fix: harden handler context and rate limit isolation
This commit is contained in:
Your Name
95
internal/api/handler/context_guard_test.go
Normal file
95
internal/api/handler/context_guard_test.go
Normal file
@@ -0,0 +1,95 @@
|
||||
package handler
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
func init() {
|
||||
gin.SetMode(gin.TestMode)
|
||||
}
|
||||
|
||||
func TestSSOHandlerAuthorize_InvalidContextTypes_ReturnsUnauthorized(t *testing.T) {
|
||||
h := &SSOHandler{}
|
||||
engine := gin.New()
|
||||
engine.GET("/authorize", func(c *gin.Context) {
|
||||
c.Set("user_id", "not-int64")
|
||||
c.Set("username", 123)
|
||||
h.Authorize(c)
|
||||
})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/authorize?client_id=test-client&redirect_uri=https://example.com/callback&response_type=code", nil)
|
||||
w := httptest.NewRecorder()
|
||||
engine.ServeHTTP(w, req)
|
||||
|
||||
if w.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("expected 401, got %d", w.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSSOHandlerUserInfo_InvalidContextTypes_ReturnsUnauthorized(t *testing.T) {
|
||||
h := &SSOHandler{}
|
||||
engine := gin.New()
|
||||
engine.GET("/userinfo", func(c *gin.Context) {
|
||||
c.Set("user_id", "not-int64")
|
||||
c.Set("username", 123)
|
||||
h.UserInfo(c)
|
||||
})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/userinfo", nil)
|
||||
w := httptest.NewRecorder()
|
||||
engine.ServeHTTP(w, req)
|
||||
|
||||
if w.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("expected 401, got %d", w.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestWebhookHandlerCreateWebhook_InvalidContextType_ReturnsUnauthorized(t *testing.T) {
|
||||
h := &WebhookHandler{}
|
||||
engine := gin.New()
|
||||
engine.POST("/webhooks", func(c *gin.Context) {
|
||||
c.Set("user_id", "not-int64")
|
||||
h.CreateWebhook(c)
|
||||
})
|
||||
|
||||
body, err := json.Marshal(map[string]any{
|
||||
"name": "test",
|
||||
"url": "https://example.com/webhook",
|
||||
"events": []string{"user.created"},
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("marshal request: %v", err)
|
||||
}
|
||||
|
||||
req := httptest.NewRequest(http.MethodPost, "/webhooks", bytes.NewReader(body))
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
w := httptest.NewRecorder()
|
||||
engine.ServeHTTP(w, req)
|
||||
|
||||
if w.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("expected 401, got %d", w.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestWebhookHandlerListWebhooks_InvalidContextType_ReturnsUnauthorized(t *testing.T) {
|
||||
h := &WebhookHandler{}
|
||||
engine := gin.New()
|
||||
engine.GET("/webhooks", func(c *gin.Context) {
|
||||
c.Set("user_id", "not-int64")
|
||||
h.ListWebhooks(c)
|
||||
})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/webhooks?page=1&page_size=20", nil)
|
||||
w := httptest.NewRecorder()
|
||||
engine.ServeHTTP(w, req)
|
||||
|
||||
if w.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("expected 401, got %d", w.Code)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user