internal/api/middleware/auth_bootstrap_test.go

package middleware

import (
	"context"
	"net/http"
	"net/http/httptest"
	"testing"
	"time"

	"github.com/gin-gonic/gin"
	"github.com/user-management-system/internal/auth"
	"github.com/user-management-system/internal/cache"
	"github.com/user-management-system/internal/domain"
	"github.com/user-management-system/internal/repository"
	"github.com/user-management-system/internal/service"
	gormsqlite "gorm.io/driver/sqlite"
	"gorm.io/gorm"
	"gorm.io/gorm/logger"
	_ "modernc.org/sqlite"
)

func TestAuthMiddleware_AcceptsBootstrapAdminTokenImmediately(t *testing.T) {
	t.Helper()
	gin.SetMode(gin.TestMode)

	db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{
		DriverName: "sqlite",
		DSN:        "file:middleware_bootstrap_test?mode=memory&cache=shared",
	}), &gorm.Config{
		Logger: logger.Default.LogMode(logger.Silent),
	})
	if err != nil {
		t.Fatalf("open sqlite failed: %v", err)
	}

	if err := db.AutoMigrate(&domain.User{}, &domain.Role{}, &domain.UserRole{}); err != nil {
		t.Fatalf("migrate failed: %v", err)
	}

	if err := db.Create(&domain.Role{
		Name:     "管理员",
		Code:     "admin",
		IsSystem: true,
		Status:   domain.RoleStatusEnabled,
	}).Error; err != nil {
		t.Fatalf("seed admin role failed: %v", err)
	}

	jwtManager, err := auth.NewJWTWithOptions(auth.JWTOptions{
		HS256Secret:        "test-bootstrap-token-secret-at-least-32-chars",
		AccessTokenExpire:  15 * time.Minute,
		RefreshTokenExpire: 7 * 24 * time.Hour,
	})
	if err != nil {
		t.Fatalf("create jwt manager failed: %v", err)
	}

	l1Cache := cache.NewL1Cache()
	l2Cache := cache.NewRedisCache(false)
	cacheManager := cache.NewCacheManager(l1Cache, l2Cache)

	userRepo := repository.NewUserRepository(db)
	roleRepo := repository.NewRoleRepository(db)
	userRoleRepo := repository.NewUserRoleRepository(db)

	authService := service.NewAuthService(userRepo, nil, jwtManager, cacheManager, 8, 5, 15*time.Minute)
	authService.SetRoleRepositories(userRoleRepo, roleRepo)

	loginResponse, err := authService.BootstrapAdmin(context.Background(), &service.BootstrapAdminRequest{
		Username: "bootstrap_admin",
		Email:    "bootstrap_admin@example.com",
		Password: "AdminPass123!",
	}, "127.0.0.1")
	if err != nil {
		t.Fatalf("bootstrap admin failed: %v", err)
	}
	if loginResponse == nil || loginResponse.AccessToken == "" {
		t.Fatalf("expected bootstrap access token, got %+v", loginResponse)
	}

	if _, err := jwtManager.ValidateAccessToken(loginResponse.AccessToken); err != nil {
		t.Fatalf("bootstrap access token should validate immediately: %v", err)
	}

	authMiddleware := NewAuthMiddleware(jwtManager, userRepo, userRoleRepo, l1Cache)
	authMiddleware.SetCacheManager(cacheManager)

	recorder := httptest.NewRecorder()
	ctx, engine := gin.CreateTestContext(recorder)
	ctx.Request = httptest.NewRequest(http.MethodGet, "/protected", nil)
	ctx.Request.Header.Set("Authorization", "Bearer "+loginResponse.AccessToken)

	engine.Use(authMiddleware.Required())
	engine.GET("/protected", func(c *gin.Context) {
		c.JSON(http.StatusOK, gin.H{"code": 0})
	})

	engine.ServeHTTP(recorder, ctx.Request)

	if recorder.Code != http.StatusOK {
		t.Fatalf("expected bootstrap token to pass auth middleware immediately, got %d body: %s", recorder.Code, recorder.Body.String())
	}
}
fix: v6 code review P0 auth/IDOR fixes + frontend regression patches Backend fixes: - auth_handler: P0 认证逻辑修复 - ratelimit: 限速中间件增强 + 新增单元测试 - auth_service: 认证服务逻辑完善 + 新增测试 - server: server 配置增强 + 新增测试 - handler_test: 新增 handler 层集成测试 - auth_bootstrap_test: bootstrap 路径测试 Frontend patches: - LoginPage/RegisterPage: CSRF + 表单交互修复 - BootstrapAdminPage: 引导流程修复 - DevicesPage: 设备管理页修复 - auth/social-accounts/users/webhooks services: 类型修正 - csrf.ts: CSRF token 处理修正 - E2E 脚本: CDP smoke + auth e2e 增强 Docs: - FULL_CODE_REVIEW_REPORT_2026-04-20 - report-v6 执行计划 - REAL_PROJECT_STATUS 更新 - .gitignore: 新增 .gocache-*/config.yaml 排除验证: go build/vet 0错误, go test 42/42 PASS, 0 FAIL 2026-04-23 07:14:12 +08:00			`package middleware`

			`import (`
			`"context"`
			`"net/http"`
			`"net/http/httptest"`
			`"testing"`
			`"time"`

			`"github.com/gin-gonic/gin"`
			`"github.com/user-management-system/internal/auth"`
			`"github.com/user-management-system/internal/cache"`
			`"github.com/user-management-system/internal/domain"`
			`"github.com/user-management-system/internal/repository"`
			`"github.com/user-management-system/internal/service"`
			`gormsqlite "gorm.io/driver/sqlite"`
			`"gorm.io/gorm"`
			`"gorm.io/gorm/logger"`
			`_ "modernc.org/sqlite"`
			`)`

			`func TestAuthMiddleware_AcceptsBootstrapAdminTokenImmediately(t *testing.T) {`
			`t.Helper()`
			`gin.SetMode(gin.TestMode)`

			`db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{`
			`DriverName: "sqlite",`
			`DSN: "file:middleware_bootstrap_test?mode=memory&cache=shared",`
			`}), &gorm.Config{`
			`Logger: logger.Default.LogMode(logger.Silent),`
			`})`
			`if err != nil {`
			`t.Fatalf("open sqlite failed: %v", err)`
			`}`

			`if err := db.AutoMigrate(&domain.User{}, &domain.Role{}, &domain.UserRole{}); err != nil {`
			`t.Fatalf("migrate failed: %v", err)`
			`}`

			`if err := db.Create(&domain.Role{`
			`Name: "管理员",`
			`Code: "admin",`
			`IsSystem: true,`
			`Status: domain.RoleStatusEnabled,`
			`}).Error; err != nil {`
			`t.Fatalf("seed admin role failed: %v", err)`
			`}`

			`jwtManager, err := auth.NewJWTWithOptions(auth.JWTOptions{`
			`HS256Secret: "test-bootstrap-token-secret-at-least-32-chars",`
			`AccessTokenExpire: 15 * time.Minute,`
			`RefreshTokenExpire: 7 * 24 * time.Hour,`
			`})`
			`if err != nil {`
			`t.Fatalf("create jwt manager failed: %v", err)`
			`}`

			`l1Cache := cache.NewL1Cache()`
			`l2Cache := cache.NewRedisCache(false)`
			`cacheManager := cache.NewCacheManager(l1Cache, l2Cache)`

			`userRepo := repository.NewUserRepository(db)`
			`roleRepo := repository.NewRoleRepository(db)`
			`userRoleRepo := repository.NewUserRoleRepository(db)`

			`authService := service.NewAuthService(userRepo, nil, jwtManager, cacheManager, 8, 5, 15*time.Minute)`
			`authService.SetRoleRepositories(userRoleRepo, roleRepo)`

			`loginResponse, err := authService.BootstrapAdmin(context.Background(), &service.BootstrapAdminRequest{`
			`Username: "bootstrap_admin",`
			`Email: "bootstrap_admin@example.com",`
			`Password: "AdminPass123!",`
			`}, "127.0.0.1")`
			`if err != nil {`
			`t.Fatalf("bootstrap admin failed: %v", err)`
			`}`
			`if loginResponse == nil \|\| loginResponse.AccessToken == "" {`
			`t.Fatalf("expected bootstrap access token, got %+v", loginResponse)`
			`}`

			`if _, err := jwtManager.ValidateAccessToken(loginResponse.AccessToken); err != nil {`
			`t.Fatalf("bootstrap access token should validate immediately: %v", err)`
			`}`

			`authMiddleware := NewAuthMiddleware(jwtManager, userRepo, userRoleRepo, l1Cache)`
			`authMiddleware.SetCacheManager(cacheManager)`

			`recorder := httptest.NewRecorder()`
			`ctx, engine := gin.CreateTestContext(recorder)`
			`ctx.Request = httptest.NewRequest(http.MethodGet, "/protected", nil)`
			`ctx.Request.Header.Set("Authorization", "Bearer "+loginResponse.AccessToken)`

			`engine.Use(authMiddleware.Required())`
			`engine.GET("/protected", func(c *gin.Context) {`
			`c.JSON(http.StatusOK, gin.H{"code": 0})`
			`})`

			`engine.ServeHTTP(recorder, ctx.Request)`

			`if recorder.Code != http.StatusOK {`
			`t.Fatalf("expected bootstrap token to pass auth middleware immediately, got %d body: %s", recorder.Code, recorder.Body.String())`
			`}`
			`}`