ioutil"`
			`"net/http"`
			`"net/http/httptest"`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`"orblivion/lbry-id/auth"`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`"strings"`
			`"testing"`
			`)`

Implement and test a basic sqlite store 2021-12-19 23:24:43 +01:00			`func TestServerAuthHandlerSuccess(t *testing.T) {`
Protocol changes * Regress from `lastSynced` to just `sequence` to start with something simpler * Simplified payload: separate metadata, assume canonical way to hmac it together * No more "wallet state" except as a simple wrapper on the front end * Version number in wallet payloads 2022-06-09 23:04:49 +02:00			`testAuth := TestAuth{TestToken: auth.TokenString("seekrit")}`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`testStore := TestStore{}`
Protocol changes * Regress from `lastSynced` to just `sequence` to start with something simpler * Simplified payload: separate metadata, assume canonical way to hmac it together * No more "wallet state" except as a simple wrapper on the front end * Version number in wallet payloads 2022-06-09 23:04:49 +02:00			`s := Server{&testAuth, &testStore}`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			requestBody := []byte(`{"deviceId": "dev-1", "email": "abc@example.com", "password": "123"}`)
Tested auth endpoint 2021-12-10 22:35:47 +01:00
"Full" in Auth endpoint name is no longer useful 2022-06-08 00:24:01 +02:00			`req := httptest.NewRequest(http.MethodPost, PathAuthToken, bytes.NewBuffer(requestBody))`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`w := httptest.NewRecorder()`

"Full" in Auth endpoint name is no longer useful 2022-06-08 00:24:01 +02:00			`s.getAuthToken(w, req)`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`body, _ := ioutil.ReadAll(w.Body)`

Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`var result auth.AuthToken`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
			`if want, got := http.StatusOK, w.Result().StatusCode; want != got {`
			`t.Errorf("StatusCode: expected %s (%d), got %s (%d)", http.StatusText(want), want, http.StatusText(got), got)`
			`}`

			`err := json.Unmarshal(body, &result)`

			`if err != nil \|\| result.Token != testAuth.TestToken {`
			`t.Errorf("Expected auth response to contain token: result: %+v err: %+v", string(body), err)`
			`}`

Better organized fake store functions for server test 2022-06-17 18:52:17 +02:00			`if !testStore.Called.SaveToken {`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`t.Errorf("Expected Store.SaveToken to be called")`
			`}`
			`}`

Implement and test a basic sqlite store 2021-12-19 23:24:43 +01:00			`func TestServerAuthHandlerErrors(t *testing.T) {`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`tt := []struct {`
			`name string`
			`method string`
			`requestBody string`
			`expectedStatusCode int`
			`expectedErrorString string`

Better organized fake store functions for server test 2022-06-17 18:52:17 +02:00			`storeFailures TestStoreFunctions`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`authFailGenToken bool`
			`}{`
			`{`
			`name: "bad method",`
			`method: http.MethodGet,`
			`requestBody: "",`
			`expectedStatusCode: http.StatusMethodNotAllowed,`
			`expectedErrorString: http.StatusText(http.StatusMethodNotAllowed),`
			`},`
			`{`
			`name: "request body too large",`
			`method: http.MethodPost,`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			requestBody: fmt.Sprintf(`{"password": "%s"}`, strings.Repeat("a", 10000)),
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`expectedStatusCode: http.StatusRequestEntityTooLarge,`
			`expectedErrorString: http.StatusText(http.StatusRequestEntityTooLarge),`
			`},`
			`{`
			`name: "malformed request body JSON",`
			`method: http.MethodPost,`
			`requestBody: "{",`
			`expectedStatusCode: http.StatusBadRequest,`
Fix test for error string 2022-06-17 18:58:44 +02:00			`expectedErrorString: http.StatusText(http.StatusBadRequest) + ": Request body JSON malformed or structure mismatch",`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`},`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`{`
			`name: "body JSON failed validation",`
			`method: http.MethodPost,`
			`requestBody: "{}",`
			`expectedStatusCode: http.StatusBadRequest,`
			`expectedErrorString: http.StatusText(http.StatusBadRequest) + ": Request failed validation",`
			`},`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`{`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			`name: "login fail",`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`method: http.MethodPost,`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			`// so long as the JSON is well-formed, the content doesn't matter here since the password check will be stubbed out`
			requestBody: `{"deviceId": "dev-1", "email": "abc@example.com", "password": "123"}`,
			`expectedStatusCode: http.StatusUnauthorized,`
			`expectedErrorString: http.StatusText(http.StatusUnauthorized) + ": No match for email and password",`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
Better organized fake store functions for server test 2022-06-17 18:52:17 +02:00			`storeFailures: TestStoreFunctions{GetUserId: true},`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`},`
			`{`
			`name: "generate token fail",`
			`method: http.MethodPost,`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			requestBody: `{"deviceId": "dev-1", "email": "abc@example.com", "password": "123"}`,
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`expectedStatusCode: http.StatusInternalServerError,`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`expectedErrorString: http.StatusText(http.StatusInternalServerError),`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
			`authFailGenToken: true,`
			`},`
			`{`
			`name: "save token fail",`
			`method: http.MethodPost,`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			requestBody: `{"deviceId": "dev-1", "email": "abc@example.com", "password": "123"}`,
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`expectedStatusCode: http.StatusInternalServerError,`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`expectedErrorString: http.StatusText(http.StatusInternalServerError),`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
Better organized fake store functions for server test 2022-06-17 18:52:17 +02:00			`storeFailures: TestStoreFunctions{SaveToken: true},`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`},`
			`}`
			`for _, tc := range tt {`
			`t.Run(tc.name, func(t *testing.T) {`

			`// Set this up to fail according to specification`
Protocol changes * Regress from `lastSynced` to just `sequence` to start with something simpler * Simplified payload: separate metadata, assume canonical way to hmac it together * No more "wallet state" except as a simple wrapper on the front end * Version number in wallet payloads 2022-06-09 23:04:49 +02:00			`testAuth := TestAuth{TestToken: auth.TokenString("seekrit")}`
Better organized fake store functions for server test 2022-06-17 18:52:17 +02:00			`testStore := TestStore{Failures: tc.storeFailures}`
			`if tc.authFailGenToken { // TODO - TestAuth{Failures:authFailures}`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`testAuth.FailGenToken = true`
			`}`
Protocol changes * Regress from `lastSynced` to just `sequence` to start with something simpler * Simplified payload: separate metadata, assume canonical way to hmac it together * No more "wallet state" except as a simple wrapper on the front end * Version number in wallet payloads 2022-06-09 23:04:49 +02:00			`server := Server{&testAuth, &testStore}`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
			`// Make request`
"Full" in Auth endpoint name is no longer useful 2022-06-08 00:24:01 +02:00			`req := httptest.NewRequest(tc.method, PathAuthToken, bytes.NewBuffer([]byte(tc.requestBody)))`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`w := httptest.NewRecorder()`

"Full" in Auth endpoint name is no longer useful 2022-06-08 00:24:01 +02:00			`server.getAuthToken(w, req)`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
			`if want, got := tc.expectedStatusCode, w.Result().StatusCode; want != got {`
			`t.Errorf("StatusCode: expected %d, got %d", want, got)`
			`}`

			`body, _ := ioutil.ReadAll(w.Body)`

			`var result ErrorResponse`
			`if err := json.Unmarshal(body, &result); err != nil {`
			t.Fatalf("Error decoding error message %s: `%s`", err, body)
			`}`

			`if want, got := tc.expectedErrorString, result.Error; want != got {`
			`t.Errorf("Error String: expected %s, got %s", want, got)`
			`}`
			`})`
			`}`
			`}`

"Full" in Auth endpoint name is no longer useful 2022-06-08 00:24:01 +02:00			`func TestServerValidateAuthRequest(t *testing.T) {`
AuthRequest validate test 2022-06-08 02:08:41 +02:00			`authRequest := AuthRequest{DeviceId: "dId", Email: "joe@example.com", Password: "aoeu"}`
			`if !authRequest.validate() {`
			`t.Fatalf("Expected valid AuthRequest to successfully validate")`
			`}`

			`authRequest = AuthRequest{Email: "joe@example.com", Password: "aoeu"}`
			`if authRequest.validate() {`
			`t.Fatalf("Expected AuthRequest with missing device to not successfully validate")`
			`}`

			`authRequest = AuthRequest{DeviceId: "dId", Email: "joe-example.com", Password: "aoeu"}`
			`if authRequest.validate() {`
			`t.Fatalf("Expected AuthRequest with invalid email to not successfully validate")`
			`}`

			`// Note that Golang's email address parser, which I use, will accept`
			`// "Joe <joe@example.com>" so we need to make sure to avoid accepting it. See`
			`// the implementation.`
			`authRequest = AuthRequest{DeviceId: "dId", Email: "Joe <joe@example.com>", Password: "aoeu"}`
			`if authRequest.validate() {`
			`t.Fatalf("Expected AuthRequest with email with unexpected formatting to not successfully validate")`
			`}`

Test missing email explicitly 2022-06-17 22:15:27 +02:00			`authRequest = AuthRequest{DeviceId: "dId", Password: "aoeu"}`
			`if authRequest.validate() {`
			`t.Fatalf("Expected AuthRequest with missing email to not successfully validate")`
			`}`

AuthRequest validate test 2022-06-08 02:08:41 +02:00			`authRequest = AuthRequest{DeviceId: "dId", Email: "joe@example.com"}`
			`if authRequest.validate() {`
			`t.Fatalf("Expected AuthRequest with missing password to not successfully validate")`
			`}`
Implement NewFullToken for Auth. Add a couple test stubs for this and wallet. 2021-12-24 04:29:02 +01:00			`}`