feat: harden runtime import and frontend verification workflows

internal/app/admin_auth_extra_test.go

@@ -0,0 +1,133 @@
+package app
+
+import (
+	"encoding/base64"
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestAdminSessionDebugValue(t *testing.T) {
+	secret := "test-secret"
+	username := "admin"
+	expiresAt := time.Now().Add(time.Hour)
+
+	result := adminSessionDebugValue(secret, username, expiresAt)
+
+	// Result should be a hex string
+	if result == "" {
+		t.Error("adminSessionDebugValue should return non-empty string")
+	}
+
+	// Should be valid hex (only contains hex characters)
+	for _, c := range result {
+		if !((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f')) {
+			t.Errorf("adminSessionDebugValue returned non-hex character: %c", c)
+		}
+	}
+}
+
+func TestAdminSessionPayload(t *testing.T) {
+	tests := []struct {
+		name     string
+		raw      string
+		wantUser string
+		wantExp  bool
+	}{
+		{
+			name:     "valid payload",
+			raw:      createValidPayload("admin", "1234567890"),
+			wantUser: "admin",
+			wantExp:  true,
+		},
+		{
+			name:     "invalid format - no dot",
+			raw:      "invalid-no-dot",
+			wantUser: "",
+			wantExp:  false,
+		},
+		{
+			name:     "invalid format - too many dots",
+			raw:      "part1.part2.part3",
+			wantUser: "",
+			wantExp:  false,
+		},
+		{
+			name:     "invalid base64",
+			raw:      "invalid!!!.signature",
+			wantUser: "",
+			wantExp:  false,
+		},
+		{
+			name:     "empty string",
+			raw:      "",
+			wantUser: "",
+			wantExp:  false,
+		},
+		{
+			name:     "single part",
+			raw:      "onlyonepart",
+			wantUser: "",
+			wantExp:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			payload := adminSessionPayload(tt.raw)
+
+			// All results should have "raw" field
+			if _, ok := payload["raw"]; !ok {
+				t.Error("payload should contain 'raw' field")
+			}
+
+			if tt.wantUser != "" {
+				if user, ok := payload["username"].(string); !ok || user != tt.wantUser {
+					t.Errorf("username = %v, want %v", user, tt.wantUser)
+				}
+			}
+
+			if tt.wantExp {
+				if _, ok := payload["expires_unix"]; !ok {
+					t.Error("expected expires_unix field")
+				}
+				if _, ok := payload["payload"]; !ok {
+					t.Error("expected payload field")
+				}
+			}
+		})
+	}
+}
+
+func TestMarshalAdminSessionPayload(t *testing.T) {
+	validPayload := createValidPayload("admin", "1234567890")
+
+	result := marshalAdminSessionPayload(validPayload)
+
+	// Result should be valid JSON
+	if result == "" {
+		t.Error("marshalAdminSessionPayload should return non-empty string")
+	}
+
+	// Should contain expected fields
+	if !strings.Contains(result, "raw") {
+		t.Error("result should contain 'raw' field")
+	}
+
+	if !strings.Contains(result, "username") {
+		t.Error("result should contain 'username' field")
+	}
+
+	// Test with invalid payload
+	invalidResult := marshalAdminSessionPayload("invalid")
+	if invalidResult == "" {
+		t.Error("marshalAdminSessionPayload with invalid input should still return something")
+	}
+}
+
+// createValidPayload creates a valid payload string for testing
+func createValidPayload(username, expires string) string {
+	body := username + "|" + expires
+	encoded := base64.RawURLEncoding.EncodeToString([]byte(body))
+	return encoded + ".signature"
+}