fix: harden auth flows and align api contracts

This commit is contained in:
Your Name
2026-05-30 21:29:24 +08:00
parent 7ad65a0138
commit a332917142
50 changed files with 23594 additions and 723 deletions


@@ -39,7 +39,7 @@ func doUploadAvatar(url, token string, userID string, filename string, content [
// Create multipart form
var body bytes.Buffer
writer := multipart.NewWriter(&body)
// Add file
part, _ := writer.CreateFormFile("avatar", filename)
part.Write(content)
@@ -76,7 +76,7 @@ func TestAvatarHandler_UploadAvatar_Success(t *testing.T) {
// Get user ID by getting user info
resp, body := doGet(server.URL+"/api/v1/users/me", token)
defer resp.Body.Close()
userID := "1" // Default to 1, adjust based on response
if resp.StatusCode == http.StatusOK {
// Parse user ID from response
@@ -129,7 +129,7 @@ func TestAvatarHandler_UploadAvatar_OtherUser_Forbidden(t *testing.T) {
registerUser(server.URL, "usera", "usera@test.com", "Pass123!")
tokenA := getToken(server.URL, "usera", "Pass123!")
registerUser(server.URL, "userb", "userb@test.com", "Pass123!")
// userB token - but we try to upload to userA
@@ -200,7 +200,10 @@ func TestAvatarHandler_UploadAvatar_NoFile(t *testing.T) {
req.Header.Set("Authorization", "Bearer "+token)
client := &http.Client{}
resp, _ := client.Do(req)
resp, err := client.Do(req)
if err != nil {
t.Fatalf("request failed: %v", err)
}
defer resp.Body.Close()
// Should reject missing file
@@ -220,7 +223,7 @@ func TestAvatarHandler_UploadAvatar_FileTooLarge(t *testing.T) {
// Create oversized file (6MB > 5MB limit)
largeContent := make([]byte, 6*1024*1024)
copy(largeContent, []byte{0x89, 0x50, 0x4E, 0x47}) // PNG header
resp, _ := doUploadAvatar(server.URL, token, "1", "large.png", largeContent)
defer resp.Body.Close()
@@ -239,7 +242,7 @@ func TestAvatarHandler_UploadAvatar_AllowedFormats(t *testing.T) {
assert.NotEmpty(t, token)
formats := []string{".png", ".jpg", ".jpeg", ".gif", ".webp"}
for i, ext := range formats {
imageData := createTestImage(ext)
// Ensure we don't slice beyond the length
@@ -248,9 +251,9 @@ func TestAvatarHandler_UploadAvatar_AllowedFormats(t *testing.T) {
dataSize = 100
}
resp, respBody := doUploadAvatar(server.URL, token, "1", "avatar"+ext, imageData[:dataSize])
t.Logf("Format %s returned status: %d", ext, resp.StatusCode)
// Accept various responses based on image validity
if i == len(formats)-1 {
resp.Body.Close()
@@ -269,12 +272,12 @@ func TestAvatarHandler_UploadAvatar_DisallowedExtensions(t *testing.T) {
assert.NotEmpty(t, token)
disallowed := []string{".exe", ".php", ".sh", ".bat", ".pdf", ".doc"}
for _, ext := range disallowed {
fakeContent := []byte("fake content")
resp, _ := doUploadAvatar(server.URL, token, "1", "file"+ext, fakeContent)
defer resp.Body.Close()
// Should reject disallowed extensions
if resp.StatusCode != http.StatusOK {
assert.True(t, resp.StatusCode == http.StatusBadRequest || resp.StatusCode == http.StatusInternalServerError,