package service import ( "context" "fmt" "testing" "time" "github.com/user-management-system/internal/auth" "github.com/user-management-system/internal/domain" "github.com/user-management-system/internal/repository" "github.com/user-management-system/internal/security" gormsqlite "gorm.io/driver/sqlite" "gorm.io/gorm" "gorm.io/gorm/logger" ) // ============================================================================= // Auth Service Unit Tests // ============================================================================= func TestPasswordStrength(t *testing.T) { tests := []struct { name string password string wantInfo PasswordStrengthInfo }{ { name: "empty_password", password: "", wantInfo: PasswordStrengthInfo{Score: 0, Length: 0, HasUpper: false, HasLower: false, HasDigit: false, HasSpecial: false}, }, { name: "lowercase_only", password: "abcdefgh", wantInfo: PasswordStrengthInfo{Score: 1, Length: 8, HasUpper: false, HasLower: true, HasDigit: false, HasSpecial: false}, }, { name: "uppercase_only", password: "ABCDEFGH", wantInfo: PasswordStrengthInfo{Score: 1, Length: 8, HasUpper: true, HasLower: false, HasDigit: false, HasSpecial: false}, }, { name: "digits_only", password: "12345678", wantInfo: PasswordStrengthInfo{Score: 1, Length: 8, HasUpper: false, HasLower: false, HasDigit: true, HasSpecial: false}, }, { name: "mixed_case_with_digits", password: "Abcd1234", wantInfo: PasswordStrengthInfo{Score: 3, Length: 8, HasUpper: true, HasLower: true, HasDigit: true, HasSpecial: false}, }, { name: "mixed_with_special", password: "Abcd1234!", wantInfo: PasswordStrengthInfo{Score: 4, Length: 9, HasUpper: true, HasLower: true, HasDigit: true, HasSpecial: true}, }, { name: "chinese_characters", password: "密码123456", wantInfo: PasswordStrengthInfo{Score: 1, Length: 8, HasUpper: false, HasLower: false, HasDigit: true, HasSpecial: false}, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { info := GetPasswordStrength(tt.password) if info.Score != tt.wantInfo.Score { t.Errorf("Score: got %d, want %d", info.Score, tt.wantInfo.Score) } if info.Length != tt.wantInfo.Length { t.Errorf("Length: got %d, want %d", info.Length, tt.wantInfo.Length) } if info.HasUpper != tt.wantInfo.HasUpper { t.Errorf("HasUpper: got %v, want %v", info.HasUpper, tt.wantInfo.HasUpper) } if info.HasLower != tt.wantInfo.HasLower { t.Errorf("HasLower: got %v, want %v", info.HasLower, tt.wantInfo.HasLower) } if info.HasDigit != tt.wantInfo.HasDigit { t.Errorf("HasDigit: got %v, want %v", info.HasDigit, tt.wantInfo.HasDigit) } if info.HasSpecial != tt.wantInfo.HasSpecial { t.Errorf("HasSpecial: got %v, want %v", info.HasSpecial, tt.wantInfo.HasSpecial) } }) } } func TestValidatePasswordStrength(t *testing.T) { tests := []struct { name string password string minLength int strict bool wantErr bool }{ { name: "valid_password_strict", password: "Abcd1234!", minLength: 8, strict: true, wantErr: false, }, { name: "too_short", password: "Ab1!", minLength: 8, strict: false, wantErr: true, }, { name: "weak_password", password: "abcdefgh", minLength: 8, strict: false, wantErr: true, }, { name: "strict_missing_uppercase", password: "abcd1234!", minLength: 8, strict: true, wantErr: true, }, { name: "strict_missing_lowercase", password: "ABCD1234!", minLength: 8, strict: true, wantErr: true, }, { name: "strict_missing_digit", password: "Abcdefgh!", minLength: 8, strict: true, wantErr: true, }, { name: "boundary_password_requires_three_character_classes", password: "abcd1234", minLength: 8, strict: false, wantErr: true, }, { name: "longer_password_allows_two_character_classes", password: "abcdefgh1234", minLength: 8, strict: false, wantErr: false, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { err := validatePasswordStrength(tt.password, tt.minLength, tt.strict) if (err != nil) != tt.wantErr { t.Errorf("validatePasswordStrength() error = %v, wantErr %v", err, tt.wantErr) } }) } } func TestSanitizeUsername(t *testing.T) { tests := []struct { name string input string want string }{ { name: "normal_username", input: "john_doe", want: "john_doe", }, { name: "username_with_spaces", input: "john doe", want: "john_doe", }, { name: "username_with_uppercase", input: "JohnDoe", want: "johndoe", }, { name: "username_with_special_chars", input: "john@doe", want: "johndoe", }, { name: "empty_username", input: "", want: "user", }, { name: "whitespace_only", input: " ", want: "user", }, { name: "username_with_emoji", input: "john😀doe", want: "johndoe", // emoji is filtered out as it's not letter/digit/./-/_ }, { name: "username_with_leading_underscore", input: "_john_", want: "john", // leading and trailing _ are trimmed }, { name: "username_with_trailing_dots", input: "john..doe...", want: "john..doe", // trailing dots trimmed }, { name: "long_username_truncated", input: "this_is_a_very_long_username_that_exceeds_fifty_characters_limit", want: "this_is_a_very_long_username_that_exceeds_fifty_ch", // 50 chars max, cuts off "acters_limit" }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got := sanitizeUsername(tt.input) if got != tt.want { t.Errorf("sanitizeUsername() = %q (len=%d), want %q (len=%d)", got, len(got), tt.want, len(tt.want)) } }) } } func TestIsValidPhoneSimple(t *testing.T) { tests := []struct { phone string want bool }{ {"13800138000", true}, {"+8613800138000", true}, // Valid: +86 prefix with 11 digit mobile {"8613800138000", true}, // Valid: 86 prefix with 11 digit mobile {"1234567890", false}, {"abcdefghij", false}, {"", false}, {"138001380001", false}, // 12 digits {"1380013800", false}, // 10 digits {"19800138000", true}, // 98 prefix // +[1-9]\d{6,14} allows international numbers like +16171234567 {"+16171234567", true}, // 11 digits international, valid for \d{6,14} {"+112345678901", true}, // 11 digits international, valid for \d{6,14} } for _, tt := range tests { t.Run(tt.phone, func(t *testing.T) { got := isValidPhoneSimple(tt.phone) if got != tt.want { t.Errorf("isValidPhoneSimple(%q) = %v, want %v", tt.phone, got, tt.want) } }) } } func TestLoginRequestGetAccount(t *testing.T) { tests := []struct { name string req *LoginRequest want string }{ { name: "account_field", req: &LoginRequest{Account: "john", Username: "jane", Email: "jane@test.com"}, want: "john", }, { name: "username_field", req: &LoginRequest{Username: "jane", Email: "jane@test.com"}, want: "jane", }, { name: "email_field", req: &LoginRequest{Email: "jane@test.com"}, want: "jane@test.com", }, { name: "phone_field", req: &LoginRequest{Phone: "13800138000"}, want: "13800138000", }, { name: "all_fields_with_whitespace", req: &LoginRequest{Account: " john ", Username: " jane ", Email: " jane@test.com "}, want: "john", }, { name: "empty_request", req: &LoginRequest{}, want: "", }, { name: "nil_request", req: nil, want: "", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got := tt.req.GetAccount() if got != tt.want { t.Errorf("GetAccount() = %q, want %q", got, tt.want) } }) } } func TestBuildDeviceFingerprint(t *testing.T) { tests := []struct { name string req *LoginRequest want string }{ { name: "full_device_info", req: &LoginRequest{ DeviceID: "device123", DeviceName: "iPhone 15", DeviceBrowser: "Safari", DeviceOS: "iOS 17", }, want: "device123|iPhone 15|Safari|iOS 17", }, { name: "partial_device_info", req: &LoginRequest{ DeviceID: "device123", DeviceName: "iPhone 15", }, want: "device123|iPhone 15", }, { name: "only_device_id", req: &LoginRequest{ DeviceID: "device123", }, want: "device123", }, { name: "empty_device_info", req: &LoginRequest{}, want: "", }, { name: "nil_request", req: nil, want: "", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got := buildDeviceFingerprint(tt.req) if got != tt.want { t.Errorf("buildDeviceFingerprint() = %q, want %q", got, tt.want) } }) } } func TestAuthServiceDefaultConfig(t *testing.T) { // Test that default configuration is applied correctly svc := NewAuthService(nil, nil, nil, nil, 0, 0, 0) if svc == nil { t.Fatal("NewAuthService returned nil") } // Check default password minimum length if svc.passwordMinLength != defaultPasswordMinLen { t.Errorf("passwordMinLength: got %d, want %d", svc.passwordMinLength, defaultPasswordMinLen) } // Check default max login attempts if svc.maxLoginAttempts != 5 { t.Errorf("maxLoginAttempts: got %d, want %d", svc.maxLoginAttempts, 5) } // Check default login lock duration if svc.loginLockDuration != 15*time.Minute { t.Errorf("loginLockDuration: got %v, want %v", svc.loginLockDuration, 15*time.Minute) } } func TestAuthServiceNilSafety(t *testing.T) { t.Run("validatePassword_nil_service", func(t *testing.T) { var svc *AuthService err := svc.validatePassword("Abcd1234!") if err != nil { t.Errorf("nil service should not error: %v", err) } }) t.Run("accessTokenTTL_nil_service", func(t *testing.T) { var svc *AuthService ttl := svc.accessTokenTTLSeconds() if ttl != 0 { t.Errorf("nil service should return 0: got %d", ttl) } }) t.Run("RefreshTokenTTL_nil_service", func(t *testing.T) { var svc *AuthService ttl := svc.RefreshTokenTTLSeconds() if ttl != 0 { t.Errorf("nil service should return 0: got %d", ttl) } }) t.Run("generateUniqueUsername_nil_service", func(t *testing.T) { var svc *AuthService username, err := svc.generateUniqueUsername(context.Background(), "testuser") if err != nil { t.Errorf("nil service should return username: %v", err) } if username != "testuser" { t.Errorf("username: got %q, want %q", username, "testuser") } }) t.Run("buildUserInfo_nil_user", func(t *testing.T) { var svc *AuthService info := svc.buildUserInfo(nil) if info != nil { t.Errorf("nil user should return nil info: got %v", info) } }) t.Run("ensureUserActive_nil_user", func(t *testing.T) { var svc *AuthService err := svc.ensureUserActive(nil) if err == nil { t.Error("nil user should return error") } }) t.Run("blacklistToken_nil_service", func(t *testing.T) { var svc *AuthService err := svc.blacklistTokenClaims(context.Background(), "token", nil) if err != nil { t.Errorf("nil service should not error: %v", err) } }) t.Run("Logout_nil_service", func(t *testing.T) { var svc *AuthService err := svc.Logout(context.Background(), "user", nil) if err != nil { t.Errorf("nil service should not error: %v", err) } }) t.Run("IsTokenBlacklisted_nil_service", func(t *testing.T) { var svc *AuthService blacklisted := svc.IsTokenBlacklisted(context.Background(), "jti") if blacklisted { t.Error("nil service should not blacklist tokens") } }) } func TestUserInfoFromCacheValue(t *testing.T) { t.Run("valid_UserInfo_pointer", func(t *testing.T) { info := &UserInfo{ID: 1, Username: "testuser"} got, ok := userInfoFromCacheValue(info) if !ok { t.Error("should parse *UserInfo") } if got.ID != 1 || got.Username != "testuser" { t.Errorf("got %+v, want %+v", got, info) } }) t.Run("valid_UserInfo_value", func(t *testing.T) { info := UserInfo{ID: 2, Username: "testuser2"} got, ok := userInfoFromCacheValue(info) if !ok { t.Error("should parse UserInfo value") } if got.ID != 2 || got.Username != "testuser2" { t.Errorf("got %+v, want %+v", got, info) } }) t.Run("invalid_type", func(t *testing.T) { got, ok := userInfoFromCacheValue("invalid string") if ok || got != nil { t.Errorf("should not parse string: ok=%v, got=%+v", ok, got) } }) t.Run("map_string_interface", func(t *testing.T) { info := map[string]interface{}{ "id": float64(3), "username": "mapuser", "email": "map@test.com", } got, ok := userInfoFromCacheValue(info) if !ok { t.Error("should parse map[string]interface{}") } if got == nil { t.Fatal("got nil") } if got.ID != 3 || got.Username != "mapuser" { t.Errorf("got ID=%d, Username=%s, want ID=3, Username=mapuser", got.ID, got.Username) } }) t.Run("map_with_invalid_data", func(t *testing.T) { info := map[string]interface{}{ "id": "not_a_number", } got, ok := userInfoFromCacheValue(info) // Should fail to parse if ok { t.Errorf("should not parse invalid map: ok=%v, got=%+v", ok, got) } }) } func TestEnsureUserActive(t *testing.T) { t.Run("nil_user", func(t *testing.T) { var svc *AuthService err := svc.ensureUserActive(nil) if err == nil { t.Error("nil user should error") } }) } func TestAttemptCount(t *testing.T) { tests := []struct { name string value interface{} want int }{ {"int_value", 5, 5}, {"int64_value", int64(3), 3}, {"float64_value", float64(4.0), 4}, {"string_int", "3", 0}, // strings are not converted {"invalid_type", "abc", 0}, {"nil", nil, 0}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got := attemptCount(tt.value) if got != tt.want { t.Errorf("attemptCount(%v) = %d, want %d", tt.value, got, tt.want) } }) } } func TestIncrementFailAttempts(t *testing.T) { t.Run("nil_service", func(t *testing.T) { var svc *AuthService count := svc.incrementFailAttempts(context.Background(), "key") if count != 0 { t.Errorf("nil service should return 0, got %d", count) } }) t.Run("empty_key", func(t *testing.T) { svc := NewAuthService(nil, nil, nil, nil, 8, 5, 15*time.Minute) count := svc.incrementFailAttempts(context.Background(), "") if count != 0 { t.Errorf("empty key should return 0, got %d", count) } }) } func TestWriteLoginLog_Nil(t *testing.T) { t.Run("nil_service", func(t *testing.T) { var svc *AuthService userID := int64(1) // Should not panic svc.writeLoginLog(context.Background(), &userID, 1, "127.0.0.1", true, "") }) t.Run("nil_user_id", func(t *testing.T) { svc := NewAuthService(nil, nil, nil, nil, 8, 5, 15*time.Minute) // Should not panic svc.writeLoginLog(context.Background(), nil, 1, "127.0.0.1", true, "") }) } func TestRecordLoginAnomaly_Nil(t *testing.T) { t.Run("nil_service", func(t *testing.T) { var svc *AuthService userID := int64(1) // Should not panic svc.recordLoginAnomaly(context.Background(), &userID, "127.0.0.1", "location", "device", true) }) t.Run("nil_user_id", func(t *testing.T) { svc := NewAuthService(nil, nil, nil, nil, 8, 5, 15*time.Minute) // Should not panic svc.recordLoginAnomaly(context.Background(), nil, "127.0.0.1", "location", "device", true) }) } func TestPublishEvent_Nil(t *testing.T) { t.Run("nil_service", func(t *testing.T) { var svc *AuthService // Should not panic svc.publishEvent(context.Background(), domain.EventUserRegistered, map[string]interface{}{"user_id": 1}) }) } func TestCacheUserInfo_Nil(t *testing.T) { t.Run("nil_service", func(t *testing.T) { var svc *AuthService // Should not panic svc.cacheUserInfo(context.Background(), nil) }) } func TestBestEffortRegisterDevice_Nil(t *testing.T) { t.Run("nil_service", func(t *testing.T) { var svc *AuthService // Should not panic svc.bestEffortRegisterDevice(context.Background(), 1, nil) }) } // ============================================================================= // Write Login Log Integration Tests // ============================================================================= func TestWriteLoginLog_Integration(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:loginlog_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.LoginLog{}); err != nil { t.Fatalf("failed to migrate: %v", err) } loginLogRepo := repository.NewLoginLogRepository(db) svc := NewAuthService(nil, nil, nil, nil, 8, 5, 15*time.Minute) svc.SetLoginLogRepository(loginLogRepo) userID := int64(123) t.Run("write successful login log", func(t *testing.T) { svc.writeLoginLog(context.Background(), &userID, domain.LoginTypePassword, "192.168.1.1", true, "") // Wait for async goroutine time.Sleep(100 * time.Millisecond) var logs []domain.LoginLog db.Find(&logs) if len(logs) != 1 { t.Errorf("Expected 1 log, got %d", len(logs)) } if len(logs) > 0 { if logs[0].Status != 1 { t.Errorf("Expected status 1, got %d", logs[0].Status) } if logs[0].IP != "192.168.1.1" { t.Errorf("Expected IP '192.168.1.1', got %s", logs[0].IP) } } }) t.Run("write failed login log", func(t *testing.T) { svc.writeLoginLog(context.Background(), &userID, domain.LoginTypePassword, "10.0.0.1", false, "wrong password") // Wait for async goroutine time.Sleep(100 * time.Millisecond) var logs []domain.LoginLog db.Where("ip = ?", "10.0.0.1").Find(&logs) if len(logs) != 1 { t.Errorf("Expected 1 log, got %d", len(logs)) } if len(logs) > 0 && logs[0].Status != 0 { t.Errorf("Expected status 0 for failed login, got %d", logs[0].Status) } }) } // ============================================================================= // Record Login Anomaly Tests // ============================================================================= // mockAnomalyDetector is a mock implementation of anomalyRecorder type mockAnomalyDetector struct { events []security.AnomalyEvent } func (m *mockAnomalyDetector) RecordLogin(ctx context.Context, userID int64, ip, location, deviceFingerprint string, success bool) []security.AnomalyEvent { return m.events } func TestRecordLoginAnomaly_WithDetector(t *testing.T) { t.Run("with anomaly detector returning events", func(t *testing.T) { svc := NewAuthService(nil, nil, nil, nil, 8, 5, 15*time.Minute) detector := &mockAnomalyDetector{ events: []security.AnomalyEvent{security.AnomalyBruteForce}, } svc.SetAnomalyDetector(detector) userID := int64(1) // Should not panic svc.recordLoginAnomaly(context.Background(), &userID, "127.0.0.1", "location", "device", false) }) t.Run("with anomaly detector returning no events", func(t *testing.T) { svc := NewAuthService(nil, nil, nil, nil, 8, 5, 15*time.Minute) detector := &mockAnomalyDetector{events: nil} svc.SetAnomalyDetector(detector) userID := int64(1) // Should not panic svc.recordLoginAnomaly(context.Background(), &userID, "127.0.0.1", "location", "device", true) }) } // ============================================================================= // Generate Unique Username Integration Tests // ============================================================================= func TestGenerateUniqueUsername_Integration(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:username_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.User{}); err != nil { t.Fatalf("failed to migrate: %v", err) } userRepo := repository.NewUserRepository(db) svc := NewAuthService(userRepo, nil, nil, nil, 8, 5, 15*time.Minute) t.Run("generate unique username with existing user", func(t *testing.T) { // Create existing user existingUser := &domain.User{ Username: "testuser", Password: "$2a$10$hash", Status: domain.UserStatusActive, } db.Create(existingUser) // Should generate unique username username, err := svc.generateUniqueUsername(context.Background(), "testuser") if err != nil { t.Fatalf("generateUniqueUsername failed: %v", err) } if username == "testuser" { t.Error("Expected different username since testuser already exists") } }) t.Run("generate unique username with new base", func(t *testing.T) { username, err := svc.generateUniqueUsername(context.Background(), "newuser123") if err != nil { t.Fatalf("generateUniqueUsername failed: %v", err) } if username != "newuser123" { t.Errorf("Expected 'newuser123', got %s", username) } }) t.Run("generate unique username with long base", func(t *testing.T) { longBase := "this_is_a_very_long_username_that_exceeds_the_normal_limit" username, err := svc.generateUniqueUsername(context.Background(), longBase) if err != nil { t.Fatalf("generateUniqueUsername failed: %v", err) } if len(username) > 50 { t.Errorf("Username should be truncated to 50 chars, got %d", len(username)) } }) } // ============================================================================= // Upsert OAuth Social Account Tests // ============================================================================= func TestUpsertOAuthSocialAccount_Nil(t *testing.T) { t.Run("nil service", func(t *testing.T) { var svc *AuthService _, err := svc.upsertOAuthSocialAccount(context.Background(), 1, "github", nil) if err == nil { t.Error("Expected error for nil service") } }) } func TestUpsertOAuthSocialAccount_Integration(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:upsert_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.User{}, &domain.SocialAccount{}); err != nil { t.Fatalf("failed to migrate: %v", err) } userRepo := repository.NewUserRepository(db) socialRepo, _ := repository.NewSocialAccountRepository(db) svc := NewAuthService(userRepo, socialRepo, nil, nil, 8, 5, 15*time.Minute) // Create test user user := &domain.User{ Username: "oauthuser", Password: "$2a$10$hash", Status: domain.UserStatusActive, } db.Create(user) t.Run("create new social account", func(t *testing.T) { oauthUser := &auth.OAuthUser{ OpenID: "github123", Nickname: "GitHubUser", Email: "github@example.com", } account, err := svc.upsertOAuthSocialAccount(context.Background(), user.ID, "github", oauthUser) if err != nil { t.Fatalf("upsertOAuthSocialAccount failed: %v", err) } if account == nil { t.Fatal("Expected account to be created") } if account.Provider != "github" { t.Errorf("Expected provider 'github', got %s", account.Provider) } if account.OpenID != "github123" { t.Errorf("Expected OpenID 'github123', got %s", account.OpenID) } }) t.Run("update existing social account", func(t *testing.T) { oauthUser := &auth.OAuthUser{ OpenID: "github123", Nickname: "UpdatedUser", Email: "updated@example.com", } account, err := svc.upsertOAuthSocialAccount(context.Background(), user.ID, "github", oauthUser) if err != nil { t.Fatalf("upsertOAuthSocialAccount failed: %v", err) } if account.Nickname != "UpdatedUser" { t.Errorf("Expected nickname 'UpdatedUser', got %s", account.Nickname) } }) t.Run("nil oauth user", func(t *testing.T) { _, err := svc.upsertOAuthSocialAccount(context.Background(), user.ID, "github", nil) if err == nil { t.Error("Expected error for nil oauth user") } }) } // ============================================================================= // Login By Code Integration Tests // ============================================================================= func TestLoginByCode_Integration(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:logincode_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.User{}, &domain.LoginLog{}); err != nil { t.Fatalf("failed to migrate: %v", err) } userRepo := repository.NewUserRepository(db) loginLogRepo := repository.NewLoginLogRepository(db) jwtManager, _ := auth.NewJWTWithOptions(auth.JWTOptions{ HS256Secret: fmt.Sprintf("test-secret-%d", time.Now().UnixNano()), AccessTokenExpire: 15 * time.Minute, RefreshTokenExpire: 7 * 24 * time.Hour, }) svc := NewAuthService(userRepo, nil, jwtManager, nil, 8, 5, 15*time.Minute) svc.SetLoginLogRepository(loginLogRepo) // Create test user with phone phone := "13800138000" user := &domain.User{ Username: "logincodeuser", Phone: &phone, Password: "$2a$10$hash", Status: domain.UserStatusActive, } db.Create(user) t.Run("LoginByCode without SMS service configured", func(t *testing.T) { _, err := svc.LoginByCode(context.Background(), "13800138000", "123456", "127.0.0.1") if err == nil { t.Error("Expected error when SMS service not configured") } }) } // ============================================================================= // OAuth Callback Tests // ============================================================================= func TestOAuthCallback_Nil(t *testing.T) { t.Run("nil service", func(t *testing.T) { var svc *AuthService _, err := svc.OAuthCallback(context.Background(), "github", "code123") if err == nil { t.Error("Expected error for nil service") } }) } func TestOAuthCallback_Integration(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:oauth_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.User{}, &domain.SocialAccount{}); err != nil { t.Fatalf("failed to migrate: %v", err) } userRepo := repository.NewUserRepository(db) socialRepo, _ := repository.NewSocialAccountRepository(db) jwtManager, _ := auth.NewJWTWithOptions(auth.JWTOptions{ HS256Secret: fmt.Sprintf("test-secret-%d", time.Now().UnixNano()), AccessTokenExpire: 15 * time.Minute, RefreshTokenExpire: 7 * 24 * time.Hour, }) svc := NewAuthService(userRepo, socialRepo, jwtManager, nil, 8, 5, 15*time.Minute) t.Run("OAuthCallback without OAuth manager configured", func(t *testing.T) { _, err := svc.OAuthCallback(context.Background(), "github", "code123") if err == nil { t.Error("Expected error when OAuth manager not configured") } }) } // ============================================================================= // OAuth Bind Callback Tests // ============================================================================= func TestOAuthBindCallback_Integration(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:oauthbind_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.User{}, &domain.SocialAccount{}); err != nil { t.Fatalf("failed to migrate: %v", err) } userRepo := repository.NewUserRepository(db) socialRepo, _ := repository.NewSocialAccountRepository(db) svc := NewAuthService(userRepo, socialRepo, nil, nil, 8, 5, 15*time.Minute) // Create test user user := &domain.User{ Username: "oauthbinduser", Password: "$2a$10$hash", Status: domain.UserStatusActive, } db.Create(user) t.Run("OAuthBindCallback without OAuth manager configured", func(t *testing.T) { _, err := svc.OAuthBindCallback(context.Background(), user.ID, "github", "code123") if err == nil { t.Error("Expected error when OAuth manager not configured") } }) } // ============================================================================= // Best Effort Register Device Tests // ============================================================================= func TestBestEffortRegisterDevice_Integration(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:device_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.User{}, &domain.Device{}); err != nil { t.Fatalf("failed to migrate: %v", err) } userRepo := repository.NewUserRepository(db) deviceRepo := repository.NewDeviceRepository(db) deviceSvc := NewDeviceService(deviceRepo, userRepo) svc := NewAuthService(userRepo, nil, nil, nil, 8, 5, 15*time.Minute) svc.SetDeviceService(deviceSvc) // Create test user user := &domain.User{ Username: "deviceuser", Password: "$2a$10$hash", Status: domain.UserStatusActive, } db.Create(user) t.Run("register device with device info", func(t *testing.T) { req := &LoginRequest{ DeviceID: "device123", DeviceName: "iPhone 15", DeviceBrowser: "Safari", DeviceOS: "iOS 17", } svc.bestEffortRegisterDevice(context.Background(), user.ID, req) // Should not panic }) t.Run("register device with nil request", func(t *testing.T) { svc.bestEffortRegisterDevice(context.Background(), user.ID, nil) // Should not panic }) } // ============================================================================= // Verify Sensitive Action Tests // ============================================================================= func TestVerifySensitiveAction_Integration(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:sensitive_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.User{}); err != nil { t.Fatalf("failed to migrate: %v", err) } userRepo := repository.NewUserRepository(db) svc := NewAuthService(userRepo, nil, nil, nil, 8, 5, 15*time.Minute) hashedPassword, _ := auth.HashPassword("Password123!") t.Run("verify with password", func(t *testing.T) { user := &domain.User{ Username: "sensitiveuser", Password: hashedPassword, Status: domain.UserStatusActive, } db.Create(user) err := svc.verifySensitiveAction(context.Background(), user, "Password123!", "") if err != nil { t.Errorf("Expected no error for correct password, got: %v", err) } }) t.Run("verify with wrong password", func(t *testing.T) { user := &domain.User{ Username: "wrongpassuser", Password: hashedPassword, Status: domain.UserStatusActive, } db.Create(user) err := svc.verifySensitiveAction(context.Background(), user, "wrongpassword", "") if err == nil { t.Error("Expected error for wrong password") } }) t.Run("verify with TOTP user", func(t *testing.T) { user := &domain.User{ Username: "totpuser", Password: hashedPassword, Status: domain.UserStatusActive, TOTPEnabled: true, TOTPSecret: "JBSWY3DPEHPK3PXP", } db.Create(user) // TOTP requires valid code, so this should fail err := svc.verifySensitiveAction(context.Background(), user, "", "invalid_totp") if err == nil { t.Error("Expected error for invalid TOTP code") } }) } // ============================================================================= // Verify TOTP Code Or Recovery Code Tests // ============================================================================= func TestVerifyTOTPCodeOrRecoveryCode_Integration(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:totp_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.User{}); err != nil { t.Fatalf("failed to migrate: %v", err) } userRepo := repository.NewUserRepository(db) svc := NewAuthService(userRepo, nil, nil, nil, 8, 5, 15*time.Minute) t.Run("user without TOTP", func(t *testing.T) { user := &domain.User{ Username: "nototpuser", Password: "$2a$10$hash", Status: domain.UserStatusActive, TOTPEnabled: false, } db.Create(user) err := svc.verifyTOTPCodeOrRecoveryCode(context.Background(), user, "123456") if err == nil { t.Error("Expected error for user without TOTP") } }) t.Run("user with TOTP but wrong code", func(t *testing.T) { user := &domain.User{ Username: "totpuser2", Password: "$2a$10$hash", Status: domain.UserStatusActive, TOTPEnabled: true, TOTPSecret: "JBSWY3DPEHPK3PXP", } db.Create(user) err := svc.verifyTOTPCodeOrRecoveryCode(context.Background(), user, "invalid_code") if err == nil { t.Error("Expected error for invalid TOTP code") } }) } // ============================================================================= // Start Social Account Binding Tests // ============================================================================= func TestStartSocialAccountBinding_Integration(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:startbind_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.User{}, &domain.SocialAccount{}); err != nil { t.Fatalf("failed to migrate: %v", err) } userRepo := repository.NewUserRepository(db) socialRepo, _ := repository.NewSocialAccountRepository(db) svc := NewAuthService(userRepo, socialRepo, nil, nil, 8, 5, 15*time.Minute) hashedPassword, _ := auth.HashPassword("Password123!") t.Run("Start binding without OAuth manager", func(t *testing.T) { user := &domain.User{ Username: "startbinduser", Password: hashedPassword, Status: domain.UserStatusActive, } db.Create(user) _, _, err := svc.StartSocialAccountBinding(context.Background(), user.ID, "github", "http://localhost", "Password123!", "") if err == nil { t.Error("Expected error when OAuth manager not configured") } }) } // ============================================================================= // Verify TOTP Code Or Recovery Code Extended Tests // ============================================================================= func TestVerifyTOTPCodeOrRecoveryCode_NilUser(t *testing.T) { svc := NewAuthService(nil, nil, nil, nil, 8, 5, 15*time.Minute) err := svc.verifyTOTPCodeOrRecoveryCode(context.Background(), nil, "123456") if err == nil { t.Error("Expected error for nil user") } } func TestVerifyTOTPCodeOrRecoveryCode_RecoveryCode(t *testing.T) { // Create in-memory database db, err := gorm.Open(gormsqlite.New(gormsqlite.Config{ DriverName: "sqlite", DSN: fmt.Sprintf("file:totp_recovery_test_%d?mode=memory&cache=shared", time.Now().UnixNano()), }), &gorm.Config{ Logger: logger.Default.LogMode(logger.Silent), }) if err != nil { t.Fatalf("failed to connect database: %v", err) } if err := db.AutoMigrate(&domain.User{}); err != nil { t.Fatalf("failed to migrate: %v", err) } userRepo := repository.NewUserRepository(db) svc := NewAuthService(userRepo, nil, nil, nil, 8, 5, 15*time.Minute) t.Run("user with empty TOTP secret", func(t *testing.T) { user := &domain.User{ Username: "emptysecret", Password: "$2a$10$hash", Status: domain.UserStatusActive, TOTPEnabled: true, TOTPSecret: "", } db.Create(user) err := svc.verifyTOTPCodeOrRecoveryCode(context.Background(), user, "123456") if err == nil { t.Error("Expected error for empty TOTP secret") } }) t.Run("user with TOTP enabled but no recovery codes", func(t *testing.T) { user := &domain.User{ Username: "norecovery", Password: "$2a$10$hash", Status: domain.UserStatusActive, TOTPEnabled: true, TOTPSecret: "JBSWY3DPEHPK3PXP", TOTPRecoveryCodes: "", } db.Create(user) err := svc.verifyTOTPCodeOrRecoveryCode(context.Background(), user, "invalidcode") if err == nil { t.Error("Expected error for invalid code without recovery codes") } }) } // ============================================================================= // RefreshTokenTTLSeconds Tests // ============================================================================= func TestRefreshTokenTTLSeconds(t *testing.T) { t.Run("nil service returns 0", func(t *testing.T) { var nilSvc *AuthService ttl := nilSvc.RefreshTokenTTLSeconds() if ttl != 0 { t.Errorf("Expected 0, got %d", ttl) } }) t.Run("service without jwt manager returns 0", func(t *testing.T) { svc := &AuthService{} ttl := svc.RefreshTokenTTLSeconds() if ttl != 0 { t.Errorf("Expected 0, got %d", ttl) } }) t.Run("service with jwt manager", func(t *testing.T) { jwtManager, _ := auth.NewJWTWithOptions(auth.JWTOptions{ HS256Secret: "test-secret", AccessTokenExpire: 15 * time.Minute, RefreshTokenExpire: 7 * 24 * time.Hour, }) svc := &AuthService{jwtManager: jwtManager} ttl := svc.RefreshTokenTTLSeconds() if ttl == 0 { t.Error("Expected non-zero TTL") } }) } // ============================================================================= // PublishEvent Tests // ============================================================================= func TestPublishEvent(t *testing.T) { t.Run("nil service does not panic", func(t *testing.T) { var nilSvc *AuthService nilSvc.publishEvent(context.Background(), domain.EventUserLogin, nil) }) t.Run("service without webhook service does not panic", func(t *testing.T) { svc := &AuthService{} svc.publishEvent(context.Background(), domain.EventUserLogin, map[string]interface{}{"user_id": 1}) }) } // ============================================================================= // OAuthLogin Tests // ============================================================================= func TestOAuthLogin(t *testing.T) { t.Run("nil service returns error", func(t *testing.T) { var nilSvc *AuthService _, err := nilSvc.OAuthLogin(context.Background(), "github", "http://localhost/callback") if err == nil { t.Error("Expected error for nil service") } }) t.Run("service without oauth manager returns error", func(t *testing.T) { svc := &AuthService{} _, err := svc.OAuthLogin(context.Background(), "github", "http://localhost/callback") if err == nil { t.Error("Expected error when oauth manager not configured") } }) } // ============================================================================= // StartSocialAccountBinding Extended Tests // ============================================================================= func TestStartSocialAccountBinding_Extended(t *testing.T) { t.Run("nil service returns error", func(t *testing.T) { var nilSvc *AuthService _, _, err := nilSvc.StartSocialAccountBinding(context.Background(), 1, "github", "http://localhost", "password", "") if err == nil { t.Error("Expected error for nil service") } }) t.Run("service without oauth manager returns error", func(t *testing.T) { svc := &AuthService{} _, _, err := svc.StartSocialAccountBinding(context.Background(), 1, "github", "http://localhost", "password", "") if err == nil { t.Error("Expected error when oauth manager not configured") } }) }