wallet-sync-server/server/auth_test.go

package server

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"

	"lbryio/wallet-sync-server/auth"
	"lbryio/wallet-sync-server/server/paths"
	"lbryio/wallet-sync-server/store"
)

func TestServerAuthHandlerSuccess(t *testing.T) {
	testAuth := TestAuth{TestNewAuthTokenString: auth.AuthTokenString("seekrit")}
	testStore := TestStore{}
	s := Server{&testAuth, &testStore, &TestEnv{}, &TestMail{}, TestPort}

	requestBody := []byte(`{"deviceId": "dev-1", "email": "abc@example.com", "password": "12345678"}`)

	req := httptest.NewRequest(http.MethodPost, paths.PathAuthToken, bytes.NewBuffer(requestBody))
	w := httptest.NewRecorder()

	s.getAuthToken(w, req)
	body, _ := ioutil.ReadAll(w.Body)

	expectStatusCode(t, w, http.StatusOK)

	var result auth.AuthToken
	err := json.Unmarshal(body, &result)

	if err != nil || result.Token != testAuth.TestNewAuthTokenString {
		t.Errorf("Expected auth response to contain token: result: %+v err: %+v", string(body), err)
	}

	if testStore.Called.SaveToken != testAuth.TestNewAuthTokenString {
		t.Errorf("Expected Store.SaveToken to be called with %s", testAuth.TestNewAuthTokenString)
	}
}

func TestServerAuthHandlerErrors(t *testing.T) {
	tt := []struct {
		name                string
		email               string
		expectedStatusCode  int
		expectedErrorString string

		storeErrors      TestStoreFunctionsErrors
		authFailGenToken bool
	}{
		{
			name:                "validation error", // missing email address
			email:               "",
			expectedStatusCode:  http.StatusBadRequest,
			expectedErrorString: http.StatusText(http.StatusBadRequest) + ": Request failed validation: Invalid 'email'",

			// Just check one validation error (missing email address) to make sure the
			// validate function is called. We'll check the rest of the validation
			// errors in the other test below.
		},
		{
			name:                "login fail",
			email:               "abc@example.com",
			expectedStatusCode:  http.StatusUnauthorized,
			expectedErrorString: http.StatusText(http.StatusUnauthorized) + ": No match for email and/or password",

			storeErrors: TestStoreFunctionsErrors{GetUserId: store.ErrWrongCredentials},
		},
		{
			name:                "unverified account",
			email:               "abc@example.com",
			expectedStatusCode:  http.StatusUnauthorized,
			expectedErrorString: http.StatusText(http.StatusUnauthorized) + ": Account is not verified",

			storeErrors: TestStoreFunctionsErrors{GetUserId: store.ErrNotVerified},
		},
		{
			name:                "generate token fail",
			email:               "abc@example.com",
			expectedStatusCode:  http.StatusInternalServerError,
			expectedErrorString: http.StatusText(http.StatusInternalServerError),

			authFailGenToken: true,
		},
		{
			name:                "save token fail",
			email:               "abc@example.com",
			expectedStatusCode:  http.StatusInternalServerError,
			expectedErrorString: http.StatusText(http.StatusInternalServerError),

			storeErrors: TestStoreFunctionsErrors{SaveToken: fmt.Errorf("TestStore.SaveToken fail")},
		},
	}
	for _, tc := range tt {
		t.Run(tc.name, func(t *testing.T) {

			// Set this up to fail according to specification
			testAuth := TestAuth{TestNewAuthTokenString: auth.AuthTokenString("seekrit")}
			testStore := TestStore{Errors: tc.storeErrors}
			if tc.authFailGenToken { // TODO - TestAuth{Errors:authErrors}
				testAuth.FailGenToken = true
			}
			server := Server{&testAuth, &testStore, &TestEnv{}, &TestMail{}, TestPort}

			// Make request
			// So long as the JSON is well-formed, the content doesn't matter here since the password check will be stubbed out
			requestBody := fmt.Sprintf(`{"deviceId": "dev-1", "email": "%s", "password": "12345678"}`, tc.email)
			req := httptest.NewRequest(http.MethodPost, paths.PathAuthToken, bytes.NewBuffer([]byte(requestBody)))
			w := httptest.NewRecorder()

			server.getAuthToken(w, req)

			body, _ := ioutil.ReadAll(w.Body)

			expectStatusCode(t, w, tc.expectedStatusCode)
			expectErrorString(t, body, tc.expectedErrorString)
		})
	}
}

func TestServerValidateAuthRequest(t *testing.T) {
	authRequest := AuthRequest{DeviceId: "dId", Email: "joe@example.com", Password: "12345678"}
	if authRequest.validate() != nil {
		t.Errorf("Expected valid AuthRequest to successfully validate")
	}

	tt := []struct {
		authRequest         AuthRequest
		expectedErrorSubstr string
		failureDescription  string
	}{
		{
			AuthRequest{Email: "joe@example.com", Password: "12345678"},
			"deviceId",
			"Expected AuthRequest with missing device to not successfully validate",
		}, {
			AuthRequest{DeviceId: "dId", Email: "joe-example.com", Password: "12345678"},
			"email",
			"Expected AuthRequest with invalid email to not successfully validate",
		}, {
			// Note that Golang's email address parser, which I use, will accept
			// "Joe <joe@example.com>" so we need to make sure to avoid accepting it. See
			// the implementation.
			AuthRequest{DeviceId: "dId", Email: "Joe <joe@example.com>", Password: "12345678"},
			"email",
			"Expected AuthRequest with email with unexpected formatting to not successfully validate",
		}, {
			AuthRequest{DeviceId: "dId", Password: "12345678"},
			"email",
			"Expected AuthRequest with missing email to not successfully validate",
		}, {
			AuthRequest{DeviceId: "dId", Email: "joe@example.com"},
			"password",
			"Expected AuthRequest with missing password to not successfully validate",
		},
	}
	for _, tc := range tt {
		err := tc.authRequest.validate()
		if !strings.Contains(err.Error(), tc.expectedErrorSubstr) {
			t.Errorf(tc.failureDescription)
		}
	}
}
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`package server`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
			`import (`
			`"bytes"`
			`"encoding/json"`
Switch to specifying errors to return for mocked store functions. 2022-06-19 22:40:16 +02:00			`"fmt"`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`"io/ioutil"`
			`"net/http"`
			`"net/http/httptest"`
validate() functions return error messages 2022-07-11 15:42:08 +02:00			`"strings"`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`"testing"`
KDF for server password. Save salt in DB. 2022-07-13 18:32:48 +02:00
Rename the output. lbry-id -> wallet-sync-server 2022-08-22 18:05:53 +02:00			`"lbryio/wallet-sync-server/auth"`
			`"lbryio/wallet-sync-server/server/paths"`
			`"lbryio/wallet-sync-server/store"`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`)`

Implement and test a basic sqlite store 2021-12-19 23:24:43 +01:00			`func TestServerAuthHandlerSuccess(t *testing.T) {`
Server test/implement send verify-account email 2022-07-28 01:45:09 +02:00			`testAuth := TestAuth{TestNewAuthTokenString: auth.AuthTokenString("seekrit")}`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`testStore := TestStore{}`
Mailgun integration 2022-08-01 17:50:16 +02:00			`s := Server{&testAuth, &testStore, &TestEnv{}, &TestMail{}, TestPort}`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
validatePassword func 2022-08-23 01:41:30 +02:00			requestBody := []byte(`{"deviceId": "dev-1", "email": "abc@example.com", "password": "12345678"}`)
Tested auth endpoint 2021-12-10 22:35:47 +01:00
Mailgun integration 2022-08-01 17:50:16 +02:00			`req := httptest.NewRequest(http.MethodPost, paths.PathAuthToken, bytes.NewBuffer(requestBody))`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`w := httptest.NewRecorder()`

"Full" in Auth endpoint name is no longer useful 2022-06-08 00:24:01 +02:00			`s.getAuthToken(w, req)`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`body, _ := ioutil.ReadAll(w.Body)`

Add errors to GetWallet test 2022-06-21 17:52:03 +02:00			`expectStatusCode(t, w, http.StatusOK)`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
Test getWallet (via handleWallet) 2022-06-20 00:54:59 +02:00			`var result auth.AuthToken`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`err := json.Unmarshal(body, &result)`

Server test/implement send verify-account email 2022-07-28 01:45:09 +02:00			`if err != nil \|\| result.Token != testAuth.TestNewAuthTokenString {`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`t.Errorf("Expected auth response to contain token: result: %+v err: %+v", string(body), err)`
			`}`

Server test/implement send verify-account email 2022-07-28 01:45:09 +02:00			`if testStore.Called.SaveToken != testAuth.TestNewAuthTokenString {`
			`t.Errorf("Expected Store.SaveToken to be called with %s", testAuth.TestNewAuthTokenString)`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`}`
			`}`

Implement and test a basic sqlite store 2021-12-19 23:24:43 +01:00			`func TestServerAuthHandlerErrors(t *testing.T) {`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`tt := []struct {`
			`name string`
Oops, missed fmt 2022-06-22 17:06:05 +02:00			`email string`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`expectedStatusCode int`
			`expectedErrorString string`

Switch to specifying errors to return for mocked store functions. 2022-06-19 22:40:16 +02:00			`storeErrors TestStoreFunctionsErrors`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`authFailGenToken bool`
			`}{`
Basic validation checks in error tests (just to make sure validation functions are called) 2022-06-22 01:46:10 +02:00			`{`
			`name: "validation error", // missing email address`
			`email: "",`
			`expectedStatusCode: http.StatusBadRequest,`
validate() functions return error messages 2022-07-11 15:42:08 +02:00			`expectedErrorString: http.StatusText(http.StatusBadRequest) + ": Request failed validation: Invalid 'email'",`
Basic validation checks in error tests (just to make sure validation functions are called) 2022-06-22 01:46:10 +02:00
			`// Just check one validation error (missing email address) to make sure the`
			`// validate function is called. We'll check the rest of the validation`
			`// errors in the other test below.`
			`},`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`{`
Switch to specifying errors to return for mocked store functions. 2022-06-19 22:40:16 +02:00			`name: "login fail",`
Basic validation checks in error tests (just to make sure validation functions are called) 2022-06-22 01:46:10 +02:00			`email: "abc@example.com",`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			`expectedStatusCode: http.StatusUnauthorized,`
Make error message more accurate. Rename test. 2022-07-29 21:52:23 +02:00			`expectedErrorString: http.StatusText(http.StatusUnauthorized) + ": No match for email and/or password",`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
ErrNoUId -> ErrWrongCredentials 2022-07-06 18:44:35 +02:00			`storeErrors: TestStoreFunctionsErrors{GetUserId: store.ErrWrongCredentials},`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`},`
Don't hand out auth tokens if they're not verified 2022-07-26 16:53:31 +02:00			`{`
			`name: "unverified account",`
			`email: "abc@example.com",`
			`expectedStatusCode: http.StatusUnauthorized,`
			`expectedErrorString: http.StatusText(http.StatusUnauthorized) + ": Account is not verified",`

			`storeErrors: TestStoreFunctionsErrors{GetUserId: store.ErrNotVerified},`
			`},`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`{`
			`name: "generate token fail",`
Basic validation checks in error tests (just to make sure validation functions are called) 2022-06-22 01:46:10 +02:00			`email: "abc@example.com",`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`expectedStatusCode: http.StatusInternalServerError,`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`expectedErrorString: http.StatusText(http.StatusInternalServerError),`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
			`authFailGenToken: true,`
			`},`
			`{`
			`name: "save token fail",`
Basic validation checks in error tests (just to make sure validation functions are called) 2022-06-22 01:46:10 +02:00			`email: "abc@example.com",`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`expectedStatusCode: http.StatusInternalServerError,`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`expectedErrorString: http.StatusText(http.StatusInternalServerError),`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
Switch to specifying errors to return for mocked store functions. 2022-06-19 22:40:16 +02:00			`storeErrors: TestStoreFunctionsErrors{SaveToken: fmt.Errorf("TestStore.SaveToken fail")},`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`},`
			`}`
			`for _, tc := range tt {`
			`t.Run(tc.name, func(t *testing.T) {`

			`// Set this up to fail according to specification`
Server test/implement send verify-account email 2022-07-28 01:45:09 +02:00			`testAuth := TestAuth{TestNewAuthTokenString: auth.AuthTokenString("seekrit")}`
Switch to specifying errors to return for mocked store functions. 2022-06-19 22:40:16 +02:00			`testStore := TestStore{Errors: tc.storeErrors}`
			`if tc.authFailGenToken { // TODO - TestAuth{Errors:authErrors}`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`testAuth.FailGenToken = true`
			`}`
Mailgun integration 2022-08-01 17:50:16 +02:00			`server := Server{&testAuth, &testStore, &TestEnv{}, &TestMail{}, TestPort}`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
			`// Make request`
Switch to specifying errors to return for mocked store functions. 2022-06-19 22:40:16 +02:00			`// So long as the JSON is well-formed, the content doesn't matter here since the password check will be stubbed out`
validatePassword func 2022-08-23 01:41:30 +02:00			requestBody := fmt.Sprintf(`{"deviceId": "dev-1", "email": "%s", "password": "12345678"}`, tc.email)
Mailgun integration 2022-08-01 17:50:16 +02:00			`req := httptest.NewRequest(http.MethodPost, paths.PathAuthToken, bytes.NewBuffer([]byte(requestBody)))`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`w := httptest.NewRecorder()`

"Full" in Auth endpoint name is no longer useful 2022-06-08 00:24:01 +02:00			`server.getAuthToken(w, req)`
Tested auth endpoint 2021-12-10 22:35:47 +01:00
Simplify expectErrorString 2022-06-22 17:37:03 +02:00			`body, _ := ioutil.ReadAll(w.Body)`

Add errors to GetWallet test 2022-06-21 17:52:03 +02:00			`expectStatusCode(t, w, tc.expectedStatusCode)`
Simplify expectErrorString 2022-06-22 17:37:03 +02:00			`expectErrorString(t, body, tc.expectedErrorString)`
Tested auth endpoint 2021-12-10 22:35:47 +01:00			`})`
			`}`
			`}`

"Full" in Auth endpoint name is no longer useful 2022-06-08 00:24:01 +02:00			`func TestServerValidateAuthRequest(t *testing.T) {`
validatePassword func 2022-08-23 01:41:30 +02:00			`authRequest := AuthRequest{DeviceId: "dId", Email: "joe@example.com", Password: "12345678"}`
validate() functions return error messages 2022-07-11 15:42:08 +02:00			`if authRequest.validate() != nil {`
Salt Seed, used to generate secrets on client 2022-07-15 21:36:11 +02:00			`t.Errorf("Expected valid AuthRequest to successfully validate")`
AuthRequest validate test 2022-06-08 02:08:41 +02:00			`}`

wallet request validation test. loopify auth request validation test. 2022-06-22 01:27:54 +02:00			`tt := []struct {`
validate() functions return error messages 2022-07-11 15:42:08 +02:00			`authRequest AuthRequest`
			`expectedErrorSubstr string`
			`failureDescription string`
wallet request validation test. loopify auth request validation test. 2022-06-22 01:27:54 +02:00			`}{`
			`{`
validatePassword func 2022-08-23 01:41:30 +02:00			`AuthRequest{Email: "joe@example.com", Password: "12345678"},`
validate() functions return error messages 2022-07-11 15:42:08 +02:00			`"deviceId",`
wallet request validation test. loopify auth request validation test. 2022-06-22 01:27:54 +02:00			`"Expected AuthRequest with missing device to not successfully validate",`
			`}, {`
validatePassword func 2022-08-23 01:41:30 +02:00			`AuthRequest{DeviceId: "dId", Email: "joe-example.com", Password: "12345678"},`
validate() functions return error messages 2022-07-11 15:42:08 +02:00			`"email",`
wallet request validation test. loopify auth request validation test. 2022-06-22 01:27:54 +02:00			`"Expected AuthRequest with invalid email to not successfully validate",`
			`}, {`
			`// Note that Golang's email address parser, which I use, will accept`
			`// "Joe <joe@example.com>" so we need to make sure to avoid accepting it. See`
			`// the implementation.`
validatePassword func 2022-08-23 01:41:30 +02:00			`AuthRequest{DeviceId: "dId", Email: "Joe <joe@example.com>", Password: "12345678"},`
validate() functions return error messages 2022-07-11 15:42:08 +02:00			`"email",`
wallet request validation test. loopify auth request validation test. 2022-06-22 01:27:54 +02:00			`"Expected AuthRequest with email with unexpected formatting to not successfully validate",`
			`}, {`
validatePassword func 2022-08-23 01:41:30 +02:00			`AuthRequest{DeviceId: "dId", Password: "12345678"},`
validate() functions return error messages 2022-07-11 15:42:08 +02:00			`"email",`
wallet request validation test. loopify auth request validation test. 2022-06-22 01:27:54 +02:00			`"Expected AuthRequest with missing email to not successfully validate",`
			`}, {`
			`AuthRequest{DeviceId: "dId", Email: "joe@example.com"},`
validate() functions return error messages 2022-07-11 15:42:08 +02:00			`"password",`
wallet request validation test. loopify auth request validation test. 2022-06-22 01:27:54 +02:00			`"Expected AuthRequest with missing password to not successfully validate",`
			`},`
Test missing email explicitly 2022-06-17 22:15:27 +02:00			`}`
wallet request validation test. loopify auth request validation test. 2022-06-22 01:27:54 +02:00			`for _, tc := range tt {`
validate() functions return error messages 2022-07-11 15:42:08 +02:00			`err := tc.authRequest.validate()`
			`if !strings.Contains(err.Error(), tc.expectedErrorSubstr) {`
wallet request validation test. loopify auth request validation test. 2022-06-22 01:27:54 +02:00			`t.Errorf(tc.failureDescription)`
			`}`
AuthRequest validate test 2022-06-08 02:08:41 +02:00			`}`
Implement NewFullToken for Auth. Add a couple test stubs for this and wallet. 2021-12-24 04:29:02 +01:00			`}`