Kharec/goyco
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Kharec:8f6133392d4fe342db2645c71d6494a379c41f3f
Branches Tags
Kharec:main
...
compare: Kharec:a2b194b4a2e67c12d1e7a4e433c42236d76adc7f
Branches Tags
Kharec:main

4 Commits
8f6133392d ... a2b194b4a2

Author SHA1 Message Date
Kharec
a2b194b4a2 git: add ignore 2025-11-10 19:12:51 +01:00
Kharec
64f52e627c feat: add .env.example 2025-11-10 19:12:46 +01:00
Kharec
1f994bec36 feat: add postgres install helper 2025-11-10 19:12:40 +01:00
Kharec
71a031342b To gitea and beyond, let's go(-yco) 2025-11-10 19:12:09 +01:00
245 changed files with 83974 additions and 0 deletions
Expand all files Collapse all files

54
.env.example Normal file
View File

@@ -0,0 +1,54 @@
# Goyco Environment Configuration
# Copy this file to .env and update with your actual values
# DO NOT commit .env to version control
# Database Configuration
DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=your_password_here
DB_NAME=goyco
DB_SSLMODE=disable
# Server Configuration
SERVER_HOST=0.0.0.0
SERVER_PORT=8080
# JWT Configuration
# IMPORTANT: Generate a secure random secret (minimum 32 characters)
# Example: openssl rand -base64 32
JWT_SECRET=your-secure-secret-key-minimum-32-characters-long
# SMTP Configuration
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USERNAME=your-email@example.com
SMTP_PASSWORD=your-password
SMTP_FROM=noreply@example.com
SMTP_TIMEOUT=30
# Application Settings
APP_BASE_URL=https://goyco.example.com
ADMIN_EMAIL=admin@example.com
TITLE=Goyco
DEBUG=false
BCRYPT_COST=10
# Rate limiting configuration (nb of request per minutes)
RATE_LIMIT_AUTH=5
RATE_LIMIT_GENERAL=100
RATE_LIMIT_HEALTH=60
RATE_LIMIT_METRICS=10
RATE_LIMIT_TRUST_PROXY=false
# Environment
# Set to: development, staging, or production
GOYCO_ENV=development
# CORS Configuration (optional, comma-separated)
# Example: CORS_ALLOWED_ORIGINS=https://example.com,https://www.example.com
CORS_ALLOWED_ORIGINS=
# Logging
LOG_DIR=/var/log/
PID_DIR=/run

23
.gitignore vendored Normal file
View File

@@ -0,0 +1,23 @@
# Test binary, built with `go test -c`
*.test
# Code coverage profiles and other test artifacts
*.out
coverage.*
*.coverprofile
profile.cov
# pid & logs
run/
log/
# Go workspace file
go.work
go.work.sum
# env file
.env
# binaries
bin/goyco

11
AUTHORS Normal file
View File

@@ -0,0 +1,11 @@
# This is the official list of Goyco authors for copyright purposes.
# This file is distinct from the CONTRIBUTORS files
# and it lists the copyright holders only.
# Names should be added to this file as one of
# Individual's name <submission email address>
# Please keep the list sorted.
Sandro CAZZANIGA <sandro@cazzaniga.fr>

27
Dockerfile Normal file
View File

@@ -0,0 +1,27 @@
ARG GO_VERSION=1.25.3
# Building the binary using a golang alpine image
FROM golang:${GO_VERSION}-alpine AS go-builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . ./
ARG TARGETOS=linux
ARG TARGETARCH=amd64
RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -ldflags="-s -w" -o /out/goyco ./cmd/goyco
# building the application image
FROM alpine:3.21
RUN addgroup -S goyco && adduser -S -G goyco goyco \
&& apk add --no-cache ca-certificates tzdata
WORKDIR /app
COPY --from=go-builder /out/goyco ./goyco
COPY --from=go-builder /src/internal/static ./internal/static
COPY --from=go-builder /src/internal/templates ./internal/templates
RUN mkdir -p /app/log /app/run && chown -R goyco:goyco /app
ENV SERVER_HOST=0.0.0.0
ENV SERVER_PORT=8080
EXPOSE 8080
USER goyco
ENTRYPOINT ["./goyco", "run"]

156
Makefile Normal file
View File

@@ -0,0 +1,156 @@
GO ?= go
DOCKER ?= docker
PRETTIER ?= prettier
GOLANGCI_LINT ?= golangci-lint
BINARY := bin/goyco
INSTALL_DIR := /opt/goyco
DOC_DIR := /usr/share/doc/goyco
LICENSE_DIR := /usr/share/licenses/goyco
SERVICE_FILE := /etc/systemd/system/goyco.service
VERSION_FILE := internal/version/version.go
VERSION := $(shell sed -n 's/^const Version = "\(.*\)"/\1/p' $(VERSION_FILE))
DIST_DIR ?= dist
RELEASE_NAME := goyco-$(VERSION)
RELEASE_TARBALL := $(DIST_DIR)/$(RELEASE_NAME).tar.gz
RELEASE_ARCHIVE := $(DIST_DIR)/$(RELEASE_NAME).tar
GO_BUILD_FLAGS ?=
GO_TEST_FLAGS ?= -v
FUZZ_TIME ?= 30s
DOCKER_IMAGE ?= goyco:latest
SWAGGER_SCRIPT := ./scripts/regenerate-swagger.sh
DEPENDENCY_COMPOSE_FILE := docker/compose.dependencies.yml
UNIT_TEST_PACKAGES := ./cmd/goyco ./internal/config ./internal/database ./internal/fuzz ./internal/handlers ./internal/middleware ./internal/repositories ./internal/security ./internal/server ./internal/services ./internal/templates ./internal/validation
INTEGRATION_TEST_PACKAGE := ./internal/integration/...
E2E_TEST_PACKAGE := ./internal/e2e/...
FUZZ_UNIT_CASES := \
./internal/validation::FuzzValidateEmail \
./internal/validation::FuzzValidateUsername \
./internal/validation::FuzzValidatePassword \
./internal/validation::FuzzValidateURL \
./internal/validation::FuzzValidateTitle \
./internal/validation::FuzzValidateContent \
./internal/validation::FuzzValidateSearchQuery \
./internal/validation::FuzzSanitizeString \
./internal/security::FuzzSanitizeInput \
./internal/security::FuzzSanitizeUsername \
./internal/security::FuzzSanitizeEmail \
./internal/security::FuzzSanitizePostContent \
./internal/security::FuzzSanitizeURL \
./internal/security::FuzzInputSanitizerUsernameCLI \
./internal/security::FuzzInputSanitizerEmailCLI \
./internal/security::FuzzInputSanitizerPasswordCLI \
./internal/security::FuzzInputSanitizerSearchTerm \
./internal/security::FuzzInputSanitizerTitleCLI \
./internal/security::FuzzInputSanitizerContentCLI \
./internal/security::FuzzInputSanitizerID \
./internal/handlers::FuzzJSONParsing \
./internal/handlers::FuzzURLParsing \
./internal/handlers::FuzzQueryParameters \
./internal/handlers::FuzzHTTPHeaders \
./cmd/goyco::FuzzCLIArgs \
./cmd/goyco::FuzzCommandDispatch \
./cmd/goyco::FuzzRunCommandHandler
FUZZ_CENTRALIZED_CASES := \
./internal/fuzz::FuzzSearchRepository \
./internal/fuzz::FuzzPostRepository \
./internal/fuzz::FuzzIntegrationHandlers \
./internal/fuzz::FuzzIntegrationServices \
./internal/fuzz::FuzzIntegrationRepositories
PHONY_TARGETS := build test clean format lint build-deps clean-deps docker-image swagger \
unit-tests integration-tests e2e-tests fuzz-tests install uninstall release migrations
.PHONY: $(PHONY_TARGETS)
define run-fuzz-cases
@set -e; \
for case in $(1); do \
pkg=$${case%%::*}; \
target=$${case##*::}; \
echo "==> $$pkg $$target"; \
$(GO) test -fuzz=$$target -fuzztime=$(FUZZ_TIME) $$pkg; \
done
endef
build:
@mkdir -p $(dir $(BINARY))
$(GO) build $(GO_BUILD_FLAGS) -o $(BINARY) ./cmd/goyco
test: unit-tests integration-tests e2e-tests
clean:
rm -f $(BINARY)
$(GO) clean -testcache
rm -rf .gocache
rm -fr dist/*
format:
$(PRETTIER) -w .
$(GO) fmt ./...
lint:
$(GOLANGCI_LINT) run
build-deps:
$(DOCKER) compose -f $(DEPENDENCY_COMPOSE_FILE) up -d
clean-deps:
$(DOCKER) compose -f $(DEPENDENCY_COMPOSE_FILE) down --volumes --remove-orphans
docker-image:
$(DOCKER) build -t $(DOCKER_IMAGE) -f Dockerfile .
swagger:
@echo "Regenerating Swagger documentation..."
@$(SWAGGER_SCRIPT)
unit-tests:
$(GO) test $(GO_TEST_FLAGS) $(UNIT_TEST_PACKAGES)
integration-tests:
$(GO) test $(GO_TEST_FLAGS) $(INTEGRATION_TEST_PACKAGE)
e2e-tests:
$(GO) test $(GO_TEST_FLAGS) $(E2E_TEST_PACKAGE)
fuzz-tests:
@echo "Running fuzz tests..."
$(call run-fuzz-cases,$(FUZZ_UNIT_CASES) $(FUZZ_CENTRALIZED_CASES))
install:
@useradd -r -m -d $(INSTALL_DIR) -s /usr/sbin/nologin goyco
@mkdir -p $(INSTALL_DIR)/bin $(INSTALL_DIR)/internal/static $(INSTALL_DIR)/internal/templates /usr/share/licenses/goyco /usr/share/doc/goyco
@cp $(BINARY) $(INSTALL_DIR)/bin/goyco
@cp .env.example $(INSTALL_DIR)/.env
@cp -r internal/static $(INSTALL_DIR)/internal/
@cp -r internal/templates $(INSTALL_DIR)/internal/
@cp LICENSE $(LICENSE_DIR)/
@cp README.md $(DOC_DIR)/
@cp services/goyco.service $(SERVICE_FILE)
uninstall:
@systemctl disable --now goyco
@rm -f $(SERVICE_FILE)
@rm -rf $(INSTALL_DIR) $(DOC_DIR) $(LICENSE_DIR)
@userdel goyco
release:
@test -n "$(VERSION)" || (echo "Version not found in $(VERSION_FILE)" >&2 && exit 1)
@mkdir -p $(DIST_DIR)
@rm -f $(RELEASE_TARBALL) $(RELEASE_ARCHIVE)
@set -e; \
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then \
git archive --format=tar --prefix=$(RELEASE_NAME)/ --output=$(RELEASE_ARCHIVE) HEAD ":!TODO.md" ":!.env"; \
else \
tar -cf $(RELEASE_ARCHIVE) --exclude='./$(DIST_DIR)' --exclude='./.git' --exclude='./TODO.md' --exclude='./.env' --transform='s,^./,$(RELEASE_NAME)/,' .; \
fi
@gzip -f $(RELEASE_ARCHIVE)
@echo "Created $(RELEASE_TARBALL)"
migrations:
@$(INSTALL_DIR)/bin/goyco migrate

437
README.md Normal file
View File

@@ -0,0 +1,437 @@
# Goyco
[![Go Version](https://img.shields.io/badge/Go-1.25.0-blue.svg)](https://golang.org/)
[![PostgreSQL](https://img.shields.io/badge/PostgreSQL-17-blue.svg)](https://www.postgresql.org/)
[![License](https://img.shields.io/badge/License-GPLv3-green.svg)](LICENSE)
Goyco is a Y Combinator-style news aggregation platform built in Go. It will allow you to host your own news aggregation platform, with a modern-ish UI and a fully functional REST API.
You have the flexibility to personalize the UI with your community’s name, and you can deploy Goyco on your own server, in the cloud or anywhere else you want. The rest of the features is described below.
It's free (as in free beer), open-source and sadly not (yet) fully customizable.
By the way, the web interface is living proof that I'm not a front-end developer — but hey, it loads! Please, don't judge me too harshly.
## Architecture
### Technology Stack
It's basically pure Go (using Chi router), raw CSS and PostgreSQL 17.
## Quick Start
### Prerequisites
- Go 1.25.0 or later
- PostgreSQL 17 or later
- SMTP server for email functionality
### Setup PostgreSQL database and user
If you're not using a managed database service or a docker container, we wrote a script to help you setup a local PostgreSQL database along with the `goyco` user.
```bash
scripts/setup-postgres.sh
```
It'll prompt you for the password for the `goyco` user and then setup the database and user.
### Installation
In order to install Goyco on your system, you can use the following commands run as root:
```bash
make
make install
cp .env.example /opt/goyco/.env # edit it to add your own parameters
make migrations
```
This will:
- Create system user and group
- Install the binary to `/opt/goyco/bin`
- Install the static assets to `/opt/goyco/internal/static/`
- Install the templates to `/opt/goyco/internal/templates/`
- Install the license to `/usr/share/licenses/goyco/`
- Install the documentation to `/usr/share/doc/goyco/`
- Run database migrations
Finally, polish permissions and enable and start the service:
```bash
chown -R goyco:goyco /opt/goyco
systemctl enable --now goyco
```
### Deploy using Docker (compose)
```bash
# Build the image
make docker-image
# Run with Docker Compose (from project root)
docker compose --env-file .env -f docker/compose.prod.yml up -d
# migrate the database
docker compose --env-file .env -f docker/compose.prod.yml exec app goyco migrate
```
Once you built the image, you can also run the docker container itself with right environment variables:
```bash
docker run -d --name goyco -p 8080:8080 --env-file .env --restart unless-stopped goyco:latest
```
## Configuration
Goyco uses environment variables for configuration.
Key settings include:
### Database Configuration
```bash
DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=your_password
DB_NAME=goyco
DB_SSLMODE=disable
```
### Server Configuration
```bash
SERVER_HOST=0.0.0.0
SERVER_PORT=8080
```
### JWT Configuration
```bash
JWT_SECRET=your-secure-secret-key
JWT_EXPIRATION=1
JWT_REFRESH_EXPIRATION=168
```
### SMTP Configuration
```bash
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USERNAME=your-email@example.com
SMTP_PASSWORD=your-password
SMTP_FROM=noreply@example.com
```
Be sure to check `.env.example` for more details.
### Reverse Proxy Configuration
To use a reverse proxy in order to offload the SSL termination (for example), here's a sample nginx configuration:
```nginx
upstream goyco {
server 10.200.1.11:8080;
}
server {
listen 443 ssl;
server_name goyco.example.com;
ssl_certificate /etc/letsencrypt/live/goyco.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/goyco.example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE+AESGCM:CHACHA20';
location / {
proxy_pass http://goyco;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
}
}
```
### Application Settings
```bash
APP_BASE_URL=https://goyco.example.com # assuming you are using a reverse proxy
ADMIN_EMAIL=admin@example.com
TITLE=Goyco # will be displayed in the web interface, choose wisely
DEBUG=false
```
## API Documentation
The API is fully documented with Swagger.
Once running, visit:
- **Swagger UI**: `https://goyco.example.com/swagger/index.html`
You can also use `curl` to get the API info, health check and even metrics:
```bash
curl -X GET https://goyco.example.com/api
curl -X GET https://goyco.example.com/health
curl -X GET https://goyco.example.com/metrics
```
You can also use `jq` to parse the JSON responses:
```bash
curl -X GET https://goyco.example.com/api | jq
curl -X GET https://goyco.example.com/health | jq
curl -X GET https://goyco.example.com/metrics | jq
```
It'll be more readable and easier to parse.
### Key Endpoints
#### Authentication
- `POST /api/auth/register` - Register new user
- `POST /api/auth/login` - Login user
- `GET /api/auth/confirm` - Confirm email
- `POST /api/auth/logout` - Logout user
#### Posts
- `GET /api/posts` - List posts
- `POST /api/posts` - Create post
- `GET /api/posts/{id}` - Get specific post
- `PUT /api/posts/{id}` - Update post
- `DELETE /api/posts/{id}` - Delete post
#### Voting
- `POST /api/posts/{id}/vote` - Cast vote
- `DELETE /api/posts/{id}/vote` - Remove vote
- `GET /api/posts/{id}/votes` - Get post votes
## CLI Commands
Goyco includes a comprehensive CLI for administration:
```bash
# Server management
./bin/goyco run # Run server in foreground
./bin/goyco start # Start server as daemon
./bin/goyco stop # Stop daemon
./bin/goyco status # Check server status
# Database management
./bin/goyco migrate # Run database migrations
./bin/goyco seed database # Seed database with sample data
# User management
./bin/goyco user create # Create new user
./bin/goyco user list # List users
./bin/goyco user update # Update user
./bin/goyco user delete # Delete user
./bin/goyco user lock # Lock user
./bin/goyco user unlock # Unlock user
# Post management
./bin/goyco post list # List posts
./bin/goyco post search # Search posts
./bin/goyco post delete # Delete post
# Maintenance
./bin/goyco prune posts # Hard delete posts of deleted users
./bin/goyco prune users # Hard delete users
./bin/goyco prune all # Hard delete all users and posts
```
## Development
### Get the sources
```bash
git clone https://github.com/sandrocazzaniga/goyco.git
cd goyco
```
Note: if you mean to contribute to the project, please fork the repository first.
### Create a `.env` file
```bash
cp .env.example .env
```
Customize the `.env` file to add your own parameters.
Here's the SMTP configuration for `mailpit` (for development purposes):
```bash
# SMTP Configuration
SMTP_HOST=localhost
SMTP_PORT=1025
SMTP_FROM=noreply@goyco.xiz
```
While you're hacking around, be sure to set `SERVER_HOST` and `SERVER_PORT` in order to be able to access the application from your browser. Also, beware of `APP_BASE_URL` parameter.
### Install and manage development dependencies
```bash
make build-deps
```
It will start a PostgreSQL database and a [mailpit](https://mailpit.axllent.org/) server in order to test the application.
The web front of mailpit server will be available at `http://localhost:8025` and will allow you to view the emails sent by the application. No matter the recipient, all emails will be captured by `mailpit`.
Once you're done, you can use `make clean-deps` to stop the dependencies and remove the containers and volumes.
### Build the application
```bash
make
```
The build process will create the binary in the `bin/` directory.
Then, make the migrations:
```bash
./bin/goyco migrate
```
It will create the necessary tables in the database.
### Run the application
```bash
./bin/goyco run
```
It will start the application in development mode. You can also run it as a daemon:
```bash
./bin/goyco start
```
Then, use `./bin/goyco` to manage the application and notably to seed the database with sample data.
### Project Structure
````sh
goyco/
├── bin/ # Compiled binaries (created after build)
├── cmd/
│ └── goyco/ # Main CLI application entrypoint
├── docker/ # Docker Compose & related files
├── docs/ # Documentation and API specs
├── internal/
│ ├── config/ # Configuration management
│ ├── database/ # Database models and access
│ ├── dto/ # Data Transfer Objects (DTOs)
│ ├── e2e/ # End-to-end tests
│ ├── fuzz/ # Fuzz tests
│ ├── handlers/ # HTTP handlers
│ ├── integration/ # Integration tests
│ ├── middleware/ # HTTP middleware
│ ├── repositories/ # Data access layer
│ ├── security/ # Security and auth logic
│ ├── server/ # HTTP server implementation
│ ├── services/ # Business logic
│ ├── static/ # Static web assets
│ ├── templates/ # HTML templates
│ ├── testutils/ # Test helpers/utilities
│ ├── validation/ # Input validation
│ └── version/ # Version information
├── scripts/ # Utility/maintenance scripts
├── services/
│ └── goyco.service # Systemd service unit example
├── .env.example # Environment variable example
├── AUTHORS # Authors file
├── Dockerfile # Docker build file
├── LICENSE # License file
├── Makefile # Project build/test targets
└── README.md # This file
### Testing
```bash
# Run all tests
make test
# Run specific test suites
make unit-tests
make integration-tests
make e2e-tests
# Run fuzz testing (can take a bit of CPU and time)
make fuzz-tests
````
### Code Quality
```bash
# Format code
make format
# Run linter
make lint
```
### Regerenate Swagger documentation
If you make changes to the API, you can regenerate the swagger documentation by running the following command after modifying the swagger annotations:
```bash
# Regenerate Swagger documentation
make swagger
```
This will regenerate the swagger documentation and update the `docs/swagger.json` and `docs/swagger.yaml` files.
## Roadmap
- [ ] migrate cli to urfave/cli
- [ ] add a ML powered nsfw link detection
- [ ] add right management within the app
- [ ] add an admin backoffice to manage rights, users, content and settings
- [ ] add a way to run read-only communities
- [ ] use tailwind instead of raw css
- [ ] kubernetes deployment
- [ ] store configuration in the database
## Contributing
Feedbacks are welcome!
But as it's a personal gitea and you cannot create accounts, feel free to contact me at <sandro@cazzaniga.fr> to get one.
Once you have it, follow the usual workflow:
1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Add tests for new functionality
5. Ensure all tests pass
6. Submit a pull request
Then, I'll review your changes and merge them if they are good.
## License
This project is licensed under the GNU General Public License v3.0 or later (GPLv3+). See the [LICENSE](LICENSE) file for details.
## Support
For support and questions:
- Create an issue on GitHub
- Check the documentation
- Review the API documentation at `/swagger/index.html`
---
**Goyco** - A modern news aggregation platform built with Go, PostgreSQL and most importantly, love.

4
TODO Normal file
View File

@@ -0,0 +1,4 @@
# TODO
github worflows : quality, tests and build
install a demo on <https://goyco.kharec.info>

56
cmd/goyco/cli.go Normal file
View File

@@ -0,0 +1,56 @@
package main
import (
"errors"
"flag"
"fmt"
"os"
"github.com/joho/godotenv"
"goyco/cmd/goyco/commands"
)
func loadDotEnv() {
if _, err := os.Stat(".env"); err == nil {
_ = godotenv.Load()
return
}
}
func newFlagSet(name string, usage func()) *flag.FlagSet {
fs := flag.NewFlagSet(name, flag.ContinueOnError)
fs.SetOutput(os.Stderr)
if usage != nil {
fs.Usage = usage
}
return fs
}
func parseCommand(fs *flag.FlagSet, args []string, context string) error {
if err := fs.Parse(args); err != nil {
if errors.Is(err, flag.ErrHelp) {
return commands.ErrHelpRequested
}
return fmt.Errorf("failed to parse %s command: %w", context, err)
}
return nil
}
func printRootUsage() {
fmt.Fprintf(os.Stderr, "Usage: %s <command> [<args>]\n", os.Args[0])
fmt.Fprintln(os.Stderr, "\nCommands:")
fmt.Fprintln(os.Stderr, " run start the web application in foreground")
fmt.Fprintln(os.Stderr, " start start the web application in background")
fmt.Fprintln(os.Stderr, " stop stop the daemon")
fmt.Fprintln(os.Stderr, " status check if the daemon is running")
fmt.Fprintln(os.Stderr, " migrate apply database migrations")
fmt.Fprintln(os.Stderr, " user manage users (create, update, delete, lock, list)")
fmt.Fprintln(os.Stderr, " post manage posts (delete, list, search)")
fmt.Fprintln(os.Stderr, " prune hard delete users and posts (posts, all)")
fmt.Fprintln(os.Stderr, " seed seed database with random data")
}
func printRunUsage() {
fmt.Fprintln(os.Stderr, "Usage: goyco run")
fmt.Fprintln(os.Stderr, "\nStart the web application in foreground.")
}

390
cmd/goyco/cli_test.go Normal file
View File

@@ -0,0 +1,390 @@
package main
import (
"errors"
"flag"
"os"
"strings"
"testing"
"gorm.io/gorm"
"goyco/cmd/goyco/commands"
"goyco/internal/config"
"goyco/internal/testutils"
)
func TestLoadDotEnv(t *testing.T) {
t.Run("no .env file", func(t *testing.T) {
defer func() {
if r := recover(); r != nil {
t.Errorf("loadDotEnv panicked: %v", r)
}
}()
loadDotEnv()
})
}
func TestNewFlagSet(t *testing.T) {
tests := []struct {
name string
flagName string
usage func()
}{
{
name: "with usage function",
flagName: "test",
usage: func() { _, _ = os.Stderr.WriteString("test usage") },
},
{
name: "without usage function",
flagName: "test2",
usage: nil,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
fs := newFlagSet(tt.flagName, tt.usage)
if fs.Name() != tt.flagName {
t.Errorf("expected flag set name %q, got %q", tt.flagName, fs.Name())
}
if tt.usage != nil && fs.Usage == nil {
t.Error("expected usage function to be set")
}
})
}
}
func TestParseCommand(t *testing.T) {
tests := []struct {
name string
args []string
context string
expectError bool
expectHelp bool
}{
{
name: "valid arguments",
args: []string{"--help"},
context: "test",
expectError: true,
expectHelp: true,
},
{
name: "invalid flag",
args: []string{"--invalid-flag"},
context: "test",
expectError: true,
expectHelp: false,
},
{
name: "empty arguments",
args: []string{},
context: "test",
expectError: false,
expectHelp: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
fs := flag.NewFlagSet("test", flag.ContinueOnError)
fs.SetOutput(os.Stderr)
err := parseCommand(fs, tt.args, tt.context)
if tt.expectError && err == nil {
t.Error("expected error but got none")
}
if !tt.expectError && err != nil {
t.Errorf("unexpected error: %v", err)
}
if tt.expectHelp && !errors.Is(err, commands.ErrHelpRequested) {
t.Error("expected help requested error")
}
})
}
}
func TestPrintRootUsage(t *testing.T) {
defer func() {
if r := recover(); r != nil {
t.Errorf("printRootUsage panicked: %v", r)
}
}()
printRootUsage()
}
func TestPrintRunUsage(t *testing.T) {
defer func() {
if r := recover(); r != nil {
t.Errorf("printRunUsage panicked: %v", r)
}
}()
printRunUsage()
}
func TestDispatchCommand(t *testing.T) {
t.Run("unknown command", func(t *testing.T) {
cfg := testutils.NewTestConfig()
err := dispatchCommand(cfg, "unknown", []string{})
if err == nil {
t.Error("expected error for unknown command")
}
expectedErr := "unknown command: unknown"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("help command", func(t *testing.T) {
cfg := testutils.NewTestConfig()
err := dispatchCommand(cfg, "help", []string{})
if err != nil {
t.Errorf("unexpected error for help command: %v", err)
}
})
t.Run("h command", func(t *testing.T) {
cfg := testutils.NewTestConfig()
err := dispatchCommand(cfg, "-h", []string{})
if err != nil {
t.Errorf("unexpected error for -h command: %v", err)
}
})
t.Run("--help command", func(t *testing.T) {
cfg := testutils.NewTestConfig()
err := dispatchCommand(cfg, "--help", []string{})
if err != nil {
t.Errorf("unexpected error for --help command: %v", err)
}
})
t.Run("post list with injected database", func(t *testing.T) {
cfg := testutils.NewTestConfig()
useInMemoryCommandsConnector(t)
err := dispatchCommand(cfg, "post", []string{"list"})
if err != nil {
t.Errorf("unexpected error for post list: %v", err)
}
})
}
func TestHandleRunCommand(t *testing.T) {
t.Run("help requested", func(t *testing.T) {
cfg := testutils.NewTestConfig()
err := handleRunCommand(cfg, []string{"--help"})
if err != nil {
t.Errorf("unexpected error for help: %v", err)
}
})
t.Run("unexpected arguments", func(t *testing.T) {
cfg := testutils.NewTestConfig()
err := handleRunCommand(cfg, []string{"extra", "args"})
if err == nil {
t.Error("expected error for unexpected arguments")
}
expectedErr := "unexpected arguments for run command"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
}
func TestRun(t *testing.T) {
t.Run("no arguments", func(t *testing.T) {
err := run([]string{})
if err != nil {
t.Logf("Expected error in test environment: %v", err)
}
})
t.Run("help flag", func(t *testing.T) {
err := run([]string{"--help"})
if err == nil {
t.Error("expected config loading error in test environment")
}
})
t.Run("invalid flag", func(t *testing.T) {
err := run([]string{"--invalid-flag"})
if err == nil {
t.Error("expected error for invalid flag")
}
})
}
func TestRunE2E_CommandParsing(t *testing.T) {
setupTestEnv(t)
t.Run("help command succeeds", func(t *testing.T) {
err := run([]string{"help"})
if err != nil {
t.Errorf("Expected help command to succeed, got error: %v", err)
}
})
t.Run("unknown command fails with error", func(t *testing.T) {
err := run([]string{"unknown-command"})
if err == nil {
t.Error("Expected error for unknown command")
}
if err != nil && !strings.Contains(err.Error(), "unknown command") {
t.Errorf("Expected error about unknown command, got: %v", err)
}
})
t.Run("migrate command parses correctly", func(t *testing.T) {
err := run([]string{"migrate", "up"})
if err != nil && strings.Contains(err.Error(), "unknown command") {
t.Errorf("Expected migrate command to be recognized, got parsing error: %v", err)
}
})
t.Run("post command parses correctly", func(t *testing.T) {
useInMemoryCommandsConnector(t)
err := run([]string{"post", "list"})
if err != nil && strings.Contains(err.Error(), "unknown command") {
t.Errorf("Expected post command to be recognized, got parsing error: %v", err)
}
})
}
func TestRunE2E_ConfigurationLoading(t *testing.T) {
t.Run("missing required env vars fails gracefully", func(t *testing.T) {
originalDBPwd := os.Getenv("DB_PASSWORD")
originalSMTPHost := os.Getenv("SMTP_HOST")
originalSMTPFrom := os.Getenv("SMTP_FROM")
originalAdminEmail := os.Getenv("ADMIN_EMAIL")
originalJWTSecret := os.Getenv("JWT_SECRET")
defer func() {
if originalDBPwd != "" {
_ = os.Setenv("DB_PASSWORD", originalDBPwd)
}
if originalSMTPHost != "" {
_ = os.Setenv("SMTP_HOST", originalSMTPHost)
}
if originalSMTPFrom != "" {
_ = os.Setenv("SMTP_FROM", originalSMTPFrom)
}
if originalAdminEmail != "" {
_ = os.Setenv("ADMIN_EMAIL", originalAdminEmail)
}
if originalJWTSecret != "" {
_ = os.Setenv("JWT_SECRET", originalJWTSecret)
}
}()
_ = os.Unsetenv("DB_PASSWORD")
_ = os.Unsetenv("SMTP_HOST")
_ = os.Unsetenv("SMTP_FROM")
_ = os.Unsetenv("ADMIN_EMAIL")
_ = os.Unsetenv("JWT_SECRET")
err := run([]string{"help"})
if err == nil {
t.Error("Expected error when required env vars are missing")
}
if err != nil && !strings.Contains(err.Error(), "configuration") && !strings.Contains(err.Error(), "config") {
t.Logf("Got error (may be expected): %v", err)
}
})
t.Run("valid configuration loads successfully", func(t *testing.T) {
setupTestEnv(t)
err := run([]string{"help"})
if err != nil {
t.Errorf("Expected help command to succeed with valid config, got: %v", err)
}
})
}
func TestRunE2E_ArgumentParsing(t *testing.T) {
setupTestEnv(t)
t.Run("root help flag", func(t *testing.T) {
err := run([]string{"--help"})
if err != nil && !strings.Contains(err.Error(), "flag") {
t.Logf("Got error (may be expected in test env): %v", err)
}
})
t.Run("command with help flag", func(t *testing.T) {
err := run([]string{"migrate", "--help"})
if err != nil && strings.Contains(err.Error(), "unknown command") {
t.Errorf("Expected migrate command to be recognized, got: %v", err)
}
})
t.Run("command with invalid arguments", func(t *testing.T) {
err := run([]string{"run", "extra", "args"})
if err == nil {
t.Error("Expected error for unexpected arguments")
}
if err != nil && !strings.Contains(err.Error(), "unexpected arguments") {
t.Errorf("Expected error about unexpected arguments, got: %v", err)
}
})
}
func setupTestEnv(t *testing.T) {
t.Helper()
t.Setenv("DB_PASSWORD", "test-password")
t.Setenv("SMTP_HOST", "smtp.example.com")
t.Setenv("SMTP_FROM", "test@example.com")
t.Setenv("ADMIN_EMAIL", "admin@example.com")
t.Setenv("JWT_SECRET", "test-jwt-secret-key-that-is-long-enough-for-validation-purposes")
tmpDir := os.TempDir()
t.Setenv("LOG_DIR", tmpDir)
t.Setenv("PID_DIR", tmpDir)
}
func useInMemoryCommandsConnector(t *testing.T) {
t.Helper()
commands.SetDBConnector(func(_ *config.Config) (*gorm.DB, func() error, error) {
db := testutils.NewTestDB(t)
sqlDB, err := db.DB()
if err != nil {
t.Fatalf("failed to access underlying sql.DB: %v", err)
}
cleanup := func() error {
return sqlDB.Close()
}
return db, cleanup, nil
})
t.Cleanup(func() {
commands.SetDBConnector(nil)
})
}

257
cmd/goyco/commands/audit_logger.go Normal file
View File

@@ -0,0 +1,257 @@
package commands
import (
"encoding/json"
"fmt"
"log"
"os"
"path/filepath"
"time"
)
type AuditLogger struct {
logFile string
logger *log.Logger
}
type AuditEvent struct {
Timestamp time.Time `json:"timestamp"`
Action string `json:"action"`
Resource string `json:"resource"`
ResourceID string `json:"resource_id,omitempty"`
Details string `json:"details,omitempty"`
User string `json:"user,omitempty"`
IPAddress string `json:"ip_address,omitempty"`
UserAgent string `json:"user_agent,omitempty"`
Success bool `json:"success"`
Error string `json:"error,omitempty"`
Changes map[string]any `json:"changes,omitempty"`
}
func NewAuditLogger(logDir string) (*AuditLogger, error) {
if logDir == "" {
logDir = "/var/log"
}
if err := os.MkdirAll(logDir, 0755); err != nil {
return nil, fmt.Errorf("create audit log directory: %w", err)
}
logFile := filepath.Join(logDir, "goyco-audit.log")
file, err := os.OpenFile(logFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644)
if err != nil {
return nil, fmt.Errorf("open audit log file: %w", err)
}
logger := log.New(file, "", 0)
return &AuditLogger{
logFile: logFile,
logger: logger,
}, nil
}
func (a *AuditLogger) LogEvent(event AuditEvent) {
if event.Timestamp.IsZero() {
event.Timestamp = time.Now()
}
jsonData, err := json.Marshal(event)
if err != nil {
a.logger.Printf("AUDIT: %s %s %s %s",
event.Timestamp.Format(time.RFC3339),
event.Action,
event.Resource,
event.Details)
return
}
a.logger.Printf("%s", string(jsonData))
}
func (a *AuditLogger) LogUserCreation(userID uint, username, email string, success bool, err error) {
event := AuditEvent{
Action: "user_create",
Resource: "user",
ResourceID: fmt.Sprintf("%d", userID),
Details: fmt.Sprintf("Created user: %s (%s)", username, email),
Success: success,
}
if err != nil {
event.Error = err.Error()
}
a.LogEvent(event)
}
func (a *AuditLogger) LogUserUpdate(userID uint, username string, changes map[string]any, success bool, err error) {
event := AuditEvent{
Action: "user_update",
Resource: "user",
ResourceID: fmt.Sprintf("%d", userID),
Details: fmt.Sprintf("Updated user: %s", username),
Changes: changes,
Success: success,
}
if err != nil {
event.Error = err.Error()
}
a.LogEvent(event)
}
func (a *AuditLogger) LogUserDeletion(userID uint, username string, deletePosts bool, success bool, err error) {
event := AuditEvent{
Action: "user_delete",
Resource: "user",
ResourceID: fmt.Sprintf("%d", userID),
Details: fmt.Sprintf("Deleted user: %s (delete_posts: %t)", username, deletePosts),
Success: success,
}
if err != nil {
event.Error = err.Error()
}
a.LogEvent(event)
}
func (a *AuditLogger) LogUserLock(userID uint, username string, locked bool, success bool, err error) {
action := "user_lock"
if !locked {
action = "user_unlock"
}
event := AuditEvent{
Action: action,
Resource: "user",
ResourceID: fmt.Sprintf("%d", userID),
Details: fmt.Sprintf("User %s: %s", username, action),
Success: success,
}
if err != nil {
event.Error = err.Error()
}
a.LogEvent(event)
}
func (a *AuditLogger) LogPostDeletion(postID uint, title string, success bool, err error) {
event := AuditEvent{
Action: "post_delete",
Resource: "post",
ResourceID: fmt.Sprintf("%d", postID),
Details: fmt.Sprintf("Deleted post: %s", title),
Success: success,
}
if err != nil {
event.Error = err.Error()
}
a.LogEvent(event)
}
func (a *AuditLogger) LogDataPruning(operation string, count int, success bool, err error) {
event := AuditEvent{
Action: "data_prune",
Resource: "data",
Details: fmt.Sprintf("Pruned %d records via %s", count, operation),
Success: success,
}
if err != nil {
event.Error = err.Error()
}
a.LogEvent(event)
}
func (a *AuditLogger) LogDatabaseMigration(operation string, success bool, err error) {
event := AuditEvent{
Action: "database_migrate",
Resource: "database",
Details: fmt.Sprintf("Database migration: %s", operation),
Success: success,
}
if err != nil {
event.Error = err.Error()
}
a.LogEvent(event)
}
func (a *AuditLogger) LogDatabaseSeeding(users, posts, votes int, success bool, err error) {
event := AuditEvent{
Action: "database_seed",
Resource: "database",
Details: fmt.Sprintf("Seeded database: %d users, %d posts, %d votes", users, posts, votes),
Success: success,
}
if err != nil {
event.Error = err.Error()
}
a.LogEvent(event)
}
func (a *AuditLogger) LogDaemonOperation(operation string, pid int, success bool, err error) {
event := AuditEvent{
Action: "daemon_" + operation,
Resource: "daemon",
Details: fmt.Sprintf("Daemon %s (PID: %d)", operation, pid),
Success: success,
}
if err != nil {
event.Error = err.Error()
}
a.LogEvent(event)
}
func (a *AuditLogger) LogSecurityEvent(eventType, details string, severity string) {
event := AuditEvent{
Action: "security_event",
Resource: "security",
Details: fmt.Sprintf("[%s] %s: %s", severity, eventType, details),
Success: true,
}
a.LogEvent(event)
}
func (a *AuditLogger) LogConfigurationChange(setting, oldValue, newValue string, success bool, err error) {
event := AuditEvent{
Action: "config_change",
Resource: "configuration",
Details: fmt.Sprintf("Changed %s from '%s' to '%s'", setting, oldValue, newValue),
Success: success,
}
if err != nil {
event.Error = err.Error()
}
a.LogEvent(event)
}
func (a *AuditLogger) GetLogFile() string {
return a.logFile
}
func (a *AuditLogger) Close() error {
a.LogEvent(AuditEvent{
Action: "audit_logger_close",
Resource: "audit",
Details: "Audit logger closed",
Success: true,
})
return nil
}

95
cmd/goyco/commands/common.go Normal file
View File

@@ -0,0 +1,95 @@
package commands
import (
"errors"
"flag"
"fmt"
"os"
"sync"
"gorm.io/gorm"
"goyco/internal/config"
"goyco/internal/database"
)
var ErrHelpRequested = errors.New("help requested")
type DBConnector func(cfg *config.Config) (*gorm.DB, func() error, error)
var (
dbConnectorMu sync.RWMutex
currentDBConnector = defaultDBConnector
)
func defaultDBConnector(cfg *config.Config) (*gorm.DB, func() error, error) {
db, err := database.Connect(cfg)
if err != nil {
return nil, nil, err
}
return db, func() error { return database.Close(db) }, nil
}
func SetDBConnector(connector DBConnector) {
dbConnectorMu.Lock()
defer dbConnectorMu.Unlock()
if connector == nil {
currentDBConnector = defaultDBConnector
return
}
currentDBConnector = connector
}
func getDBConnector() DBConnector {
dbConnectorMu.RLock()
defer dbConnectorMu.RUnlock()
return currentDBConnector
}
func newFlagSet(name string, usage func()) *flag.FlagSet {
fs := flag.NewFlagSet(name, flag.ContinueOnError)
fs.SetOutput(os.Stderr)
if usage != nil {
fs.Usage = usage
}
return fs
}
func parseCommand(fs *flag.FlagSet, args []string, context string) error {
if err := fs.Parse(args); err != nil {
if errors.Is(err, flag.ErrHelp) {
return ErrHelpRequested
}
return fmt.Errorf("failed to parse %s command: %w", context, err)
}
return nil
}
func withDatabase(cfg *config.Config, fn func(db *gorm.DB) error) error {
connector := getDBConnector()
db, cleanup, err := connector(cfg)
if err != nil {
return fmt.Errorf("connect to database: %w", err)
}
if cleanup != nil {
defer func() {
if err := cleanup(); err != nil {
fmt.Printf("Warning: closing database: %v\n", err)
}
}()
}
return fn(db)
}
func truncate(in string, max int) string {
if len(in) <= max {
return in
}
if max <= 3 {
return in[:max]
}
return in[:max-3] + "..."
}

219
cmd/goyco/commands/common_test.go Normal file
View File

@@ -0,0 +1,219 @@
package commands
import (
"errors"
"flag"
"os"
"testing"
"gorm.io/gorm"
"goyco/internal/config"
"goyco/internal/testutils"
)
func TestNewFlagSet(t *testing.T) {
tests := []struct {
name string
flagName string
usage func()
}{
{
name: "with usage function",
flagName: "test",
usage: func() { _, _ = os.Stderr.WriteString("test usage") },
},
{
name: "without usage function",
flagName: "test2",
usage: nil,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
fs := newFlagSet(tt.flagName, tt.usage)
if fs.Name() != tt.flagName {
t.Errorf("expected flag set name %q, got %q", tt.flagName, fs.Name())
}
if tt.usage != nil && fs.Usage == nil {
t.Error("expected usage function to be set")
}
})
}
}
func TestParseCommand(t *testing.T) {
tests := []struct {
name string
args []string
context string
expectError bool
expectHelp bool
}{
{
name: "valid arguments",
args: []string{"--help"},
context: "test",
expectError: true,
expectHelp: true,
},
{
name: "invalid flag",
args: []string{"--invalid-flag"},
context: "test",
expectError: true,
expectHelp: false,
},
{
name: "empty arguments",
args: []string{},
context: "test",
expectError: false,
expectHelp: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
fs := flag.NewFlagSet("test", flag.ContinueOnError)
fs.SetOutput(os.Stderr)
err := parseCommand(fs, tt.args, tt.context)
if tt.expectError && err == nil {
t.Error("expected error but got none")
}
if !tt.expectError && err != nil {
t.Errorf("unexpected error: %v", err)
}
if tt.expectHelp && !errors.Is(err, ErrHelpRequested) {
t.Error("expected help requested error")
}
})
}
}
func TestTruncate(t *testing.T) {
tests := []struct {
name string
input string
max int
expected string
}{
{
name: "string shorter than max",
input: "short",
max: 10,
expected: "short",
},
{
name: "string equal to max",
input: "exactly",
max: 7,
expected: "exactly",
},
{
name: "string longer than max",
input: "this is a very long string",
max: 10,
expected: "this is...",
},
{
name: "string longer than max with small max",
input: "hello",
max: 3,
expected: "hel",
},
{
name: "string longer than max with very small max",
input: "hello",
max: 1,
expected: "h",
},
{
name: "empty string",
input: "",
max: 5,
expected: "",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := truncate(tt.input, tt.max)
if result != tt.expected {
t.Errorf("expected %q, got %q", tt.expected, result)
}
})
}
}
func TestWithDatabase(t *testing.T) {
cfg := testutils.NewTestConfig()
t.Run("custom connector success", func(t *testing.T) {
setInMemoryDBConnector(t)
var called bool
err := withDatabase(cfg, func(db *gorm.DB) error {
called = true
if db == nil {
t.Fatal("expected non-nil database")
}
return nil
})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !called {
t.Fatal("expected database function to be called")
}
})
t.Run("default connector failure", func(t *testing.T) {
SetDBConnector(nil)
var called bool
err := withDatabase(cfg, func(db *gorm.DB) error {
called = true
return nil
})
if err == nil {
t.Error("expected database connection error in test environment")
}
if called {
t.Error("expected database function not to be called when connection fails")
}
})
}
func setInMemoryDBConnector(t *testing.T) {
t.Helper()
SetDBConnector(func(_ *config.Config) (*gorm.DB, func() error, error) {
db := testutils.NewTestDB(t)
sqlDB, err := db.DB()
if err != nil {
t.Fatalf("failed to access underlying sql.DB: %v", err)
}
cleanup := func() error {
return sqlDB.Close()
}
return db, cleanup, nil
})
t.Cleanup(func() {
SetDBConnector(nil)
})
}

348
cmd/goyco/commands/config_validator.go Normal file
View File

@@ -0,0 +1,348 @@
package commands
import (
"fmt"
"net"
"os"
"path/filepath"
"regexp"
"strconv"
"strings"
"goyco/internal/config"
)
type ConfigValidator struct {
auditLogger *AuditLogger
}
func NewConfigValidator(auditLogger *AuditLogger) *ConfigValidator {
return &ConfigValidator{
auditLogger: auditLogger,
}
}
func (v *ConfigValidator) ValidateConfiguration(cfg *config.Config) error {
var errors []string
if err := v.validateDatabaseConfig(cfg); err != nil {
errors = append(errors, fmt.Sprintf("Database: %v", err))
}
if err := v.validateSMTPConfig(cfg); err != nil {
errors = append(errors, fmt.Sprintf("SMTP: %v", err))
}
if err := v.validateServerConfig(cfg); err != nil {
errors = append(errors, fmt.Sprintf("Server: %v", err))
}
if err := v.validateSecurityConfig(cfg); err != nil {
errors = append(errors, fmt.Sprintf("Security: %v", err))
}
if err := v.validateFilePaths(cfg); err != nil {
errors = append(errors, fmt.Sprintf("File paths: %v", err))
}
if len(errors) > 0 {
return fmt.Errorf("configuration validation failed:\n- %s", strings.Join(errors, "\n- "))
}
if v.auditLogger != nil {
v.auditLogger.LogConfigurationChange("validation", "invalid", "valid", true, nil)
}
return nil
}
func (v *ConfigValidator) validateDatabaseConfig(cfg *config.Config) error {
if cfg.Database.Host == "" {
return fmt.Errorf("DB_HOST is required")
}
port, err := strconv.Atoi(cfg.Database.Port)
if err != nil {
return fmt.Errorf("DB_PORT must be a valid integer")
}
if port <= 0 || port > 65535 {
return fmt.Errorf("DB_PORT must be between 1 and 65535")
}
if cfg.Database.Name == "" {
return fmt.Errorf("DB_NAME is required")
}
if cfg.Database.User == "" {
return fmt.Errorf("DB_USER is required")
}
if cfg.Database.Password == "" {
return fmt.Errorf("DB_PASSWORD is required")
}
if !v.isValidHost(cfg.Database.Host) {
return fmt.Errorf("DB_HOST has invalid format")
}
return nil
}
func (v *ConfigValidator) validateSMTPConfig(cfg *config.Config) error {
if cfg.SMTP.Host == "" {
return fmt.Errorf("SMTP_HOST is required")
}
if cfg.SMTP.Port <= 0 || cfg.SMTP.Port > 65535 {
return fmt.Errorf("SMTP_PORT must be between 1 and 65535")
}
if cfg.SMTP.From == "" {
return fmt.Errorf("SMTP_FROM is required")
}
if !v.isValidEmail(cfg.SMTP.From) {
return fmt.Errorf("SMTP_FROM has invalid email format")
}
if cfg.App.AdminEmail == "" {
return fmt.Errorf("ADMIN_EMAIL is required")
}
if !v.isValidEmail(cfg.App.AdminEmail) {
return fmt.Errorf("ADMIN_EMAIL has invalid email format")
}
if !v.isValidHost(cfg.SMTP.Host) {
return fmt.Errorf("SMTP_HOST has invalid format")
}
return nil
}
func (v *ConfigValidator) validateServerConfig(cfg *config.Config) error {
serverPort, err := strconv.Atoi(cfg.Server.Port)
if err != nil {
return fmt.Errorf("SERVER_PORT must be a valid integer")
}
if serverPort <= 0 || serverPort > 65535 {
return fmt.Errorf("SERVER_PORT must be between 1 and 65535")
}
if cfg.App.BaseURL != "" {
if !v.isValidURL(cfg.App.BaseURL) {
return fmt.Errorf("BASE_URL has invalid format")
}
}
if cfg.Server.EnableTLS {
if cfg.Server.TLSCertFile == "" {
return fmt.Errorf("SERVER_TLS_CERT_FILE is required when TLS is enabled")
}
if cfg.Server.TLSKeyFile == "" {
return fmt.Errorf("SERVER_TLS_KEY_FILE is required when TLS is enabled")
}
}
return nil
}
func (v *ConfigValidator) validateSecurityConfig(cfg *config.Config) error {
if cfg.JWT.Secret == "" {
return fmt.Errorf("JWT_SECRET is required")
}
if len(cfg.JWT.Secret) < 32 {
return fmt.Errorf("JWT_SECRET must be at least 32 characters for security")
}
weakSecrets := []string{
"your-secret-key", "secret", "jwt-secret", "my-secret",
"change-me", "default-secret", "123456", "password",
"admin", "test", "development", "production", "staging",
}
lowerSecret := strings.ToLower(cfg.JWT.Secret)
for _, weak := range weakSecrets {
if lowerSecret == weak {
return fmt.Errorf("JWT_SECRET cannot be a common weak value: %s", weak)
}
}
return nil
}
func (v *ConfigValidator) validateFilePaths(cfg *config.Config) error {
if cfg.LogDir != "" {
if err := v.validateDirectory(cfg.LogDir, "LOG_DIR"); err != nil {
return err
}
}
if cfg.PIDDir != "" {
if err := v.validateDirectory(cfg.PIDDir, "PID_DIR"); err != nil {
return err
}
}
if cfg.Server.EnableTLS {
if err := v.validateFile(cfg.Server.TLSCertFile, "SERVER_TLS_CERT_FILE"); err != nil {
return err
}
if err := v.validateFile(cfg.Server.TLSKeyFile, "SERVER_TLS_KEY_FILE"); err != nil {
return err
}
}
return nil
}
func (v *ConfigValidator) validateDirectory(path, name string) error {
if _, err := os.Stat(path); os.IsNotExist(err) {
if err := os.MkdirAll(path, 0755); err != nil {
return fmt.Errorf("%s directory does not exist and cannot be created: %v", name, err)
}
}
if info, err := os.Stat(path); err == nil {
if !info.IsDir() {
return fmt.Errorf("%s path exists but is not a directory", name)
}
}
if err := v.checkWritePermission(path); err != nil {
return fmt.Errorf("%s directory is not writable: %v", name, err)
}
return nil
}
func (v *ConfigValidator) validateFile(path, name string) error {
if _, err := os.Stat(path); os.IsNotExist(err) {
return fmt.Errorf("%s file does not exist: %s", name, path)
}
if info, err := os.Stat(path); err == nil {
if info.IsDir() {
return fmt.Errorf("%s path exists but is a directory, not a file", name)
}
}
if err := v.checkReadPermission(path); err != nil {
return fmt.Errorf("%s file is not readable: %v", name, err)
}
return nil
}
func (v *ConfigValidator) checkWritePermission(path string) error {
testFile := filepath.Join(path, ".goyco_test_write")
file, err := os.Create(testFile)
if err != nil {
return err
}
_ = file.Close()
_ = os.Remove(testFile)
return nil
}
func (v *ConfigValidator) checkReadPermission(path string) error {
file, err := os.Open(path)
if err != nil {
return err
}
_ = file.Close()
return nil
}
func (v *ConfigValidator) isValidHost(host string) bool {
if net.ParseIP(host) != nil {
return true
}
if v.isValidHostname(host) {
return true
}
return false
}
func (v *ConfigValidator) isValidHostname(hostname string) bool {
if len(hostname) == 0 || len(hostname) > 253 {
return false
}
hostnameRegex := regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*$`)
return hostnameRegex.MatchString(hostname)
}
func (v *ConfigValidator) isValidEmail(email string) bool {
emailRegex := regexp.MustCompile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
return emailRegex.MatchString(email)
}
func (v *ConfigValidator) isValidURL(url string) bool {
urlRegex := regexp.MustCompile(`^https?://[a-zA-Z0-9.-]+(:[0-9]+)?(/.*)?$`)
return urlRegex.MatchString(url)
}
func (v *ConfigValidator) ValidateEnvironmentVariables() error {
requiredVars := []string{
"DB_HOST", "DB_PORT", "DB_NAME", "DB_USER", "DB_PASSWORD",
"SMTP_HOST", "SMTP_PORT", "SMTP_FROM", "ADMIN_EMAIL", "JWT_SECRET",
}
var missingVars []string
for _, varName := range requiredVars {
if os.Getenv(varName) == "" {
missingVars = append(missingVars, varName)
}
}
if len(missingVars) > 0 {
return fmt.Errorf("missing required environment variables: %s", strings.Join(missingVars, ", "))
}
return nil
}
func (v *ConfigValidator) ValidatePort(portStr, name string) (int, error) {
port, err := strconv.Atoi(portStr)
if err != nil {
return 0, fmt.Errorf("%s must be a valid integer", name)
}
if port <= 0 || port > 65535 {
return 0, fmt.Errorf("%s must be between 1 and 65535", name)
}
return port, nil
}
func (v *ConfigValidator) ValidateEmail(email, name string) error {
if email == "" {
return fmt.Errorf("%s is required", name)
}
if !v.isValidEmail(email) {
return fmt.Errorf("%s has invalid email format", name)
}
return nil
}
func (v *ConfigValidator) ValidatePassword(password, name string) error {
if password == "" {
return fmt.Errorf("%s is required", name)
}
if len(password) < 8 {
return fmt.Errorf("%s must be at least 8 characters", name)
}
if len(password) > 128 {
return fmt.Errorf("%s must be 128 characters or less", name)
}
return nil
}

1320
cmd/goyco/commands/config_validator_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

346
cmd/goyco/commands/daemon.go Normal file
View File

@@ -0,0 +1,346 @@
package commands
import (
"errors"
"fmt"
"log"
"os"
"os/signal"
"path/filepath"
"strconv"
"sync"
"syscall"
"time"
"goyco/internal/config"
)
func HandleStartCommand(cfg *config.Config, args []string) error {
fs := newFlagSet("start", printStartUsage)
if err := parseCommand(fs, args, "start"); err != nil {
if errors.Is(err, ErrHelpRequested) {
return nil
}
return err
}
if fs.NArg() > 0 {
printStartUsage()
return errors.New("unexpected arguments for start command")
}
return runDaemon(cfg)
}
func HandleStopCommand(cfg *config.Config, args []string) error {
fs := newFlagSet("stop", printStopUsage)
if err := parseCommand(fs, args, "stop"); err != nil {
if errors.Is(err, ErrHelpRequested) {
return nil
}
return err
}
if fs.NArg() > 0 {
printStopUsage()
return errors.New("unexpected arguments for stop command")
}
return stopDaemon(cfg)
}
func HandleStatusCommand(cfg *config.Config, name string, args []string) error {
fs := newFlagSet(name, printStatusUsage)
if err := parseCommand(fs, args, name); err != nil {
if errors.Is(err, ErrHelpRequested) {
return nil
}
return err
}
if fs.NArg() > 0 {
printStatusUsage()
return errors.New("unexpected arguments for status command")
}
return runStatusCommand(cfg)
}
func printStartUsage() {
fmt.Fprintln(os.Stderr, "Usage: goyco start")
fmt.Fprintln(os.Stderr, "\nStart the web application in background.")
}
func printStopUsage() {
fmt.Fprintln(os.Stderr, "Usage: goyco stop")
fmt.Fprintln(os.Stderr, "\nStop the running daemon.")
}
func printStatusUsage() {
fmt.Fprintln(os.Stderr, "Usage: goyco status")
fmt.Fprintln(os.Stderr, "\nCheck if the daemon is running.")
}
func runStatusCommand(cfg *config.Config) error {
pidDir := cfg.PIDDir
pidFile := filepath.Join(pidDir, "goyco.pid")
if !isDaemonRunning(pidFile) {
fmt.Println("Goyco is not running")
return nil
}
data, err := os.ReadFile(pidFile)
if err != nil {
fmt.Printf("Goyco is running (PID file exists but cannot be read: %v)\n", err)
return nil
}
pid, err := strconv.Atoi(string(data))
if err != nil {
fmt.Printf("Goyco is running (PID file exists but contains invalid PID: %v)\n", err)
return nil
}
fmt.Printf("Goyco is running (PID %d)\n", pid)
return nil
}
func stopDaemon(cfg *config.Config) error {
pidDir := cfg.PIDDir
pidFile := filepath.Join(pidDir, "goyco.pid")
if !isDaemonRunning(pidFile) {
return fmt.Errorf("daemon is not running")
}
data, err := os.ReadFile(pidFile)
if err != nil {
return fmt.Errorf("read PID file: %w", err)
}
pid, err := strconv.Atoi(string(data))
if err != nil {
return fmt.Errorf("parse PID: %w", err)
}
process, err := os.FindProcess(pid)
if err != nil {
return fmt.Errorf("find process: %w", err)
}
if err := process.Signal(syscall.SIGTERM); err != nil {
return fmt.Errorf("send SIGTERM: %w", err)
}
time.Sleep(2 * time.Second)
if isDaemonRunning(pidFile) {
if err := process.Signal(syscall.SIGKILL); err != nil {
return fmt.Errorf("send SIGKILL: %w", err)
}
}
_ = os.Remove(pidFile)
fmt.Printf("Goyco stopped (PID %d)\n", pid)
return nil
}
func runDaemon(cfg *config.Config) error {
logDir := cfg.LogDir
if logDir == "" {
logDir = "/var/log"
}
if err := os.MkdirAll(logDir, 0o755); err != nil {
return fmt.Errorf("create log directory: %w", err)
}
pidDir := cfg.PIDDir
if pidDir == "" {
pidDir = "/run"
}
if err := os.MkdirAll(pidDir, 0o755); err != nil {
return fmt.Errorf("create PID directory: %w", err)
}
pidFile := filepath.Join(pidDir, "goyco.pid")
logFile := filepath.Join(logDir, "goyco.log")
if isDaemonRunning(pidFile) {
return fmt.Errorf("daemon is already running (PID file exists: %s)", pidFile)
}
daemonizeFnMu.Lock()
fn := daemonizeFn
daemonizeFnMu.Unlock()
pid, err := fn()
if err != nil {
return fmt.Errorf("failed to daemonize: %w", err)
}
if pid > 0 {
if err := writePIDFile(pidFile, pid); err != nil {
return fmt.Errorf("cannot write PID file: %w", err)
}
fmt.Printf("Goyco started with PID %d\n", pid)
fmt.Printf("PID file: %s\n", pidFile)
fmt.Printf("Log file: %s\n", logFile)
return nil
}
return runDaemonProcess(cfg, logDir, pidFile)
}
func daemonizeImpl() (int, error) {
args := make([]string, len(os.Args))
copy(args, os.Args)
args = append(args, "--daemon")
pid, err := syscall.ForkExec(os.Args[0], args, &syscall.ProcAttr{
Files: []uintptr{0, 1, 2},
Env: os.Environ(),
})
if err != nil {
return 0, err
}
return pid, nil
}
func isDaemonRunning(pidFile string) bool {
if _, err := os.Stat(pidFile); os.IsNotExist(err) {
return false
}
data, err := os.ReadFile(pidFile)
if err != nil {
return false
}
pid, err := strconv.Atoi(string(data))
if err != nil {
return false
}
process, err := os.FindProcess(pid)
if err != nil {
return false
}
err = process.Signal(syscall.Signal(0))
return err == nil
}
func writePIDFile(pidFile string, pid int) error {
return os.WriteFile(pidFile, []byte(strconv.Itoa(pid)), 0o644)
}
func runDaemonProcess(cfg *config.Config, logDir, pidFile string) error {
daemonizeFnMu.Lock()
setupLogFn := setupLoggingFn
daemonizeFnMu.Unlock()
if err := setupLogFn(cfg, logDir); err != nil {
return fmt.Errorf("setup daemon logging: %w", err)
}
sigChan := make(chan os.Signal, 1)
signal.Notify(sigChan, syscall.SIGTERM, syscall.SIGINT)
serverErr := make(chan error, 1)
go func() {
serverErr <- runServer(cfg, true)
}()
select {
case sig := <-sigChan:
log.Printf("Received signal %v, shutting down gracefully...", sig)
if err := os.Remove(pidFile); err != nil {
log.Printf("Error removing PID file: %v", err)
}
return nil
case err := <-serverErr:
if removeErr := os.Remove(pidFile); removeErr != nil {
log.Printf("Error removing PID file: %v", removeErr)
}
return err
}
}
func setupDaemonLoggingImpl(cfg *config.Config, logDir string) error {
logFile := filepath.Join(logDir, "goyco.log")
logFileHandle, err := os.OpenFile(logFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o644)
if err != nil {
return fmt.Errorf("open log file: %w", err)
}
log.SetOutput(logFileHandle)
log.SetFlags(log.LstdFlags)
log.Printf("Starting goyco in daemon mode")
return nil
}
func SetupDaemonLogging(cfg *config.Config, logDir string) error {
daemonizeFnMu.Lock()
setupLogFn := setupLoggingFn
daemonizeFnMu.Unlock()
return setupLogFn(cfg, logDir)
}
var runServer func(cfg *config.Config, daemon bool) error
func SetRunServer(fn func(cfg *config.Config, daemon bool) error) {
runServer = fn
}
type daemonizeFunc func() (int, error)
var (
daemonizeFnMu sync.Mutex
daemonizeFn daemonizeFunc = daemonizeImpl
setupLoggingFn func(cfg *config.Config, logDir string) error = setupDaemonLoggingImpl
)
func SetDaemonize(fn daemonizeFunc) {
daemonizeFnMu.Lock()
defer daemonizeFnMu.Unlock()
if fn == nil {
daemonizeFn = daemonizeImpl
} else {
daemonizeFn = fn
}
}
func SetSetupDaemonLogging(fn func(cfg *config.Config, logDir string) error) {
daemonizeFnMu.Lock()
defer daemonizeFnMu.Unlock()
if fn == nil {
setupLoggingFn = setupDaemonLoggingImpl
} else {
setupLoggingFn = fn
}
}
func RunDaemonProcessDirect(_ []string) error {
cfg, err := config.Load()
if err != nil {
return fmt.Errorf("load configuration: %w", err)
}
logDir := cfg.LogDir
if logDir == "" {
return fmt.Errorf("LOG_DIR environment variable is required for daemon mode")
}
pidDir := cfg.PIDDir
if err := os.MkdirAll(pidDir, 0o755); err != nil {
return fmt.Errorf("create PID directory: %w", err)
}
pidFile := filepath.Join(pidDir, "goyco.pid")
return runDaemonProcess(cfg, logDir, pidFile)
}

306
cmd/goyco/commands/daemon_test.go Normal file
View File

@@ -0,0 +1,306 @@
package commands
import (
"os"
"path/filepath"
"strconv"
"strings"
"testing"
"goyco/internal/config"
"goyco/internal/testutils"
)
func TestHandleStartCommand(t *testing.T) {
cfg := testutils.NewTestConfig()
t.Run("help requested", func(t *testing.T) {
err := HandleStartCommand(cfg, []string{"--help"})
if err != nil {
t.Errorf("unexpected error for help: %v", err)
}
})
t.Run("unexpected arguments", func(t *testing.T) {
err := HandleStartCommand(cfg, []string{"extra", "args"})
if err == nil {
t.Error("expected error for unexpected arguments")
}
expectedErr := "unexpected arguments for start command"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
}
func TestHandleStopCommand(t *testing.T) {
cfg := testutils.NewTestConfig()
t.Run("help requested", func(t *testing.T) {
err := HandleStopCommand(cfg, []string{"--help"})
if err != nil {
t.Errorf("unexpected error for help: %v", err)
}
})
t.Run("unexpected arguments", func(t *testing.T) {
err := HandleStopCommand(cfg, []string{"extra", "args"})
if err == nil {
t.Error("expected error for unexpected arguments")
}
expectedErr := "unexpected arguments for stop command"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
}
func TestHandleStatusCommand(t *testing.T) {
cfg := testutils.NewTestConfig()
t.Run("help requested", func(t *testing.T) {
err := HandleStatusCommand(cfg, "status", []string{"--help"})
if err != nil {
t.Errorf("unexpected error for help: %v", err)
}
})
t.Run("unexpected arguments", func(t *testing.T) {
err := HandleStatusCommand(cfg, "status", []string{"extra", "args"})
if err == nil {
t.Error("expected error for unexpected arguments")
}
expectedErr := "unexpected arguments for status command"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
}
func TestRunStatusCommand(t *testing.T) {
cfg := testutils.NewTestConfig()
t.Run("daemon not running", func(t *testing.T) {
tempDir := t.TempDir()
cfg.PIDDir = tempDir
err := runStatusCommand(cfg)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("daemon running with valid PID", func(t *testing.T) {
tempDir := t.TempDir()
cfg.PIDDir = tempDir
pidFile := filepath.Join(tempDir, "goyco.pid")
currentPID := os.Getpid()
err := os.WriteFile(pidFile, []byte(strconv.Itoa(currentPID)), 0644)
if err != nil {
t.Fatalf("Failed to create PID file: %v", err)
}
err = runStatusCommand(cfg)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("daemon running with invalid PID file", func(t *testing.T) {
tempDir := t.TempDir()
cfg.PIDDir = tempDir
pidFile := filepath.Join(tempDir, "goyco.pid")
err := os.WriteFile(pidFile, []byte("invalid-pid"), 0644)
if err != nil {
t.Fatalf("Failed to create PID file: %v", err)
}
err = runStatusCommand(cfg)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
}
func TestIsDaemonRunning(t *testing.T) {
t.Run("PID file does not exist", func(t *testing.T) {
pidFile := "/non/existent/pid/file"
result := isDaemonRunning(pidFile)
if result {
t.Error("expected false for non-existent PID file")
}
})
t.Run("PID file exists but contains invalid PID", func(t *testing.T) {
tempDir := t.TempDir()
pidFile := filepath.Join(tempDir, "goyco.pid")
err := os.WriteFile(pidFile, []byte("invalid-pid"), 0644)
if err != nil {
t.Fatalf("Failed to create PID file: %v", err)
}
result := isDaemonRunning(pidFile)
if result {
t.Error("expected false for invalid PID")
}
})
t.Run("PID file exists with valid PID", func(t *testing.T) {
tempDir := t.TempDir()
pidFile := filepath.Join(tempDir, "goyco.pid")
currentPID := os.Getpid()
err := os.WriteFile(pidFile, []byte(strconv.Itoa(currentPID)), 0644)
if err != nil {
t.Fatalf("Failed to create PID file: %v", err)
}
result := isDaemonRunning(pidFile)
if !result {
t.Error("expected true for valid PID")
}
})
}
func TestWritePIDFile(t *testing.T) {
t.Run("successful write", func(t *testing.T) {
tempDir := t.TempDir()
pidFile := filepath.Join(tempDir, "goyco.pid")
pid := 12345
err := writePIDFile(pidFile, pid)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
content, err := os.ReadFile(pidFile)
if err != nil {
t.Fatalf("Failed to read PID file: %v", err)
}
expectedContent := strconv.Itoa(pid)
if string(content) != expectedContent {
t.Errorf("expected PID file content %q, got %q", expectedContent, string(content))
}
})
t.Run("write to non-existent directory", func(t *testing.T) {
pidFile := "/non/existent/directory/goyco.pid"
pid := 12345
err := writePIDFile(pidFile, pid)
if err == nil {
t.Error("expected error for non-existent directory")
}
})
}
func TestSetupDaemonLogging(t *testing.T) {
cfg := testutils.NewTestConfig()
tempDir := t.TempDir()
t.Run("successful setup", func(t *testing.T) {
err := SetupDaemonLogging(cfg, tempDir)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
logFile := filepath.Join(tempDir, "goyco.log")
if _, err := os.Stat(logFile); os.IsNotExist(err) {
t.Error("expected log file to be created")
}
})
t.Run("setup with non-existent directory", func(t *testing.T) {
nonExistentDir := "/non/existent/directory"
err := SetupDaemonLogging(cfg, nonExistentDir)
if err == nil {
t.Error("expected error for non-existent directory")
}
})
}
func TestRunDaemonProcessDirect(t *testing.T) {
SetRunServer(func(_ *config.Config, _ bool) error {
return nil
})
defer SetRunServer(nil)
SetDaemonize(func() (int, error) {
return 999, nil
})
defer SetDaemonize(nil)
SetSetupDaemonLogging(func(_ *config.Config, _ string) error {
return nil
})
defer SetSetupDaemonLogging(nil)
t.Run("missing DB_PASSWORD", func(t *testing.T) {
t.Setenv("DB_PASSWORD", "")
t.Setenv("SMTP_HOST", "")
t.Setenv("SMTP_FROM", "")
t.Setenv("ADMIN_EMAIL", "")
t.Setenv("LOG_DIR", "/tmp/test-logs")
err := RunDaemonProcessDirect([]string{})
if err == nil {
t.Error("expected error for missing DB_PASSWORD")
}
expectedErr := "load configuration: DB_PASSWORD is required"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("empty LOG_DIR returns error", func(t *testing.T) {
t.Setenv("DB_PASSWORD", "test-password")
t.Setenv("SMTP_HOST", "smtp.example.com")
t.Setenv("SMTP_FROM", "test@example.com")
t.Setenv("ADMIN_EMAIL", "admin@example.com")
t.Setenv("JWT_SECRET", "this-is-a-very-secure-jwt-secret-key-that-is-long-enough")
t.Setenv("LOG_DIR", "")
err := RunDaemonProcessDirect([]string{})
if err == nil {
t.Skip("LOG_DIR empty doesn't return error (may be handled by config defaults)")
return
}
errMsg := err.Error()
if !strings.Contains(errMsg, "LOG_DIR environment variable is required") &&
!strings.Contains(errMsg, "permission denied") &&
!strings.Contains(errMsg, "setup daemon logging") {
t.Logf("Got error (may be acceptable): %q", errMsg)
}
})
}

44
cmd/goyco/commands/migrate.go Normal file
View File

@@ -0,0 +1,44 @@
package commands
import (
"errors"
"fmt"
"os"
"gorm.io/gorm"
"goyco/internal/config"
"goyco/internal/database"
)
func HandleMigrateCommand(cfg *config.Config, name string, args []string) error {
fs := newFlagSet(name, printMigrateUsage)
if err := parseCommand(fs, args, name); err != nil {
if errors.Is(err, ErrHelpRequested) {
return nil
}
return err
}
if fs.NArg() > 0 {
printMigrateUsage()
return errors.New("unexpected arguments for migrate command")
}
return withDatabase(cfg, func(db *gorm.DB) error {
return runMigrateCommand(db)
})
}
func runMigrateCommand(db *gorm.DB) error {
fmt.Println("Running database migrations...")
if err := database.Migrate(db); err != nil {
return fmt.Errorf("run migrations: %w", err)
}
fmt.Println("Migrations applied successfully")
return nil
}
func printMigrateUsage() {
fmt.Fprintln(os.Stderr, "Usage: goyco migrate")
fmt.Fprintln(os.Stderr, "\nApply database migrations.")
}

42
cmd/goyco/commands/migrate_test.go Normal file
View File

@@ -0,0 +1,42 @@
package commands
import (
"testing"
"goyco/internal/testutils"
)
func TestHandleMigrateCommand(t *testing.T) {
cfg := testutils.NewTestConfig()
t.Run("help requested", func(t *testing.T) {
err := HandleMigrateCommand(cfg, "migrate", []string{"--help"})
if err != nil {
t.Errorf("unexpected error for help: %v", err)
}
})
t.Run("unexpected arguments", func(t *testing.T) {
err := HandleMigrateCommand(cfg, "migrate", []string{"extra", "args"})
if err == nil {
t.Error("expected error for unexpected arguments")
}
if err.Error() != "unexpected arguments for migrate command" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("runs migrations", func(t *testing.T) {
cfg := testutils.NewTestConfig()
setInMemoryDBConnector(t)
err := HandleMigrateCommand(cfg, "migrate", []string{})
if err != nil {
t.Fatalf("unexpected error running migrations: %v", err)
}
})
}

434
cmd/goyco/commands/parallel_processor.go Normal file
View File

@@ -0,0 +1,434 @@
package commands
import (
"context"
"crypto/rand"
"fmt"
"math/big"
"runtime"
"sync"
"time"
"golang.org/x/crypto/bcrypt"
"goyco/internal/database"
"goyco/internal/repositories"
)
type ParallelProcessor struct {
maxWorkers int
timeout time.Duration
}
func NewParallelProcessor() *ParallelProcessor {
maxWorkers := max(min(runtime.NumCPU(), 8), 2)
return &ParallelProcessor{
maxWorkers: maxWorkers,
timeout: 30 * time.Second,
}
}
func (p *ParallelProcessor) CreateUsersInParallel(userRepo repositories.UserRepository, count int, progress *ProgressIndicator) ([]database.User, error) {
ctx, cancel := context.WithTimeout(context.Background(), p.timeout)
defer cancel()
results := make(chan userResult, count)
errors := make(chan error, count)
semaphore := make(chan struct{}, p.maxWorkers)
var wg sync.WaitGroup
for i := range count {
wg.Add(1)
go func(index int) {
defer wg.Done()
select {
case semaphore <- struct{}{}:
case <-ctx.Done():
errors <- ctx.Err()
return
}
defer func() { <-semaphore }()
user, err := p.createSingleUser(userRepo, index+1)
if err != nil {
errors <- fmt.Errorf("create user %d: %w", index+1, err)
return
}
results <- userResult{user: user, index: index}
}(i)
}
go func() {
wg.Wait()
close(results)
close(errors)
}()
users := make([]database.User, count)
completed := 0
for {
select {
case result, ok := <-results:
if !ok {
return users, nil
}
users[result.index] = result.user
completed++
if progress != nil {
progress.Update(completed)
}
case err := <-errors:
if err != nil {
return nil, err
}
case <-ctx.Done():
return nil, fmt.Errorf("timeout creating users: %w", ctx.Err())
}
}
}
func (p *ParallelProcessor) CreatePostsInParallel(postRepo repositories.PostRepository, authorID uint, count int, progress *ProgressIndicator) ([]database.Post, error) {
ctx, cancel := context.WithTimeout(context.Background(), p.timeout)
defer cancel()
results := make(chan postResult, count)
errors := make(chan error, count)
semaphore := make(chan struct{}, p.maxWorkers)
var wg sync.WaitGroup
for i := range count {
wg.Add(1)
go func(index int) {
defer wg.Done()
select {
case semaphore <- struct{}{}:
case <-ctx.Done():
errors <- ctx.Err()
return
}
defer func() { <-semaphore }()
post, err := p.createSinglePost(postRepo, authorID, index+1)
if err != nil {
errors <- fmt.Errorf("create post %d: %w", index+1, err)
return
}
results <- postResult{post: post, index: index}
}(i)
}
go func() {
wg.Wait()
close(results)
close(errors)
}()
posts := make([]database.Post, count)
completed := 0
for {
select {
case result, ok := <-results:
if !ok {
return posts, nil
}
posts[result.index] = result.post
completed++
if progress != nil {
progress.Update(completed)
}
case err := <-errors:
if err != nil {
return nil, err
}
case <-ctx.Done():
return nil, fmt.Errorf("timeout creating posts: %w", ctx.Err())
}
}
}
func (p *ParallelProcessor) CreateVotesInParallel(voteRepo repositories.VoteRepository, users []database.User, posts []database.Post, avgVotesPerPost int, progress *ProgressIndicator) (int, error) {
ctx, cancel := context.WithTimeout(context.Background(), p.timeout)
defer cancel()
results := make(chan voteResult, len(posts))
errors := make(chan error, len(posts))
semaphore := make(chan struct{}, p.maxWorkers)
var wg sync.WaitGroup
for i, post := range posts {
wg.Add(1)
go func(index int, post database.Post) {
defer wg.Done()
select {
case semaphore <- struct{}{}:
case <-ctx.Done():
errors <- ctx.Err()
return
}
defer func() { <-semaphore }()
votes, err := p.createVotesForPost(voteRepo, users, post, avgVotesPerPost)
if err != nil {
errors <- fmt.Errorf("create votes for post %d: %w", post.ID, err)
return
}
results <- voteResult{votes: votes, index: index}
}(i, post)
}
go func() {
wg.Wait()
close(results)
close(errors)
}()
totalVotes := 0
completed := 0
for {
select {
case result, ok := <-results:
if !ok {
return totalVotes, nil
}
totalVotes += result.votes
completed++
if progress != nil {
progress.Update(completed)
}
case err := <-errors:
if err != nil {
return 0, err
}
case <-ctx.Done():
return 0, fmt.Errorf("timeout creating votes: %w", ctx.Err())
}
}
}
func (p *ParallelProcessor) UpdatePostScoresInParallel(postRepo repositories.PostRepository, voteRepo repositories.VoteRepository, posts []database.Post, progress *ProgressIndicator) error {
ctx, cancel := context.WithTimeout(context.Background(), p.timeout)
defer cancel()
errors := make(chan error, len(posts))
semaphore := make(chan struct{}, p.maxWorkers)
var wg sync.WaitGroup
for i, post := range posts {
wg.Add(1)
go func(index int, post database.Post) {
defer wg.Done()
select {
case semaphore <- struct{}{}:
case <-ctx.Done():
errors <- ctx.Err()
return
}
defer func() { <-semaphore }()
err := p.updateSinglePostScore(postRepo, voteRepo, post)
if err != nil {
errors <- fmt.Errorf("update post %d scores: %w", post.ID, err)
return
}
if progress != nil {
progress.Update(index + 1)
}
}(i, post)
}
go func() {
wg.Wait()
close(errors)
}()
for err := range errors {
if err != nil {
return err
}
}
return nil
}
type userResult struct {
user database.User
index int
}
type postResult struct {
post database.Post
index int
}
type voteResult struct {
votes int
index int
}
func (p *ParallelProcessor) createSingleUser(userRepo repositories.UserRepository, index int) (database.User, error) {
username := fmt.Sprintf("user_%d", index)
email := fmt.Sprintf("user_%d@goyco.local", index)
password := "password123"
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
return database.User{}, fmt.Errorf("hash password: %w", err)
}
user := &database.User{
Username: username,
Email: email,
Password: string(hashedPassword),
EmailVerified: true,
}
if err := userRepo.Create(user); err != nil {
return database.User{}, fmt.Errorf("create user: %w", err)
}
return *user, nil
}
func (p *ParallelProcessor) createSinglePost(postRepo repositories.PostRepository, authorID uint, index int) (database.Post, error) {
sampleTitles := []string{
"Amazing JavaScript Framework",
"Python Best Practices",
"Go Performance Tips",
"Database Optimization",
"Web Security Guide",
"Machine Learning Basics",
"Cloud Architecture",
"DevOps Automation",
"API Design Patterns",
"Frontend Optimization",
"Backend Scaling",
"Container Orchestration",
"Microservices Architecture",
"Testing Strategies",
"Code Review Process",
"Version Control Best Practices",
"Continuous Integration",
"Monitoring and Alerting",
"Error Handling Patterns",
"Data Structures Explained",
}
sampleDomains := []string{
"example.com",
"techblog.org",
"devguide.net",
"programming.io",
"codeexamples.com",
"tutorialhub.org",
"bestpractices.dev",
"learnprogramming.net",
"codingtips.org",
"softwareengineering.com",
}
title := sampleTitles[index%len(sampleTitles)]
if index >= len(sampleTitles) {
title = fmt.Sprintf("%s - Part %d", title, (index/len(sampleTitles))+1)
}
domain := sampleDomains[index%len(sampleDomains)]
path := generateRandomPath()
url := fmt.Sprintf("https://%s%s", domain, path)
content := fmt.Sprintf("Autogenerated seed post #%d\n\nThis is sample content for testing purposes. The post discusses %s and provides valuable insights.", index, title)
post := &database.Post{
Title: title,
URL: url,
Content: content,
AuthorID: &authorID,
UpVotes: 0,
DownVotes: 0,
Score: 0,
}
if err := postRepo.Create(post); err != nil {
return database.Post{}, fmt.Errorf("create post: %w", err)
}
return *post, nil
}
func (p *ParallelProcessor) createVotesForPost(voteRepo repositories.VoteRepository, users []database.User, post database.Post, avgVotesPerPost int) (int, error) {
voteCount, _ := rand.Int(rand.Reader, big.NewInt(int64(avgVotesPerPost*2)+1))
numVotes := int(voteCount.Int64())
if numVotes == 0 && avgVotesPerPost > 0 {
chance, _ := rand.Int(rand.Reader, big.NewInt(5))
if chance.Int64() > 0 {
numVotes = 1
}
}
totalVotes := 0
usedUsers := make(map[uint]bool)
for i := 0; i < numVotes && len(usedUsers) < len(users); i++ {
userIdx, _ := rand.Int(rand.Reader, big.NewInt(int64(len(users))))
user := users[userIdx.Int64()]
if usedUsers[user.ID] {
continue
}
usedUsers[user.ID] = true
voteTypeInt, _ := rand.Int(rand.Reader, big.NewInt(10))
var voteType database.VoteType
if voteTypeInt.Int64() < 7 {
voteType = database.VoteUp
} else {
voteType = database.VoteDown
}
vote := &database.Vote{
UserID: &user.ID,
PostID: post.ID,
Type: voteType,
}
if err := voteRepo.Create(vote); err != nil {
return totalVotes, fmt.Errorf("create vote: %w", err)
}
totalVotes++
}
return totalVotes, nil
}
func (p *ParallelProcessor) updateSinglePostScore(postRepo repositories.PostRepository, voteRepo repositories.VoteRepository, post database.Post) error {
upVotes, downVotes, err := getVoteCounts(voteRepo, post.ID)
if err != nil {
return fmt.Errorf("get vote counts: %w", err)
}
post.UpVotes = upVotes
post.DownVotes = downVotes
post.Score = upVotes - downVotes
if err := postRepo.Update(&post); err != nil {
return fmt.Errorf("update post: %w", err)
}
return nil
}

130
cmd/goyco/commands/parallel_processor_test.go Normal file
View File

@@ -0,0 +1,130 @@
package commands_test
import (
"errors"
"fmt"
"sync"
"testing"
"golang.org/x/crypto/bcrypt"
"goyco/cmd/goyco/commands"
"goyco/internal/database"
"goyco/internal/repositories"
"goyco/internal/testutils"
)
func TestParallelProcessor_CreateUsersInParallel(t *testing.T) {
const successCount = 4
tests := []struct {
name string
count int
repoFactory func() repositories.UserRepository
progress *commands.ProgressIndicator
validate func(t *testing.T, got []database.User)
wantErr bool
}{
{
name: "creates users with deterministic fields",
count: successCount,
repoFactory: func() repositories.UserRepository {
base := testutils.NewMockUserRepository()
return newFakeUserRepo(base, 0, nil)
},
progress: nil,
validate: func(t *testing.T, got []database.User) {
t.Helper()
if len(got) != successCount {
t.Fatalf("expected %d users, got %d", successCount, len(got))
}
for i, user := range got {
expectedUsername := fmt.Sprintf("user_%d", i+1)
expectedEmail := fmt.Sprintf("user_%d@goyco.local", i+1)
if user.Username != expectedUsername {
t.Errorf("user %d username mismatch: got %q want %q", i, user.Username, expectedUsername)
}
if user.Email != expectedEmail {
t.Errorf("user %d email mismatch: got %q want %q", i, user.Email, expectedEmail)
}
if !user.EmailVerified {
t.Errorf("user %d expected EmailVerified to be true", i)
}
if user.ID == 0 {
t.Errorf("user %d expected non-zero ID", i)
}
if user.Password == "" {
t.Errorf("user %d expected hashed password to be populated", i)
}
if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte("password123")); err != nil {
t.Errorf("user %d password not hashed correctly: %v", i, err)
}
if user.CreatedAt.IsZero() {
t.Errorf("user %d expected CreatedAt to be set", i)
}
if user.UpdatedAt.IsZero() {
t.Errorf("user %d expected UpdatedAt to be set", i)
}
}
},
},
{
name: "returns error when repository create fails",
count: 3,
repoFactory: func() repositories.UserRepository {
base := testutils.NewMockUserRepository()
return newFakeUserRepo(base, 1, errors.New("create failure"))
},
progress: nil,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
repo := tt.repoFactory()
p := commands.NewParallelProcessor()
got, gotErr := p.CreateUsersInParallel(repo, tt.count, tt.progress)
if gotErr != nil {
if !tt.wantErr {
t.Errorf("CreateUsersInParallel() failed: %v", gotErr)
}
if got != nil {
t.Error("expected nil result when error occurs")
}
return
}
if tt.wantErr {
t.Fatal("CreateUsersInParallel() succeeded unexpectedly")
}
if tt.validate != nil {
tt.validate(t, got)
}
})
}
}
type fakeUserRepo struct {
repositories.UserRepository
mu sync.Mutex
failAt int
err error
calls int
}
func newFakeUserRepo(base repositories.UserRepository, failAt int, err error) *fakeUserRepo {
return &fakeUserRepo{
UserRepository: base,
failAt: failAt,
err: err,
}
}
func (r *fakeUserRepo) Create(user *database.User) error {
r.mu.Lock()
defer r.mu.Unlock()
r.calls++
if r.failAt > 0 && r.calls >= r.failAt {
return r.err
}
return r.UserRepository.Create(user)
}

254
cmd/goyco/commands/post.go Normal file
View File

@@ -0,0 +1,254 @@
package commands
import (
"errors"
"flag"
"fmt"
"os"
"strconv"
"goyco/internal/config"
"goyco/internal/database"
"goyco/internal/repositories"
"goyco/internal/security"
"goyco/internal/services"
"gorm.io/gorm"
)
func HandlePostCommand(cfg *config.Config, name string, args []string) error {
fs := newFlagSet(name, printPostUsage)
if err := parseCommand(fs, args, name); err != nil {
if errors.Is(err, ErrHelpRequested) {
return nil
}
return err
}
return withDatabase(cfg, func(db *gorm.DB) error {
repo := repositories.NewPostRepository(db)
voteRepo := repositories.NewVoteRepository(db)
voteService := services.NewVoteService(voteRepo, repo, db)
postQueries := services.NewPostQueries(repo, voteService)
return runPostCommand(postQueries, repo, fs.Args())
})
}
func runPostCommand(postQueries *services.PostQueries, repo repositories.PostRepository, args []string) error {
if len(args) == 0 {
printPostUsage()
return errors.New("missing post subcommand")
}
switch args[0] {
case "delete":
return postDelete(repo, args[1:])
case "list":
return postList(postQueries, args[1:])
case "search":
return postSearch(postQueries, args[1:])
case "help", "-h", "--help":
printPostUsage()
return nil
default:
printPostUsage()
return fmt.Errorf("unknown post subcommand: %s", args[0])
}
}
func printPostUsage() {
fmt.Fprintln(os.Stderr, "Post subcommands:")
fmt.Fprintln(os.Stderr, " delete <id>")
fmt.Fprintln(os.Stderr, " list [--limit <n>] [--offset <n>] [--user-id <id>]")
fmt.Fprintln(os.Stderr, " search <term> [--limit <n>] [--offset <n>]")
}
func postDelete(repo repositories.PostRepository, args []string) error {
fs := flag.NewFlagSet("post delete", flag.ContinueOnError)
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
if fs.NArg() == 0 {
fs.Usage()
return errors.New("post ID is required")
}
idStr := fs.Arg(0)
id, err := strconv.ParseUint(idStr, 10, 32)
if err != nil {
return fmt.Errorf("invalid post ID: %s", idStr)
}
if id == 0 {
return errors.New("post ID must be greater than 0")
}
if err := repo.Delete(uint(id)); err != nil {
return fmt.Errorf("delete post: %w", err)
}
fmt.Printf("Post deleted: ID=%d\n", id)
return nil
}
func postList(postQueries *services.PostQueries, args []string) error {
fs := flag.NewFlagSet("post list", flag.ContinueOnError)
limit := fs.Int("limit", 0, "max number of posts to list")
offset := fs.Int("offset", 0, "number of posts to skip")
userID := fs.Uint("user-id", 0, "filter posts by author id")
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
opts := services.QueryOptions{
Limit: *limit,
Offset: *offset,
}
ctx := services.VoteContext{}
var (
posts []database.Post
err error
)
if *userID > 0 {
posts, err = postQueries.GetByUserID(*userID, opts, ctx)
} else {
posts, err = postQueries.GetAll(opts, ctx)
}
if err != nil {
return fmt.Errorf("list posts: %w", err)
}
if len(posts) == 0 {
fmt.Println("No posts found")
return nil
}
maxIDWidth := 2
maxTitleWidth := 5
maxAuthorIDWidth := 8
maxScoreWidth := 5
maxCreatedAtWidth := 10
for _, p := range posts {
authorID := uint(0)
if p.AuthorID != nil {
authorID = *p.AuthorID
}
if p.Author.ID != 0 {
authorID = p.Author.ID
}
truncatedTitle := truncate(p.Title, 40)
createdAtStr := p.CreatedAt.Format("2006-01-02 15:04:05")
if len(fmt.Sprintf("%d", p.ID)) > maxIDWidth {
maxIDWidth = len(fmt.Sprintf("%d", p.ID))
}
if len(truncatedTitle) > maxTitleWidth {
maxTitleWidth = len(truncatedTitle)
}
if len(fmt.Sprintf("%d", authorID)) > maxAuthorIDWidth {
maxAuthorIDWidth = len(fmt.Sprintf("%d", authorID))
}
if len(fmt.Sprintf("%d", p.Score)) > maxScoreWidth {
maxScoreWidth = len(fmt.Sprintf("%d", p.Score))
}
if len(createdAtStr) > maxCreatedAtWidth {
maxCreatedAtWidth = len(createdAtStr)
}
}
fmt.Printf("%-*s %-*s %-*s %-*s %s\n",
maxIDWidth, "ID",
maxTitleWidth, "Title",
maxAuthorIDWidth, "AuthorID",
maxScoreWidth, "Score",
"CreatedAt")
for _, p := range posts {
authorID := uint(0)
if p.AuthorID != nil {
authorID = *p.AuthorID
}
if p.Author.ID != 0 {
authorID = p.Author.ID
}
truncatedTitle := truncate(p.Title, 40)
createdAtStr := p.CreatedAt.Format("2006-01-02 15:04:05")
fmt.Printf("%-*d %-*s %-*d %-*d %s\n",
maxIDWidth, p.ID,
maxTitleWidth, truncatedTitle,
maxAuthorIDWidth, authorID,
maxScoreWidth, p.Score,
createdAtStr)
}
return nil
}
func postSearch(postQueries *services.PostQueries, args []string) error {
fs := flag.NewFlagSet("post search", flag.ContinueOnError)
limit := fs.Int("limit", 10, "max number of posts to return")
offset := fs.Int("offset", 0, "number of posts to skip")
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
if fs.NArg() == 0 {
fs.Usage()
return errors.New("search term is required")
}
if *limit < 0 {
return errors.New("limit must be non-negative")
}
if *offset < 0 {
return errors.New("offset must be non-negative")
}
sanitizer := security.NewInputSanitizer()
term := fs.Arg(0)
sanitizedTerm, err := sanitizer.SanitizeSearchTerm(term)
if err != nil {
return fmt.Errorf("search term validation: %w", err)
}
opts := services.QueryOptions{
Limit: *limit,
Offset: *offset,
}
ctx := services.VoteContext{}
posts, err := postQueries.GetSearch(sanitizedTerm, opts, ctx)
if err != nil {
return fmt.Errorf("search posts: %w", err)
}
if len(posts) == 0 {
fmt.Println("No posts found matching your search")
return nil
}
fmt.Printf("%-4s %-40s %-12s %-6s %-19s\n", "ID", "Title", "AuthorID", "Score", "CreatedAt")
for _, p := range posts {
authorID := uint(0)
if p.AuthorID != nil {
authorID = *p.AuthorID
}
if p.Author.ID != 0 {
authorID = p.Author.ID
}
fmt.Printf("%-4d %-40s %-12d %-6d %-19s\n", p.ID, truncate(p.Title, 40), authorID, p.Score, p.CreatedAt.Format("2006-01-02 15:04:05"))
}
return nil
}

567
cmd/goyco/commands/post_test.go Normal file
View File

@@ -0,0 +1,567 @@
package commands
import (
"errors"
"strings"
"testing"
"time"
"goyco/internal/database"
"goyco/internal/repositories"
"goyco/internal/services"
"goyco/internal/testutils"
"gorm.io/gorm"
)
func createPostQueries(repo repositories.PostRepository) *services.PostQueries {
voteRepo := testutils.NewMockVoteRepository()
voteService := services.NewVoteService(voteRepo, repo, nil)
return services.NewPostQueries(repo, voteService)
}
func TestHandlePostCommand(t *testing.T) {
cfg := testutils.NewTestConfig()
t.Run("help requested", func(t *testing.T) {
err := HandlePostCommand(cfg, "post", []string{"--help"})
if err != nil {
t.Errorf("unexpected error for help: %v", err)
}
})
}
func TestRunPostCommand(t *testing.T) {
mockRepo := testutils.NewMockPostRepository()
postQueries := createPostQueries(mockRepo)
t.Run("missing subcommand", func(t *testing.T) {
err := runPostCommand(postQueries, mockRepo, []string{})
if err == nil {
t.Error("expected error for missing subcommand")
}
if err.Error() != "missing post subcommand" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("unknown subcommand", func(t *testing.T) {
err := runPostCommand(postQueries, mockRepo, []string{"unknown"})
if err == nil {
t.Error("expected error for unknown subcommand")
}
expectedErr := "unknown post subcommand: unknown"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("help subcommand", func(t *testing.T) {
err := runPostCommand(postQueries, mockRepo, []string{"help"})
if err != nil {
t.Errorf("unexpected error for help: %v", err)
}
})
}
func TestPostDelete(t *testing.T) {
mockRepo := testutils.NewMockPostRepository()
testPost := &database.Post{
Title: "Test Post",
Content: "Test Content",
AuthorID: &[]uint{1}[0],
Score: 0,
}
_ = mockRepo.Create(testPost)
t.Run("successful delete", func(t *testing.T) {
err := postDelete(mockRepo, []string{"1"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("missing id", func(t *testing.T) {
err := postDelete(mockRepo, []string{})
if err == nil {
t.Error("expected error for missing id")
}
if err.Error() != "post ID is required" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("invalid id", func(t *testing.T) {
err := postDelete(mockRepo, []string{"0"})
if err == nil {
t.Error("expected error for invalid id")
}
if err.Error() != "post ID must be greater than 0" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("non-existent post", func(t *testing.T) {
err := postDelete(mockRepo, []string{"999"})
if err == nil {
t.Error("expected error for non-existent post")
}
if !errors.Is(err, gorm.ErrRecordNotFound) {
t.Errorf("expected record not found error, got: %v", err)
}
})
t.Run("repository error", func(t *testing.T) {
mockRepo.DeleteErr = errors.New("database error")
err := postDelete(mockRepo, []string{"1"})
if err == nil {
t.Error("expected error from repository")
}
expectedErr := "delete post: database error"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
}
func TestPostList(t *testing.T) {
mockRepo := testutils.NewMockPostRepository()
testPosts := []*database.Post{
{
Title: "First Post",
Content: "First Content",
AuthorID: &[]uint{1}[0],
Score: 10,
CreatedAt: time.Now().Add(-2 * time.Hour),
},
{
Title: "Second Post",
Content: "Second Content",
AuthorID: &[]uint{2}[0],
Score: 5,
CreatedAt: time.Now().Add(-1 * time.Hour),
},
}
for _, post := range testPosts {
_ = mockRepo.Create(post)
}
postQueries := createPostQueries(mockRepo)
t.Run("list all posts", func(t *testing.T) {
err := postList(postQueries, []string{})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("list with limit", func(t *testing.T) {
err := postList(postQueries, []string{"--limit", "1"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("list with offset", func(t *testing.T) {
err := postList(postQueries, []string{"--offset", "1"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("list with user filter", func(t *testing.T) {
err := postList(postQueries, []string{"--user-id", "1"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("list with all filters", func(t *testing.T) {
err := postList(postQueries, []string{"--limit", "1", "--offset", "0", "--user-id", "1"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("empty result", func(t *testing.T) {
emptyRepo := testutils.NewMockPostRepository()
emptyPostQueries := createPostQueries(emptyRepo)
err := postList(emptyPostQueries, []string{})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("repository error", func(t *testing.T) {
mockRepo.GetErr = errors.New("database error")
err := postList(postQueries, []string{})
if err == nil {
t.Error("expected error from repository")
}
expectedErr := "list posts: database error"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
}
func TestPostSearch(t *testing.T) {
mockRepo := testutils.NewMockPostRepository()
postQueries := createPostQueries(mockRepo)
testPosts := []*database.Post{
{
Title: "Golang Tutorial",
Content: "Learn Go programming language",
AuthorID: &[]uint{1}[0],
Score: 10,
CreatedAt: time.Now().Add(-2 * time.Hour),
},
{
Title: "Python Guide",
Content: "Learn Python programming",
AuthorID: &[]uint{2}[0],
Score: 5,
CreatedAt: time.Now().Add(-1 * time.Hour),
},
{
Title: "Go Best Practices",
Content: "Advanced Go techniques and patterns",
AuthorID: &[]uint{1}[0],
Score: 15,
CreatedAt: time.Now().Add(-30 * time.Minute),
},
}
for _, post := range testPosts {
_ = mockRepo.Create(post)
}
t.Run("search with results", func(t *testing.T) {
err := postSearch(postQueries, []string{"Go"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("case insensitive search", func(t *testing.T) {
mockRepo.SearchCalls = nil
err := postSearch(postQueries, []string{"golang"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if len(mockRepo.SearchCalls) != 1 {
t.Errorf("expected 1 search call, got %d", len(mockRepo.SearchCalls))
} else {
call := mockRepo.SearchCalls[0]
if call.Query != "golang" {
t.Errorf("expected query 'golang', got %q", call.Query)
}
}
})
t.Run("search with no results", func(t *testing.T) {
err := postSearch(postQueries, []string{"nonexistent"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("search with limit", func(t *testing.T) {
mockRepo.SearchCalls = nil
err := postSearch(postQueries, []string{"--limit", "1", "Go"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if len(mockRepo.SearchCalls) != 1 {
t.Errorf("expected 1 search call, got %d", len(mockRepo.SearchCalls))
} else {
call := mockRepo.SearchCalls[0]
if call.Query != "Go" {
t.Errorf("expected query 'Go', got %q", call.Query)
}
if call.Limit != 1 {
t.Errorf("expected limit 1, got %d", call.Limit)
}
if call.Offset != 0 {
t.Errorf("expected offset 0, got %d", call.Offset)
}
}
})
t.Run("search with offset", func(t *testing.T) {
mockRepo.SearchCalls = nil
err := postSearch(postQueries, []string{"--offset", "1", "Go"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if len(mockRepo.SearchCalls) != 1 {
t.Errorf("expected 1 search call, got %d", len(mockRepo.SearchCalls))
} else {
call := mockRepo.SearchCalls[0]
if call.Query != "Go" {
t.Errorf("expected query 'Go', got %q", call.Query)
}
if call.Limit != 10 {
t.Errorf("expected limit 10, got %d", call.Limit)
}
if call.Offset != 1 {
t.Errorf("expected offset 1, got %d", call.Offset)
}
}
})
t.Run("search with limit and offset", func(t *testing.T) {
mockRepo.SearchCalls = nil
err := postSearch(postQueries, []string{"--limit", "1", "--offset", "1", "Go"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if len(mockRepo.SearchCalls) != 1 {
t.Errorf("expected 1 search call, got %d", len(mockRepo.SearchCalls))
} else {
call := mockRepo.SearchCalls[0]
if call.Query != "Go" {
t.Errorf("expected query 'Go', got %q", call.Query)
}
if call.Limit != 1 {
t.Errorf("expected limit 1, got %d", call.Limit)
}
if call.Offset != 1 {
t.Errorf("expected offset 1, got %d", call.Offset)
}
}
})
t.Run("missing search term", func(t *testing.T) {
err := postSearch(postQueries, []string{})
if err == nil {
t.Error("expected error for missing search term")
}
expectedErr := "search term is required"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("invalid limit flag", func(t *testing.T) {
err := postSearch(postQueries, []string{"--limit", "invalid", "Go"})
if err == nil {
t.Error("expected error for invalid limit")
}
})
t.Run("invalid offset flag", func(t *testing.T) {
err := postSearch(postQueries, []string{"--offset", "invalid", "Go"})
if err == nil {
t.Error("expected error for invalid offset")
}
})
t.Run("negative limit", func(t *testing.T) {
err := postSearch(postQueries, []string{"--limit", "-1", "Go"})
if err == nil {
t.Error("expected error for negative limit")
}
expectedErr := "limit must be non-negative"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("negative offset", func(t *testing.T) {
err := postSearch(postQueries, []string{"--offset", "-1", "Go"})
if err == nil {
t.Error("expected error for negative offset")
}
expectedErr := "offset must be non-negative"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("repository error", func(t *testing.T) {
mockRepo.SearchErr = errors.New("database error")
err := postSearch(postQueries, []string{"Go"})
if err == nil {
t.Error("expected error from repository")
}
expectedErr := "search posts: database error"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("unknown flag", func(t *testing.T) {
err := postSearch(postQueries, []string{"--unknown-flag", "Go"})
if err == nil {
t.Error("expected error for unknown flag")
}
})
t.Run("missing limit value", func(t *testing.T) {
err := postSearch(postQueries, []string{"--limit"})
if err == nil {
t.Error("expected error for missing limit value")
}
})
t.Run("missing offset value", func(t *testing.T) {
err := postSearch(postQueries, []string{"--offset"})
if err == nil {
t.Error("expected error for missing offset value")
}
})
}
func TestPostListFlagParsing(t *testing.T) {
mockRepo := testutils.NewMockPostRepository()
postQueries := createPostQueries(mockRepo)
testPosts := []*database.Post{
{
Title: "First Post",
Content: "First Content",
AuthorID: &[]uint{1}[0],
Score: 10,
CreatedAt: time.Now().Add(-2 * time.Hour),
},
}
for _, post := range testPosts {
_ = mockRepo.Create(post)
}
t.Run("invalid limit type", func(t *testing.T) {
err := postList(postQueries, []string{"--limit", "abc"})
if err == nil {
t.Error("expected error for invalid limit type")
}
})
t.Run("invalid offset type", func(t *testing.T) {
err := postList(postQueries, []string{"--offset", "xyz"})
if err == nil {
t.Error("expected error for invalid offset type")
}
})
t.Run("invalid user-id type", func(t *testing.T) {
err := postList(postQueries, []string{"--user-id", "invalid"})
if err == nil {
t.Error("expected error for invalid user-id type")
}
})
t.Run("unknown flag", func(t *testing.T) {
err := postList(postQueries, []string{"--unknown-flag"})
if err == nil {
t.Error("expected error for unknown flag")
}
})
t.Run("missing limit value", func(t *testing.T) {
err := postList(postQueries, []string{"--limit"})
if err == nil {
t.Error("expected error for missing limit value")
}
})
t.Run("missing offset value", func(t *testing.T) {
err := postList(postQueries, []string{"--offset"})
if err == nil {
t.Error("expected error for missing offset value")
}
})
t.Run("missing user-id value", func(t *testing.T) {
err := postList(postQueries, []string{"--user-id"})
if err == nil {
t.Error("expected error for missing user-id value")
}
})
}
func TestPostDeleteFlagParsing(t *testing.T) {
mockRepo := testutils.NewMockPostRepository()
t.Run("invalid id type", func(t *testing.T) {
err := postDelete(mockRepo, []string{"abc"})
if err == nil {
t.Error("expected error for invalid id type")
}
if !strings.Contains(err.Error(), "invalid post ID") {
t.Errorf("expected invalid post ID error, got: %v", err)
}
})
t.Run("non-numeric id", func(t *testing.T) {
err := postDelete(mockRepo, []string{"not-a-number"})
if err == nil {
t.Error("expected error for non-numeric id")
}
})
}

321
cmd/goyco/commands/progress_indicator.go Normal file
View File

@@ -0,0 +1,321 @@
package commands
import (
"fmt"
"os"
"strings"
"sync"
"time"
)
type clock interface {
Now() time.Time
}
type realClock struct{}
func (c *realClock) Now() time.Time {
return time.Now()
}
type ProgressIndicator struct {
total int
current int
startTime time.Time
lastUpdate time.Time
description string
showETA bool
mu sync.Mutex
clock clock
}
func NewProgressIndicator(total int, description string) *ProgressIndicator {
return &ProgressIndicator{
total: total,
current: 0,
startTime: time.Now(),
lastUpdate: time.Now(),
description: description,
showETA: true,
clock: &realClock{},
}
}
func newProgressIndicatorWithClock(total int, description string, c clock) *ProgressIndicator {
now := c.Now()
return &ProgressIndicator{
total: total,
current: 0,
startTime: now,
lastUpdate: now,
description: description,
showETA: true,
clock: c,
}
}
func (p *ProgressIndicator) Update(current int) {
p.mu.Lock()
defer p.mu.Unlock()
p.current = current
now := p.clock.Now()
if now.Sub(p.lastUpdate) < 100*time.Millisecond {
return
}
p.lastUpdate = now
p.display()
}
func (p *ProgressIndicator) Increment() {
p.mu.Lock()
p.current++
current := p.current
now := p.clock.Now()
shouldUpdate := now.Sub(p.lastUpdate) >= 100*time.Millisecond
if shouldUpdate {
p.lastUpdate = now
}
p.mu.Unlock()
if shouldUpdate {
p.displayWithValue(current)
}
}
func (p *ProgressIndicator) SetDescription(description string) {
p.mu.Lock()
defer p.mu.Unlock()
p.description = description
}
func (p *ProgressIndicator) Current() int {
p.mu.Lock()
defer p.mu.Unlock()
return p.current
}
func (p *ProgressIndicator) Complete() {
p.mu.Lock()
p.current = p.total
p.mu.Unlock()
p.display()
fmt.Println()
}
func (p *ProgressIndicator) display() {
p.mu.Lock()
current := p.current
p.mu.Unlock()
p.displayWithValue(current)
}
func (p *ProgressIndicator) displayWithValue(current int) {
p.mu.Lock()
total := p.total
description := p.description
showETA := p.showETA
startTime := p.startTime
now := p.clock.Now()
p.mu.Unlock()
percentage := float64(current) / float64(total) * 100
barWidth := 50
filled := int(float64(barWidth) * percentage / 100)
bar := strings.Repeat("=", filled) + strings.Repeat("-", barWidth-filled)
var etaStr string
if showETA && current > 0 {
elapsed := now.Sub(startTime)
rate := float64(current) / elapsed.Seconds()
if rate > 0 {
remaining := float64(total-current) / rate
eta := time.Duration(remaining) * time.Second
etaStr = fmt.Sprintf(" ETA: %s", formatDuration(eta))
}
}
elapsed := now.Sub(startTime)
elapsedStr := formatDuration(elapsed)
fmt.Printf("\r%s [%s] %d/%d (%.1f%%) %s%s",
description, bar, current, total, percentage, elapsedStr, etaStr)
_ = os.Stdout.Sync()
}
func formatDuration(d time.Duration) string {
if d < time.Minute {
return fmt.Sprintf("%.0fs", d.Seconds())
} else if d < time.Hour {
return fmt.Sprintf("%.1fm", d.Minutes())
} else {
return fmt.Sprintf("%.1fh", d.Hours())
}
}
type SimpleProgressIndicator struct {
description string
startTime time.Time
current int
clock clock
}
func NewSimpleProgressIndicator(description string) *SimpleProgressIndicator {
now := time.Now()
return &SimpleProgressIndicator{
description: description,
startTime: now,
current: 0,
clock: &realClock{},
}
}
func newSimpleProgressIndicatorWithClock(description string, c clock) *SimpleProgressIndicator {
now := c.Now()
return &SimpleProgressIndicator{
description: description,
startTime: now,
current: 0,
clock: c,
}
}
func (s *SimpleProgressIndicator) Update(current int) {
s.current = current
elapsed := s.clock.Now().Sub(s.startTime)
fmt.Printf("\r%s: %d items processed in %s",
s.description, s.current, formatDuration(elapsed))
_ = os.Stdout.Sync()
}
func (s *SimpleProgressIndicator) Increment() {
s.Update(s.current + 1)
}
func (s *SimpleProgressIndicator) Complete() {
elapsed := s.clock.Now().Sub(s.startTime)
fmt.Printf("\r%s: Completed %d items in %s\n",
s.description, s.current, formatDuration(elapsed))
}
type Spinner struct {
chars []string
index int
message string
startTime time.Time
}
func NewSpinner(message string) *Spinner {
return &Spinner{
chars: []string{"|", "/", "-", "\\"},
index: 0,
message: message,
startTime: time.Now(),
}
}
func (s *Spinner) Spin() {
elapsed := time.Since(s.startTime)
fmt.Printf("\r%s %s (%s)", s.message, s.chars[s.index], formatDuration(elapsed))
s.index = (s.index + 1) % len(s.chars)
_ = os.Stdout.Sync()
}
func (s *Spinner) Complete() {
elapsed := time.Since(s.startTime)
fmt.Printf("\r%s âś“ (%s)\n", s.message, formatDuration(elapsed))
}
type ProgressTracker struct {
description string
startTime time.Time
current int
lastUpdate time.Time
}
func NewProgressTracker(description string) *ProgressTracker {
return &ProgressTracker{
description: description,
startTime: time.Now(),
current: 0,
lastUpdate: time.Now(),
}
}
func (pt *ProgressTracker) Update(current int) {
pt.current = current
now := time.Now()
if now.Sub(pt.lastUpdate) < 200*time.Millisecond {
return
}
pt.lastUpdate = now
elapsed := time.Since(pt.startTime)
rate := float64(current) / elapsed.Seconds()
fmt.Printf("\r%s: %d items processed (%.1f items/sec)",
pt.description, current, rate)
_ = os.Stdout.Sync()
}
func (pt *ProgressTracker) Increment() {
pt.Update(pt.current + 1)
}
func (pt *ProgressTracker) Complete() {
elapsed := time.Since(pt.startTime)
rate := float64(pt.current) / elapsed.Seconds()
fmt.Printf("\r%s: Completed %d items in %s (%.1f items/sec)\n",
pt.description, pt.current, formatDuration(elapsed), rate)
}
type BatchProgressIndicator struct {
totalBatches int
currentBatch int
batchSize int
description string
startTime time.Time
}
func NewBatchProgressIndicator(totalBatches, batchSize int, description string) *BatchProgressIndicator {
return &BatchProgressIndicator{
totalBatches: totalBatches,
currentBatch: 0,
batchSize: batchSize,
description: description,
startTime: time.Now(),
}
}
func (b *BatchProgressIndicator) UpdateBatch(currentBatch int) {
b.currentBatch = currentBatch
elapsed := time.Since(b.startTime)
var etaStr string
if currentBatch > 0 {
rate := float64(currentBatch) / elapsed.Seconds()
if rate > 0 {
remaining := float64(b.totalBatches-currentBatch) / rate
eta := time.Duration(remaining) * time.Second
etaStr = fmt.Sprintf(" ETA: %s", formatDuration(eta))
}
}
fmt.Printf("\r%s: Batch %d/%d (%d items) %s%s",
b.description, currentBatch, b.totalBatches, currentBatch*b.batchSize,
formatDuration(elapsed), etaStr)
_ = os.Stdout.Sync()
}
func (b *BatchProgressIndicator) Complete() {
elapsed := time.Since(b.startTime)
totalItems := b.totalBatches * b.batchSize
fmt.Printf("\r%s: Completed %d batches (%d items) in %s\n",
b.description, b.totalBatches, totalItems, formatDuration(elapsed))
}

557
cmd/goyco/commands/progress_indicator_test.go Normal file
View File

@@ -0,0 +1,557 @@
package commands
import (
"bytes"
"io"
"os"
"strings"
"sync"
"testing"
"time"
)
type mockClock struct {
mu sync.RWMutex
now time.Time
}
func newMockClock() *mockClock {
return &mockClock{
now: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
}
}
func (c *mockClock) Now() time.Time {
c.mu.RLock()
defer c.mu.RUnlock()
return c.now
}
func (c *mockClock) Advance(d time.Duration) {
c.mu.Lock()
defer c.mu.Unlock()
c.now = c.now.Add(d)
}
func (c *mockClock) Set(t time.Time) {
c.mu.Lock()
defer c.mu.Unlock()
c.now = t
}
func captureOutput(fn func()) string {
old := os.Stdout
r, w, _ := os.Pipe()
os.Stdout = w
defer func() {
_ = w.Close()
os.Stdout = old
}()
fn()
var buf bytes.Buffer
_, _ = io.Copy(&buf, r)
return buf.String()
}
func TestNewProgressIndicator(t *testing.T) {
tests := []struct {
name string
total int
description string
expected *ProgressIndicator
}{
{
name: "basic progress indicator",
total: 100,
description: "Test operation",
expected: &ProgressIndicator{
total: 100,
current: 0,
description: "Test operation",
showETA: true,
},
},
{
name: "zero total",
total: 0,
description: "Empty operation",
expected: &ProgressIndicator{
total: 0,
current: 0,
description: "Empty operation",
showETA: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
pi := NewProgressIndicator(tt.total, tt.description)
if pi.total != tt.expected.total {
t.Errorf("expected total %d, got %d", tt.expected.total, pi.total)
}
if pi.current != tt.expected.current {
t.Errorf("expected current %d, got %d", tt.expected.current, pi.current)
}
if pi.description != tt.expected.description {
t.Errorf("expected description %q, got %q", tt.expected.description, pi.description)
}
if pi.showETA != tt.expected.showETA {
t.Errorf("expected showETA %v, got %v", tt.expected.showETA, pi.showETA)
}
if pi.startTime.IsZero() {
t.Error("expected startTime to be set")
}
if pi.lastUpdate.IsZero() {
t.Error("expected lastUpdate to be set")
}
})
}
}
func TestProgressIndicator_Update(t *testing.T) {
clock := newMockClock()
pi := newProgressIndicatorWithClock(10, "Test", clock)
pi.Update(5)
if pi.current != 5 {
t.Errorf("expected current to be 5, got %d", pi.current)
}
originalLastUpdate := pi.lastUpdate
clock.Advance(50 * time.Millisecond)
pi.Update(6)
if pi.current != 6 {
t.Errorf("expected current to be 6, got %d", pi.current)
}
if !pi.lastUpdate.Equal(originalLastUpdate) {
t.Error("expected lastUpdate to remain unchanged due to throttling")
}
clock.Advance(150 * time.Millisecond)
lastUpdateBefore := pi.lastUpdate
pi.Update(7)
if pi.current != 7 {
t.Errorf("expected current to be 7, got %d", pi.current)
}
if pi.lastUpdate.Equal(lastUpdateBefore) {
t.Error("expected lastUpdate to be updated after throttling period")
}
}
func TestProgressIndicator_Increment(t *testing.T) {
pi := NewProgressIndicator(10, "Test")
originalCurrent := pi.current
pi.Increment()
if pi.current != originalCurrent+1 {
t.Errorf("expected current to be %d, got %d", originalCurrent+1, pi.current)
}
}
func TestProgressIndicator_SetDescription(t *testing.T) {
pi := NewProgressIndicator(10, "Original")
newDesc := "New description"
pi.SetDescription(newDesc)
if pi.description != newDesc {
t.Errorf("expected description %q, got %q", newDesc, pi.description)
}
}
func TestProgressIndicator_Complete(t *testing.T) {
pi := NewProgressIndicator(10, "Test")
pi.current = 5
output := captureOutput(func() {
pi.Complete()
})
if pi.current != pi.total {
t.Errorf("expected current to be %d, got %d", pi.total, pi.current)
}
if !strings.Contains(output, "Test") {
t.Error("expected output to contain description")
}
if !strings.Contains(output, "10/10") {
t.Error("expected output to contain final count")
}
if !strings.Contains(output, "100.0%") {
t.Error("expected output to contain 100%")
}
}
func TestProgressIndicator_display(t *testing.T) {
pi := NewProgressIndicator(10, "Test")
pi.current = 3
output := captureOutput(func() {
pi.display()
})
if !strings.Contains(output, "Test") {
t.Error("expected output to contain description")
}
if !strings.Contains(output, "3/10") {
t.Error("expected output to contain current/total")
}
if !strings.Contains(output, "30.0%") {
t.Error("expected output to contain percentage")
}
if !strings.Contains(output, "[") && !strings.Contains(output, "]") {
t.Error("expected output to contain progress bar")
}
}
func TestNewSimpleProgressIndicator(t *testing.T) {
clock := newMockClock()
spi := newSimpleProgressIndicatorWithClock("Test operation", clock)
if spi.description != "Test operation" {
t.Errorf("expected description %q, got %q", "Test operation", spi.description)
}
if spi.current != 0 {
t.Errorf("expected current 0, got %d", spi.current)
}
if spi.startTime.IsZero() {
t.Error("expected startTime to be set")
}
}
func TestSimpleProgressIndicator_Update(t *testing.T) {
clock := newMockClock()
spi := newSimpleProgressIndicatorWithClock("Test", clock)
clock.Advance(2 * time.Second)
output := captureOutput(func() {
spi.Update(5)
})
if spi.current != 5 {
t.Errorf("expected current 5, got %d", spi.current)
}
if !strings.Contains(output, "Test") {
t.Error("expected output to contain description")
}
if !strings.Contains(output, "5 items processed") {
t.Error("expected output to contain item count")
}
if !strings.Contains(output, "2s") {
t.Error("expected output to contain elapsed time (2s)")
}
}
func TestSimpleProgressIndicator_Increment(t *testing.T) {
clock := newMockClock()
spi := newSimpleProgressIndicatorWithClock("Test", clock)
originalCurrent := spi.current
spi.Increment()
if spi.current != originalCurrent+1 {
t.Errorf("expected current to be %d, got %d", originalCurrent+1, spi.current)
}
}
func TestSimpleProgressIndicator_Complete(t *testing.T) {
clock := newMockClock()
spi := newSimpleProgressIndicatorWithClock("Test", clock)
spi.current = 5
clock.Advance(5 * time.Second)
output := captureOutput(func() {
spi.Complete()
})
if !strings.Contains(output, "Test") {
t.Error("expected output to contain description")
}
if !strings.Contains(output, "Completed 5 items") {
t.Error("expected output to contain completion message")
}
if !strings.Contains(output, "5s") {
t.Error("expected output to contain elapsed time (5s)")
}
}
func TestNewSpinner(t *testing.T) {
spinner := NewSpinner("Loading")
if spinner.message != "Loading" {
t.Errorf("expected message %q, got %q", "Loading", spinner.message)
}
if spinner.index != 0 {
t.Errorf("expected index 0, got %d", spinner.index)
}
if len(spinner.chars) != 4 {
t.Errorf("expected 4 chars, got %d", len(spinner.chars))
}
if spinner.startTime.IsZero() {
t.Error("expected startTime to be set")
}
}
func TestSpinner_Spin(t *testing.T) {
spinner := NewSpinner("Loading")
originalIndex := spinner.index
output := captureOutput(func() {
spinner.Spin()
})
if spinner.index != (originalIndex+1)%len(spinner.chars) {
t.Errorf("expected index to increment, got %d", spinner.index)
}
if !strings.Contains(output, "Loading") {
t.Error("expected output to contain message")
}
if !strings.Contains(output, spinner.chars[originalIndex]) {
t.Error("expected output to contain current char")
}
}
func TestSpinner_Complete(t *testing.T) {
spinner := NewSpinner("Loading")
output := captureOutput(func() {
spinner.Complete()
})
if !strings.Contains(output, "Loading") {
t.Error("expected output to contain message")
}
if !strings.Contains(output, "âś“") {
t.Error("expected output to contain checkmark")
}
}
func TestNewProgressTracker(t *testing.T) {
pt := NewProgressTracker("Processing")
if pt.description != "Processing" {
t.Errorf("expected description %q, got %q", "Processing", pt.description)
}
if pt.current != 0 {
t.Errorf("expected current 0, got %d", pt.current)
}
if pt.startTime.IsZero() {
t.Error("expected startTime to be set")
}
if pt.lastUpdate.IsZero() {
t.Error("expected lastUpdate to be set")
}
}
func TestProgressTracker_Update(t *testing.T) {
pt := NewProgressTracker("Processing")
pt.Update(5)
if pt.current != 5 {
t.Errorf("expected current to be 5, got %d", pt.current)
}
originalLastUpdate := pt.lastUpdate
pt.Update(6)
if pt.current != 6 {
t.Errorf("expected current to be 6, got %d", pt.current)
}
if !pt.lastUpdate.Equal(originalLastUpdate) {
t.Error("expected lastUpdate to remain unchanged due to throttling")
}
time.Sleep(250 * time.Millisecond)
lastUpdateBefore := pt.lastUpdate
pt.Update(10)
if pt.current != 10 {
t.Errorf("expected current to be 10, got %d", pt.current)
}
if pt.lastUpdate.Equal(lastUpdateBefore) {
t.Error("expected lastUpdate to be updated after throttling period")
}
}
func TestProgressTracker_Increment(t *testing.T) {
pt := NewProgressTracker("Processing")
originalCurrent := pt.current
pt.Increment()
if pt.current != originalCurrent+1 {
t.Errorf("expected current to be %d, got %d", originalCurrent+1, pt.current)
}
}
func TestProgressTracker_Complete(t *testing.T) {
pt := NewProgressTracker("Processing")
pt.current = 10
output := captureOutput(func() {
pt.Complete()
})
if !strings.Contains(output, "Processing") {
t.Error("expected output to contain description")
}
if !strings.Contains(output, "Completed 10 items") {
t.Error("expected output to contain completion message")
}
if !strings.Contains(output, "items/sec") {
t.Error("expected output to contain rate information")
}
}
func TestNewBatchProgressIndicator(t *testing.T) {
bpi := NewBatchProgressIndicator(5, 10, "Batch processing")
if bpi.totalBatches != 5 {
t.Errorf("expected totalBatches 5, got %d", bpi.totalBatches)
}
if bpi.currentBatch != 0 {
t.Errorf("expected currentBatch 0, got %d", bpi.currentBatch)
}
if bpi.batchSize != 10 {
t.Errorf("expected batchSize 10, got %d", bpi.batchSize)
}
if bpi.description != "Batch processing" {
t.Errorf("expected description %q, got %q", "Batch processing", bpi.description)
}
if bpi.startTime.IsZero() {
t.Error("expected startTime to be set")
}
}
func TestBatchProgressIndicator_UpdateBatch(t *testing.T) {
bpi := NewBatchProgressIndicator(5, 10, "Batch processing")
output := captureOutput(func() {
bpi.UpdateBatch(2)
})
if bpi.currentBatch != 2 {
t.Errorf("expected currentBatch 2, got %d", bpi.currentBatch)
}
if !strings.Contains(output, "Batch processing") {
t.Error("expected output to contain description")
}
if !strings.Contains(output, "Batch 2/5") {
t.Error("expected output to contain batch progress")
}
if !strings.Contains(output, "(20 items)") {
t.Error("expected output to contain item count")
}
}
func TestBatchProgressIndicator_Complete(t *testing.T) {
bpi := NewBatchProgressIndicator(5, 10, "Batch processing")
output := captureOutput(func() {
bpi.Complete()
})
if !strings.Contains(output, "Batch processing") {
t.Error("expected output to contain description")
}
if !strings.Contains(output, "Completed 5 batches") {
t.Error("expected output to contain completion message")
}
if !strings.Contains(output, "(50 items)") {
t.Error("expected output to contain total items")
}
}
func TestFormatDuration(t *testing.T) {
tests := []struct {
name string
duration time.Duration
expected string
}{
{
name: "seconds",
duration: 30 * time.Second,
expected: "30s",
},
{
name: "minutes",
duration: 2*time.Minute + 30*time.Second,
expected: "2.5m",
},
{
name: "hours",
duration: 1*time.Hour + 30*time.Minute,
expected: "1.5h",
},
{
name: "zero duration",
duration: 0,
expected: "0s",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := formatDuration(tt.duration)
if result != tt.expected {
t.Errorf("expected %q, got %q", tt.expected, result)
}
})
}
}
func TestProgressIndicator_Concurrency(t *testing.T) {
pi := NewProgressIndicator(100, "Concurrent test")
done := make(chan bool)
for i := 0; i < 10; i++ {
go func() {
for j := 0; j < 10; j++ {
pi.Increment()
time.Sleep(1 * time.Millisecond)
}
done <- true
}()
}
for i := 0; i < 10; i++ {
<-done
}
if pi.current != 100 {
t.Errorf("expected current to be exactly 100, got %d", pi.current)
}
}
func TestProgressIndicator_EdgeCases(t *testing.T) {
t.Run("zero total constructor", func(t *testing.T) {
pi := NewProgressIndicator(0, "Zero total")
if pi.total != 0 {
t.Errorf("expected total 0, got %d", pi.total)
}
if pi.current != 0 {
t.Errorf("expected current 0, got %d", pi.current)
}
})
t.Run("negative current", func(t *testing.T) {
pi := NewProgressIndicator(10, "Negative test")
pi.current = -1
if pi.current != -1 {
t.Errorf("expected current -1, got %d", pi.current)
}
})
t.Run("current greater than total", func(t *testing.T) {
pi := NewProgressIndicator(10, "Overflow test")
pi.current = 15
if pi.current != 15 {
t.Errorf("expected current 15, got %d", pi.current)
}
})
}

242
cmd/goyco/commands/prune.go Normal file
View File

@@ -0,0 +1,242 @@
package commands
import (
"errors"
"flag"
"fmt"
"os"
"gorm.io/gorm"
"goyco/internal/config"
"goyco/internal/repositories"
)
func HandlePruneCommand(cfg *config.Config, name string, args []string) error {
fs := newFlagSet(name, printPruneUsage)
if err := parseCommand(fs, args, name); err != nil {
if errors.Is(err, ErrHelpRequested) {
return nil
}
return err
}
return withDatabase(cfg, func(db *gorm.DB) error {
userRepo := repositories.NewUserRepository(db)
postRepo := repositories.NewPostRepository(db)
return runPruneCommand(cfg, userRepo, postRepo, fs.Args())
})
}
func runPruneCommand(_ *config.Config, userRepo repositories.UserRepository, postRepo repositories.PostRepository, args []string) error {
if len(args) == 0 {
printPruneUsage()
return errors.New("missing prune subcommand")
}
switch args[0] {
case "posts":
return prunePosts(postRepo, args[1:])
case "users":
return pruneUsers(userRepo, postRepo, args[1:])
case "all":
return pruneAll(userRepo, postRepo, args[1:])
case "help", "-h", "--help":
printPruneUsage()
return nil
default:
printPruneUsage()
return fmt.Errorf("unknown prune subcommand: %s", args[0])
}
}
func printPruneUsage() {
fmt.Fprintln(os.Stderr, "Prune subcommands:")
fmt.Fprintln(os.Stderr, " posts hard delete posts of deleted users")
fmt.Fprintln(os.Stderr, " users hard delete all users [--with-posts]")
fmt.Fprintln(os.Stderr, " all hard delete all users and posts")
fmt.Fprintln(os.Stderr, "")
fmt.Fprintln(os.Stderr, "WARNING: These operations are irreversible!")
fmt.Fprintln(os.Stderr, "Use --dry-run to preview what would be deleted without actually deleting.")
}
func prunePosts(postRepo repositories.PostRepository, args []string) error {
fs := flag.NewFlagSet("prune posts", flag.ContinueOnError)
dryRun := fs.Bool("dry-run", false, "preview what would be deleted without actually deleting")
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
posts, err := postRepo.GetPostsByDeletedUsers()
if err != nil {
return fmt.Errorf("get posts by deleted users: %w", err)
}
if len(posts) == 0 {
fmt.Println("No posts found for deleted users")
return nil
}
fmt.Printf("Found %d posts by deleted users:\n", len(posts))
for _, post := range posts {
authorName := "(deleted)"
if post.Author.ID != 0 {
authorName = post.Author.Username
}
fmt.Printf(" ID=%d Title=%s Author=%s URL=%s\n",
post.ID, post.Title, authorName, post.URL)
}
if *dryRun {
fmt.Println("\nDry run: No posts were actually deleted")
return nil
}
fmt.Printf("\nAre you sure you want to permanently delete %d posts? (yes/no): ", len(posts))
var confirmation string
if _, err := fmt.Scanln(&confirmation); err != nil {
return fmt.Errorf("read confirmation: %w", err)
}
if confirmation != "yes" {
fmt.Println("Operation cancelled")
return nil
}
deletedCount, err := postRepo.HardDeletePostsByDeletedUsers()
if err != nil {
return fmt.Errorf("hard delete posts: %w", err)
}
fmt.Printf("Successfully deleted %d posts\n", deletedCount)
return nil
}
func pruneUsers(userRepo repositories.UserRepository, postRepo repositories.PostRepository, args []string) error {
fs := flag.NewFlagSet("prune users", flag.ContinueOnError)
dryRun := fs.Bool("dry-run", false, "preview what would be deleted without actually deleting")
deletePosts := fs.Bool("with-posts", false, "also delete all posts when deleting users")
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
users, err := userRepo.GetAll(0, 0)
if err != nil {
return fmt.Errorf("get users: %w", err)
}
userCount := len(users)
if userCount == 0 {
fmt.Println("No users found to delete")
return nil
}
var postCount int64 = 0
if *deletePosts {
postCount, err = postRepo.Count()
if err != nil {
return fmt.Errorf("get post count: %w", err)
}
}
fmt.Printf("Found %d users", userCount)
if *deletePosts {
fmt.Printf(" and %d posts", postCount)
}
fmt.Println(" to delete")
fmt.Println("\nUsers to be deleted:")
for _, user := range users {
fmt.Printf(" ID=%d Username=%s Email=%s\n", user.ID, user.Username, user.Email)
}
if *dryRun {
fmt.Println("\nDry run: No data was actually deleted")
return nil
}
confirmMsg := fmt.Sprintf("\nAre you sure you want to permanently delete %d users", userCount)
if *deletePosts {
confirmMsg += fmt.Sprintf(" and %d posts", postCount)
}
confirmMsg += "? (yes/no): "
fmt.Print(confirmMsg)
var confirmation string
if _, err := fmt.Scanln(&confirmation); err != nil {
return fmt.Errorf("read confirmation: %w", err)
}
if confirmation != "yes" {
fmt.Println("Operation cancelled")
return nil
}
if *deletePosts {
totalDeleted, err := userRepo.HardDeleteAll()
if err != nil {
return fmt.Errorf("hard delete all users and posts: %w", err)
}
fmt.Printf("Successfully deleted %d total records (users, posts, votes, etc.)\n", totalDeleted)
} else {
deletedCount := 0
for _, user := range users {
if err := userRepo.SoftDeleteWithPosts(user.ID); err != nil {
return fmt.Errorf("soft delete user %d: %w", user.ID, err)
}
deletedCount++
}
fmt.Printf("Successfully soft deleted %d users (posts preserved)\n", deletedCount)
}
return nil
}
func pruneAll(userRepo repositories.UserRepository, postRepo repositories.PostRepository, args []string) error {
fs := flag.NewFlagSet("prune all", flag.ContinueOnError)
dryRun := fs.Bool("dry-run", false, "preview what would be deleted without actually deleting")
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
userCount, err := userRepo.GetAll(0, 0)
if err != nil {
return fmt.Errorf("get user count: %w", err)
}
postCount, err := postRepo.Count()
if err != nil {
return fmt.Errorf("get post count: %w", err)
}
fmt.Printf("Found %d users and %d posts to delete\n", len(userCount), postCount)
if *dryRun {
fmt.Println("\nDry run: No data was actually deleted")
return nil
}
fmt.Printf("\nAre you sure you want to permanently delete ALL %d users and %d posts? (yes/no): ", len(userCount), postCount)
var confirmation string
if _, err := fmt.Scanln(&confirmation); err != nil {
return fmt.Errorf("read confirmation: %w", err)
}
if confirmation != "yes" {
fmt.Println("Operation cancelled")
return nil
}
totalDeleted, err := userRepo.HardDeleteAll()
if err != nil {
return fmt.Errorf("hard delete all: %w", err)
}
fmt.Printf("Successfully deleted %d total records (users, posts, votes, etc.)\n", totalDeleted)
return nil
}

419
cmd/goyco/commands/prune_test.go Normal file
View File

@@ -0,0 +1,419 @@
package commands
import (
"fmt"
"os"
"strings"
"testing"
"goyco/internal/database"
"goyco/internal/testutils"
)
func TestHandlePruneCommand(t *testing.T) {
tests := []struct {
name string
args []string
wantErr bool
}{
{
name: "help requested",
args: []string{"help"},
wantErr: false,
},
{
name: "missing subcommand",
args: []string{},
wantErr: true,
},
{
name: "unknown subcommand",
args: []string{"unknown"},
wantErr: true,
},
{
name: "posts subcommand",
args: []string{"posts", "--dry-run"},
wantErr: false,
},
{
name: "all subcommand",
args: []string{"all", "--dry-run"},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cfg := testutils.NewTestConfig()
userRepo := testutils.NewMockUserRepository()
postRepo := testutils.NewMockPostRepository()
err := runPruneCommand(cfg, userRepo, postRepo, tt.args)
if (err != nil) != tt.wantErr {
t.Errorf("runPruneCommand() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func TestRunPruneCommand(t *testing.T) {
tests := []struct {
name string
args []string
wantErr bool
}{
{
name: "help requested",
args: []string{"help"},
wantErr: false,
},
{
name: "missing subcommand",
args: []string{},
wantErr: true,
},
{
name: "unknown subcommand",
args: []string{"unknown"},
wantErr: true,
},
{
name: "posts subcommand",
args: []string{"posts", "--dry-run"},
wantErr: false,
},
{
name: "all subcommand",
args: []string{"all", "--dry-run"},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cfg := testutils.NewTestConfig()
userRepo := testutils.NewMockUserRepository()
postRepo := testutils.NewMockPostRepository()
err := runPruneCommand(cfg, userRepo, postRepo, tt.args)
if (err != nil) != tt.wantErr {
t.Errorf("runPruneCommand() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func TestPrunePosts(t *testing.T) {
postRepo := testutils.NewMockPostRepository()
err := prunePosts(postRepo, []string{"--dry-run"})
if err != nil {
t.Errorf("prunePosts() with dry-run error = %v", err)
}
post1 := database.Post{
ID: 1,
Title: "Post by deleted user 1",
URL: "http://example.com/1",
AuthorID: nil,
}
post2 := database.Post{
ID: 2,
Title: "Post by deleted user 2",
URL: "http://example.com/2",
AuthorID: nil,
}
postRepo.Posts[post1.ID] = &post1
postRepo.Posts[post2.ID] = &post2
postRepo.GetPostsByDeletedUsersFunc = func() ([]database.Post, error) {
return []database.Post{post1, post2}, nil
}
postRepo.HardDeletePostsByDeletedUsersFunc = func() (int64, error) {
delete(postRepo.Posts, post1.ID)
delete(postRepo.Posts, post2.ID)
return 2, nil
}
err = prunePosts(postRepo, []string{"--dry-run"})
if err != nil {
t.Errorf("prunePosts() with dry-run error = %v", err)
}
}
func TestPruneAll(t *testing.T) {
userRepo := testutils.NewMockUserRepository()
postRepo := testutils.NewMockPostRepository()
err := pruneAll(userRepo, postRepo, []string{"--dry-run"})
if err != nil {
t.Errorf("pruneAll() with dry-run error = %v", err)
}
user1 := database.User{ID: 1, Username: "user1", Email: "user1@example.com"}
user2 := database.User{ID: 2, Username: "user2", Email: "user2@example.com"}
post1 := database.Post{ID: 1, Title: "Post 1", URL: "http://example.com/1", AuthorID: &user1.ID}
post2 := database.Post{ID: 2, Title: "Post 2", URL: "http://example.com/2", AuthorID: &user2.ID}
userRepo.Users[user1.ID] = &user1
userRepo.Users[user2.ID] = &user2
postRepo.Posts[post1.ID] = &post1
postRepo.Posts[post2.ID] = &post2
userRepo.HardDeleteAllFunc = func() (int64, error) {
count := int64(len(userRepo.Users) + len(userRepo.DeletedUsers))
userRepo.Users = make(map[uint]*database.User)
userRepo.DeletedUsers = make(map[uint]*database.User)
return count, nil
}
postRepo.HardDeleteAllFunc = func() (int64, error) {
count := int64(len(postRepo.Posts))
postRepo.Posts = make(map[uint]*database.Post)
return count, nil
}
err = pruneAll(userRepo, postRepo, []string{"--dry-run"})
if err != nil {
t.Errorf("pruneAll() with dry-run error = %v", err)
}
}
func TestPrunePostsWithError(t *testing.T) {
postRepo := testutils.NewMockPostRepository()
postRepo.GetPostsByDeletedUsersFunc = func() ([]database.Post, error) {
return nil, fmt.Errorf("database error")
}
err := prunePosts(postRepo, []string{"--dry-run"})
if err == nil {
t.Errorf("Expected error from GetPostsByDeletedUsers, got nil")
}
if !strings.Contains(err.Error(), "get posts by deleted users") {
t.Errorf("Expected error message to contain 'get posts by deleted users', got: %v", err)
}
}
func TestPruneAllWithUserError(t *testing.T) {
userRepo := testutils.NewMockUserRepository()
postRepo := testutils.NewMockPostRepository()
userRepo.GetAllFunc = func(limit, offset int) ([]database.User, error) {
return nil, fmt.Errorf("user get error")
}
err := pruneAll(userRepo, postRepo, []string{"--dry-run"})
if err == nil {
t.Errorf("Expected error from GetAll, got nil")
}
if !strings.Contains(err.Error(), "get user count") {
t.Errorf("Expected error message to contain 'get user count', got: %v", err)
}
}
func TestPruneAllWithPostError(t *testing.T) {
userRepo := testutils.NewMockUserRepository()
postRepo := testutils.NewMockPostRepository()
postRepo.CountFunc = func() (int64, error) {
return 0, fmt.Errorf("post count error")
}
err := pruneAll(userRepo, postRepo, []string{"--dry-run"})
if err == nil {
t.Errorf("Expected error from Count, got nil")
}
if !strings.Contains(err.Error(), "get post count") {
t.Errorf("Expected error message to contain 'get post count', got: %v", err)
}
}
func TestPrintPruneUsage(t *testing.T) {
printPruneUsage()
}
func TestPruneFlagParsing(t *testing.T) {
userRepo := testutils.NewMockUserRepository()
postRepo := testutils.NewMockPostRepository()
t.Run("prunePosts unknown flag", func(t *testing.T) {
err := prunePosts(postRepo, []string{"--unknown-flag"})
if err == nil {
t.Error("expected error for unknown flag in prunePosts")
}
})
t.Run("prunePosts missing dry-run value (bool)", func(t *testing.T) {
err := prunePosts(postRepo, []string{"--dry-run"})
if err != nil {
t.Errorf("unexpected error for dry-run: %v", err)
}
})
t.Run("pruneUsers unknown flag", func(t *testing.T) {
err := pruneUsers(userRepo, postRepo, []string{"--unknown-flag"})
if err == nil {
t.Error("expected error for unknown flag in pruneUsers")
}
})
t.Run("pruneUsers with-posts as non-bool", func(t *testing.T) {
err := pruneUsers(userRepo, postRepo, []string{"--with-posts", "true"})
if err != nil {
t.Errorf("unexpected error for with-posts: %v", err)
}
})
t.Run("pruneAll unknown flag", func(t *testing.T) {
err := pruneAll(userRepo, postRepo, []string{"--unknown-flag"})
if err == nil {
t.Error("expected error for unknown flag in pruneAll")
}
})
}
func TestPrunePostsWithMockData(t *testing.T) {
postRepo := testutils.NewMockPostRepository()
post1 := database.Post{
ID: 1,
Title: "Test Post 1",
URL: "http://example.com/1",
AuthorID: nil,
}
post2 := database.Post{
ID: 2,
Title: "Test Post 2",
URL: "http://example.com/2",
AuthorID: nil,
}
postRepo.GetPostsByDeletedUsersFunc = func() ([]database.Post, error) {
return []database.Post{post1, post2}, nil
}
err := prunePosts(postRepo, []string{"--dry-run"})
if err != nil {
t.Errorf("prunePosts() with mock data error = %v", err)
}
}
func TestPruneAllWithMockData(t *testing.T) {
userRepo := testutils.NewMockUserRepository()
postRepo := testutils.NewMockPostRepository()
userRepo.HardDeleteAllFunc = func() (int64, error) {
return 5, nil
}
postRepo.HardDeleteAllFunc = func() (int64, error) {
return 10, nil
}
err := pruneAll(userRepo, postRepo, []string{"--dry-run"})
if err != nil {
t.Errorf("pruneAll() with mock data error = %v", err)
}
}
func TestPrunePostsActualDeletion(t *testing.T) {
postRepo := testutils.NewMockPostRepository()
post1 := database.Post{
ID: 1,
Title: "Test Post 1",
URL: "http://example.com/1",
AuthorID: nil,
}
post2 := database.Post{
ID: 2,
Title: "Test Post 2",
URL: "http://example.com/2",
AuthorID: nil,
}
postRepo.GetPostsByDeletedUsersFunc = func() ([]database.Post, error) {
return []database.Post{post1, post2}, nil
}
var deletedCount int64
postRepo.HardDeletePostsByDeletedUsersFunc = func() (int64, error) {
deletedCount = 2
return 2, nil
}
originalStdin := os.Stdin
defer func() { os.Stdin = originalStdin }()
r, w, err := os.Pipe()
if err != nil {
t.Fatalf("Failed to create pipe: %v", err)
}
defer func() { _ = r.Close() }()
defer func() { _ = w.Close() }()
os.Stdin = r
go func() {
_, _ = w.WriteString("yes\n")
_ = w.Close()
}()
err = prunePosts(postRepo, []string{})
if err != nil {
t.Errorf("prunePosts() actual deletion error = %v", err)
}
if deletedCount != 2 {
t.Errorf("Expected 2 posts to be deleted, got %d", deletedCount)
}
}
func TestPruneAllActualDeletion(t *testing.T) {
userRepo := testutils.NewMockUserRepository()
postRepo := testutils.NewMockPostRepository()
user1 := database.User{ID: 1, Username: "user1", Email: "user1@example.com"}
user2 := database.User{ID: 2, Username: "user2", Email: "user2@example.com"}
post1 := database.Post{ID: 1, Title: "Post 1", URL: "http://example.com/1", AuthorID: &user1.ID}
post2 := database.Post{ID: 2, Title: "Post 2", URL: "http://example.com/2", AuthorID: &user2.ID}
userRepo.Users[user1.ID] = &user1
userRepo.Users[user2.ID] = &user2
postRepo.Posts[post1.ID] = &post1
postRepo.Posts[post2.ID] = &post2
var totalDeleted int64
userRepo.HardDeleteAllFunc = func() (int64, error) {
totalDeleted = 2
return 2, nil
}
originalStdin := os.Stdin
defer func() { os.Stdin = originalStdin }()
reader, writer, err := os.Pipe()
if err != nil {
t.Fatalf("Failed to create pipe: %v", err)
}
defer func() { _ = reader.Close() }()
defer func() { _ = writer.Close() }()
os.Stdin = reader
go func() {
_, _ = writer.WriteString("yes\n")
_ = writer.Close()
}()
err = pruneAll(userRepo, postRepo, []string{})
if err != nil {
t.Errorf("pruneAll() actual deletion error = %v", err)
}
if totalDeleted != 2 {
t.Errorf("Expected 2 users to be deleted, got %d", totalDeleted)
}
}

353
cmd/goyco/commands/seed.go Normal file
View File

@@ -0,0 +1,353 @@
package commands
import (
"crypto/rand"
"errors"
"flag"
"fmt"
"math/big"
"os"
"golang.org/x/crypto/bcrypt"
"gorm.io/gorm"
"goyco/internal/config"
"goyco/internal/database"
"goyco/internal/repositories"
)
func HandleSeedCommand(cfg *config.Config, name string, args []string) error {
fs := newFlagSet(name, printSeedUsage)
if err := parseCommand(fs, args, name); err != nil {
if errors.Is(err, ErrHelpRequested) {
return nil
}
return err
}
return withDatabase(cfg, func(db *gorm.DB) error {
userRepo := repositories.NewUserRepository(db)
postRepo := repositories.NewPostRepository(db)
voteRepo := repositories.NewVoteRepository(db)
return runSeedCommand(userRepo, postRepo, voteRepo, fs.Args())
})
}
func runSeedCommand(userRepo repositories.UserRepository, postRepo repositories.PostRepository, voteRepo repositories.VoteRepository, args []string) error {
if len(args) == 0 {
printSeedUsage()
return errors.New("missing seed subcommand")
}
switch args[0] {
case "database":
return seedDatabase(userRepo, postRepo, voteRepo, args[1:])
case "help", "-h", "--help":
printSeedUsage()
return nil
default:
printSeedUsage()
return fmt.Errorf("unknown seed subcommand: %s", args[0])
}
}
func printSeedUsage() {
fmt.Fprintln(os.Stderr, "Seed subcommands:")
fmt.Fprintln(os.Stderr, " database [--posts <n>] [--users <n>] [--votes-per-post <n>]")
fmt.Fprintln(os.Stderr, " --posts: number of posts to create (default: 40)")
fmt.Fprintln(os.Stderr, " --users: number of additional users to create (default: 5)")
fmt.Fprintln(os.Stderr, " --votes-per-post: average votes per post (default: 15)")
}
func seedDatabase(userRepo repositories.UserRepository, postRepo repositories.PostRepository, voteRepo repositories.VoteRepository, args []string) error {
fs := flag.NewFlagSet("seed database", flag.ContinueOnError)
numPosts := fs.Int("posts", 40, "number of posts to create")
numUsers := fs.Int("users", 5, "number of additional users to create")
votesPerPost := fs.Int("votes-per-post", 15, "average votes per post")
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
fmt.Println("Starting database seeding...")
spinner := NewSpinner("Creating seed user")
spinner.Spin()
seedUser, err := ensureSeedUser(userRepo)
if err != nil {
spinner.Complete()
return fmt.Errorf("ensure seed user: %w", err)
}
spinner.Complete()
fmt.Printf("Seed user ready: ID=%d Username=%s\n", seedUser.ID, seedUser.Username)
processor := NewParallelProcessor()
progress := NewProgressIndicator(*numUsers, "Creating users (parallel)")
users, err := processor.CreateUsersInParallel(userRepo, *numUsers, progress)
if err != nil {
return fmt.Errorf("create random users: %w", err)
}
progress.Complete()
allUsers := append([]database.User{*seedUser}, users...)
progress = NewProgressIndicator(*numPosts, "Creating posts (parallel)")
posts, err := processor.CreatePostsInParallel(postRepo, seedUser.ID, *numPosts, progress)
if err != nil {
return fmt.Errorf("create random posts: %w", err)
}
progress.Complete()
progress = NewProgressIndicator(len(posts), "Creating votes (parallel)")
votes, err := processor.CreateVotesInParallel(voteRepo, allUsers, posts, *votesPerPost, progress)
if err != nil {
return fmt.Errorf("create random votes: %w", err)
}
progress.Complete()
progress = NewProgressIndicator(len(posts), "Updating scores (parallel)")
err = processor.UpdatePostScoresInParallel(postRepo, voteRepo, posts, progress)
if err != nil {
return fmt.Errorf("update post scores: %w", err)
}
progress.Complete()
fmt.Println("Database seeding completed successfully!")
fmt.Printf("Created %d users, %d posts, and %d votes\n", len(allUsers), len(posts), votes)
return nil
}
func ensureSeedUser(userRepo repositories.UserRepository) (*database.User, error) {
seedUsername := "seed_admin"
seedEmail := "seed_admin@goyco.local"
seedPassword := "seed-password"
user, err := userRepo.GetByEmail(seedEmail)
if err == nil {
return user, nil
}
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(seedPassword), bcrypt.DefaultCost)
if err != nil {
return nil, fmt.Errorf("hash password: %w", err)
}
user = &database.User{
Username: seedUsername,
Email: seedEmail,
Password: string(hashedPassword),
EmailVerified: true,
}
if err := userRepo.Create(user); err != nil {
return nil, fmt.Errorf("create seed user: %w", err)
}
return user, nil
}
func createRandomUsers(userRepo repositories.UserRepository, count int) ([]database.User, error) {
var users []database.User
for i := range count {
username := fmt.Sprintf("user_%d", i+1)
email := fmt.Sprintf("user_%d@goyco.local", i+1)
password := "password123"
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
return nil, fmt.Errorf("hash password for user %d: %w", i+1, err)
}
user := &database.User{
Username: username,
Email: email,
Password: string(hashedPassword),
EmailVerified: true,
}
if err := userRepo.Create(user); err != nil {
return nil, fmt.Errorf("create user %d: %w", i+1, err)
}
users = append(users, *user)
}
return users, nil
}
func createRandomPosts(postRepo repositories.PostRepository, authorID uint, count int) ([]database.Post, error) {
var posts []database.Post
sampleTitles := []string{
"Amazing JavaScript Framework",
"Python Best Practices",
"Go Performance Tips",
"Database Optimization",
"Web Security Guide",
"Machine Learning Basics",
"Cloud Architecture",
"DevOps Automation",
"API Design Patterns",
"Frontend Optimization",
"Backend Scaling",
"Container Orchestration",
"Microservices Architecture",
"Testing Strategies",
"Code Review Process",
"Version Control Best Practices",
"Continuous Integration",
"Monitoring and Alerting",
"Error Handling Patterns",
"Data Structures Explained",
}
sampleDomains := []string{
"example.com",
"techblog.org",
"devguide.net",
"programming.io",
"codeexamples.com",
"tutorialhub.org",
"bestpractices.dev",
"learnprogramming.net",
"codingtips.org",
"softwareengineering.com",
}
for i := range count {
title := sampleTitles[i%len(sampleTitles)]
if i >= len(sampleTitles) {
title = fmt.Sprintf("%s - Part %d", title, (i/len(sampleTitles))+1)
}
domain := sampleDomains[i%len(sampleDomains)]
path := generateRandomPath()
url := fmt.Sprintf("https://%s%s", domain, path)
content := fmt.Sprintf("Autogenerated seed post #%d\n\nThis is sample content for testing purposes. The post discusses %s and provides valuable insights.", i+1, title)
post := &database.Post{
Title: title,
URL: url,
Content: content,
AuthorID: &authorID,
UpVotes: 0,
DownVotes: 0,
Score: 0,
}
if err := postRepo.Create(post); err != nil {
return nil, fmt.Errorf("create post %d: %w", i+1, err)
}
posts = append(posts, *post)
}
return posts, nil
}
func generateRandomPath() string {
pathLength, _ := rand.Int(rand.Reader, big.NewInt(20))
path := "/article/"
for i := int64(0); i < pathLength.Int64()+5; i++ {
randomChar, _ := rand.Int(rand.Reader, big.NewInt(26))
path += string(rune('a' + randomChar.Int64()))
}
return path
}
func createRandomVotes(voteRepo repositories.VoteRepository, users []database.User, posts []database.Post, avgVotesPerPost int) (int, error) {
totalVotes := 0
for _, post := range posts {
voteCount, _ := rand.Int(rand.Reader, big.NewInt(int64(avgVotesPerPost*2)+1))
numVotes := int(voteCount.Int64())
if numVotes == 0 && avgVotesPerPost > 0 {
chance, _ := rand.Int(rand.Reader, big.NewInt(5))
if chance.Int64() > 0 {
numVotes = 1
}
}
usedUsers := make(map[uint]bool)
for i := 0; i < numVotes && len(usedUsers) < len(users); i++ {
userIdx, _ := rand.Int(rand.Reader, big.NewInt(int64(len(users))))
user := users[userIdx.Int64()]
if usedUsers[user.ID] {
continue
}
usedUsers[user.ID] = true
voteTypeInt, _ := rand.Int(rand.Reader, big.NewInt(10))
var voteType database.VoteType
if voteTypeInt.Int64() < 7 {
voteType = database.VoteUp
} else {
voteType = database.VoteDown
}
vote := &database.Vote{
UserID: &user.ID,
PostID: post.ID,
Type: voteType,
}
if err := voteRepo.Create(vote); err != nil {
return totalVotes, fmt.Errorf("create vote for post %d: %w", post.ID, err)
}
totalVotes++
}
}
return totalVotes, nil
}
func updatePostScores(postRepo repositories.PostRepository, voteRepo repositories.VoteRepository, posts []database.Post) error {
for _, post := range posts {
upVotes, downVotes, err := getVoteCounts(voteRepo, post.ID)
if err != nil {
return fmt.Errorf("get vote counts for post %d: %w", post.ID, err)
}
post.UpVotes = upVotes
post.DownVotes = downVotes
post.Score = upVotes - downVotes
if err := postRepo.Update(&post); err != nil {
return fmt.Errorf("update post %d scores: %w", post.ID, err)
}
}
return nil
}
func getVoteCounts(voteRepo repositories.VoteRepository, postID uint) (int, int, error) {
votes, err := voteRepo.GetByPostID(postID)
if err != nil {
return 0, 0, err
}
upVotes := 0
downVotes := 0
for _, vote := range votes {
switch vote.Type {
case database.VoteUp:
upVotes++
case database.VoteDown:
downVotes++
}
}
return upVotes, downVotes, nil
}

181
cmd/goyco/commands/seed_test.go Normal file
View File

@@ -0,0 +1,181 @@
package commands
import (
"testing"
"gorm.io/driver/sqlite"
"gorm.io/gorm"
"goyco/internal/database"
"goyco/internal/repositories"
"goyco/internal/testutils"
)
func TestSeedCommand(t *testing.T) {
db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
if err != nil {
t.Fatalf("Failed to connect to database: %v", err)
}
err = db.AutoMigrate(&database.User{}, &database.Post{}, &database.Vote{})
if err != nil {
t.Fatalf("Failed to migrate database: %v", err)
}
userRepo := repositories.NewUserRepository(db)
postRepo := repositories.NewPostRepository(db)
voteRepo := repositories.NewVoteRepository(db)
seedUser, err := ensureSeedUser(userRepo)
if err != nil {
t.Fatalf("Failed to ensure seed user: %v", err)
}
if seedUser.Username != "seed_admin" {
t.Errorf("Expected username 'seed_admin', got '%s'", seedUser.Username)
}
if seedUser.Email != "seed_admin@goyco.local" {
t.Errorf("Expected email 'seed_admin@goyco.local', got '%s'", seedUser.Email)
}
if !seedUser.EmailVerified {
t.Error("Expected seed user to be email verified")
}
users, err := createRandomUsers(userRepo, 2)
if err != nil {
t.Fatalf("Failed to create random users: %v", err)
}
if len(users) != 2 {
t.Errorf("Expected 2 users, got %d", len(users))
}
posts, err := createRandomPosts(postRepo, seedUser.ID, 5)
if err != nil {
t.Fatalf("Failed to create random posts: %v", err)
}
if len(posts) != 5 {
t.Errorf("Expected 5 posts, got %d", len(posts))
}
for i, post := range posts {
if post.Title == "" {
t.Errorf("Post %d has empty title", i)
}
if post.URL == "" {
t.Errorf("Post %d has empty URL", i)
}
if post.AuthorID == nil || *post.AuthorID != seedUser.ID {
t.Errorf("Post %d has wrong author ID: expected %d, got %v", i, seedUser.ID, post.AuthorID)
}
}
allUsers := append([]database.User{*seedUser}, users...)
votes, err := createRandomVotes(voteRepo, allUsers, posts, 3)
if err != nil {
t.Fatalf("Failed to create random votes: %v", err)
}
if votes == 0 {
t.Error("Expected some votes to be created")
}
err = updatePostScores(postRepo, voteRepo, posts)
if err != nil {
t.Fatalf("Failed to update post scores: %v", err)
}
for i, post := range posts {
updatedPost, err := postRepo.GetByID(post.ID)
if err != nil {
t.Errorf("Failed to get updated post %d: %v", i, err)
continue
}
expectedScore := updatedPost.UpVotes - updatedPost.DownVotes
if updatedPost.Score != expectedScore {
t.Errorf("Post %d has incorrect score: expected %d, got %d", i, expectedScore, updatedPost.Score)
}
}
}
func TestGenerateRandomPath(t *testing.T) {
path := generateRandomPath()
if path == "" {
t.Error("Generated path should not be empty")
}
if len(path) < 8 {
t.Errorf("Generated path too short: %s", path)
}
secondPath := generateRandomPath()
if path == secondPath {
t.Error("Generated paths should be different")
}
}
func TestSeedDatabaseFlagParsing(t *testing.T) {
userRepo := testutils.NewMockUserRepository()
postRepo := testutils.NewMockPostRepository()
voteRepo := testutils.NewMockVoteRepository()
t.Run("invalid posts type", func(t *testing.T) {
err := seedDatabase(userRepo, postRepo, voteRepo, []string{"--posts", "abc"})
if err == nil {
t.Error("expected error for invalid posts type")
}
})
t.Run("invalid users type", func(t *testing.T) {
err := seedDatabase(userRepo, postRepo, voteRepo, []string{"--users", "xyz"})
if err == nil {
t.Error("expected error for invalid users type")
}
})
t.Run("invalid votes-per-post type", func(t *testing.T) {
err := seedDatabase(userRepo, postRepo, voteRepo, []string{"--votes-per-post", "invalid"})
if err == nil {
t.Error("expected error for invalid votes-per-post type")
}
})
t.Run("unknown flag", func(t *testing.T) {
err := seedDatabase(userRepo, postRepo, voteRepo, []string{"--unknown-flag"})
if err == nil {
t.Error("expected error for unknown flag")
}
})
t.Run("missing posts value", func(t *testing.T) {
err := seedDatabase(userRepo, postRepo, voteRepo, []string{"--posts"})
if err == nil {
t.Error("expected error for missing posts value")
}
})
t.Run("missing users value", func(t *testing.T) {
err := seedDatabase(userRepo, postRepo, voteRepo, []string{"--users"})
if err == nil {
t.Error("expected error for missing users value")
}
})
t.Run("missing votes-per-post value", func(t *testing.T) {
err := seedDatabase(userRepo, postRepo, voteRepo, []string{"--votes-per-post"})
if err == nil {
t.Error("expected error for missing votes-per-post value")
}
})
}

907
cmd/goyco/commands/user.go Normal file
View File

@@ -0,0 +1,907 @@
package commands
import (
"crypto/rand"
"errors"
"flag"
"fmt"
"math/big"
"os"
"strconv"
"strings"
"time"
"github.com/lib/pq"
"golang.org/x/crypto/bcrypt"
"gorm.io/gorm"
"goyco/internal/config"
"goyco/internal/database"
"goyco/internal/repositories"
"goyco/internal/security"
"goyco/internal/services"
)
func HandleUserCommand(cfg *config.Config, name string, args []string) error {
fs := newFlagSet(name, printUserUsage)
if err := parseCommand(fs, args, name); err != nil {
if errors.Is(err, ErrHelpRequested) {
return nil
}
return err
}
return withDatabase(cfg, func(db *gorm.DB) error {
repo := repositories.NewUserRepository(db)
refreshTokenRepo := repositories.NewRefreshTokenRepository(db)
return runUserCommand(cfg, repo, refreshTokenRepo, fs.Args())
})
}
func runUserCommand(cfg *config.Config, repo repositories.UserRepository, refreshTokenRepo repositories.RefreshTokenRepositoryInterface, args []string) error {
if len(args) == 0 {
printUserUsage()
return errors.New("missing user subcommand")
}
switch args[0] {
case "create":
return userCreate(cfg, repo, args[1:])
case "update":
return userUpdate(cfg, repo, refreshTokenRepo, args[1:])
case "delete":
return userDelete(cfg, repo, args[1:])
case "lock":
return userLock(cfg, repo, args[1:])
case "unlock":
return userUnlock(cfg, repo, args[1:])
case "list":
return userList(repo, args[1:])
case "help", "-h", "--help":
printUserUsage()
return nil
default:
printUserUsage()
return fmt.Errorf("unknown user subcommand: %s", args[0])
}
}
func printUserUsage() {
fmt.Fprintln(os.Stderr, "User subcommands:")
fmt.Fprintln(os.Stderr, " create --username <name> --email <email> --password <password>")
fmt.Fprintln(os.Stderr, " update <id> [--username <name>] [--email <email>] [--password <password>] [--reset-password]")
fmt.Fprintln(os.Stderr, " delete <id> [--with-posts]")
fmt.Fprintln(os.Stderr, " lock <id>")
fmt.Fprintln(os.Stderr, " unlock <id>")
fmt.Fprintln(os.Stderr, " list [--limit <n>] [--offset <n>]")
}
func createSessionService(cfg *config.Config, userRepo repositories.UserRepository, refreshTokenRepo repositories.RefreshTokenRepositoryInterface) *services.SessionService {
jwtService := services.NewJWTService(&cfg.JWT, userRepo, refreshTokenRepo)
return services.NewSessionService(jwtService, userRepo)
}
func userCreate(cfg *config.Config, repo repositories.UserRepository, args []string) error {
fs := flag.NewFlagSet("user create", flag.ContinueOnError)
username := fs.String("username", "", "username")
email := fs.String("email", "", "email")
password := fs.String("password", "", "password")
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
if *username == "" || *email == "" || *password == "" {
fs.Usage()
return errors.New("username, email, and password are required")
}
auditLogger, err := NewAuditLogger(cfg.LogDir)
if err != nil {
fmt.Printf("Warning: Could not initialize audit logging: %v\n", err)
auditLogger = nil
}
sanitizer := security.NewInputSanitizer()
sanitizedUsername, err := sanitizer.SanitizeUsernameCLI(*username)
if err != nil {
if auditLogger != nil {
auditLogger.LogUserCreation(0, *username, *email, false, err)
}
return fmt.Errorf("username validation: %w", err)
}
sanitizedEmail, err := sanitizer.SanitizeEmailCLI(*email)
if err != nil {
if auditLogger != nil {
auditLogger.LogUserCreation(0, sanitizedUsername, *email, false, err)
}
return fmt.Errorf("email validation: %w", err)
}
if err := sanitizer.SanitizePasswordCLI(*password); err != nil {
if auditLogger != nil {
auditLogger.LogUserCreation(0, sanitizedUsername, sanitizedEmail, false, err)
}
return fmt.Errorf("password validation: %w", err)
}
_, err = repo.GetByUsername(sanitizedUsername)
if err == nil {
return fmt.Errorf("username %s already exists", sanitizedUsername)
}
if !errors.Is(err, gorm.ErrRecordNotFound) {
return fmt.Errorf("check username: %w", err)
}
_, err = repo.GetByEmail(sanitizedEmail)
if err == nil {
return fmt.Errorf("email %s already exists", sanitizedEmail)
}
if !errors.Is(err, gorm.ErrRecordNotFound) {
return fmt.Errorf("check email: %w", err)
}
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(*password), bcrypt.DefaultCost)
if err != nil {
return fmt.Errorf("hash password: %w", err)
}
now := time.Now()
user := &database.User{
Username: sanitizedUsername,
Email: sanitizedEmail,
Password: string(hashedPassword),
EmailVerified: true,
EmailVerifiedAt: &now,
}
if err := repo.Create(user); err != nil {
if auditLogger != nil {
auditLogger.LogUserCreation(0, sanitizedUsername, sanitizedEmail, false, err)
}
return handleDatabaseConstraintError(err)
}
if auditLogger != nil {
auditLogger.LogUserCreation(user.ID, user.Username, user.Email, true, nil)
}
fmt.Printf("User created: %s (%s)\n", user.Username, user.Email)
return nil
}
func userUpdate(cfg *config.Config, repo repositories.UserRepository, refreshTokenRepo repositories.RefreshTokenRepositoryInterface, args []string) error {
if len(args) == 0 {
return errors.New("user ID is required")
}
idStr := args[0]
id, err := strconv.ParseUint(idStr, 10, 32)
if err != nil {
return fmt.Errorf("invalid user ID: %s", idStr)
}
if id == 0 {
return errors.New("user ID must be greater than 0")
}
fs := flag.NewFlagSet("user update", flag.ContinueOnError)
username := fs.String("username", "", "new username")
email := fs.String("email", "", "new email")
password := fs.String("password", "", "new password")
resetPassword := fs.Bool("reset-password", false, "reset password and send temporary password via email")
fs.SetOutput(os.Stderr)
fs.Usage = func() {
fmt.Fprintf(os.Stderr, "Usage of user update:\n")
fmt.Fprintf(os.Stderr, " --email string\n")
fmt.Fprintf(os.Stderr, " new email\n")
fmt.Fprintf(os.Stderr, " --password string\n")
fmt.Fprintf(os.Stderr, " new password\n")
fmt.Fprintf(os.Stderr, " --reset-password\n")
fmt.Fprintf(os.Stderr, " reset password and send temporary password via email\n")
fmt.Fprintf(os.Stderr, " --username string\n")
fmt.Fprintf(os.Stderr, " new username\n")
}
if err := fs.Parse(args[1:]); err != nil {
return err
}
if *username == "" && *email == "" && *password == "" && !*resetPassword {
fs.Usage()
return errors.New("no update options provided")
}
sanitizer := security.NewInputSanitizer()
if *username != "" {
sanitizedUsername, err := sanitizer.SanitizeUsernameCLI(*username)
if err != nil {
return fmt.Errorf("username validation: %w", err)
}
*username = sanitizedUsername
}
if *email != "" {
sanitizedEmail, err := sanitizer.SanitizeEmailCLI(*email)
if err != nil {
return fmt.Errorf("email validation: %w", err)
}
*email = sanitizedEmail
}
if *password != "" {
if err := sanitizer.SanitizePasswordCLI(*password); err != nil {
return fmt.Errorf("password validation: %w", err)
}
}
if *resetPassword {
sessionService := createSessionService(cfg, repo, refreshTokenRepo)
return resetUserPassword(cfg, repo, sessionService, uint(id))
}
user, err := repo.GetByID(uint(id))
if err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
return fmt.Errorf("user %d not found", id)
}
return fmt.Errorf("fetch user: %w", err)
}
if *username != "" && *username != user.Username {
if err := checkUsernameAvailable(repo, *username, uint(id)); err != nil {
return err
}
user.Username = *username
}
if *email != "" && *email != user.Email {
if err := checkEmailAvailable(repo, *email, uint(id)); err != nil {
return err
}
user.Email = *email
}
if *password != "" {
if len(*password) < 8 {
return errors.New("password must be at least 8 characters")
}
hashedPassword, hashErr := bcrypt.GenerateFromPassword([]byte(*password), bcrypt.DefaultCost)
if hashErr != nil {
return fmt.Errorf("hash password: %w", hashErr)
}
user.Password = string(hashedPassword)
sessionService := createSessionService(cfg, repo, refreshTokenRepo)
if err := sessionService.InvalidateAllSessions(user.ID); err != nil {
return fmt.Errorf("invalidate sessions: %w", err)
}
}
if err := repo.Update(user); err != nil {
return handleDatabaseConstraintError(err)
}
fmt.Printf("User updated: %s (%s)\n", user.Username, user.Email)
return nil
}
func checkUsernameAvailable(repo repositories.UserRepository, username string, excludeID uint) error {
existing, err := repo.GetByUsernameIncludingDeleted(username)
if err == nil && existing.ID != excludeID {
return fmt.Errorf("username %s is already taken", username)
}
if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
return fmt.Errorf("check username availability: %w", err)
}
return nil
}
func checkEmailAvailable(repo repositories.UserRepository, email string, excludeID uint) error {
existing, err := repo.GetByEmail(email)
if err == nil && existing.ID != excludeID {
return fmt.Errorf("email %s is already registered", email)
}
if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
return fmt.Errorf("check email availability: %w", err)
}
return nil
}
func handleDatabaseConstraintError(err error) error {
var pqErr *pq.Error
if errors.As(err, &pqErr) && pqErr.Code == "23505" {
if strings.Contains(pqErr.Constraint, "username") {
return fmt.Errorf("username is already taken")
}
if strings.Contains(pqErr.Constraint, "email") {
return fmt.Errorf("email is already registered")
}
return fmt.Errorf("data already exists (constraint violation)")
}
return fmt.Errorf("update user: %w", err)
}
func userDelete(cfg *config.Config, repo repositories.UserRepository, args []string) error {
var userID string
var flagArgs []string
for _, arg := range args {
if strings.HasPrefix(arg, "-") {
flagArgs = append(flagArgs, arg)
} else if userID == "" {
userID = arg
} else {
flagArgs = append(flagArgs, arg)
}
}
fs := flag.NewFlagSet("user delete", flag.ContinueOnError)
deletePosts := fs.Bool("with-posts", false, "also delete user's posts (default: keep posts)")
fs.SetOutput(os.Stderr)
fs.Usage = func() {
fmt.Fprintf(os.Stderr, "Usage of user delete:\n")
fmt.Fprintf(os.Stderr, " --with-posts\n")
fmt.Fprintf(os.Stderr, " also delete user's posts (default: keep posts)\n")
}
if err := fs.Parse(flagArgs); err != nil {
return err
}
if userID == "" {
fs.Usage()
return errors.New("user ID is required")
}
idStr := userID
id, err := strconv.ParseUint(idStr, 10, 32)
if err != nil {
return fmt.Errorf("invalid user ID: %s", idStr)
}
if id == 0 {
return errors.New("user ID must be greater than 0")
}
user, err := repo.GetByID(uint(id))
if err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
_, deletedErr := repo.GetByIDIncludingDeleted(uint(id))
if deletedErr == nil {
return fmt.Errorf("user with ID %d is already deleted", id)
}
return fmt.Errorf("user with ID %d not found", id)
}
return fmt.Errorf("get user: %w", err)
}
var deleteErr error
if *deletePosts {
deleteErr = repo.HardDelete(uint(id))
if deleteErr == nil {
fmt.Printf("User deleted: ID=%d (posts also deleted)\n", id)
}
} else {
deleteErr = repo.SoftDeleteWithPosts(uint(id))
if deleteErr == nil {
fmt.Printf("User deleted: ID=%d (posts kept)\n", id)
}
}
if deleteErr != nil {
return fmt.Errorf("delete user: %w", deleteErr)
}
emailSender := services.NewSMTPSenderWithTimeout(cfg.SMTP.Host, cfg.SMTP.Port, cfg.SMTP.Username, cfg.SMTP.Password, cfg.SMTP.From, cfg.SMTP.Timeout)
subject, body := services.GenerateAdminAccountDeletionNotificationEmail(user.Username, cfg.App.AdminEmail, cfg.App.BaseURL, cfg.App.Title, *deletePosts)
if err := emailSender.Send(user.Email, subject, body); err != nil {
fmt.Printf("Warning: Could not send notification email to %s: %v\n", user.Email, err)
} else {
fmt.Printf("Notification email sent to %s\n", user.Email)
}
return nil
}
func userList(repo repositories.UserRepository, args []string) error {
fs := flag.NewFlagSet("user list", flag.ContinueOnError)
limit := fs.Int("limit", 0, "max number of users to list")
offset := fs.Int("offset", 0, "number of users to skip")
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
users, err := repo.GetAll(*limit, *offset)
if err != nil {
return fmt.Errorf("list users: %w", err)
}
if len(users) == 0 {
fmt.Println("No users found")
return nil
}
maxIDWidth := 2
maxUsernameWidth := 8
maxEmailWidth := 5
maxLockedWidth := 6
maxCreatedAtWidth := 10
for _, u := range users {
lockedStatus := "No"
if u.Locked {
lockedStatus = "Yes"
}
createdAtStr := u.CreatedAt.Format("2006-01-02 15:04:05")
if len(fmt.Sprintf("%d", u.ID)) > maxIDWidth {
maxIDWidth = len(fmt.Sprintf("%d", u.ID))
}
if len(u.Username) > maxUsernameWidth {
maxUsernameWidth = len(u.Username)
}
if len(u.Email) > maxEmailWidth {
maxEmailWidth = len(u.Email)
}
if len(lockedStatus) > maxLockedWidth {
maxLockedWidth = len(lockedStatus)
}
if len(createdAtStr) > maxCreatedAtWidth {
maxCreatedAtWidth = len(createdAtStr)
}
}
fmt.Printf("%-*s %-*s %-*s %-*s %s\n",
maxIDWidth, "ID",
maxUsernameWidth, "Username",
maxEmailWidth, "Email",
maxLockedWidth, "Locked",
"CreatedAt")
for _, u := range users {
lockedStatus := "No"
if u.Locked {
lockedStatus = "Yes"
}
createdAtStr := u.CreatedAt.Format("2006-01-02 15:04:05")
fmt.Printf("%-*d %-*s %-*s %-*s %s\n",
maxIDWidth, u.ID,
maxUsernameWidth, u.Username,
maxEmailWidth, u.Email,
maxLockedWidth, lockedStatus,
createdAtStr)
}
return nil
}
func userLock(cfg *config.Config, repo repositories.UserRepository, args []string) error {
fs := flag.NewFlagSet("user lock", flag.ContinueOnError)
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
if fs.NArg() == 0 {
fs.Usage()
return errors.New("user ID is required")
}
idStr := fs.Arg(0)
id, err := strconv.ParseUint(idStr, 10, 32)
if err != nil {
return fmt.Errorf("invalid user ID: %s", idStr)
}
if id == 0 {
return errors.New("user ID must be greater than 0")
}
user, err := repo.GetByID(uint(id))
if err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
return fmt.Errorf("user with ID %d not found", id)
}
return fmt.Errorf("get user: %w", err)
}
if user.Locked {
fmt.Printf("User is already locked: %s\n", user.Username)
return nil
}
if err := repo.Lock(uint(id)); err != nil {
return fmt.Errorf("lock user: %w", err)
}
fmt.Printf("User locked: %s\n", user.Username)
emailSender := services.NewSMTPSenderWithTimeout(cfg.SMTP.Host, cfg.SMTP.Port, cfg.SMTP.Username, cfg.SMTP.Password, cfg.SMTP.From, cfg.SMTP.Timeout)
subject, body := services.GenerateAccountLockNotificationEmail(user.Username, cfg.App.AdminEmail, cfg.App.Title)
if err := emailSender.Send(user.Email, subject, body); err != nil {
fmt.Printf("Warning: Could not send notification email to %s: %v\n", user.Email, err)
} else {
fmt.Printf("Notification email sent to %s\n", user.Email)
}
return nil
}
func userUnlock(cfg *config.Config, repo repositories.UserRepository, args []string) error {
fs := flag.NewFlagSet("user unlock", flag.ContinueOnError)
fs.SetOutput(os.Stderr)
if err := fs.Parse(args); err != nil {
return err
}
if fs.NArg() == 0 {
fs.Usage()
return errors.New("user ID is required")
}
idStr := fs.Arg(0)
id, err := strconv.ParseUint(idStr, 10, 32)
if err != nil {
return fmt.Errorf("invalid user ID: %s", idStr)
}
if id == 0 {
return errors.New("user ID must be greater than 0")
}
user, err := repo.GetByID(uint(id))
if err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
return fmt.Errorf("user with ID %d not found", id)
}
return fmt.Errorf("get user: %w", err)
}
if !user.Locked {
fmt.Printf("User is already unlocked: %s\n", user.Username)
return nil
}
if err := repo.Unlock(uint(id)); err != nil {
return fmt.Errorf("unlock user: %w", err)
}
fmt.Printf("User unlocked: %s\n", user.Username)
emailSender := services.NewSMTPSenderWithTimeout(cfg.SMTP.Host, cfg.SMTP.Port, cfg.SMTP.Username, cfg.SMTP.Password, cfg.SMTP.From, cfg.SMTP.Timeout)
subject, body := services.GenerateAccountUnlockNotificationEmail(user.Username, cfg.App.AdminEmail, cfg.App.BaseURL, cfg.App.Title)
if err := emailSender.Send(user.Email, subject, body); err != nil {
fmt.Printf("Warning: Could not send notification email to %s: %v\n", user.Email, err)
} else {
fmt.Printf("Notification email sent to %s\n", user.Email)
}
return nil
}
func resetUserPassword(cfg *config.Config, repo repositories.UserRepository, sessionService *services.SessionService, userID uint) error {
user, err := repo.GetByID(userID)
if err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
return fmt.Errorf("user %d not found", userID)
}
return fmt.Errorf("fetch user: %w", err)
}
tempPassword, err := generateTemporaryPassword()
if err != nil {
return fmt.Errorf("generate temporary password: %w", err)
}
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(tempPassword), bcrypt.DefaultCost)
if err != nil {
return fmt.Errorf("hash password: %w", err)
}
user.Password = string(hashedPassword)
if err := repo.Update(user); err != nil {
return fmt.Errorf("update password: %w", err)
}
if err := sessionService.InvalidateAllSessions(userID); err != nil {
return fmt.Errorf("invalidate sessions: %w", err)
}
emailSender := services.NewSMTPSenderWithTimeout(cfg.SMTP.Host, cfg.SMTP.Port, cfg.SMTP.Username, cfg.SMTP.Password, cfg.SMTP.From, cfg.SMTP.Timeout)
subject := fmt.Sprintf("Password Reset - %s", cfg.App.Title)
body := generatePasswordResetEmailBody(user.Username, tempPassword, cfg.App.BaseURL, cfg.App.AdminEmail, cfg.App.Title)
if err := emailSender.Send(user.Email, subject, body); err != nil {
return fmt.Errorf("send password reset email: %w", err)
}
fmt.Printf("Password reset for user %s: Temporary password sent to %s\n", user.Username, user.Email)
fmt.Printf("⚠️ User must change this password on next login!\n")
return nil
}
func generateTemporaryPassword() (string, error) {
const (
length = 16
chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"
)
password := make([]byte, length)
for i := range password {
num, err := rand.Int(rand.Reader, big.NewInt(int64(len(chars))))
if err != nil {
return "", err
}
password[i] = chars[num.Int64()]
}
passwordStr := string(password)
hasUpper := false
hasLower := false
hasDigit := false
hasSpecial := false
for _, char := range passwordStr {
switch {
case char >= 'A' && char <= 'Z':
hasUpper = true
case char >= 'a' && char <= 'z':
hasLower = true
case char >= '0' && char <= '9':
hasDigit = true
case strings.ContainsRune("!@#$%^&*", char):
hasSpecial = true
}
}
passwordBytes := []byte(passwordStr)
if !hasUpper {
passwordBytes[0] = 'A'
}
if !hasLower {
passwordBytes[1] = 'a'
}
if !hasDigit {
passwordBytes[2] = '1'
}
if !hasSpecial {
passwordBytes[3] = '!'
}
hasUpper = false
hasLower = false
hasDigit = false
hasSpecial = false
for _, char := range passwordBytes {
switch {
case char >= 'A' && char <= 'Z':
hasUpper = true
case char >= 'a' && char <= 'z':
hasLower = true
case char >= '0' && char <= '9':
hasDigit = true
case char == '!' || char == '@' || char == '#' || char == '$' || char == '%' || char == '^' || char == '&' || char == '*':
hasSpecial = true
}
}
if !hasUpper {
passwordBytes[4] = 'A'
}
if !hasLower {
passwordBytes[5] = 'a'
}
if !hasDigit {
passwordBytes[6] = '1'
}
if !hasSpecial {
passwordBytes[7] = '!'
}
return string(passwordBytes), nil
}
func generatePasswordResetEmailBody(username, tempPassword, baseURL, adminEmail, siteTitle string) string {
return fmt.Sprintf(`<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Password Reset - %s</title>
<style>
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;
line-height: 1.6;
color: #333;
max-width: 600px;
margin: 0 auto;
padding: 20px;
background-color: #f8fafc;
}
.email-container {
background: white;
border-radius: 12px;
padding: 40px;
box-shadow: 0 4px 6px rgba(0, 0, 0, 0.05);
border: 1px solid #e2e8f0;
}
.header {
text-align: center;
margin-bottom: 30px;
}
.logo {
font-size: 28px;
font-weight: 700;
color: #0fb9b1;
margin-bottom: 10px;
}
.title {
font-size: 24px;
font-weight: 600;
color: #1a202c;
margin: 0;
}
.content {
margin-bottom: 30px;
}
.greeting {
font-size: 16px;
margin-bottom: 20px;
color: #2d3748;
}
.message {
font-size: 16px;
margin-bottom: 30px;
color: #4a5568;
white-space: pre-line;
}
.password-box {
background: #f7fafc;
border: 2px solid #e2e8f0;
border-radius: 8px;
padding: 20px;
margin: 20px 0;
text-align: center;
}
.password-label {
font-size: 14px;
color: #718096;
margin-bottom: 10px;
}
.password-value {
font-size: 24px;
font-weight: 700;
color: #2d3748;
font-family: 'Courier New', monospace;
letter-spacing: 2px;
}
.action-button {
display: inline-block;
background: #0fb9b1;
color: white;
text-decoration: none;
padding: 12px 24px;
border-radius: 8px;
font-weight: 600;
font-size: 16px;
text-align: center;
margin: 20px 0;
transition: background-color 0.2s;
}
.action-button:hover {
background: #0ea5a0;
}
.security-notice {
background: #fef5e7;
border: 1px solid #f6ad55;
border-radius: 8px;
padding: 20px;
margin: 20px 0;
}
.security-title {
font-weight: 600;
color: #c05621;
margin-bottom: 10px;
}
.security-list {
margin: 0;
padding-left: 20px;
color: #744210;
}
.footer {
font-size: 14px;
color: #718096;
margin-top: 30px;
padding-top: 20px;
border-top: 1px solid #e2e8f0;
white-space: pre-line;
}
.link {
color: #0fb9b1;
text-decoration: none;
}
.link:hover {
text-decoration: underline;
}
@media (max-width: 600px) {
body {
padding: 10px;
}
.email-container {
padding: 20px;
}
.title {
font-size: 20px;
}
}
</style>
</head>
<body>
<div class="email-container">
<div class="header">
<div class="logo">%s</div>
<h1 class="title">Password Reset - Temporary Password</h1>
</div>
<div class="content">
<div class="greeting">Hello %s,</div>
<div class="message">Your password has been reset by an administrator.
A temporary password has been generated for your account.</div>
<div class="password-box">
<div class="password-label">Your temporary password is:</div>
<div class="password-value">%s</div>
</div>
<div class="security-notice">
<div class="security-title">IMPORTANT SECURITY NOTICE:</div>
<ul class="security-list">
<li>You MUST change this password immediately after logging in</li>
<li>This temporary password will expire and should not be used long-term</li>
<li>Do not share this password with anyone</li>
<li>If you did not request this password reset, contact support immediately</li>
</ul>
</div>
<div style="text-align: center;">
<a href="%s/login" class="action-button">Login to %s</a>
</div>
<div class="message">To change your password:
1. Log in to your account using the temporary password above
2. Go to your account settings
3. Change your password to a new, secure password</div>
</div>
<div class="footer">
If you have any questions or concerns, please <a href="mailto:%s" class="link">contact our support team</a>.<br>
Best regards,<br>
The %s Team
</div>
<div class="powered-by" style="text-align: center; margin-top: 30px; padding-top: 20px; border-top: 1px solid #e2e8f0; font-size: 12px; color: #718096;">
Powered with ❤️ by <a href="https://goyco" style="color: #0fb9b1; text-decoration: none;">Goyco</a>
</div>
</div>
</body>
</html>`, siteTitle, siteTitle, username, tempPassword, baseURL, siteTitle, adminEmail, siteTitle)
}

801
cmd/goyco/commands/user_test.go Normal file
View File

@@ -0,0 +1,801 @@
package commands
import (
"errors"
"strings"
"testing"
"time"
"goyco/internal/config"
"goyco/internal/database"
"goyco/internal/services"
"goyco/internal/testutils"
)
func TestHandleUserCommand(t *testing.T) {
cfg := testutils.NewTestConfig()
t.Run("help requested", func(t *testing.T) {
err := HandleUserCommand(cfg, "user", []string{"--help"})
if err != nil {
t.Errorf("unexpected error for help: %v", err)
}
})
}
func TestRunUserCommand(t *testing.T) {
cfg := testutils.NewTestConfig()
mockRepo := testutils.NewMockUserRepository()
t.Run("missing subcommand", func(t *testing.T) {
mockRefreshRepo := &mockRefreshTokenRepo{}
err := runUserCommand(cfg, mockRepo, mockRefreshRepo, []string{})
if err == nil {
t.Error("expected error for missing subcommand")
}
if err.Error() != "missing user subcommand" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("unknown subcommand", func(t *testing.T) {
mockRefreshRepo := &mockRefreshTokenRepo{}
err := runUserCommand(cfg, mockRepo, mockRefreshRepo, []string{"unknown"})
if err == nil {
t.Error("expected error for unknown subcommand")
}
expectedErr := "unknown user subcommand: unknown"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("help subcommand", func(t *testing.T) {
mockRefreshRepo := &mockRefreshTokenRepo{}
err := runUserCommand(cfg, mockRepo, mockRefreshRepo, []string{"help"})
if err != nil {
t.Errorf("unexpected error for help: %v", err)
}
})
}
func TestUserCreate(t *testing.T) {
cfg := testutils.NewTestConfig()
t.Run("successful creation", func(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
err := userCreate(cfg, mockRepo, []string{
"--username", "testuser",
"--email", "test@example.com",
"--password", "StrongPass123!",
})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("missing username", func(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
err := userCreate(cfg, mockRepo, []string{
"--email", "test@example.com",
"--password", "StrongPass123!",
})
if err == nil {
t.Error("expected error for missing username")
}
if err.Error() != "username, email, and password are required" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("missing email", func(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
err := userCreate(cfg, mockRepo, []string{
"--username", "testuser",
"--password", "StrongPass123!",
})
if err == nil {
t.Error("expected error for missing email")
}
if err.Error() != "username, email, and password are required" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("missing password", func(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
err := userCreate(cfg, mockRepo, []string{
"--username", "testuser",
"--email", "test@example.com",
})
if err == nil {
t.Error("expected error for missing password")
}
if err.Error() != "username, email, and password are required" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("password too short", func(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
err := userCreate(cfg, mockRepo, []string{
"--username", "testuser",
"--email", "test@example.com",
"--password", "short",
})
if err == nil {
t.Error("expected error for short password")
}
if !strings.Contains(err.Error(), "password must be at least 8 characters") {
t.Errorf("expected password length error, got: %v", err)
}
})
t.Run("missing username value", func(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
err := userCreate(cfg, mockRepo, []string{
"--username",
"--email", "test@example.com",
"--password", "StrongPass123!",
})
if err == nil {
t.Error("expected error for missing username value")
}
})
t.Run("missing email value", func(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
err := userCreate(cfg, mockRepo, []string{
"--username", "testuser",
"--email",
"--password", "StrongPass123!",
})
if err == nil {
t.Error("expected error for missing email value")
}
})
t.Run("missing password value", func(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
err := userCreate(cfg, mockRepo, []string{
"--username", "testuser",
"--email", "test@example.com",
"--password",
})
if err == nil {
t.Error("expected error for missing password value")
}
})
t.Run("unknown flag", func(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
err := userCreate(cfg, mockRepo, []string{
"--username", "testuser",
"--email", "test@example.com",
"--password", "StrongPass123!",
"--unknown-flag",
})
if err == nil {
t.Error("expected error for unknown flag")
}
})
t.Run("duplicate flag", func(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
err := userCreate(cfg, mockRepo, []string{
"--username", "testuser",
"--email", "test@example.com",
"--password", "StrongPass123!",
"--username", "duplicate",
})
if err != nil {
if !strings.Contains(err.Error(), "required") && !strings.Contains(err.Error(), "validation") {
t.Errorf("unexpected error type: %v", err)
}
}
})
}
func TestUserUpdate(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
testUser := &database.User{
Username: "testuser",
Email: "test@example.com",
Password: "hashedpassword",
}
_ = mockRepo.Create(testUser)
t.Run("successful update username", func(t *testing.T) {
cfg := &config.Config{}
mockRefreshRepo := &mockRefreshTokenRepo{}
err := userUpdate(cfg, mockRepo, mockRefreshRepo, []string{
"1",
"--username", "newusername",
})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("successful update email", func(t *testing.T) {
cfg := &config.Config{}
mockRefreshRepo := &mockRefreshTokenRepo{}
err := userUpdate(cfg, mockRepo, mockRefreshRepo, []string{
"1",
"--email", "newemail@example.com",
})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("successful update password", func(t *testing.T) {
cfg := testutils.NewTestConfig()
mockRefreshRepo := &mockRefreshTokenRepo{}
err := userUpdate(cfg, mockRepo, mockRefreshRepo, []string{
"1",
"--password", "NewStrongPass123!",
})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("missing id", func(t *testing.T) {
cfg := &config.Config{}
mockRefreshRepo := &mockRefreshTokenRepo{}
err := userUpdate(cfg, mockRepo, mockRefreshRepo, []string{})
if err == nil {
t.Error("expected error for missing id")
}
if err.Error() != "user ID is required" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("invalid id", func(t *testing.T) {
cfg := &config.Config{}
mockRefreshRepo := &mockRefreshTokenRepo{}
err := userUpdate(cfg, mockRepo, mockRefreshRepo, []string{
"0",
"--username", "newusername",
})
if err == nil {
t.Error("expected error for invalid id")
}
if err.Error() != "user ID must be greater than 0" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("user not found", func(t *testing.T) {
cfg := &config.Config{}
mockRefreshRepo := &mockRefreshTokenRepo{}
err := userUpdate(cfg, mockRepo, mockRefreshRepo, []string{
"999",
"--username", "newusername",
})
if err == nil {
t.Error("expected error for non-existent user")
}
expectedErr := "user 999 not found"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("password too short", func(t *testing.T) {
cfg := &config.Config{}
mockRefreshRepo := &mockRefreshTokenRepo{}
err := userUpdate(cfg, mockRepo, mockRefreshRepo, []string{
"1",
"--password", "short",
})
if err == nil {
t.Error("expected error for short password")
}
if !strings.Contains(err.Error(), "password must be at least 8 characters") {
t.Errorf("expected password length error, got: %v", err)
}
})
}
func TestUserDelete(t *testing.T) {
cfg := testutils.NewTestConfig()
mockRepo := testutils.NewMockUserRepository()
testUser := &database.User{
Username: "testuser",
Email: "test@example.com",
Password: "hashedpassword",
}
_ = mockRepo.Create(testUser)
t.Run("successful delete (keep posts)", func(t *testing.T) {
err := userDelete(cfg, mockRepo, []string{"1"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("successful delete with posts", func(t *testing.T) {
testUser2 := &database.User{
Username: "testuser2",
Email: "test2@example.com",
Password: "hashedpassword",
}
_ = mockRepo.Create(testUser2)
err := userDelete(cfg, mockRepo, []string{"2", "--with-posts"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("missing id", func(t *testing.T) {
err := userDelete(cfg, mockRepo, []string{})
if err == nil {
t.Error("expected error for missing id")
}
if err.Error() != "user ID is required" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("invalid id", func(t *testing.T) {
err := userDelete(cfg, mockRepo, []string{"0"})
if err == nil {
t.Error("expected error for invalid id")
}
if err.Error() != "user ID must be greater than 0" {
t.Errorf("expected specific error, got: %v", err)
}
})
t.Run("user not found", func(t *testing.T) {
err := userDelete(cfg, mockRepo, []string{"999"})
if err == nil {
t.Error("expected error for non-existent user")
}
if !strings.Contains(err.Error(), "not found") {
t.Errorf("expected 'not found' error, got: %v", err)
}
})
t.Run("user already deleted", func(t *testing.T) {
freshMockRepo := testutils.NewMockUserRepository()
testUser := &database.User{
Username: "deleteduser",
Email: "deleted@example.com",
Password: "hashedpassword",
}
_ = freshMockRepo.Create(testUser)
err := userDelete(cfg, freshMockRepo, []string{"1"})
if err != nil {
t.Errorf("unexpected error on first deletion: %v", err)
}
err = userDelete(cfg, freshMockRepo, []string{"1"})
if err == nil {
t.Error("expected error for already deleted user")
}
if !strings.Contains(err.Error(), "not found") {
t.Errorf("expected 'not found' error, got: %v", err)
}
})
}
func TestUserList(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
testUsers := []*database.User{
{
Username: "user1",
Email: "user1@example.com",
Password: "password1",
CreatedAt: time.Now().Add(-2 * time.Hour),
},
{
Username: "user2",
Email: "user2@example.com",
Password: "password2",
CreatedAt: time.Now().Add(-1 * time.Hour),
},
}
for _, user := range testUsers {
_ = mockRepo.Create(user)
}
t.Run("list all users", func(t *testing.T) {
err := userList(mockRepo, []string{})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("list with limit", func(t *testing.T) {
err := userList(mockRepo, []string{"--limit", "1"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("list with offset", func(t *testing.T) {
err := userList(mockRepo, []string{"--offset", "1"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("list with all filters", func(t *testing.T) {
err := userList(mockRepo, []string{"--limit", "1", "--offset", "0"})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("empty result", func(t *testing.T) {
emptyRepo := testutils.NewMockUserRepository()
err := userList(emptyRepo, []string{})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("repository error", func(t *testing.T) {
mockRepo.GetErr = errors.New("database error")
err := userList(mockRepo, []string{})
if err == nil {
t.Error("expected error from repository")
}
expectedErr := "list users: database error"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("invalid limit type", func(t *testing.T) {
err := userList(mockRepo, []string{"--limit", "abc"})
if err == nil {
t.Error("expected error for invalid limit type")
}
})
t.Run("invalid offset type", func(t *testing.T) {
err := userList(mockRepo, []string{"--offset", "xyz"})
if err == nil {
t.Error("expected error for invalid offset type")
}
})
t.Run("unknown flag", func(t *testing.T) {
err := userList(mockRepo, []string{"--unknown-flag"})
if err == nil {
t.Error("expected error for unknown flag")
}
})
t.Run("missing limit value", func(t *testing.T) {
err := userList(mockRepo, []string{"--limit"})
if err == nil {
t.Error("expected error for missing limit value")
}
})
t.Run("missing offset value", func(t *testing.T) {
err := userList(mockRepo, []string{"--offset"})
if err == nil {
t.Error("expected error for missing offset value")
}
})
}
func TestCheckUsernameAvailable(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
testUser := &database.User{
Username: "existinguser",
Email: "test@example.com",
Password: "password",
}
_ = mockRepo.Create(testUser)
t.Run("username available", func(t *testing.T) {
err := checkUsernameAvailable(mockRepo, "newuser", 0)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("username taken by different user", func(t *testing.T) {
err := checkUsernameAvailable(mockRepo, "existinguser", 2)
if err == nil {
t.Error("expected error for taken username")
}
expectedErr := "username existinguser is already taken"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("username taken by same user (should be ok)", func(t *testing.T) {
err := checkUsernameAvailable(mockRepo, "existinguser", 1)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
}
func TestCheckEmailAvailable(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
testUser := &database.User{
Username: "testuser",
Email: "existing@example.com",
Password: "password",
}
_ = mockRepo.Create(testUser)
t.Run("email available", func(t *testing.T) {
err := checkEmailAvailable(mockRepo, "new@example.com", 0)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
t.Run("email taken by different user", func(t *testing.T) {
err := checkEmailAvailable(mockRepo, "existing@example.com", 2)
if err == nil {
t.Error("expected error for taken email")
}
expectedErr := "email existing@example.com is already registered"
if err.Error() != expectedErr {
t.Errorf("expected error %q, got %q", expectedErr, err.Error())
}
})
t.Run("email taken by same user (should be ok)", func(t *testing.T) {
err := checkEmailAvailable(mockRepo, "existing@example.com", 1)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
})
}
func TestGenerateTemporaryPassword(t *testing.T) {
for range 10 {
password, err := generateTemporaryPassword()
if err != nil {
t.Fatalf("generateTemporaryPassword() error = %v", err)
}
if len(password) != 16 {
t.Errorf("Password length = %d, want 16", len(password))
}
hasUpper := false
hasLower := false
hasDigit := false
hasSpecial := false
for _, char := range password {
switch {
case char >= 'A' && char <= 'Z':
hasUpper = true
case char >= 'a' && char <= 'z':
hasLower = true
case char >= '0' && char <= '9':
hasDigit = true
case char == '!' || char == '@' || char == '#' || char == '$' || char == '%' || char == '^' || char == '&' || char == '*':
hasSpecial = true
}
}
if !hasUpper {
t.Errorf("Password %s missing uppercase letter", password)
}
if !hasLower {
t.Errorf("Password %s missing lowercase letter", password)
}
if !hasDigit {
t.Errorf("Password %s missing digit", password)
}
if !hasSpecial {
t.Errorf("Password %s missing special character", password)
}
}
}
func TestGenerateTemporaryPassword_Uniqueness(t *testing.T) {
passwords := make(map[string]bool)
for range 100 {
password, err := generateTemporaryPassword()
if err != nil {
t.Fatalf("generateTemporaryPassword() error = %v", err)
}
if passwords[password] {
t.Errorf("Duplicate password generated: %s", password)
}
passwords[password] = true
}
}
func TestResetUserPassword_WithoutEmail(t *testing.T) {
tempPassword, err := generateTemporaryPassword()
if err != nil {
t.Fatalf("generateTemporaryPassword() error = %v", err)
}
if len(tempPassword) != 16 {
t.Errorf("Password length = %d, want 16", len(tempPassword))
}
hasUpper := false
hasLower := false
hasDigit := false
hasSpecial := false
for _, char := range tempPassword {
switch {
case char >= 'A' && char <= 'Z':
hasUpper = true
case char >= 'a' && char <= 'z':
hasLower = true
case char >= '0' && char <= '9':
hasDigit = true
case char == '!' || char == '@' || char == '#' || char == '$' || char == '%' || char == '^' || char == '&' || char == '*':
hasSpecial = true
}
}
if !hasUpper {
t.Error("Password missing uppercase letter")
}
if !hasLower {
t.Error("Password missing lowercase letter")
}
if !hasDigit {
t.Error("Password missing digit")
}
if !hasSpecial {
t.Error("Password missing special character")
}
}
type mockRefreshTokenRepo struct{}
func (m *mockRefreshTokenRepo) Create(token *database.RefreshToken) error { return nil }
func (m *mockRefreshTokenRepo) GetByTokenHash(tokenHash string) (*database.RefreshToken, error) {
return nil, nil
}
func (m *mockRefreshTokenRepo) DeleteByUserID(userID uint) error { return nil }
func (m *mockRefreshTokenRepo) DeleteExpired() error { return nil }
func (m *mockRefreshTokenRepo) DeleteByID(id uint) error { return nil }
func (m *mockRefreshTokenRepo) GetByUserID(userID uint) ([]database.RefreshToken, error) {
return nil, nil
}
func (m *mockRefreshTokenRepo) CountByUserID(userID uint) (int64, error) { return 0, nil }
func TestResetUserPassword_UserNotFound(t *testing.T) {
mockRepo := testutils.NewMockUserRepository()
mockRefreshRepo := &mockRefreshTokenRepo{}
cfg := &config.Config{
JWT: config.JWTConfig{Secret: "test-secret", Expiration: 24},
}
jwtService := services.NewJWTService(&cfg.JWT, mockRepo, mockRefreshRepo)
mockSessionService := services.NewSessionService(jwtService, mockRepo)
err := resetUserPassword(cfg, mockRepo, mockSessionService, 999)
if err == nil {
t.Error("Expected error for non-existent user, got nil")
}
expectedError := "user 999 not found"
if err.Error() != expectedError {
t.Errorf("Expected error '%s', got '%s'", expectedError, err.Error())
}
}
func TestGeneratePasswordResetEmailBody(t *testing.T) {
username := "testuser"
title := "Test Title"
tempPassword := "TempPass123!"
baseURL := "https://example.com"
adminEmail := "admin@example.com"
body := generatePasswordResetEmailBody(username, tempPassword, baseURL, adminEmail, title)
if !strings.Contains(body, username) {
t.Error("Email body does not contain username")
}
if !strings.Contains(body, tempPassword) {
t.Error("Email body does not contain temporary password")
}
if !strings.Contains(body, baseURL) {
t.Error("Email body does not contain base URL")
}
if !strings.Contains(body, "IMPORTANT SECURITY NOTICE") {
t.Error("Email body does not contain security notice")
}
if !strings.Contains(body, "<!DOCTYPE html>") {
t.Error("Email body is not HTML")
}
if !strings.Contains(body, "mailto:"+adminEmail) {
t.Error("Email body does not contain admin contact link")
}
}

208
cmd/goyco/fuzz_test.go Normal file
View File

@@ -0,0 +1,208 @@
package main
import (
"flag"
"fmt"
"os"
"strings"
"testing"
"unicode/utf8"
"goyco/cmd/goyco/commands"
"goyco/internal/config"
"goyco/internal/testutils"
"gorm.io/gorm"
)
func FuzzCLIArgs(f *testing.F) {
f.Add("")
f.Add("run")
f.Add("--help")
f.Add("user list")
f.Add("post search")
f.Add("migrate")
f.Fuzz(func(t *testing.T, input string) {
if !isValidUTF8(input) {
return
}
if len(input) > 1000 {
input = input[:1000]
}
args := strings.Fields(input)
if len(args) == 0 {
return
}
fs := flag.NewFlagSet("goyco", flag.ContinueOnError)
fs.SetOutput(os.Stderr)
fs.Usage = printRootUsage
showHelp := fs.Bool("help", false, "show this help message")
err := fs.Parse(args)
if err != nil {
if !strings.Contains(err.Error(), "flag") && !strings.Contains(err.Error(), "help") {
t.Logf("Unexpected error format from flag parsing: %v", err)
}
}
if *showHelp && err != nil {
return
}
remaining := fs.Args()
if len(remaining) > 0 {
cmdName := remaining[0]
if len(cmdName) == 0 {
t.Fatal("Command name cannot be empty")
}
if !isValidUTF8(cmdName) {
t.Fatal("Command name must be valid UTF-8")
}
}
})
}
func FuzzCommandDispatch(f *testing.F) {
cfg := testutils.NewTestConfig()
setRunServer(func(_ *config.Config, _ bool) error {
return nil
})
defer setRunServer(runServerImpl)
originalRunServer := runServerImpl
commands.SetRunServer(func(_ *config.Config, _ bool) error {
return nil
})
defer commands.SetRunServer(originalRunServer)
commands.SetDaemonize(func() (int, error) {
return 999, nil
})
defer commands.SetDaemonize(nil)
commands.SetSetupDaemonLogging(func(_ *config.Config, _ string) error {
return nil
})
defer commands.SetSetupDaemonLogging(nil)
commands.SetDBConnector(func(_ *config.Config) (*gorm.DB, func() error, error) {
return nil, nil, fmt.Errorf("database connection disabled in fuzzer")
})
defer commands.SetDBConnector(nil)
daemonCommands := map[string]bool{
"start": true,
"stop": true,
"status": true,
}
f.Add("run")
f.Add("help")
f.Add("user")
f.Add("post")
f.Add("migrate")
f.Add("unknown_command")
f.Add("--help")
f.Add("-h")
f.Fuzz(func(t *testing.T, input string) {
if !isValidUTF8(input) {
return
}
parts := strings.Fields(input)
if len(parts) == 0 {
return
}
cmdName := parts[0]
args := parts[1:]
if daemonCommands[cmdName] {
return
}
err := dispatchCommand(cfg, cmdName, args)
knownCommands := map[string]bool{
"run": true, "user": true, "post": true, "prune": true, "migrate": true,
"migrations": true, "seed": true, "help": true, "-h": true, "--help": true,
}
if knownCommands[cmdName] {
if err != nil && !strings.Contains(err.Error(), cmdName) {
t.Logf("Known command %q returned unexpected error: %v", cmdName, err)
}
} else {
if err == nil {
t.Fatalf("Unknown command %q should return an error", cmdName)
}
if !strings.Contains(err.Error(), cmdName) {
t.Fatalf("Error for unknown command should contain command name: %v", err)
}
}
})
}
func FuzzRunCommandHandler(f *testing.F) {
cfg := testutils.NewTestConfig()
setRunServer(func(_ *config.Config, _ bool) error {
return nil
})
defer setRunServer(runServerImpl)
f.Add("")
f.Add("--help")
f.Add("extra arg")
f.Add("--invalid")
f.Fuzz(func(t *testing.T, input string) {
if !isValidUTF8(input) {
return
}
args := strings.Fields(input)
err := handleRunCommand(cfg, args)
if len(args) > 0 && args[0] == "--help" {
if err != nil {
t.Logf("Help flag should not error, got: %v", err)
}
} else if len(args) > 0 {
if err == nil {
return
}
errMsg := err.Error()
if strings.Contains(errMsg, "flag provided but not defined") ||
strings.Contains(errMsg, "failed to parse") {
return
}
if !strings.Contains(errMsg, "unexpected arguments") {
t.Logf("Got error (may be acceptable for server setup): %v", err)
}
} else {
if err != nil && strings.Contains(err.Error(), "unexpected arguments") {
t.Fatalf("Empty args should not trigger 'unexpected arguments' error: %v", err)
}
}
})
}
func isValidUTF8(s string) bool {
for _, r := range s {
if r == utf8.RuneError {
return false
}
}
return true
}

136
cmd/goyco/main.go Normal file
View File

@@ -0,0 +1,136 @@
// @title Goyco API
// @version 0.1.0
// @description Goyco is a Y Combinator-style news aggregation platform API.
// @contact.name Goyco Team
// @contact.email sandro@cazzaniga.fr
// @license.name GPLv3
// @license.url https://www.gnu.org/licenses/gpl-3.0.html
// @host localhost:8080
// @schemes http
// @BasePath /api
package main
import (
"errors"
"flag"
"fmt"
"log"
"os"
"goyco/cmd/goyco/commands"
"goyco/docs"
"goyco/internal/config"
"goyco/internal/version"
)
func main() {
loadDotEnv()
commands.SetRunServer(runServerImpl)
if len(os.Args) > 1 && os.Args[len(os.Args)-1] == "--daemon" {
args := os.Args[1 : len(os.Args)-1]
if err := commands.RunDaemonProcessDirect(args); err != nil {
log.Fatalf("daemon error: %v", err)
}
return
}
if err := run(os.Args[1:]); err != nil {
log.Fatalf("error: %v", err)
}
}
func run(args []string) error {
cfg, err := config.Load()
if err != nil {
return fmt.Errorf("load configuration: %w", err)
}
validator := commands.NewConfigValidator(nil)
if err := validator.ValidateConfiguration(cfg); err != nil {
return fmt.Errorf("configuration validation failed: %w", err)
}
docs.SwaggerInfo.Title = fmt.Sprintf("%s API", cfg.App.Title)
docs.SwaggerInfo.Description = "Y Combinator-style news board API."
docs.SwaggerInfo.Version = version.Version
docs.SwaggerInfo.BasePath = "/api"
docs.SwaggerInfo.Host = fmt.Sprintf("%s:%s", cfg.Server.Host, cfg.Server.Port)
docs.SwaggerInfo.Schemes = []string{"http"}
if cfg.Server.EnableTLS {
docs.SwaggerInfo.Schemes = append(docs.SwaggerInfo.Schemes, "https")
}
rootFS := flag.NewFlagSet("goyco", flag.ContinueOnError)
rootFS.SetOutput(os.Stderr)
rootFS.Usage = printRootUsage
showHelp := rootFS.Bool("help", false, "show this help message")
if err := rootFS.Parse(args); err != nil {
if errors.Is(err, flag.ErrHelp) {
return nil
}
return fmt.Errorf("failed to parse arguments: %w", err)
}
if *showHelp {
printRootUsage()
return nil
}
remaining := rootFS.Args()
if len(remaining) == 0 {
printRootUsage()
return nil
}
return dispatchCommand(cfg, remaining[0], remaining[1:])
}
func dispatchCommand(cfg *config.Config, name string, args []string) error {
switch name {
case "run":
return handleRunCommand(cfg, args)
case "start":
return commands.HandleStartCommand(cfg, args)
case "stop":
return commands.HandleStopCommand(cfg, args)
case "status":
return commands.HandleStatusCommand(cfg, name, args)
case "user":
return commands.HandleUserCommand(cfg, name, args)
case "post":
return commands.HandlePostCommand(cfg, name, args)
case "prune":
return commands.HandlePruneCommand(cfg, name, args)
case "migrate", "migrations":
return commands.HandleMigrateCommand(cfg, name, args)
case "seed":
return commands.HandleSeedCommand(cfg, name, args)
case "help", "-h", "--help":
printRootUsage()
return nil
default:
printRootUsage()
return fmt.Errorf("unknown command: %s", name)
}
}
func handleRunCommand(cfg *config.Config, args []string) error {
fs := newFlagSet("run", printRunUsage)
if err := parseCommand(fs, args, "run"); err != nil {
if errors.Is(err, commands.ErrHelpRequested) {
return nil
}
return err
}
if fs.NArg() > 0 {
printRunUsage()
return errors.New("unexpected arguments for run command")
}
return runServer(cfg, false)
}

149
cmd/goyco/server.go Normal file
View File

@@ -0,0 +1,149 @@
package main
import (
"crypto/tls"
"fmt"
"log"
"net/http"
"goyco/cmd/goyco/commands"
"goyco/internal/config"
"goyco/internal/database"
"goyco/internal/handlers"
"goyco/internal/middleware"
"goyco/internal/repositories"
"goyco/internal/server"
"goyco/internal/services"
_ "goyco/docs"
)
func runServerImpl(cfg *config.Config, daemon bool) error {
if daemon {
if err := commands.SetupDaemonLogging(cfg, cfg.LogDir); err != nil {
return fmt.Errorf("setup daemon logging: %w", err)
}
}
dbMonitor := middleware.NewInMemoryDBMonitor()
poolManager, err := database.ConnectWithPool(cfg)
if err != nil {
return fmt.Errorf("connect to database: %w", err)
}
defer func() {
middleware.StopAllRateLimiters()
if err := poolManager.Close(); err != nil {
log.Printf("Error closing database pool: %v", err)
}
}()
db := poolManager.GetDB()
if err := database.Migrate(db); err != nil {
return fmt.Errorf("run migrations: %w", err)
}
if monitor := dbMonitor; monitor != nil {
monitoringPlugin := database.NewGormDBMonitor(monitor)
if err := db.Use(monitoringPlugin); err != nil {
return fmt.Errorf("failed to add monitoring plugin: %w", err)
}
}
voteRepository := repositories.NewVoteRepository(db)
postRepository := repositories.NewPostRepository(db)
userRepository := repositories.NewUserRepository(db)
deletionRepository := repositories.NewAccountDeletionRepository(db)
refreshTokenRepository := repositories.NewRefreshTokenRepository(db)
emailSender := services.NewSMTPSender(cfg.SMTP.Host, cfg.SMTP.Port, cfg.SMTP.Username, cfg.SMTP.Password, cfg.SMTP.From)
emailService, err := services.NewEmailService(cfg, emailSender)
if err != nil {
return fmt.Errorf("create email service: %w", err)
}
jwtService := services.NewJWTService(&cfg.JWT, userRepository, refreshTokenRepository)
registrationService := services.NewRegistrationService(userRepository, emailService, cfg)
passwordResetService := services.NewPasswordResetService(userRepository, emailService)
deletionService := services.NewAccountDeletionService(userRepository, postRepository, deletionRepository, emailService)
sessionService := services.NewSessionService(jwtService, userRepository)
userManagementService := services.NewUserManagementService(userRepository, postRepository, emailService)
authFacade := services.NewAuthFacade(
registrationService,
passwordResetService,
deletionService,
sessionService,
userManagementService,
cfg,
)
voteService := services.NewVoteService(voteRepository, postRepository, db)
voteHandler := handlers.NewVoteHandler(voteService)
metadataService := services.NewURLMetadataService()
postHandler := handlers.NewPostHandler(postRepository, metadataService, voteService)
userHandler := handlers.NewUserHandler(userRepository, authFacade)
authHandler := handlers.NewAuthHandler(authFacade, userRepository)
apiHandler := handlers.NewAPIHandlerWithMonitoring(cfg, postRepository, userRepository, voteService, db, dbMonitor)
pageHandler, err := handlers.NewPageHandler("./internal/templates", authFacade, postRepository, voteService, userRepository, metadataService, cfg)
if err != nil {
return fmt.Errorf("load templates: %w", err)
}
router := server.NewRouter(server.RouterConfig{
AuthHandler: authHandler,
PostHandler: postHandler,
VoteHandler: voteHandler,
UserHandler: userHandler,
APIHandler: apiHandler,
AuthService: authFacade,
PageHandler: pageHandler,
StaticDir: "./internal/static/",
Debug: cfg.App.Debug,
DBMonitor: dbMonitor,
RateLimitConfig: cfg.RateLimit,
})
serverAddr := cfg.Server.Host + ":" + cfg.Server.Port
log.Printf("Server starting on %s", serverAddr)
srv := &http.Server{
Addr: serverAddr,
Handler: router,
ReadTimeout: cfg.Server.ReadTimeout,
WriteTimeout: cfg.Server.WriteTimeout,
IdleTimeout: cfg.Server.IdleTimeout,
MaxHeaderBytes: cfg.Server.MaxHeaderBytes,
}
if cfg.Server.EnableTLS {
log.Printf("TLS enabled")
srv.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
},
}
return srv.ListenAndServeTLS(cfg.Server.TLSCertFile, cfg.Server.TLSKeyFile)
}
log.Printf("WARNING: Server is running on plain HTTP. Enable TLS for production use.")
return srv.ListenAndServe()
}
var runServer = runServerImpl
func setRunServer(fn func(cfg *config.Config, daemon bool) error) {
runServer = fn
}

393
cmd/goyco/server_test.go Normal file
View File

@@ -0,0 +1,393 @@
package main
import (
"crypto/tls"
"errors"
"flag"
"net/http"
"net/http/httptest"
"os"
"testing"
"time"
"goyco/internal/config"
"goyco/internal/database"
"goyco/internal/handlers"
"goyco/internal/repositories"
"goyco/internal/server"
"goyco/internal/services"
"goyco/internal/testutils"
)
func TestServerConfigurationFromConfig(t *testing.T) {
cfg := testutils.NewTestConfig()
cfg.Server.ReadTimeout = 30 * time.Second
cfg.Server.WriteTimeout = 30 * time.Second
cfg.Server.IdleTimeout = 120 * time.Second
cfg.Server.MaxHeaderBytes = 1 << 20
db := testutils.NewTestDB(t)
defer func() {
sqlDB, _ := db.DB()
_ = sqlDB.Close()
}()
userRepo := repositories.NewUserRepository(db)
postRepo := repositories.NewPostRepository(db)
voteRepo := repositories.NewVoteRepository(db)
deletionRepo := repositories.NewAccountDeletionRepository(db)
refreshTokenRepo := repositories.NewRefreshTokenRepository(db)
emailSender := &testutils.MockEmailSender{}
authService, err := services.NewAuthFacadeForTest(cfg, userRepo, postRepo, deletionRepo, refreshTokenRepo, emailSender)
if err != nil {
t.Fatalf("Failed to create auth service: %v", err)
}
voteService := services.NewVoteService(voteRepo, postRepo, db)
metadataService := services.NewURLMetadataService()
authHandler := handlers.NewAuthHandler(authService, userRepo)
postHandler := handlers.NewPostHandler(postRepo, metadataService, voteService)
voteHandler := handlers.NewVoteHandler(voteService)
userHandler := handlers.NewUserHandler(userRepo, authService)
apiHandler := handlers.NewAPIHandler(cfg, postRepo, userRepo, voteService)
router := server.NewRouter(server.RouterConfig{
AuthHandler: authHandler,
PostHandler: postHandler,
VoteHandler: voteHandler,
UserHandler: userHandler,
APIHandler: apiHandler,
AuthService: authService,
StaticDir: "./internal/static/",
Debug: cfg.App.Debug,
DisableCache: true,
DisableCompression: true,
RateLimitConfig: cfg.RateLimit,
})
srv := &http.Server{
Addr: cfg.Server.Host + ":" + cfg.Server.Port,
Handler: router,
ReadTimeout: cfg.Server.ReadTimeout,
WriteTimeout: cfg.Server.WriteTimeout,
IdleTimeout: cfg.Server.IdleTimeout,
MaxHeaderBytes: cfg.Server.MaxHeaderBytes,
}
if srv.ReadTimeout != 30*time.Second {
t.Errorf("Expected ReadTimeout to be 30s, got %v", srv.ReadTimeout)
}
if srv.WriteTimeout != 30*time.Second {
t.Errorf("Expected WriteTimeout to be 30s, got %v", srv.WriteTimeout)
}
if srv.IdleTimeout != 120*time.Second {
t.Errorf("Expected IdleTimeout to be 120s, got %v", srv.IdleTimeout)
}
if srv.MaxHeaderBytes != 1<<20 {
t.Errorf("Expected MaxHeaderBytes to be 1MB, got %d", srv.MaxHeaderBytes)
}
testServer := httptest.NewServer(srv.Handler)
defer testServer.Close()
resp, err := http.Get(testServer.URL + "/health")
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer func() {
_ = resp.Body.Close()
}()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected status 200, got %d", resp.StatusCode)
}
}
func TestTLSWiringFromConfig(t *testing.T) {
cfg := testutils.NewTestConfig()
cfg.Server.EnableTLS = true
cfg.Server.TLSCertFile = "/tmp/nonexistent-cert.pem"
cfg.Server.TLSKeyFile = "/tmp/nonexistent-key.pem"
db := testutils.NewTestDB(t)
defer func() {
sqlDB, _ := db.DB()
_ = sqlDB.Close()
}()
userRepo := repositories.NewUserRepository(db)
postRepo := repositories.NewPostRepository(db)
voteRepo := repositories.NewVoteRepository(db)
deletionRepo := repositories.NewAccountDeletionRepository(db)
refreshTokenRepo := repositories.NewRefreshTokenRepository(db)
emailSender := &testutils.MockEmailSender{}
authService, err := services.NewAuthFacadeForTest(cfg, userRepo, postRepo, deletionRepo, refreshTokenRepo, emailSender)
if err != nil {
t.Fatalf("Failed to create auth service: %v", err)
}
voteService := services.NewVoteService(voteRepo, postRepo, db)
metadataService := services.NewURLMetadataService()
authHandler := handlers.NewAuthHandler(authService, userRepo)
postHandler := handlers.NewPostHandler(postRepo, metadataService, voteService)
voteHandler := handlers.NewVoteHandler(voteService)
userHandler := handlers.NewUserHandler(userRepo, authService)
apiHandler := handlers.NewAPIHandler(cfg, postRepo, userRepo, voteService)
router := server.NewRouter(server.RouterConfig{
AuthHandler: authHandler,
PostHandler: postHandler,
VoteHandler: voteHandler,
UserHandler: userHandler,
APIHandler: apiHandler,
AuthService: authService,
StaticDir: "./internal/static/",
Debug: cfg.App.Debug,
DisableCache: true,
DisableCompression: true,
RateLimitConfig: cfg.RateLimit,
})
expectedAddr := cfg.Server.Host + ":" + cfg.Server.Port
srv := &http.Server{
Addr: expectedAddr,
Handler: router,
}
if srv.Addr != expectedAddr {
t.Errorf("Expected server address to be %q, got %q", expectedAddr, srv.Addr)
}
if cfg.Server.EnableTLS {
srv.TLSConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
},
}
if srv.TLSConfig == nil {
t.Error("Expected TLS config to be set")
}
if srv.TLSConfig.MinVersion < tls.VersionTLS12 {
t.Error("Expected minimum TLS version to be 1.2 or higher")
}
if len(srv.TLSConfig.CipherSuites) == 0 {
t.Error("Expected cipher suites to be configured")
}
testServer := httptest.NewUnstartedServer(srv.Handler)
testServer.TLS = srv.TLSConfig
testServer.StartTLS()
defer testServer.Close()
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
},
}
resp, err := client.Get(testServer.URL + "/health")
if err != nil {
t.Fatalf("Failed to make TLS request: %v", err)
}
defer func() {
_ = resp.Body.Close()
}()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected status 200 over TLS, got %d", resp.StatusCode)
}
if resp.TLS == nil {
t.Error("Expected TLS connection info to be present in response")
} else {
if resp.TLS.Version < tls.VersionTLS12 {
t.Errorf("Expected TLS version 1.2 or higher, got %x", resp.TLS.Version)
}
}
}
}
func TestConfigLoadingInCLI(t *testing.T) {
originalEnv := os.Environ()
defer func() {
os.Clearenv()
for _, env := range originalEnv {
parts := splitEnv(env)
if len(parts) == 2 {
_ = os.Setenv(parts[0], parts[1])
}
}
}()
os.Clearenv()
_ = os.Setenv("DB_PASSWORD", "test-password-123")
_ = os.Setenv("SMTP_HOST", "smtp.example.com")
_ = os.Setenv("SMTP_FROM", "test@example.com")
_ = os.Setenv("ADMIN_EMAIL", "admin@example.com")
_ = os.Setenv("JWT_SECRET", "test-jwt-secret-key-that-is-long-enough-for-validation")
cfg, err := config.Load()
if err != nil {
t.Fatalf("Failed to load config: %v", err)
}
if cfg.Server.Port == "" {
t.Error("Expected server port to be set")
}
if cfg.Database.Host == "" {
t.Error("Expected database host to be set")
}
}
func TestFlagParsingInCLI(t *testing.T) {
originalArgs := os.Args
defer func() {
os.Args = originalArgs
}()
t.Run("help flag", func(t *testing.T) {
os.Args = []string{"goyco", "--help"}
fs := flag.NewFlagSet("goyco", flag.ContinueOnError)
fs.SetOutput(os.Stderr)
showHelp := fs.Bool("help", false, "show help")
err := fs.Parse([]string{"--help"})
if err != nil && !errors.Is(err, flag.ErrHelp) {
t.Errorf("Expected help flag parsing, got error: %v", err)
}
if !*showHelp {
t.Error("Expected help flag to be true")
}
})
t.Run("command dispatch", func(t *testing.T) {
cfg := testutils.NewTestConfig()
err := dispatchCommand(cfg, "unknown", []string{})
if err == nil {
t.Error("Expected error for unknown command")
}
err = dispatchCommand(cfg, "help", []string{})
if err != nil {
t.Errorf("Help command should not error: %v", err)
}
})
}
func TestServerInitializationFlow(t *testing.T) {
cfg := testutils.NewTestConfig()
cfg.Server.Port = "0"
db := testutils.NewTestDB(t)
defer func() {
sqlDB, _ := db.DB()
_ = sqlDB.Close()
}()
if err := database.Migrate(db); err != nil {
t.Fatalf("Failed to run migrations: %v", err)
}
userRepo := repositories.NewUserRepository(db)
postRepo := repositories.NewPostRepository(db)
voteRepo := repositories.NewVoteRepository(db)
deletionRepo := repositories.NewAccountDeletionRepository(db)
refreshTokenRepo := repositories.NewRefreshTokenRepository(db)
emailSender := &testutils.MockEmailSender{}
authService, err := services.NewAuthFacadeForTest(cfg, userRepo, postRepo, deletionRepo, refreshTokenRepo, emailSender)
if err != nil {
t.Fatalf("Failed to create auth service: %v", err)
}
voteService := services.NewVoteService(voteRepo, postRepo, db)
metadataService := services.NewURLMetadataService()
authHandler := handlers.NewAuthHandler(authService, userRepo)
postHandler := handlers.NewPostHandler(postRepo, metadataService, voteService)
voteHandler := handlers.NewVoteHandler(voteService)
userHandler := handlers.NewUserHandler(userRepo, authService)
apiHandler := handlers.NewAPIHandler(cfg, postRepo, userRepo, voteService)
router := server.NewRouter(server.RouterConfig{
AuthHandler: authHandler,
PostHandler: postHandler,
VoteHandler: voteHandler,
UserHandler: userHandler,
APIHandler: apiHandler,
AuthService: authService,
StaticDir: "./internal/static/",
Debug: cfg.App.Debug,
DisableCache: true,
DisableCompression: true,
RateLimitConfig: cfg.RateLimit,
})
srv := &http.Server{
Addr: cfg.Server.Host + ":" + cfg.Server.Port,
Handler: router,
ReadTimeout: cfg.Server.ReadTimeout,
WriteTimeout: cfg.Server.WriteTimeout,
IdleTimeout: cfg.Server.IdleTimeout,
MaxHeaderBytes: cfg.Server.MaxHeaderBytes,
}
if srv.Handler == nil {
t.Error("Expected server handler to be set")
}
testServer := httptest.NewServer(srv.Handler)
defer testServer.Close()
resp, err := http.Get(testServer.URL + "/health")
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer func() {
_ = resp.Body.Close()
}()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected status 200, got %d", resp.StatusCode)
}
resp, err = http.Get(testServer.URL + "/api")
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer func() {
_ = resp.Body.Close()
}()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected status 200 for API endpoint, got %d", resp.StatusCode)
}
}
func splitEnv(env string) []string {
for i := 0; i < len(env); i++ {
if env[i] == '=' {
return []string{env[:i], env[i+1:]}
}
}
return []string{env}
}

29
docker/compose.dependencies.yml Normal file
View File

@@ -0,0 +1,29 @@
services:
db:
image: postgres:17-alpine
restart: unless-stopped
env_file:
- ../.env
environment:
POSTGRES_USER: ${DB_USER:-goyco}
POSTGRES_PASSWORD: ${DB_PASSWORD:-goyco}
POSTGRES_DB: ${DB_NAME:-goyco}
healthcheck:
test: ["CMD-SHELL", "pg_isready -U goyco -d goyco"]
interval: 10s
timeout: 5s
retries: 5
volumes:
- pgdata:/var/lib/postgresql/data
ports:
- "5432:5432"
mail:
image: axllent/mailpit:latest
restart: unless-stopped
ports:
- "1025:1025"
- "8025:8025"
volumes:
pgdata:

55
docker/compose.prod.yml Normal file
View File

@@ -0,0 +1,55 @@
services:
app:
image: goyco:latest
depends_on:
db:
condition: service_healthy
env_file:
- ../.env
environment:
DB_HOST: db
DB_PORT: ${DB_PORT:-5432}
DB_USER: ${DB_USER:-goyco}
DB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD is required}
DB_NAME: ${DB_NAME:?DB_NAME is required}
DB_SSLMODE: ${DB_SSLMODE:-disable}
JWT_SECRET: ${JWT_SECRET:?JWT_SECRET is required}
JWT_EXPIRATION: ${JWT_EXPIRATION:-24}
SERVER_HOST: ${SERVER_HOST:-0.0.0.0}
SERVER_PORT: ${SERVER_PORT:-8080}
SMTP_HOST: ${SMTP_HOST:?SMTP_HOST is required}
SMTP_PORT: ${SMTP_PORT:-857}
SMTP_USERNAME: ${SMTP_USERNAME:-}
SMTP_PASSWORD: ${SMTP_PASSWORD:-}
SMTP_FROM: ${SMTP_FROM:?SMTP_FROM is required}
APP_BASE_URL: ${APP_BASE_URL:-http://127.0.0.1:8080}
ports:
- "8080:8080"
restart: always
networks:
- goyco
db:
image: postgres:17-alpine
restart: always
env_file:
- ../.env
environment:
POSTGRES_USER: ${DB_USER:?DB_USER is required}
POSTGRES_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD is required}
POSTGRES_DB: ${DB_NAME:?DB_NAME is required}
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${DB_USER} -d ${DB_NAME}"]
interval: 10s
timeout: 5s
retries: 5
volumes:
- pgdata:/var/lib/postgresql/data
networks:
- goyco
volumes:
pgdata:
networks:
goyco:

2127
docs/docs.go Normal file
View File

File diff suppressed because it is too large Load Diff

1892
docs/swagger.json Normal file
View File

File diff suppressed because it is too large Load Diff

1408
docs/swagger.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

49
go.mod Normal file
View File

@@ -0,0 +1,49 @@
module goyco
go 1.25.4
require (
github.com/go-chi/chi/v5 v5.2.3
github.com/golang-jwt/jwt/v5 v5.3.0
github.com/jackc/pgconn v1.14.3
github.com/joho/godotenv v1.5.1
github.com/lib/pq v1.10.9
github.com/mattn/go-sqlite3 v1.14.32
github.com/stretchr/testify v1.11.1
github.com/swaggo/http-swagger v1.3.4
github.com/swaggo/swag v1.16.6
golang.org/x/crypto v0.43.0
golang.org/x/net v0.46.0
gorm.io/driver/postgres v1.6.0
gorm.io/driver/sqlite v1.6.0
gorm.io/gorm v1.31.1
)
require (
github.com/KyleBanks/depth v1.2.1 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/spec v0.20.6 // indirect
github.com/go-openapi/swag v0.19.15 // indirect
github.com/jackc/chunkreader/v2 v2.0.1 // indirect
github.com/jackc/pgio v1.0.0 // indirect
github.com/jackc/pgpassfile v1.0.0 // indirect
github.com/jackc/pgproto3/v2 v2.3.3 // indirect
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
github.com/jackc/pgx/v5 v5.6.0 // indirect
github.com/jackc/puddle/v2 v2.2.2 // indirect
github.com/jinzhu/inflection v1.0.0 // indirect
github.com/jinzhu/now v1.1.5 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/mailru/easyjson v0.7.6 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/rogpeppe/go-internal v1.14.1 // indirect
github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe // indirect
golang.org/x/mod v0.28.0 // indirect
golang.org/x/sync v0.17.0 // indirect
golang.org/x/text v0.30.0 // indirect
golang.org/x/tools v0.37.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

118
go.sum Normal file
View File

@@ -0,0 +1,118 @@
github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA=
github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
github.com/go-openapi/spec v0.20.6 h1:ich1RQ3WDbfoeTqTAb+5EIxNmpKVJZWBNah9RAT0jIQ=
github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=
github.com/jackc/chunkreader/v2 v2.0.1/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
github.com/jackc/pgconn v1.14.3 h1:bVoTr12EGANZz66nZPkMInAV/KHD2TxH9npjXXgiB3w=
github.com/jackc/pgconn v1.14.3/go.mod h1:RZbme4uasqzybK2RK5c65VsHxoyaml09lx3tXOcO/VM=
github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65 h1:DadwsjnMwFjfWc9y5Wi/+Zz7xoE5ALHsRQlOctkOiHc=
github.com/jackc/pgmock v0.0.0-20210724152146-4ad1a8207f65/go.mod h1:5R2h2EEX+qri8jOWMbJCtaPWkrrNc7OHwsp2TCqp7ak=
github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
github.com/jackc/pgproto3/v2 v2.3.3 h1:1HLSx5H+tXR9pW3in3zaztoEwQYRC9SQaYUHjTSUOag=
github.com/jackc/pgproto3/v2 v2.3.3/go.mod h1:WfJCnwN3HIg9Ish/j3sgWXnAfK8A9Y0bwXYU5xKaEdA=
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
github.com/jackc/pgx/v5 v5.6.0 h1:SWJzexBzPL5jb0GEsrPMLIsi/3jOo7RHlzTjcAeDrPY=
github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgtQdTw=
github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe h1:K8pHPVoTgxFJt1lXuIzzOX7zZhZFldJQK/CgKx9BFIc=
github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe/go.mod h1:lKJPbtWzJ9JhsTN1k1gZgleJWY/cqq0psdoMmaThG3w=
github.com/swaggo/http-swagger v1.3.4 h1:q7t/XLx0n15H1Q9/tk3Y9L4n210XzJF5WtnDX64a5ww=
github.com/swaggo/http-swagger v1.3.4/go.mod h1:9dAh0unqMBAlbp1uE2Uc2mQTxNMU/ha4UbucIg1MFkQ=
github.com/swaggo/swag v1.16.6 h1:qBNcx53ZaX+M5dxVyTrgQ0PJ/ACK+NzhwcbieTt+9yI=
github.com/swaggo/swag v1.16.6/go.mod h1:ngP2etMK5a0P3QBizic5MEwpRmluJZPHjXcMoj4Xesg=
golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=
gorm.io/driver/sqlite v1.6.0/go.mod h1:AO9V1qIQddBESngQUKWL9yoH93HIeA1X6V633rBwyT8=
gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=

318
internal/config/config.go Normal file
View File

@@ -0,0 +1,318 @@
package config
import (
"fmt"
"os"
"strconv"
"strings"
"time"
)
type Config struct {
Database DatabaseConfig
Server ServerConfig
JWT JWTConfig
SMTP SMTPConfig
App AppConfig
RateLimit RateLimitConfig
LogDir string
PIDDir string
}
type DatabaseConfig struct {
Host string
Port string
User string
Password string
Name string
SSLMode string
}
type ServerConfig struct {
Port string
Host string
ReadTimeout time.Duration
WriteTimeout time.Duration
IdleTimeout time.Duration
MaxHeaderBytes int
EnableTLS bool
TLSCertFile string
TLSKeyFile string
}
type JWTConfig struct {
Secret string
Expiration int
RefreshExpiration int
Issuer string
Audience string
KeyRotation KeyRotationConfig
}
type KeyRotationConfig struct {
Enabled bool
CurrentKey string
PreviousKey string
KeyID string
}
type SMTPConfig struct {
Host string
Port int
Username string
Password string
From string
Timeout time.Duration
}
type AppConfig struct {
BaseURL string
Debug bool
AdminEmail string
BcryptCost int
Title string
}
type RateLimitConfig struct {
AuthLimit int
GeneralLimit int
HealthLimit int
MetricsLimit int
TrustProxyHeaders bool
}
func Load() (*Config, error) {
config := &Config{
Database: DatabaseConfig{
Host: getEnv("DB_HOST", "localhost"),
Port: getEnv("DB_PORT", "5432"),
User: getEnv("DB_USER", "postgres"),
Password: getEnv("DB_PASSWORD", ""),
Name: getEnv("DB_NAME", "goyco"),
SSLMode: getEnv("DB_SSLMODE", "disable"),
},
Server: ServerConfig{
Port: getEnv("SERVER_PORT", "8080"),
Host: getEnv("SERVER_HOST", "0.0.0.0"),
ReadTimeout: time.Duration(getEnvAsInt("SERVER_READ_TIMEOUT", 30)) * time.Second,
WriteTimeout: time.Duration(getEnvAsInt("SERVER_WRITE_TIMEOUT", 30)) * time.Second,
IdleTimeout: time.Duration(getEnvAsInt("SERVER_IDLE_TIMEOUT", 120)) * time.Second,
MaxHeaderBytes: getEnvAsInt("SERVER_MAX_HEADER_BYTES", 1<<20),
EnableTLS: getEnvAsBool("SERVER_ENABLE_TLS", false),
TLSCertFile: getEnv("SERVER_TLS_CERT_FILE", ""),
TLSKeyFile: getEnv("SERVER_TLS_KEY_FILE", ""),
},
JWT: JWTConfig{
Secret: getEnv("JWT_SECRET", "your-secret-key"),
Expiration: getEnvAsInt("JWT_EXPIRATION", 1),
RefreshExpiration: getEnvAsInt("JWT_REFRESH_EXPIRATION", 168),
Issuer: getEnv("JWT_ISSUER", "goyco"),
Audience: getEnv("JWT_AUDIENCE", "goyco-users"),
KeyRotation: KeyRotationConfig{
Enabled: getEnvAsBool("JWT_KEY_ROTATION_ENABLED", false),
CurrentKey: getEnv("JWT_CURRENT_KEY", ""),
PreviousKey: getEnv("JWT_PREVIOUS_KEY", ""),
KeyID: getEnv("JWT_KEY_ID", "default"),
},
},
SMTP: SMTPConfig{
Host: getEnv("SMTP_HOST", ""),
Port: getEnvAsInt("SMTP_PORT", 587),
Username: getEnv("SMTP_USERNAME", ""),
Password: getEnv("SMTP_PASSWORD", ""),
From: getEnv("SMTP_FROM", ""),
Timeout: time.Duration(getEnvAsInt("SMTP_TIMEOUT", 30)) * time.Second,
},
App: AppConfig{
BaseURL: getEnv("APP_BASE_URL", ""),
Debug: getEnvAsBool("DEBUG", false),
AdminEmail: getEnv("ADMIN_EMAIL", ""),
BcryptCost: getEnvAsInt("BCRYPT_COST", 10),
Title: getEnv("TITLE", "Goyco"),
},
RateLimit: RateLimitConfig{
AuthLimit: getEnvAsInt("RATE_LIMIT_AUTH", 5),
GeneralLimit: getEnvAsInt("RATE_LIMIT_GENERAL", 100),
HealthLimit: getEnvAsInt("RATE_LIMIT_HEALTH", 60),
MetricsLimit: getEnvAsInt("RATE_LIMIT_METRICS", 10),
TrustProxyHeaders: getEnvAsBool("RATE_LIMIT_TRUST_PROXY", false),
},
LogDir: getEnv("LOG_DIR", "/var/log/"),
PIDDir: getEnv("PID_DIR", "/run"),
}
if config.App.BaseURL == "" {
config.App.BaseURL = fmt.Sprintf("http://%s:%s", config.Server.Host, config.Server.Port)
}
if config.Database.Password == "" {
return nil, fmt.Errorf("DB_PASSWORD is required")
}
if strings.TrimSpace(config.SMTP.Host) == "" {
return nil, fmt.Errorf("SMTP_HOST is required")
}
if config.SMTP.Port <= 0 {
return nil, fmt.Errorf("SMTP_PORT must be greater than 0")
}
if strings.TrimSpace(config.SMTP.From) == "" {
return nil, fmt.Errorf("SMTP_FROM is required")
}
if strings.TrimSpace(config.App.AdminEmail) == "" {
return nil, fmt.Errorf("ADMIN_EMAIL is required")
}
if config.Server.EnableTLS {
if strings.TrimSpace(config.Server.TLSCertFile) == "" {
return nil, fmt.Errorf("SERVER_TLS_CERT_FILE is required when SERVER_ENABLE_TLS is true")
}
if strings.TrimSpace(config.Server.TLSKeyFile) == "" {
return nil, fmt.Errorf("SERVER_TLS_KEY_FILE is required when SERVER_ENABLE_TLS is true")
}
}
if err := validateJWTConfig(&config.JWT); err != nil {
return nil, err
}
if err := validateAppConfig(&config.App); err != nil {
return nil, err
}
return config, nil
}
func (c *Config) GetConnectionString() string {
return fmt.Sprintf("host=%s port=%s user=%s password=%s dbname=%s sslmode=%s client_encoding=UTF8",
c.Database.Host,
c.Database.Port,
c.Database.User,
c.Database.Password,
c.Database.Name,
c.Database.SSLMode,
)
}
func getEnv(key, defaultValue string) string {
if value := os.Getenv(key); value != "" {
return value
}
return defaultValue
}
func getEnvAsInt(key string, defaultValue int) int {
if value := os.Getenv(key); value != "" {
if intValue, err := strconv.Atoi(value); err == nil {
return intValue
}
}
return defaultValue
}
func getEnvAsBool(key string, defaultValue bool) bool {
if value := os.Getenv(key); value != "" {
if boolValue, err := strconv.ParseBool(value); err == nil {
return boolValue
}
}
return defaultValue
}
func validateJWTConfig(jwt *JWTConfig) error {
if err := validateJWTSecret(jwt.Secret); err != nil {
return err
}
if strings.TrimSpace(jwt.Issuer) == "" {
return fmt.Errorf("JWT_ISSUER is required and cannot be empty")
}
if strings.TrimSpace(jwt.Audience) == "" {
return fmt.Errorf("JWT_AUDIENCE is required and cannot be empty")
}
if jwt.Expiration <= 0 {
return fmt.Errorf("JWT_EXPIRATION must be greater than 0")
}
if jwt.RefreshExpiration <= 0 {
return fmt.Errorf("JWT_REFRESH_EXPIRATION must be greater than 0")
}
if jwt.RefreshExpiration <= jwt.Expiration {
return fmt.Errorf("JWT_REFRESH_EXPIRATION must be greater than JWT_EXPIRATION")
}
if jwt.KeyRotation.Enabled {
if strings.TrimSpace(jwt.KeyRotation.CurrentKey) == "" {
return fmt.Errorf("JWT_CURRENT_KEY is required when key rotation is enabled")
}
if err := validateJWTSecret(jwt.KeyRotation.CurrentKey); err != nil {
return fmt.Errorf("JWT_CURRENT_KEY validation failed: %w", err)
}
if jwt.KeyRotation.PreviousKey != "" {
if err := validateJWTSecret(jwt.KeyRotation.PreviousKey); err != nil {
return fmt.Errorf("JWT_PREVIOUS_KEY validation failed: %w", err)
}
}
if strings.TrimSpace(jwt.KeyRotation.KeyID) == "" {
return fmt.Errorf("JWT_KEY_ID is required when key rotation is enabled")
}
}
return nil
}
func validateJWTSecret(secret string) error {
trimmed := strings.TrimSpace(secret)
if trimmed == "" {
return fmt.Errorf("JWT secret is required and cannot be empty")
}
invalidSecrets := []string{
"your-secret-key",
"secret",
"jwt-secret",
"my-secret",
"change-me",
"default-secret",
"123456",
"password",
"admin",
"test",
"development",
"production",
"staging",
}
for _, invalid := range invalidSecrets {
if strings.EqualFold(trimmed, invalid) {
return fmt.Errorf("JWT secret cannot be a placeholder value like %q - please set a secure, random secret", invalid)
}
}
if len(trimmed) < 32 {
return fmt.Errorf("JWT secret must be at least 32 characters long for security (current length: %d)", len(trimmed))
}
return nil
}
func validateAppConfig(app *AppConfig) error {
if app.BcryptCost < 10 {
return fmt.Errorf("BCRYPT_COST must be at least 10 for security (current: %d)", app.BcryptCost)
}
if app.BcryptCost > 14 {
return fmt.Errorf("BCRYPT_COST must be at most 14 to avoid performance issues (current: %d)", app.BcryptCost)
}
return nil
}

997
internal/config/config_test.go Normal file
View File

@@ -0,0 +1,997 @@
package config
import (
"os"
"strconv"
"strings"
"testing"
"time"
)
func TestLoadSuccess(t *testing.T) {
t.Setenv("DB_HOST", "db.example.com")
t.Setenv("DB_PORT", "5439")
t.Setenv("DB_USER", "goyco")
t.Setenv("DB_PASSWORD", "super-secret")
t.Setenv("DB_NAME", "goycodb")
t.Setenv("DB_SSLMODE", "require")
t.Setenv("SERVER_PORT", "9090")
t.Setenv("SERVER_HOST", "127.0.0.1")
t.Setenv("JWT_SECRET", "this-is-a-very-secure-jwt-secret-key-that-is-long-enough")
t.Setenv("JWT_EXPIRATION", "12")
t.Setenv("SMTP_HOST", "smtp.example.com")
t.Setenv("SMTP_PORT", "2525")
t.Setenv("SMTP_USERNAME", "mailer")
t.Setenv("SMTP_PASSWORD", "mail-secret")
t.Setenv("SMTP_FROM", "no-reply@example.com")
t.Setenv("APP_BASE_URL", "https://goyco.example.com")
t.Setenv("ADMIN_EMAIL", "admin@example.com")
t.Setenv("TITLE", "My Custom Site")
cfg, err := Load()
if err != nil {
t.Fatalf("Load returned error: %v", err)
}
if cfg.Database.Host != "db.example.com" || cfg.Database.Port != "5439" || cfg.Database.User != "goyco" {
t.Fatalf("unexpected database config: %+v", cfg.Database)
}
if cfg.Database.Password != "super-secret" || cfg.Database.Name != "goycodb" || cfg.Database.SSLMode != "require" {
t.Fatalf("unexpected database credentials: %+v", cfg.Database)
}
if cfg.Server.Port != "9090" || cfg.Server.Host != "127.0.0.1" {
t.Fatalf("unexpected server config: %+v", cfg.Server)
}
if cfg.JWT.Secret != "this-is-a-very-secure-jwt-secret-key-that-is-long-enough" {
t.Fatalf("unexpected jwt secret: %q", cfg.JWT.Secret)
}
if cfg.JWT.Expiration != 12 {
t.Fatalf("expected JWT expiration 12, got %d", cfg.JWT.Expiration)
}
if cfg.SMTP.Host != "smtp.example.com" || cfg.SMTP.Port != 2525 {
t.Fatalf("unexpected smtp host/port: %+v", cfg.SMTP)
}
if cfg.SMTP.Username != "mailer" || cfg.SMTP.Password != "mail-secret" || cfg.SMTP.From != "no-reply@example.com" {
t.Fatalf("unexpected smtp credentials: %+v", cfg.SMTP)
}
if cfg.App.BaseURL != "https://goyco.example.com" {
t.Fatalf("expected base url to be overridden, got %q", cfg.App.BaseURL)
}
if cfg.App.Title != "My Custom Site" {
t.Fatalf("expected title to be 'My Custom Site', got %q", cfg.App.Title)
}
}
func TestLoadMissingPassword(t *testing.T) {
t.Setenv("DB_PASSWORD", "")
t.Setenv("SMTP_HOST", "smtp.example.com")
t.Setenv("SMTP_PORT", "2525")
t.Setenv("SMTP_FROM", "no-reply@example.com")
if _, err := Load(); err == nil {
t.Fatalf("expected error when DB_PASSWORD is missing")
}
}
func TestLoadDefaultBaseURL(t *testing.T) {
t.Setenv("DB_PASSWORD", "pw")
t.Setenv("SMTP_HOST", "smtp.example.com")
t.Setenv("SMTP_PORT", "2525")
t.Setenv("SMTP_FROM", "no-reply@example.com")
t.Setenv("JWT_SECRET", "this-is-a-very-secure-jwt-secret-key-that-is-long-enough")
t.Setenv("ADMIN_EMAIL", "admin@example.com")
cfg, err := Load()
if err != nil {
t.Fatalf("expected load to succeed, got %v", err)
}
if cfg.App.BaseURL != "http://0.0.0.0:8080" {
t.Fatalf("expected default base url http://0.0.0.0:8080, got %q", cfg.App.BaseURL)
}
if cfg.App.Title != "Goyco" {
t.Fatalf("expected default title to be 'Goyco', got %q", cfg.App.Title)
}
}
func TestConfigGetConnectionString(t *testing.T) {
cfg := &Config{
Database: DatabaseConfig{
Host: "db",
Port: "5432",
User: "user",
Password: "pass",
Name: "dbname",
SSLMode: "disable",
},
}
got := cfg.GetConnectionString()
expected := "host=db port=5432 user=user password=pass dbname=dbname sslmode=disable client_encoding=UTF8"
if got != expected {
t.Fatalf("expected connection string %q, got %q", expected, got)
}
}
func TestGetEnv(t *testing.T) {
const key = "CONFIG_TEST_ENV"
t.Setenv(key, "value")
if got := getEnv(key, "default"); got != "value" {
t.Fatalf("expected %q, got %q", "value", got)
}
if got := getEnv(key+"_MISSING", "fallback"); got != "fallback" {
t.Fatalf("expected fallback value, got %q", got)
}
}
func TestGetEnvAsInt(t *testing.T) {
const key = "CONFIG_TEST_INT"
t.Setenv(key, "42")
if got := getEnvAsInt(key, 1); got != 42 {
t.Fatalf("expected 42, got %d", got)
}
t.Setenv(key, "not-a-number")
if got := getEnvAsInt(key, 5); got != 5 {
t.Fatalf("expected default 5 when invalid int, got %d", got)
}
t.Setenv(key, "")
if got := getEnvAsInt(key, 7); got != 7 {
t.Fatalf("expected default 7 when env empty, got %d", got)
}
}
func TestValidateJWTSecret(t *testing.T) {
tests := []struct {
name string
secret string
expectError bool
errorMsg string
}{
{
name: "valid long secret",
secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
expectError: false,
},
{
name: "valid secret with special chars",
secret: "MyV3ry$ecure&JWT!Secret#Key@2024-With-Special-Chars",
expectError: false,
},
{
name: "empty secret",
secret: "",
expectError: true,
errorMsg: "JWT secret is required and cannot be empty",
},
{
name: "whitespace only secret",
secret: " ",
expectError: true,
errorMsg: "JWT secret is required and cannot be empty",
},
{
name: "too short secret",
secret: "short",
expectError: true,
errorMsg: "JWT secret must be at least 32 characters long for security",
},
{
name: "default placeholder secret",
secret: "your-secret-key",
expectError: true,
errorMsg: "JWT secret cannot be a placeholder value like \"your-secret-key\"",
},
{
name: "common placeholder secret",
secret: "secret",
expectError: true,
errorMsg: "JWT secret cannot be a placeholder value like \"secret\"",
},
{
name: "test placeholder secret",
secret: "test",
expectError: true,
errorMsg: "JWT secret cannot be a placeholder value like \"test\"",
},
{
name: "development placeholder secret",
secret: "development",
expectError: true,
errorMsg: "JWT secret cannot be a placeholder value like \"development\"",
},
{
name: "case insensitive placeholder",
secret: "SECRET",
expectError: true,
errorMsg: "JWT secret cannot be a placeholder value like \"secret\"",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validateJWTSecret(tt.secret)
if tt.expectError {
if err == nil {
t.Fatalf("expected error for secret %q, got nil", tt.secret)
}
if tt.errorMsg != "" && !strings.Contains(err.Error(), tt.errorMsg) {
t.Fatalf("expected error message to contain %q, got %q", tt.errorMsg, err.Error())
}
} else {
if err != nil {
t.Fatalf("unexpected error for secret %q: %v", tt.secret, err)
}
}
})
}
}
func TestLoadWithInvalidJWTSecret(t *testing.T) {
t.Setenv("DB_PASSWORD", "password")
t.Setenv("SMTP_HOST", "smtp.example.com")
t.Setenv("SMTP_PORT", "2525")
t.Setenv("SMTP_FROM", "no-reply@example.com")
t.Setenv("ADMIN_EMAIL", "admin@example.com")
t.Setenv("JWT_SECRET", "your-secret-key")
_, err := Load()
if err == nil {
t.Fatal("expected error when JWT_SECRET is placeholder value")
}
if !strings.Contains(err.Error(), "your-secret-key") {
t.Fatalf("expected error message to mention placeholder value, got: %v", err)
}
}
func TestValidateJWTConfig(t *testing.T) {
tests := []struct {
name string
config JWTConfig
expectError bool
errorMsg string
}{
{
name: "valid config",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: "goyco-users",
},
expectError: false,
},
{
name: "empty issuer",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 24,
Issuer: "",
Audience: "goyco-users",
},
expectError: true,
errorMsg: "JWT_ISSUER is required and cannot be empty",
},
{
name: "whitespace only issuer",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 24,
Issuer: " ",
Audience: "goyco-users",
},
expectError: true,
errorMsg: "JWT_ISSUER is required and cannot be empty",
},
{
name: "empty audience",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: "",
},
expectError: true,
errorMsg: "JWT_AUDIENCE is required and cannot be empty",
},
{
name: "whitespace only audience",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: " ",
},
expectError: true,
errorMsg: "JWT_AUDIENCE is required and cannot be empty",
},
{
name: "zero expiration",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 0,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: "goyco-users",
},
expectError: true,
errorMsg: "JWT_EXPIRATION must be greater than 0",
},
{
name: "negative expiration",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: -1,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: "goyco-users",
},
expectError: true,
errorMsg: "JWT_EXPIRATION must be greater than 0",
},
{
name: "zero refresh expiration",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 0,
Issuer: "goyco",
Audience: "goyco-users",
},
expectError: true,
errorMsg: "JWT_REFRESH_EXPIRATION must be greater than 0",
},
{
name: "negative refresh expiration",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: -1,
Issuer: "goyco",
Audience: "goyco-users",
},
expectError: true,
errorMsg: "JWT_REFRESH_EXPIRATION must be greater than 0",
},
{
name: "refresh expiration not greater than access expiration",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 24,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: "goyco-users",
},
expectError: true,
errorMsg: "JWT_REFRESH_EXPIRATION must be greater than JWT_EXPIRATION",
},
{
name: "refresh expiration less than access expiration",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 24,
RefreshExpiration: 12,
Issuer: "goyco",
Audience: "goyco-users",
},
expectError: true,
errorMsg: "JWT_REFRESH_EXPIRATION must be greater than JWT_EXPIRATION",
},
{
name: "key rotation enabled but no current key",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: "goyco-users",
KeyRotation: KeyRotationConfig{
Enabled: true,
CurrentKey: "",
PreviousKey: "",
KeyID: "test-key",
},
},
expectError: true,
errorMsg: "JWT_CURRENT_KEY is required when key rotation is enabled",
},
{
name: "key rotation enabled but no key ID",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: "goyco-users",
KeyRotation: KeyRotationConfig{
Enabled: true,
CurrentKey: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
PreviousKey: "",
KeyID: "",
},
},
expectError: true,
errorMsg: "JWT_KEY_ID is required when key rotation is enabled",
},
{
name: "key rotation enabled with invalid current key",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: "goyco-users",
KeyRotation: KeyRotationConfig{
Enabled: true,
CurrentKey: "short",
PreviousKey: "",
KeyID: "test-key",
},
},
expectError: true,
errorMsg: "JWT_CURRENT_KEY validation failed",
},
{
name: "key rotation enabled with invalid previous key",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: "goyco-users",
KeyRotation: KeyRotationConfig{
Enabled: true,
CurrentKey: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
PreviousKey: "short",
KeyID: "test-key",
},
},
expectError: true,
errorMsg: "JWT_PREVIOUS_KEY validation failed",
},
{
name: "valid key rotation config",
config: JWTConfig{
Secret: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
Expiration: 1,
RefreshExpiration: 24,
Issuer: "goyco",
Audience: "goyco-users",
KeyRotation: KeyRotationConfig{
Enabled: true,
CurrentKey: "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
PreviousKey: "this-is-another-very-secure-jwt-secret-key-that-is-long-enough",
KeyID: "test-key",
},
},
expectError: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validateJWTConfig(&tt.config)
if tt.expectError {
if err == nil {
t.Fatalf("expected error for config %+v, got nil", tt.config)
}
if tt.errorMsg != "" && !strings.Contains(err.Error(), tt.errorMsg) {
t.Fatalf("expected error message to contain %q, got %q", tt.errorMsg, err.Error())
}
} else {
if err != nil {
t.Fatalf("unexpected error for config %+v: %v", tt.config, err)
}
}
})
}
}
func TestLoadWithInvalidJWTConfig(t *testing.T) {
tests := []struct {
name string
envVars map[string]string
expectError bool
errorMsg string
}{
{
name: "whitespace only issuer",
envVars: map[string]string{
"DB_PASSWORD": "password",
"SMTP_HOST": "smtp.example.com",
"SMTP_PORT": "2525",
"SMTP_FROM": "no-reply@example.com",
"ADMIN_EMAIL": "admin@example.com",
"JWT_SECRET": "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
"JWT_ISSUER": " ",
"JWT_AUDIENCE": "goyco-users",
"JWT_EXPIRATION": "1",
"JWT_REFRESH_EXPIRATION": "24",
},
expectError: true,
errorMsg: "JWT_ISSUER is required and cannot be empty",
},
{
name: "whitespace only audience",
envVars: map[string]string{
"DB_PASSWORD": "password",
"SMTP_HOST": "smtp.example.com",
"SMTP_PORT": "2525",
"SMTP_FROM": "no-reply@example.com",
"ADMIN_EMAIL": "admin@example.com",
"JWT_SECRET": "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
"JWT_ISSUER": "goyco",
"JWT_AUDIENCE": " ",
"JWT_EXPIRATION": "1",
"JWT_REFRESH_EXPIRATION": "24",
},
expectError: true,
errorMsg: "JWT_AUDIENCE is required and cannot be empty",
},
{
name: "zero expiration",
envVars: map[string]string{
"DB_PASSWORD": "password",
"SMTP_HOST": "smtp.example.com",
"SMTP_PORT": "2525",
"SMTP_FROM": "no-reply@example.com",
"ADMIN_EMAIL": "admin@example.com",
"JWT_SECRET": "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
"JWT_ISSUER": "goyco",
"JWT_AUDIENCE": "goyco-users",
"JWT_EXPIRATION": "0",
"JWT_REFRESH_EXPIRATION": "24",
},
expectError: true,
errorMsg: "JWT_EXPIRATION must be greater than 0",
},
{
name: "refresh expiration not greater than access expiration",
envVars: map[string]string{
"DB_PASSWORD": "password",
"SMTP_HOST": "smtp.example.com",
"SMTP_PORT": "2525",
"SMTP_FROM": "no-reply@example.com",
"ADMIN_EMAIL": "admin@example.com",
"JWT_SECRET": "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
"JWT_ISSUER": "goyco",
"JWT_AUDIENCE": "goyco-users",
"JWT_EXPIRATION": "24",
"JWT_REFRESH_EXPIRATION": "24",
},
expectError: true,
errorMsg: "JWT_REFRESH_EXPIRATION must be greater than JWT_EXPIRATION",
},
{
name: "key rotation enabled but no current key",
envVars: map[string]string{
"DB_PASSWORD": "password",
"SMTP_HOST": "smtp.example.com",
"SMTP_PORT": "2525",
"SMTP_FROM": "no-reply@example.com",
"ADMIN_EMAIL": "admin@example.com",
"JWT_SECRET": "this-is-a-very-secure-jwt-secret-key-that-is-long-enough",
"JWT_ISSUER": "goyco",
"JWT_AUDIENCE": "goyco-users",
"JWT_EXPIRATION": "1",
"JWT_REFRESH_EXPIRATION": "24",
"JWT_KEY_ROTATION_ENABLED": "true",
"JWT_CURRENT_KEY": "",
"JWT_KEY_ID": "test-key",
},
expectError: true,
errorMsg: "JWT_CURRENT_KEY is required when key rotation is enabled",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
envVars := []string{
"JWT_SECRET", "JWT_ISSUER", "JWT_AUDIENCE", "JWT_EXPIRATION", "JWT_REFRESH_EXPIRATION",
"JWT_KEY_ROTATION_ENABLED", "JWT_CURRENT_KEY", "JWT_PREVIOUS_KEY", "JWT_KEY_ID",
}
for _, envVar := range envVars {
t.Setenv(envVar, "")
}
for key, value := range tt.envVars {
t.Setenv(key, value)
}
_, err := Load()
if tt.expectError {
if err == nil {
t.Fatal("expected error but got nil")
}
if tt.errorMsg != "" && !strings.Contains(err.Error(), tt.errorMsg) {
t.Fatalf("expected error message to contain %q, got %q", tt.errorMsg, err.Error())
}
} else {
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
}
})
}
}
func TestServerConfigDefaults(t *testing.T) {
envVars := []string{
"SERVER_READ_TIMEOUT",
"SERVER_WRITE_TIMEOUT",
"SERVER_IDLE_TIMEOUT",
"SERVER_MAX_HEADER_BYTES",
"SERVER_ENABLE_TLS",
"SERVER_TLS_CERT_FILE",
"SERVER_TLS_KEY_FILE",
}
for _, envVar := range envVars {
os.Unsetenv(envVar)
}
os.Setenv("DB_PASSWORD", "testpassword")
os.Setenv("SMTP_HOST", "smtp.example.com")
os.Setenv("SMTP_FROM", "test@example.com")
os.Setenv("ADMIN_EMAIL", "admin@example.com")
os.Setenv("JWT_SECRET", "this-is-a-very-long-secret-key-for-testing-purposes-only")
config, err := Load()
if err != nil {
t.Fatalf("Failed to load config: %v", err)
}
if config.Server.ReadTimeout != 30*time.Second {
t.Errorf("Expected ReadTimeout to be 30s, got %v", config.Server.ReadTimeout)
}
if config.Server.WriteTimeout != 30*time.Second {
t.Errorf("Expected WriteTimeout to be 30s, got %v", config.Server.WriteTimeout)
}
if config.Server.IdleTimeout != 120*time.Second {
t.Errorf("Expected IdleTimeout to be 120s, got %v", config.Server.IdleTimeout)
}
if config.Server.MaxHeaderBytes != 1<<20 {
t.Errorf("Expected MaxHeaderBytes to be 1MB, got %d", config.Server.MaxHeaderBytes)
}
if config.Server.EnableTLS {
t.Error("Expected EnableTLS to be false by default")
}
for _, envVar := range envVars {
os.Unsetenv(envVar)
}
}
func TestServerConfigCustomValues(t *testing.T) {
os.Setenv("DB_PASSWORD", "testpassword")
os.Setenv("SMTP_HOST", "smtp.example.com")
os.Setenv("SMTP_FROM", "test@example.com")
os.Setenv("ADMIN_EMAIL", "admin@example.com")
os.Setenv("JWT_SECRET", "this-is-a-very-long-secret-key-for-testing-purposes-only")
os.Setenv("SERVER_READ_TIMEOUT", "60")
os.Setenv("SERVER_WRITE_TIMEOUT", "45")
os.Setenv("SERVER_IDLE_TIMEOUT", "180")
os.Setenv("SERVER_MAX_HEADER_BYTES", "2097152")
os.Setenv("SERVER_ENABLE_TLS", "true")
os.Setenv("SERVER_TLS_CERT_FILE", "/path/to/cert.pem")
os.Setenv("SERVER_TLS_KEY_FILE", "/path/to/key.pem")
config, err := Load()
if err != nil {
t.Fatalf("Failed to load config: %v", err)
}
if config.Server.ReadTimeout != 60*time.Second {
t.Errorf("Expected ReadTimeout to be 60s, got %v", config.Server.ReadTimeout)
}
if config.Server.WriteTimeout != 45*time.Second {
t.Errorf("Expected WriteTimeout to be 45s, got %v", config.Server.WriteTimeout)
}
if config.Server.IdleTimeout != 180*time.Second {
t.Errorf("Expected IdleTimeout to be 180s, got %v", config.Server.IdleTimeout)
}
if config.Server.MaxHeaderBytes != 2<<20 {
t.Errorf("Expected MaxHeaderBytes to be 2MB, got %d", config.Server.MaxHeaderBytes)
}
if !config.Server.EnableTLS {
t.Error("Expected EnableTLS to be true")
}
if config.Server.TLSCertFile != "/path/to/cert.pem" {
t.Errorf("Expected TLSCertFile to be /path/to/cert.pem, got %s", config.Server.TLSCertFile)
}
if config.Server.TLSKeyFile != "/path/to/key.pem" {
t.Errorf("Expected TLSKeyFile to be /path/to/key.pem, got %s", config.Server.TLSKeyFile)
}
envVars := []string{
"SERVER_READ_TIMEOUT",
"SERVER_WRITE_TIMEOUT",
"SERVER_IDLE_TIMEOUT",
"SERVER_MAX_HEADER_BYTES",
"SERVER_ENABLE_TLS",
"SERVER_TLS_CERT_FILE",
"SERVER_TLS_KEY_FILE",
}
for _, envVar := range envVars {
os.Unsetenv(envVar)
}
}
func TestServerConfigEdgeCases(t *testing.T) {
os.Setenv("DB_PASSWORD", "testpassword")
os.Setenv("SMTP_HOST", "smtp.example.com")
os.Setenv("SMTP_FROM", "test@example.com")
os.Setenv("ADMIN_EMAIL", "admin@example.com")
os.Setenv("JWT_SECRET", "this-is-a-very-long-secret-key-for-testing-purposes-only")
os.Setenv("SERVER_READ_TIMEOUT", "0")
os.Setenv("SERVER_WRITE_TIMEOUT", "0")
os.Setenv("SERVER_IDLE_TIMEOUT", "0")
config, err := Load()
if err != nil {
t.Fatalf("Failed to load config: %v", err)
}
if config.Server.ReadTimeout != 0 {
t.Errorf("Expected ReadTimeout to be 0, got %v", config.Server.ReadTimeout)
}
if config.Server.WriteTimeout != 0 {
t.Errorf("Expected WriteTimeout to be 0, got %v", config.Server.WriteTimeout)
}
if config.Server.IdleTimeout != 0 {
t.Errorf("Expected IdleTimeout to be 0, got %v", config.Server.IdleTimeout)
}
os.Setenv("SERVER_MAX_HEADER_BYTES", "10485760")
config, err = Load()
if err != nil {
t.Fatalf("Failed to load config: %v", err)
}
if config.Server.MaxHeaderBytes != 10485760 {
t.Errorf("Expected MaxHeaderBytes to be 10MB, got %d", config.Server.MaxHeaderBytes)
}
envVars := []string{
"SERVER_READ_TIMEOUT",
"SERVER_WRITE_TIMEOUT",
"SERVER_IDLE_TIMEOUT",
"SERVER_MAX_HEADER_BYTES",
}
for _, envVar := range envVars {
os.Unsetenv(envVar)
}
}
func TestTLSValidation(t *testing.T) {
os.Setenv("DB_PASSWORD", "testpassword")
os.Setenv("SMTP_HOST", "smtp.example.com")
os.Setenv("SMTP_FROM", "test@example.com")
os.Setenv("ADMIN_EMAIL", "admin@example.com")
os.Setenv("JWT_SECRET", "this-is-a-very-long-secret-key-for-testing-purposes-only")
os.Setenv("SERVER_ENABLE_TLS", "true")
_, err := Load()
if err == nil {
t.Error("Expected error when TLS is enabled without cert files")
}
if err.Error() != "SERVER_TLS_CERT_FILE is required when SERVER_ENABLE_TLS is true" {
t.Errorf("Expected specific error message, got: %v", err)
}
os.Setenv("SERVER_TLS_CERT_FILE", "/path/to/cert.pem")
_, err = Load()
if err == nil {
t.Error("Expected error when TLS is enabled without key file")
}
if err.Error() != "SERVER_TLS_KEY_FILE is required when SERVER_ENABLE_TLS is true" {
t.Errorf("Expected specific error message, got: %v", err)
}
os.Setenv("SERVER_TLS_KEY_FILE", "/path/to/key.pem")
cfg, err := Load()
if err != nil {
t.Fatalf("Failed to load config with TLS: %v", err)
}
if !cfg.Server.EnableTLS {
t.Error("Expected EnableTLS to be true")
}
envVars := []string{
"SERVER_ENABLE_TLS",
"SERVER_TLS_CERT_FILE",
"SERVER_TLS_KEY_FILE",
}
for _, envVar := range envVars {
os.Unsetenv(envVar)
}
}
func TestValidateBcryptCost(t *testing.T) {
tests := []struct {
name string
bcryptCost int
expectError bool
errorMsg string
}{
{
name: "valid cost at minimum (10)",
bcryptCost: 10,
expectError: false,
},
{
name: "valid cost at maximum (14)",
bcryptCost: 14,
expectError: false,
},
{
name: "valid cost in middle (12)",
bcryptCost: 12,
expectError: false,
},
{
name: "cost too low (9)",
bcryptCost: 9,
expectError: true,
errorMsg: "BCRYPT_COST must be at least 10 for security",
},
{
name: "cost too low (5)",
bcryptCost: 5,
expectError: true,
errorMsg: "BCRYPT_COST must be at least 10 for security",
},
{
name: "cost too low (0)",
bcryptCost: 0,
expectError: true,
errorMsg: "BCRYPT_COST must be at least 10 for security",
},
{
name: "cost too high (15)",
bcryptCost: 15,
expectError: true,
errorMsg: "BCRYPT_COST must be at most 14 to avoid performance issues",
},
{
name: "cost too high (20)",
bcryptCost: 20,
expectError: true,
errorMsg: "BCRYPT_COST must be at most 14 to avoid performance issues",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
appConfig := AppConfig{
BcryptCost: tt.bcryptCost,
}
err := validateAppConfig(&appConfig)
if tt.expectError {
if err == nil {
t.Fatalf("expected error for BCRYPT_COST %d, got nil", tt.bcryptCost)
}
if tt.errorMsg != "" && !strings.Contains(err.Error(), tt.errorMsg) {
t.Fatalf("expected error message to contain %q, got %q", tt.errorMsg, err.Error())
}
} else {
if err != nil {
t.Fatalf("unexpected error for BCRYPT_COST %d: %v", tt.bcryptCost, err)
}
}
})
}
}
func TestLoadWithInvalidBcryptCost(t *testing.T) {
tests := []struct {
name string
bcryptCost string
expectError bool
errorMsg string
}{
{
name: "cost too low",
bcryptCost: "9",
expectError: true,
errorMsg: "BCRYPT_COST must be at least 10",
},
{
name: "cost too high",
bcryptCost: "15",
expectError: true,
errorMsg: "BCRYPT_COST must be at most 14",
},
{
name: "valid cost",
bcryptCost: "12",
expectError: false,
},
{
name: "default cost",
bcryptCost: "",
expectError: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
t.Setenv("DB_PASSWORD", "password")
t.Setenv("SMTP_HOST", "smtp.example.com")
t.Setenv("SMTP_PORT", "2525")
t.Setenv("SMTP_FROM", "no-reply@example.com")
t.Setenv("ADMIN_EMAIL", "admin@example.com")
t.Setenv("JWT_SECRET", "this-is-a-very-secure-jwt-secret-key-that-is-long-enough")
if tt.bcryptCost != "" {
t.Setenv("BCRYPT_COST", tt.bcryptCost)
} else {
os.Unsetenv("BCRYPT_COST")
}
cfg, err := Load()
if tt.expectError {
if err == nil {
t.Fatal("expected error but got nil")
}
if tt.errorMsg != "" && !strings.Contains(err.Error(), tt.errorMsg) {
t.Fatalf("expected error message to contain %q, got %q", tt.errorMsg, err.Error())
}
} else {
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
expectedCost := 12
if tt.bcryptCost == "" {
expectedCost = 10
} else {
if costInt, err := strconv.Atoi(tt.bcryptCost); err == nil {
expectedCost = costInt
}
}
if cfg.App.BcryptCost != expectedCost {
t.Fatalf("expected BCRYPT_COST %d, got %d", expectedCost, cfg.App.BcryptCost)
}
}
})
}
}

77
internal/database/connection.go Normal file
View File

@@ -0,0 +1,77 @@
package database
import (
"fmt"
"goyco/internal/config"
"goyco/internal/middleware"
"gorm.io/driver/postgres"
"gorm.io/gorm"
)
func connectDB(cfg *config.Config) (*gorm.DB, error) {
dsn := cfg.GetConnectionString()
gormLogger := CreateSecureLogger(!cfg.App.Debug)
db, err := gorm.Open(postgres.Open(dsn), &gorm.Config{
Logger: gormLogger,
})
if err != nil {
return nil, fmt.Errorf("failed to connect to database: %w", err)
}
return db, nil
}
func Connect(cfg *config.Config) (*gorm.DB, error) {
return connectDB(cfg)
}
func ConnectWithMonitoring(cfg *config.Config, monitor middleware.DBMonitor) (*gorm.DB, error) {
db, err := connectDB(cfg)
if err != nil {
return nil, err
}
if monitor != nil {
monitoringPlugin := NewGormDBMonitor(monitor)
if err := db.Use(monitoringPlugin); err != nil {
return nil, fmt.Errorf("failed to add monitoring plugin: %w", err)
}
}
return db, nil
}
func Migrate(db *gorm.DB) error {
if db == nil {
return fmt.Errorf("database connection is nil")
}
err := db.AutoMigrate(
&User{},
&Post{},
&Vote{},
&AccountDeletionRequest{},
&RefreshToken{},
)
if err != nil {
return fmt.Errorf("failed to migrate database: %w", err)
}
return nil
}
func Close(db *gorm.DB) error {
if db == nil {
return nil
}
sqlDB, err := db.DB()
if err != nil {
return fmt.Errorf("failed to get underlying sql.DB: %w", err)
}
return sqlDB.Close()
}

169
internal/database/connection_pool.go Normal file
View File

@@ -0,0 +1,169 @@
package database
import (
"context"
"database/sql"
"fmt"
"log"
"time"
"gorm.io/driver/postgres"
"gorm.io/gorm"
"goyco/internal/config"
)
type ConnectionPoolConfig struct {
MaxOpenConns int
MaxIdleConns int
ConnMaxLifetime time.Duration
ConnMaxIdleTime time.Duration
ConnTimeout time.Duration
HealthCheckInterval time.Duration
}
func DefaultConnectionPoolConfig() ConnectionPoolConfig {
return ConnectionPoolConfig{
MaxOpenConns: 25,
MaxIdleConns: 10,
ConnMaxLifetime: 5 * time.Minute,
ConnMaxIdleTime: 1 * time.Minute,
ConnTimeout: 30 * time.Second,
HealthCheckInterval: 30 * time.Second,
}
}
func ProductionConnectionPoolConfig() ConnectionPoolConfig {
return ConnectionPoolConfig{
MaxOpenConns: 100,
MaxIdleConns: 25,
ConnMaxLifetime: 10 * time.Minute,
ConnMaxIdleTime: 2 * time.Minute,
ConnTimeout: 10 * time.Second,
HealthCheckInterval: 15 * time.Second,
}
}
func HighTrafficConnectionPoolConfig() ConnectionPoolConfig {
return ConnectionPoolConfig{
MaxOpenConns: 200,
MaxIdleConns: 50,
ConnMaxLifetime: 15 * time.Minute,
ConnMaxIdleTime: 5 * time.Minute,
ConnTimeout: 5 * time.Second,
HealthCheckInterval: 10 * time.Second,
}
}
type ConnectionPoolManager struct {
db *gorm.DB
sqlDB *sql.DB
config ConnectionPoolConfig
ctx context.Context
cancel context.CancelFunc
}
func NewConnectionPoolManager(cfg *config.Config, poolConfig ConnectionPoolConfig) (*ConnectionPoolManager, error) {
dsn := cfg.GetConnectionString()
secureLogger := CreateSecureLogger(!cfg.App.Debug)
db, err := gorm.Open(postgres.Open(dsn), &gorm.Config{
Logger: secureLogger,
})
if err != nil {
return nil, fmt.Errorf("failed to connect to database: %w", err)
}
sqlDB, err := db.DB()
if err != nil {
return nil, fmt.Errorf("failed to get underlying sql.DB: %w", err)
}
sqlDB.SetMaxOpenConns(poolConfig.MaxOpenConns)
sqlDB.SetMaxIdleConns(poolConfig.MaxIdleConns)
sqlDB.SetConnMaxLifetime(poolConfig.ConnMaxLifetime)
sqlDB.SetConnMaxIdleTime(poolConfig.ConnMaxIdleTime)
ctx, cancel := context.WithTimeout(context.Background(), poolConfig.ConnTimeout)
if err := sqlDB.PingContext(ctx); err != nil {
cancel()
return nil, fmt.Errorf("failed to ping database: %w", err)
}
cancel()
managerCtx, managerCancel := context.WithCancel(context.Background())
manager := &ConnectionPoolManager{
db: db,
sqlDB: sqlDB,
config: poolConfig,
ctx: managerCtx,
cancel: managerCancel,
}
go manager.startHealthCheck()
return manager, nil
}
func (m *ConnectionPoolManager) GetDB() *gorm.DB {
return m.db
}
func (m *ConnectionPoolManager) GetSQLDB() *sql.DB {
return m.sqlDB
}
func (m *ConnectionPoolManager) GetPoolStats() sql.DBStats {
return m.sqlDB.Stats()
}
func (m *ConnectionPoolManager) startHealthCheck() {
ticker := time.NewTicker(m.config.HealthCheckInterval)
defer ticker.Stop()
for {
select {
case <-m.ctx.Done():
return
case <-ticker.C:
m.performHealthCheck()
}
}
}
func (m *ConnectionPoolManager) performHealthCheck() {
ctx, cancel := context.WithTimeout(m.ctx, m.config.ConnTimeout)
defer cancel()
if err := m.sqlDB.PingContext(ctx); err != nil {
log.Printf("Database health check failed: %v", err)
}
}
func (m *ConnectionPoolManager) Close() error {
if m.cancel != nil {
m.cancel()
}
if m.sqlDB != nil {
return m.sqlDB.Close()
}
return nil
}
func ConnectWithPool(cfg *config.Config) (*ConnectionPoolManager, error) {
var poolConfig ConnectionPoolConfig
if cfg.App.Debug {
poolConfig = DefaultConnectionPoolConfig()
} else {
poolConfig = ProductionConnectionPoolConfig()
}
if cfg.App.BaseURL != "" && !cfg.App.Debug {
poolConfig = HighTrafficConnectionPoolConfig()
}
return NewConnectionPoolManager(cfg, poolConfig)
}

253
internal/database/connection_pool_test.go Normal file
View File

@@ -0,0 +1,253 @@
package database
import (
"strings"
"testing"
"time"
"goyco/internal/config"
)
func TestConnectionPoolConfig(t *testing.T) {
t.Run("default_config", func(t *testing.T) {
config := DefaultConnectionPoolConfig()
if config.MaxOpenConns <= 0 {
t.Error("MaxOpenConns should be positive")
}
if config.MaxIdleConns <= 0 {
t.Error("MaxIdleConns should be positive")
}
if config.ConnMaxLifetime <= 0 {
t.Error("ConnMaxLifetime should be positive")
}
if config.ConnMaxIdleTime <= 0 {
t.Error("ConnMaxIdleTime should be positive")
}
if config.ConnTimeout <= 0 {
t.Error("ConnTimeout should be positive")
}
if config.HealthCheckInterval <= 0 {
t.Error("HealthCheckInterval should be positive")
}
})
t.Run("production_config", func(t *testing.T) {
config := ProductionConnectionPoolConfig()
if config.MaxOpenConns < 50 {
t.Error("Production MaxOpenConns should be higher")
}
if config.MaxIdleConns < 10 {
t.Error("Production MaxIdleConns should be higher")
}
})
t.Run("high_traffic_config", func(t *testing.T) {
config := HighTrafficConnectionPoolConfig()
if config.MaxOpenConns < 100 {
t.Error("High traffic MaxOpenConns should be very high")
}
if config.MaxIdleConns < 25 {
t.Error("High traffic MaxIdleConns should be high")
}
})
}
func TestConnectionPoolManager_Stats(t *testing.T) {
t.Run("config_validation", func(t *testing.T) {
config := DefaultConnectionPoolConfig()
if config.MaxOpenConns < config.MaxIdleConns {
t.Error("MaxOpenConns should be >= MaxIdleConns")
}
if config.ConnMaxLifetime < config.ConnMaxIdleTime {
t.Error("ConnMaxLifetime should be >= ConnMaxIdleTime")
}
if config.ConnTimeout > 60*time.Second {
t.Error("ConnTimeout should be reasonable")
}
})
}
func TestConnectionPoolConfig_Values(t *testing.T) {
tests := []struct {
name string
config ConnectionPoolConfig
}{
{
name: "default",
config: DefaultConnectionPoolConfig(),
},
{
name: "production",
config: ProductionConnectionPoolConfig(),
},
{
name: "high_traffic",
config: HighTrafficConnectionPoolConfig(),
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
config := tt.config
if config.MaxOpenConns <= 0 {
t.Errorf("MaxOpenConns should be positive, got %d", config.MaxOpenConns)
}
if config.MaxIdleConns <= 0 {
t.Errorf("MaxIdleConns should be positive, got %d", config.MaxIdleConns)
}
if config.ConnMaxLifetime <= 0 {
t.Errorf("ConnMaxLifetime should be positive, got %v", config.ConnMaxLifetime)
}
if config.ConnMaxIdleTime <= 0 {
t.Errorf("ConnMaxIdleTime should be positive, got %v", config.ConnMaxIdleTime)
}
if config.ConnTimeout <= 0 {
t.Errorf("ConnTimeout should be positive, got %v", config.ConnTimeout)
}
if config.HealthCheckInterval <= 0 {
t.Errorf("HealthCheckInterval should be positive, got %v", config.HealthCheckInterval)
}
if config.MaxOpenConns < config.MaxIdleConns {
t.Errorf("MaxOpenConns (%d) should be >= MaxIdleConns (%d)", config.MaxOpenConns, config.MaxIdleConns)
}
if config.ConnMaxLifetime < config.ConnMaxIdleTime {
t.Errorf("ConnMaxLifetime (%v) should be >= ConnMaxIdleTime (%v)", config.ConnMaxLifetime, config.ConnMaxIdleTime)
}
})
}
}
func TestNewConnectionPoolManager(t *testing.T) {
t.Run("invalid_database_config", func(t *testing.T) {
cfg := &config.Config{
Database: config.DatabaseConfig{
Host: "invalid-host",
Port: "9999",
User: "invalid",
Password: "invalid",
Name: "invalid",
SSLMode: "disable",
},
App: config.AppConfig{
Debug: true,
},
}
poolConfig := DefaultConnectionPoolConfig()
manager, err := NewConnectionPoolManager(cfg, poolConfig)
if err == nil {
t.Error("Expected error with invalid database config")
}
if manager != nil {
t.Error("Expected nil manager with invalid database config")
}
if !strings.Contains(err.Error(), "failed to connect to database") {
t.Errorf("Expected connection error, got: %v", err)
}
})
}
func TestConnectionPoolManager_Methods(t *testing.T) {
t.Run("get_db_methods", func(t *testing.T) {
manager := &ConnectionPoolManager{
db: nil,
sqlDB: nil,
}
if manager.GetDB() != nil {
t.Error("Expected nil DB from uninitialized manager")
}
if manager.GetSQLDB() != nil {
t.Error("Expected nil SQLDB from uninitialized manager")
}
})
}
func TestConnectWithPool(t *testing.T) {
t.Run("debug_mode_config", func(t *testing.T) {
cfg := &config.Config{
Database: config.DatabaseConfig{
Host: "localhost",
Port: "5432",
User: "test",
Password: "test",
Name: "test_db",
SSLMode: "disable",
},
App: config.AppConfig{
Debug: true,
},
}
manager, err := ConnectWithPool(cfg)
if err == nil {
t.Error("Expected error with invalid database config")
}
if manager != nil {
t.Error("Expected nil manager with invalid database config")
}
})
t.Run("production_mode_config", func(t *testing.T) {
cfg := &config.Config{
Database: config.DatabaseConfig{
Host: "localhost",
Port: "5432",
User: "test",
Password: "test",
Name: "test_db",
SSLMode: "disable",
},
App: config.AppConfig{
Debug: false,
},
}
manager, err := ConnectWithPool(cfg)
if err == nil {
t.Error("Expected error with invalid database config")
}
if manager != nil {
t.Error("Expected nil manager with invalid database config")
}
})
t.Run("high_traffic_config", func(t *testing.T) {
cfg := &config.Config{
Database: config.DatabaseConfig{
Host: "localhost",
Port: "5432",
User: "test",
Password: "test",
Name: "test_db",
SSLMode: "disable",
},
App: config.AppConfig{
Debug: false,
BaseURL: "https://example.com",
},
}
manager, err := ConnectWithPool(cfg)
if err == nil {
t.Error("Expected error with invalid database config")
}
if manager != nil {
t.Error("Expected nil manager with invalid database config")
}
})
}

156
internal/database/connection_test.go Normal file
View File

@@ -0,0 +1,156 @@
package database
import (
"context"
"strings"
"testing"
"time"
"gorm.io/driver/sqlite"
"gorm.io/gorm"
"gorm.io/gorm/logger"
"goyco/internal/config"
"goyco/internal/middleware"
)
func TestConnectReturnsErrorWhenUnableToReachDatabase(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
done := make(chan error, 1)
go func() {
cfg := &config.Config{
Database: config.DatabaseConfig{
Host: "127.0.0.1",
Port: "1",
User: "postgres",
Password: "password",
Name: "goyco_test",
SSLMode: "disable",
},
}
_, err := Connect(cfg)
done <- err
}()
select {
case err := <-done:
if err == nil {
t.Fatalf("expected connection error but got nil")
}
if !strings.Contains(err.Error(), "failed to connect to database") {
t.Fatalf("unexpected error: %v", err)
}
case <-ctx.Done():
t.Fatalf("connection test timed out after 5 seconds")
}
}
func TestMigrateFailsWhenDBNil(t *testing.T) {
err := Migrate(nil)
if err == nil {
t.Fatalf("expected error when DB is nil")
}
}
func TestMigrateCreatesTables(t *testing.T) {
dbName := "file:memdb_" + t.Name() + "?mode=memory&cache=private"
db, err := gorm.Open(sqlite.Open(dbName), &gorm.Config{
Logger: logger.Default.LogMode(logger.Silent),
})
if err != nil {
t.Fatalf("failed to open sqlite in-memory database: %v", err)
}
if err := Migrate(db); err != nil {
t.Fatalf("expected migrations to succeed, got error: %v", err)
}
migrator := db.Migrator()
models := []any{&User{}, &Post{}, &Vote{}}
for _, model := range models {
if !migrator.HasTable(model) {
t.Fatalf("expected table for %T to exist after migration", model)
}
}
}
func TestCloseReturnsNilWhenDBNil(t *testing.T) {
if err := Close(nil); err != nil {
t.Fatalf("expected nil error when DB is nil, got %v", err)
}
}
func TestCloseClosesUnderlyingConnection(t *testing.T) {
dbName := "file:memdb_" + t.Name() + "?mode=memory&cache=private"
db, err := gorm.Open(sqlite.Open(dbName), &gorm.Config{
Logger: logger.Default.LogMode(logger.Silent),
})
if err != nil {
t.Fatalf("failed to open sqlite in-memory database: %v", err)
}
sqlDB, err := db.DB()
if err != nil {
t.Fatalf("failed to get sql.DB: %v", err)
}
if err := Close(db); err != nil {
t.Fatalf("expected close to succeed, got %v", err)
}
if err := sqlDB.Ping(); err == nil {
t.Fatalf("expected ping on closed connection to fail")
}
}
func TestConnectWithMonitoring(t *testing.T) {
cfg := &config.Config{
Database: config.DatabaseConfig{
Host: "localhost",
Port: "5432",
User: "test",
Password: "test",
Name: "test_db",
SSLMode: "disable",
},
App: config.AppConfig{
Debug: true,
},
}
_, err := ConnectWithMonitoring(cfg, nil)
if err == nil {
t.Fatalf("expected connection error with invalid database config")
}
if !strings.Contains(err.Error(), "failed to connect to database") {
t.Fatalf("unexpected error: %v", err)
}
}
func TestConnectWithMonitoringWithValidMonitor(t *testing.T) {
mockMonitor := middleware.NewInMemoryDBMonitor()
cfg := &config.Config{
Database: config.DatabaseConfig{
Host: "localhost",
Port: "5432",
User: "test",
Password: "test",
Name: "test_db",
SSLMode: "disable",
},
App: config.AppConfig{
Debug: true,
},
}
_, err := ConnectWithMonitoring(cfg, mockMonitor)
if err == nil {
t.Fatalf("expected connection error with invalid database config")
}
if !strings.Contains(err.Error(), "failed to connect to database") {
t.Fatalf("unexpected error: %v", err)
}
}

88
internal/database/models.go Normal file
View File

@@ -0,0 +1,88 @@
package database
import (
"time"
"gorm.io/gorm"
)
type Post struct {
ID uint `gorm:"primaryKey"`
Title string `gorm:"not null"`
URL string `gorm:"uniqueIndex"`
Content string
AuthorID *uint
AuthorName string
Author User `gorm:"foreignKey:AuthorID;constraint:OnDelete:CASCADE"`
UpVotes int `gorm:"default:0"`
DownVotes int `gorm:"default:0"`
Score int `gorm:"default:0"`
Votes []Vote `gorm:"foreignKey:PostID;constraint:OnDelete:CASCADE"`
CurrentVote VoteType `gorm:"-"`
CreatedAt time.Time
UpdatedAt time.Time
DeletedAt gorm.DeletedAt `gorm:"index"`
}
type User struct {
ID uint `gorm:"primaryKey"`
Username string `gorm:"uniqueIndex;not null"`
Email string `gorm:"uniqueIndex;not null"`
Password string `gorm:"not null"`
EmailVerified bool `gorm:"default:false;not null"`
EmailVerifiedAt *time.Time
EmailVerificationToken string `gorm:"index"`
EmailVerificationSentAt *time.Time
PasswordResetToken string `gorm:"index"`
PasswordResetSentAt *time.Time
PasswordResetExpiresAt *time.Time
Locked bool `gorm:"default:false"`
SessionVersion uint `gorm:"default:1;not null"`
RefreshTokens []RefreshToken `gorm:"foreignKey:UserID;constraint:OnDelete:CASCADE"`
Posts []Post `gorm:"foreignKey:AuthorID"`
Votes []Vote `gorm:"foreignKey:UserID"`
CreatedAt time.Time
UpdatedAt time.Time
DeletedAt gorm.DeletedAt `gorm:"index"`
}
type RefreshToken struct {
ID uint `gorm:"primaryKey"`
UserID uint `gorm:"not null;index"`
User User `gorm:"constraint:OnDelete:CASCADE"`
TokenHash string `gorm:"uniqueIndex;not null"`
ExpiresAt time.Time `gorm:"not null;index"`
CreatedAt time.Time
UpdatedAt time.Time
DeletedAt gorm.DeletedAt `gorm:"index"`
}
type AccountDeletionRequest struct {
ID uint `gorm:"primaryKey"`
UserID uint `gorm:"uniqueIndex"`
User User `gorm:"constraint:OnDelete:CASCADE"`
TokenHash string `gorm:"uniqueIndex;not null"`
ExpiresAt time.Time `gorm:"not null"`
CreatedAt time.Time
}
type Vote struct {
ID uint `gorm:"primaryKey"`
UserID *uint `gorm:"uniqueIndex:idx_user_post_vote,where:deleted_at IS NULL AND user_id IS NOT NULL"`
User *User `gorm:"foreignKey:UserID;constraint:OnDelete:CASCADE"`
PostID uint `gorm:"not null;uniqueIndex:idx_user_post_vote,where:deleted_at IS NULL AND user_id IS NOT NULL;uniqueIndex:idx_hash_post_vote,where:deleted_at IS NULL AND vote_hash IS NOT NULL"`
Post Post `gorm:"foreignKey:PostID;constraint:OnDelete:CASCADE"`
Type VoteType `gorm:"not null"`
VoteHash *string `gorm:"uniqueIndex:idx_hash_post_vote,where:deleted_at IS NULL AND vote_hash IS NOT NULL"`
CreatedAt time.Time
UpdatedAt time.Time
DeletedAt gorm.DeletedAt `gorm:"index"`
}
type VoteType string
const (
VoteUp VoteType = "up"
VoteDown VoteType = "down"
VoteNone VoteType = "none"
)

603
internal/database/models_test.go Normal file
View File

@@ -0,0 +1,603 @@
package database
import (
"fmt"
"testing"
"time"
"gorm.io/driver/sqlite"
"gorm.io/gorm"
"gorm.io/gorm/logger"
)
func newTestDB(t *testing.T) *gorm.DB {
t.Helper()
dbName := "file:memdb_" + t.Name() + "?mode=memory&cache=shared&_journal_mode=WAL&_synchronous=NORMAL"
db, err := gorm.Open(sqlite.Open(dbName), &gorm.Config{
Logger: logger.Default.LogMode(logger.Silent),
})
if err != nil {
t.Fatalf("Failed to connect to test database: %v", err)
}
err = db.AutoMigrate(
&User{},
&Post{},
&Vote{},
&AccountDeletionRequest{},
&RefreshToken{},
)
if err != nil {
t.Fatalf("Failed to migrate database: %v", err)
}
if execErr := db.Exec("PRAGMA busy_timeout = 5000").Error; execErr != nil {
t.Fatalf("Failed to configure busy timeout: %v", execErr)
}
if execErr := db.Exec("PRAGMA foreign_keys = ON").Error; execErr != nil {
t.Fatalf("Failed to enable foreign keys: %v", execErr)
}
sqlDB, err := db.DB()
if err != nil {
t.Fatalf("Failed to access SQL DB: %v", err)
}
sqlDB.SetMaxOpenConns(1)
sqlDB.SetMaxIdleConns(1)
sqlDB.SetConnMaxLifetime(5 * time.Minute)
return db
}
func createTestUser(t *testing.T, db *gorm.DB) *User {
t.Helper()
uniqueID := time.Now().UnixNano()
user := &User{
Username: fmt.Sprintf("testuser%d", uniqueID),
Email: fmt.Sprintf("test%d@example.com", uniqueID),
Password: "hashedpassword123",
EmailVerified: true,
}
if err := db.Create(user).Error; err != nil {
t.Fatalf("Failed to create test user: %v", err)
}
return user
}
func createTestPost(t *testing.T, db *gorm.DB, authorID uint) *Post {
t.Helper()
post := &Post{
Title: "Test Post " + t.Name(),
URL: "https://example.com/test" + t.Name(),
Content: "Test content",
AuthorID: &authorID,
}
if err := db.Create(post).Error; err != nil {
t.Fatalf("Failed to create test post: %v", err)
}
return post
}
func TestUser_Model(t *testing.T) {
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
t.Run("create_user", func(t *testing.T) {
user := &User{
Username: "testuser",
Email: "test@example.com",
Password: "hashedpassword",
EmailVerified: true,
}
if err := db.Create(user).Error; err != nil {
t.Fatalf("Failed to create user: %v", err)
}
if user.ID == 0 {
t.Error("Expected user ID to be set")
}
if user.CreatedAt.IsZero() {
t.Error("Expected CreatedAt to be set")
}
if user.UpdatedAt.IsZero() {
t.Error("Expected UpdatedAt to be set")
}
})
t.Run("user_constraints", func(t *testing.T) {
user1 := &User{
Username: "duplicate",
Email: "user1@example.com",
Password: "hashedpassword",
EmailVerified: true,
}
user2 := &User{
Username: "duplicate",
Email: "user2@example.com",
Password: "hashedpassword",
EmailVerified: true,
}
if err := db.Create(user1).Error; err != nil {
t.Fatalf("Failed to create first user: %v", err)
}
if err := db.Create(user2).Error; err == nil {
t.Error("Expected error when creating user with duplicate username")
}
user3 := &User{
Username: "unique",
Email: "user1@example.com",
Password: "hashedpassword",
EmailVerified: true,
}
if err := db.Create(user3).Error; err == nil {
t.Error("Expected error when creating user with duplicate email")
}
})
t.Run("user_relationships", func(t *testing.T) {
user := &User{
Username: "author",
Email: "author@example.com",
Password: "hashedpassword",
EmailVerified: true,
}
if err := db.Create(user).Error; err != nil {
t.Fatalf("Failed to create user: %v", err)
}
post1 := &Post{
Title: "Post 1",
URL: "https://example.com/1",
Content: "Content 1",
AuthorID: &user.ID,
}
post2 := &Post{
Title: "Post 2",
URL: "https://example.com/2",
Content: "Content 2",
AuthorID: &user.ID,
}
if err := db.Create(post1).Error; err != nil {
t.Fatalf("Failed to create post 1: %v", err)
}
if err := db.Create(post2).Error; err != nil {
t.Fatalf("Failed to create post 2: %v", err)
}
var foundUser User
if err := db.Preload("Posts").First(&foundUser, user.ID).Error; err != nil {
t.Fatalf("Failed to load user with posts: %v", err)
}
if len(foundUser.Posts) != 2 {
t.Errorf("Expected 2 posts, got %d", len(foundUser.Posts))
}
})
}
func TestPost_Model(t *testing.T) {
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
t.Run("create_post", func(t *testing.T) {
user := createTestUser(t, db)
post := &Post{
Title: "Test Post",
URL: "https://example.com/test",
Content: "Test content",
AuthorID: &user.ID,
}
if err := db.Create(post).Error; err != nil {
t.Fatalf("Failed to create post: %v", err)
}
if post.ID == 0 {
t.Error("Expected post ID to be set")
}
if post.CreatedAt.IsZero() {
t.Error("Expected CreatedAt to be set")
}
if post.UpdatedAt.IsZero() {
t.Error("Expected UpdatedAt to be set")
}
if post.UpVotes != 0 {
t.Error("Expected UpVotes to be 0 by default")
}
if post.DownVotes != 0 {
t.Error("Expected DownVotes to be 0 by default")
}
if post.Score != 0 {
t.Error("Expected Score to be 0 by default")
}
})
t.Run("post_constraints", func(t *testing.T) {
user := createTestUser(t, db)
post1 := &Post{
Title: "Post 1",
URL: "https://example.com/unique",
Content: "Content 1",
AuthorID: &user.ID,
}
post2 := &Post{
Title: "Post 2",
URL: "https://example.com/unique",
Content: "Content 2",
AuthorID: &user.ID,
}
if err := db.Create(post1).Error; err != nil {
t.Fatalf("Failed to create first post: %v", err)
}
if err := db.Create(post2).Error; err == nil {
t.Error("Expected error when creating post with duplicate URL")
}
})
t.Run("post_relationships", func(t *testing.T) {
user1 := createTestUser(t, db)
user2 := createTestUser(t, db)
post := createTestPost(t, db, user1.ID)
vote1 := &Vote{
UserID: &user1.ID,
PostID: post.ID,
Type: VoteUp,
}
vote2 := &Vote{
UserID: &user2.ID,
PostID: post.ID,
Type: VoteDown,
}
if err := db.Create(vote1).Error; err != nil {
t.Fatalf("Failed to create vote 1: %v", err)
}
if err := db.Create(vote2).Error; err != nil {
t.Fatalf("Failed to create vote 2: %v", err)
}
var foundPost Post
if err := db.Preload("Votes").First(&foundPost, post.ID).Error; err != nil {
t.Fatalf("Failed to load post with votes: %v", err)
}
if len(foundPost.Votes) != 2 {
t.Errorf("Expected 2 votes, got %d", len(foundPost.Votes))
}
})
}
func TestVote_Model(t *testing.T) {
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
t.Run("create_vote", func(t *testing.T) {
user := createTestUser(t, db)
post := createTestPost(t, db, user.ID)
vote := &Vote{
UserID: &user.ID,
PostID: post.ID,
Type: VoteUp,
}
if err := db.Create(vote).Error; err != nil {
t.Fatalf("Failed to create vote: %v", err)
}
if vote.ID == 0 {
t.Error("Expected vote ID to be set")
}
if vote.CreatedAt.IsZero() {
t.Error("Expected CreatedAt to be set")
}
if vote.UpdatedAt.IsZero() {
t.Error("Expected UpdatedAt to be set")
}
})
t.Run("vote_constraints", func(t *testing.T) {
user := createTestUser(t, db)
post := createTestPost(t, db, user.ID)
vote1 := &Vote{
UserID: &user.ID,
PostID: post.ID,
Type: VoteUp,
}
vote2 := &Vote{
UserID: &user.ID,
PostID: post.ID,
Type: VoteDown,
}
if err := db.Create(vote1).Error; err != nil {
t.Fatalf("Failed to create first vote: %v", err)
}
if err := db.Create(vote2).Error; err == nil {
t.Error("Expected error when creating vote with duplicate user-post combination")
}
})
t.Run("vote_types", func(t *testing.T) {
user := createTestUser(t, db)
voteTypes := []VoteType{VoteUp, VoteDown, VoteNone}
for i, voteType := range voteTypes {
post := &Post{
Title: "Test Post " + string(rune(i)),
URL: "https://example.com/test" + string(rune(i)),
Content: "Test content",
AuthorID: &user.ID,
}
if err := db.Create(post).Error; err != nil {
t.Fatalf("Failed to create post %d: %v", i, err)
}
vote := &Vote{
UserID: &user.ID,
PostID: post.ID,
Type: voteType,
}
if err := db.Create(vote).Error; err != nil {
t.Fatalf("Failed to create vote with type %s: %v", voteType, err)
}
}
})
t.Run("vote_relationships", func(t *testing.T) {
user := createTestUser(t, db)
post := createTestPost(t, db, user.ID)
vote := &Vote{
UserID: &user.ID,
PostID: post.ID,
Type: VoteUp,
}
if err := db.Create(vote).Error; err != nil {
t.Fatalf("Failed to create vote: %v", err)
}
var foundVote Vote
if err := db.Preload("User").Preload("Post").First(&foundVote, vote.ID).Error; err != nil {
t.Fatalf("Failed to load vote with relationships: %v", err)
}
if foundVote.User.ID != user.ID {
t.Error("Expected vote to be associated with correct user")
}
if foundVote.Post.ID != post.ID {
t.Error("Expected vote to be associated with correct post")
}
})
}
func TestRefreshToken_Model(t *testing.T) {
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
t.Run("create_refresh_token", func(t *testing.T) {
user := createTestUser(t, db)
token := &RefreshToken{
UserID: user.ID,
TokenHash: "hashedtoken123",
ExpiresAt: time.Now().Add(24 * time.Hour),
}
if err := db.Create(token).Error; err != nil {
t.Fatalf("Failed to create refresh token: %v", err)
}
if token.ID == 0 {
t.Error("Expected token ID to be set")
}
if token.CreatedAt.IsZero() {
t.Error("Expected CreatedAt to be set")
}
if token.UpdatedAt.IsZero() {
t.Error("Expected UpdatedAt to be set")
}
})
t.Run("refresh_token_constraints", func(t *testing.T) {
user := createTestUser(t, db)
token1 := &RefreshToken{
UserID: user.ID,
TokenHash: "uniquehash",
ExpiresAt: time.Now().Add(24 * time.Hour),
}
token2 := &RefreshToken{
UserID: user.ID,
TokenHash: "uniquehash",
ExpiresAt: time.Now().Add(24 * time.Hour),
}
if err := db.Create(token1).Error; err != nil {
t.Fatalf("Failed to create first token: %v", err)
}
if err := db.Create(token2).Error; err == nil {
t.Error("Expected error when creating token with duplicate hash")
}
})
}
func TestAccountDeletionRequest_Model(t *testing.T) {
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
t.Run("create_account_deletion_request", func(t *testing.T) {
user := createTestUser(t, db)
request := &AccountDeletionRequest{
UserID: user.ID,
TokenHash: "deletiontoken123",
ExpiresAt: time.Now().Add(24 * time.Hour),
}
if err := db.Create(request).Error; err != nil {
t.Fatalf("Failed to create account deletion request: %v", err)
}
if request.ID == 0 {
t.Error("Expected request ID to be set")
}
if request.CreatedAt.IsZero() {
t.Error("Expected CreatedAt to be set")
}
})
t.Run("account_deletion_request_constraints", func(t *testing.T) {
user := createTestUser(t, db)
request1 := &AccountDeletionRequest{
UserID: user.ID,
TokenHash: "token1",
ExpiresAt: time.Now().Add(24 * time.Hour),
}
request2 := &AccountDeletionRequest{
UserID: user.ID,
TokenHash: "token2",
ExpiresAt: time.Now().Add(24 * time.Hour),
}
if err := db.Create(request1).Error; err != nil {
t.Fatalf("Failed to create first request: %v", err)
}
if err := db.Create(request2).Error; err == nil {
t.Error("Expected error when creating request with duplicate user")
}
})
}
func TestVoteType_Constants(t *testing.T) {
t.Run("vote_type_constants", func(t *testing.T) {
if VoteUp != "up" {
t.Errorf("Expected VoteUp to be 'up', got '%s'", VoteUp)
}
if VoteDown != "down" {
t.Errorf("Expected VoteDown to be 'down', got '%s'", VoteDown)
}
if VoteNone != "none" {
t.Errorf("Expected VoteNone to be 'none', got '%s'", VoteNone)
}
})
}
func TestModel_SoftDelete(t *testing.T) {
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
t.Run("user_soft_delete", func(t *testing.T) {
user := createTestUser(t, db)
if err := db.Delete(user).Error; err != nil {
t.Fatalf("Failed to soft delete user: %v", err)
}
var foundUser User
if err := db.First(&foundUser, user.ID).Error; err == nil {
t.Error("Expected user to be soft deleted")
}
if err := db.Unscoped().First(&foundUser, user.ID).Error; err != nil {
t.Fatalf("Expected to find soft deleted user with Unscoped: %v", err)
}
if foundUser.DeletedAt.Time.IsZero() {
t.Error("Expected DeletedAt to be set")
}
})
t.Run("post_soft_delete", func(t *testing.T) {
user := createTestUser(t, db)
post := createTestPost(t, db, user.ID)
if err := db.Delete(post).Error; err != nil {
t.Fatalf("Failed to soft delete post: %v", err)
}
var foundPost Post
if err := db.First(&foundPost, post.ID).Error; err == nil {
t.Error("Expected post to be soft deleted")
}
if err := db.Unscoped().First(&foundPost, post.ID).Error; err != nil {
t.Fatalf("Expected to find soft deleted post with Unscoped: %v", err)
}
if foundPost.DeletedAt.Time.IsZero() {
t.Error("Expected DeletedAt to be set")
}
})
}

190
internal/database/monitoring_plugin.go Normal file
View File

@@ -0,0 +1,190 @@
package database
import (
"context"
"time"
"gorm.io/gorm"
"goyco/internal/middleware"
)
type contextKey string
const gormOperationStartKey contextKey = "gorm_operation_start"
type GormDBMonitor struct {
monitor middleware.DBMonitor
}
func NewGormDBMonitor(monitor middleware.DBMonitor) *GormDBMonitor {
return &GormDBMonitor{
monitor: monitor,
}
}
func (g *GormDBMonitor) Name() string {
return "db_monitor"
}
func (g *GormDBMonitor) Initialize(db *gorm.DB) error {
db.Callback().Create().Before("gorm:create").Register("db_monitor:before_create", g.beforeCreate)
db.Callback().Create().After("gorm:create").Register("db_monitor:after_create", g.afterCreate)
db.Callback().Query().Before("gorm:query").Register("db_monitor:before_query", g.beforeQuery)
db.Callback().Query().After("gorm:query").Register("db_monitor:after_query", g.afterQuery)
db.Callback().Update().Before("gorm:update").Register("db_monitor:before_update", g.beforeUpdate)
db.Callback().Update().After("gorm:update").Register("db_monitor:after_update", g.afterUpdate)
db.Callback().Delete().Before("gorm:delete").Register("db_monitor:before_delete", g.beforeDelete)
db.Callback().Delete().After("gorm:delete").Register("db_monitor:after_delete", g.afterDelete)
db.Callback().Row().Before("gorm:row").Register("db_monitor:before_row", g.beforeRow)
db.Callback().Row().After("gorm:row").Register("db_monitor:after_row", g.afterRow)
db.Callback().Raw().Before("gorm:raw").Register("db_monitor:before_raw", g.beforeRaw)
db.Callback().Raw().After("gorm:raw").Register("db_monitor:after_raw", g.afterRaw)
return nil
}
func (g *GormDBMonitor) beforeCreate(db *gorm.DB) {
if g.monitor == nil {
return
}
ctx := context.WithValue(db.Statement.Context, gormOperationStartKey, time.Now())
db.Statement.Context = ctx
}
func (g *GormDBMonitor) afterCreate(db *gorm.DB) {
if g.monitor == nil {
return
}
g.logOperation(db, "CREATE")
}
func (g *GormDBMonitor) beforeQuery(db *gorm.DB) {
if g.monitor == nil {
return
}
ctx := context.WithValue(db.Statement.Context, gormOperationStartKey, time.Now())
db.Statement.Context = ctx
}
func (g *GormDBMonitor) afterQuery(db *gorm.DB) {
if g.monitor == nil {
return
}
g.logOperation(db, "SELECT")
}
func (g *GormDBMonitor) beforeUpdate(db *gorm.DB) {
if g.monitor == nil {
return
}
ctx := context.WithValue(db.Statement.Context, gormOperationStartKey, time.Now())
db.Statement.Context = ctx
}
func (g *GormDBMonitor) afterUpdate(db *gorm.DB) {
if g.monitor == nil {
return
}
g.logOperation(db, "UPDATE")
}
func (g *GormDBMonitor) beforeDelete(db *gorm.DB) {
if g.monitor == nil {
return
}
ctx := context.WithValue(db.Statement.Context, gormOperationStartKey, time.Now())
db.Statement.Context = ctx
}
func (g *GormDBMonitor) afterDelete(db *gorm.DB) {
if g.monitor == nil {
return
}
g.logOperation(db, "DELETE")
}
func (g *GormDBMonitor) beforeRow(db *gorm.DB) {
if g.monitor == nil {
return
}
ctx := context.WithValue(db.Statement.Context, gormOperationStartKey, time.Now())
db.Statement.Context = ctx
}
func (g *GormDBMonitor) afterRow(db *gorm.DB) {
if g.monitor == nil {
return
}
g.logOperation(db, "ROW")
}
func (g *GormDBMonitor) beforeRaw(db *gorm.DB) {
if g.monitor == nil {
return
}
ctx := context.WithValue(db.Statement.Context, gormOperationStartKey, time.Now())
db.Statement.Context = ctx
}
func (g *GormDBMonitor) afterRaw(db *gorm.DB) {
if g.monitor == nil {
return
}
g.logOperation(db, "RAW")
}
func (g *GormDBMonitor) logOperation(db *gorm.DB, operation string) {
if g.monitor == nil {
return
}
startTime, ok := db.Statement.Context.Value(gormOperationStartKey).(time.Time)
if !ok {
return
}
duration := time.Since(startTime)
query := g.buildQueryString(db, operation)
g.monitor.LogQuery(query, duration, db.Error)
}
func (g *GormDBMonitor) buildQueryString(db *gorm.DB, operation string) string {
if db.Statement.SQL.String() != "" {
return db.Statement.SQL.String()
}
query := operation
if db.Statement.Table != "" {
query += " FROM " + db.Statement.Table
}
if db.Statement.Model != nil {
if stmt := db.Statement; stmt.Schema != nil {
query = operation + " " + stmt.Schema.Table
}
}
return query
}

325
internal/database/monitoring_plugin_test.go Normal file
View File

@@ -0,0 +1,325 @@
package database
import (
"context"
"testing"
"time"
"gorm.io/driver/sqlite"
"gorm.io/gorm"
"gorm.io/gorm/logger"
"goyco/internal/middleware"
)
func TestNewGormDBMonitor(t *testing.T) {
monitor := middleware.NewInMemoryDBMonitor()
gormMonitor := NewGormDBMonitor(monitor)
if gormMonitor == nil {
t.Fatal("Expected non-nil GormDBMonitor")
}
if gormMonitor.monitor != monitor {
t.Error("Expected monitor to be set correctly")
}
}
func TestGormDBMonitor_Name(t *testing.T) {
monitor := middleware.NewInMemoryDBMonitor()
gormMonitor := NewGormDBMonitor(monitor)
if gormMonitor.Name() != "db_monitor" {
t.Errorf("Expected name 'db_monitor', got '%s'", gormMonitor.Name())
}
}
func TestGormDBMonitor_Initialize(t *testing.T) {
monitor := middleware.NewInMemoryDBMonitor()
gormMonitor := NewGormDBMonitor(monitor)
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
err := gormMonitor.Initialize(db)
if err != nil {
t.Fatalf("Expected Initialize to succeed, got error: %v", err)
}
}
func TestGormDBMonitor_InitializeWithNilMonitor(t *testing.T) {
gormMonitor := NewGormDBMonitor(nil)
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
err := gormMonitor.Initialize(db)
if err != nil {
t.Fatalf("Expected Initialize to succeed with nil monitor, got error: %v", err)
}
}
func TestGormDBMonitor_Callbacks(t *testing.T) {
monitor := middleware.NewInMemoryDBMonitor()
gormMonitor := NewGormDBMonitor(monitor)
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
err := gormMonitor.Initialize(db)
if err != nil {
t.Fatalf("Failed to initialize plugin: %v", err)
}
user := &User{
Username: "testuser",
Email: "test@example.com",
Password: "hashedpassword",
EmailVerified: true,
}
if err := db.Create(user).Error; err != nil {
t.Fatalf("Failed to create user: %v", err)
}
var foundUser User
if err := db.First(&foundUser, user.ID).Error; err != nil {
t.Fatalf("Failed to find user: %v", err)
}
foundUser.Username = "updateduser"
if err := db.Save(&foundUser).Error; err != nil {
t.Fatalf("Failed to update user: %v", err)
}
if err := db.Delete(&foundUser).Error; err != nil {
t.Fatalf("Failed to delete user: %v", err)
}
}
func TestGormDBMonitor_CallbacksWithNilMonitor(t *testing.T) {
gormMonitor := NewGormDBMonitor(nil)
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
err := gormMonitor.Initialize(db)
if err != nil {
t.Fatalf("Failed to initialize plugin: %v", err)
}
user := &User{
Username: "testuser",
Email: "test@example.com",
Password: "hashedpassword",
EmailVerified: true,
}
if err := db.Create(user).Error; err != nil {
t.Fatalf("Failed to create user: %v", err)
}
}
func TestGormDBMonitor_BuildQueryString(t *testing.T) {
monitor := middleware.NewInMemoryDBMonitor()
gormMonitor := NewGormDBMonitor(monitor)
db := newTestDB(t)
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
err := gormMonitor.Initialize(db)
if err != nil {
t.Fatalf("Failed to initialize plugin: %v", err)
}
tests := []struct {
name string
operation string
table string
expected string
}{
{
name: "create_operation",
operation: "CREATE",
table: "users",
expected: "CREATE FROM users",
},
{
name: "select_operation",
operation: "SELECT",
table: "posts",
expected: "SELECT FROM posts",
},
{
name: "update_operation",
operation: "UPDATE",
table: "votes",
expected: "UPDATE FROM votes",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
stmt := &gorm.Statement{
Table: tt.table,
}
mockDB := &gorm.DB{
Statement: stmt,
}
result := gormMonitor.buildQueryString(mockDB, tt.operation)
if result != tt.expected {
t.Errorf("Expected '%s', got '%s'", tt.expected, result)
}
})
}
}
func TestGormDBMonitor_LogOperation(t *testing.T) {
monitor := middleware.NewInMemoryDBMonitor()
gormMonitor := NewGormDBMonitor(monitor)
startTime := time.Now()
ctx := context.WithValue(context.Background(), gormOperationStartKey, startTime)
stmt := &gorm.Statement{
Context: ctx,
Table: "users",
}
mockDB := &gorm.DB{
Statement: stmt,
}
gormMonitor.logOperation(mockDB, "CREATE")
gormMonitor.monitor = nil
gormMonitor.logOperation(mockDB, "CREATE")
}
func TestGormDBMonitor_LogOperationWithoutStartTime(t *testing.T) {
monitor := middleware.NewInMemoryDBMonitor()
gormMonitor := NewGormDBMonitor(monitor)
ctx := context.Background()
stmt := &gorm.Statement{
Context: ctx,
Table: "users",
}
mockDB := &gorm.DB{
Statement: stmt,
}
gormMonitor.logOperation(mockDB, "CREATE")
}
func TestGormDBMonitor_AllCallbackMethods(t *testing.T) {
monitor := middleware.NewInMemoryDBMonitor()
gormMonitor := NewGormDBMonitor(monitor)
gormMonitor.monitor = nil
ctx := context.Background()
stmt := &gorm.Statement{
Context: ctx,
Table: "users",
}
mockDB := &gorm.DB{
Statement: stmt,
}
gormMonitor.beforeCreate(mockDB)
gormMonitor.beforeQuery(mockDB)
gormMonitor.beforeUpdate(mockDB)
gormMonitor.beforeDelete(mockDB)
gormMonitor.beforeRow(mockDB)
gormMonitor.beforeRaw(mockDB)
gormMonitor.afterCreate(mockDB)
gormMonitor.afterQuery(mockDB)
gormMonitor.afterUpdate(mockDB)
gormMonitor.afterDelete(mockDB)
gormMonitor.afterRow(mockDB)
gormMonitor.afterRaw(mockDB)
}
func TestGormDBMonitor_WithRealDatabase(t *testing.T) {
monitor := middleware.NewInMemoryDBMonitor()
gormMonitor := NewGormDBMonitor(monitor)
dbName := "file:memdb_" + t.Name() + "?mode=memory&cache=private"
db, err := gorm.Open(sqlite.Open(dbName), &gorm.Config{
Logger: logger.Default.LogMode(logger.Silent),
})
if err != nil {
t.Fatalf("Failed to open database: %v", err)
}
defer func() {
if sqlDB, err := db.DB(); err == nil {
sqlDB.Close()
}
}()
if err := db.AutoMigrate(&User{}); err != nil {
t.Fatalf("Failed to migrate database: %v", err)
}
err = gormMonitor.Initialize(db)
if err != nil {
t.Fatalf("Failed to initialize plugin: %v", err)
}
user := &User{
Username: "testuser",
Email: "test@example.com",
Password: "hashedpassword",
EmailVerified: true,
}
if err := db.Create(user).Error; err != nil {
t.Fatalf("Failed to create user: %v", err)
}
var foundUser User
if err := db.First(&foundUser, user.ID).Error; err != nil {
t.Fatalf("Failed to find user: %v", err)
}
foundUser.Username = "updateduser"
if err := db.Save(&foundUser).Error; err != nil {
t.Fatalf("Failed to update user: %v", err)
}
if err := db.Delete(&foundUser).Error; err != nil {
t.Fatalf("Failed to delete user: %v", err)
}
stats := monitor.GetStats()
if stats.TotalQueries == 0 {
t.Error("Expected monitor to have recorded some queries")
}
}

175
internal/database/secure_logger.go Normal file
View File

@@ -0,0 +1,175 @@
package database
import (
"context"
"fmt"
"log"
"os"
"regexp"
"strings"
"time"
"gorm.io/gorm/logger"
)
type SecureLogger struct {
writer logger.Writer
config logger.Config
sensitiveFields []string
sensitivePattern *regexp.Regexp
productionMode bool
}
func NewSecureLogger(writer logger.Writer, config logger.Config, productionMode bool) *SecureLogger {
sensitiveFields := []string{
"password", "token", "secret", "key", "hash", "salt",
"email_verification_token", "password_reset_token",
"token_hash", "jwt_secret", "api_key", "access_token",
"refresh_token", "session_id", "cookie", "auth",
}
sensitivePattern := regexp.MustCompile(`(?i)(password|token|secret|key|hash|salt|email_verification_token|password_reset_token|token_hash|jwt_secret|api_key|access_token|refresh_token|session_id|cookie|auth)`)
return &SecureLogger{
writer: writer,
config: config,
sensitiveFields: sensitiveFields,
sensitivePattern: sensitivePattern,
productionMode: productionMode,
}
}
func (l *SecureLogger) LogMode(level logger.LogLevel) logger.Interface {
newLogger := *l
newLogger.config.LogLevel = level
return &newLogger
}
func (l *SecureLogger) Info(ctx context.Context, msg string, data ...any) {
if l.config.LogLevel >= logger.Info {
l.log(ctx, "info", msg, data...)
}
}
func (l *SecureLogger) Warn(ctx context.Context, msg string, data ...any) {
if l.config.LogLevel >= logger.Warn {
l.log(ctx, "warn", msg, data...)
}
}
func (l *SecureLogger) Error(ctx context.Context, msg string, data ...any) {
if l.config.LogLevel >= logger.Error {
l.log(ctx, "error", msg, data...)
}
}
func (l *SecureLogger) Trace(ctx context.Context, begin time.Time, fc func() (string, int64), err error) {
if l.config.LogLevel <= logger.Silent {
return
}
elapsed := time.Since(begin)
switch {
case err != nil && l.config.LogLevel >= logger.Error && (!l.config.IgnoreRecordNotFoundError || !IsRecordNotFoundError(err)):
sql, rows := fc()
l.log(ctx, "error", fmt.Sprintf("[%.3fms] [rows:%v] %s", float64(elapsed.Nanoseconds())/1e6, rows, sql))
case elapsed > l.config.SlowThreshold && l.config.SlowThreshold != 0 && l.config.LogLevel >= logger.Warn:
sql, rows := fc()
l.log(ctx, "warn", fmt.Sprintf("[%.3fms] [rows:%v] %s", float64(elapsed.Nanoseconds())/1e6, rows, sql))
case l.config.LogLevel == logger.Info:
sql, rows := fc()
l.log(ctx, "info", fmt.Sprintf("[%.3fms] [rows:%v] %s", float64(elapsed.Nanoseconds())/1e6, rows, sql))
}
}
func (l *SecureLogger) log(_ context.Context, level, msg string, data ...any) {
if l.productionMode {
msg = l.maskSensitiveData(msg)
maskedData := make([]any, len(data))
for i, d := range data {
maskedData[i] = l.maskSensitiveData(fmt.Sprintf("%v", d))
}
data = maskedData
}
formattedMsg := fmt.Sprintf(msg, data...)
l.writer.Printf("[%s] %s", strings.ToUpper(level), formattedMsg)
}
func (l *SecureLogger) maskSensitiveData(data string) string {
if l.productionMode {
data = regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b`).ReplaceAllString(data, "[EMAIL_MASKED]")
data = regexp.MustCompile(`\b[A-Za-z0-9]{20,}\b`).ReplaceAllStringFunc(data, func(match string) string {
if l.sensitivePattern.MatchString(match) {
return "[TOKEN_MASKED]"
}
return match
})
data = l.maskSQLValues(data)
}
return data
}
func (l *SecureLogger) maskSQLValues(sql string) string {
paramPattern := regexp.MustCompile(`'([^']*)'`)
return paramPattern.ReplaceAllStringFunc(sql, func(match string) string {
value := strings.Trim(match, "'")
if l.isSensitiveValue(value) {
return "'[MASKED]'"
}
return match
})
}
func (l *SecureLogger) isSensitiveValue(value string) bool {
if regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b`).MatchString(value) {
return true
}
if len(value) > 20 && regexp.MustCompile(`^[A-Za-z0-9+/]{20,}={0,2}$`).MatchString(value) {
return true
}
if regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`).MatchString(value) {
return true
}
if regexp.MustCompile(`^[A-Za-z0-9+/]+={0,2}$`).MatchString(value) && len(value) > 10 {
return true
}
return false
}
func IsRecordNotFoundError(err error) bool {
if err == nil {
return false
}
return strings.Contains(strings.ToLower(err.Error()), "record not found") ||
strings.Contains(strings.ToLower(err.Error()), "not found")
}
func CreateSecureLogger(productionMode bool) logger.Interface {
config := logger.Config{
SlowThreshold: time.Second,
LogLevel: logger.Info,
IgnoreRecordNotFoundError: true,
Colorful: false,
}
if productionMode {
config.LogLevel = logger.Error
config.SlowThreshold = 2 * time.Second
}
writer := log.New(os.Stdout, "\r\n", log.LstdFlags)
return NewSecureLogger(writer, config, productionMode)
}

368
internal/database/secure_logger_test.go Normal file
View File

@@ -0,0 +1,368 @@
package database
import (
"context"
"errors"
"log"
"os"
"strings"
"testing"
"time"
"gorm.io/gorm/logger"
)
func TestSecureLogger_MaskSensitiveData(t *testing.T) {
writer := log.New(os.Stdout, "\r\n", log.LstdFlags)
config := logger.Config{
SlowThreshold: time.Second,
LogLevel: logger.Info,
IgnoreRecordNotFoundError: true,
Colorful: false,
}
tests := []struct {
name string
production bool
input string
expected string
}{
{
name: "development_mode_no_masking",
production: false,
input: "SELECT * FROM users WHERE email = 'user@example.com'",
expected: "SELECT * FROM users WHERE email = 'user@example.com'",
},
{
name: "production_mode_mask_email",
production: true,
input: "SELECT * FROM users WHERE email = 'user@example.com'",
expected: "SELECT * FROM users WHERE email = '[EMAIL_MASKED]'",
},
{
name: "production_mode_mask_token",
production: true,
input: "SELECT * FROM users WHERE password_reset_token = 'abc123def456ghi789'",
expected: "SELECT * FROM users WHERE password_reset_token = '[TOKEN_MASKED]'",
},
{
name: "production_mode_mask_uuid",
production: true,
input: "SELECT * FROM users WHERE id = '550e8400-e29b-41d4-a716-446655440000'",
expected: "SELECT * FROM users WHERE id = '[TOKEN_MASKED]'",
},
{
name: "production_mode_no_masking_short_values",
production: true,
input: "SELECT * FROM users WHERE id = 123",
expected: "SELECT * FROM users WHERE id = 123",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
secureLogger := NewSecureLogger(writer, config, tt.production)
result := secureLogger.maskSensitiveData(tt.input)
if tt.production {
if strings.Contains(result, "user@example.com") {
t.Errorf("Email should be masked in production mode")
}
if strings.Contains(result, "abc123def456ghi789") {
t.Errorf("Token should be masked in production mode")
}
} else {
if result != tt.input {
t.Errorf("Expected %q, got %q", tt.input, result)
}
}
})
}
}
func TestSecureLogger_IsSensitiveValue(t *testing.T) {
writer := log.New(os.Stdout, "\r\n", log.LstdFlags)
config := logger.Config{
SlowThreshold: time.Second,
LogLevel: logger.Info,
IgnoreRecordNotFoundError: true,
Colorful: false,
}
secureLogger := NewSecureLogger(writer, config, true)
tests := []struct {
name string
value string
expected bool
}{
{
name: "email_address",
value: "user@example.com",
expected: true,
},
{
name: "long_token",
value: "abc123def456ghi789jkl012mno345pqr678stu901vwx234yz",
expected: true,
},
{
name: "uuid",
value: "550e8400-e29b-41d4-a716-446655440000",
expected: true,
},
{
name: "short_value",
value: "123",
expected: false,
},
{
name: "normal_text",
value: "golang programming",
expected: false,
},
{
name: "base64_like",
value: "SGVsbG8gV29ybGQ=",
expected: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := secureLogger.isSensitiveValue(tt.value)
if result != tt.expected {
t.Errorf("Expected %v for value %q, got %v", tt.expected, tt.value, result)
}
})
}
}
func TestSecureLogger_LogLevels(t *testing.T) {
writer := log.New(os.Stdout, "\r\n", log.LstdFlags)
config := logger.Config{
SlowThreshold: time.Second,
LogLevel: logger.Info,
IgnoreRecordNotFoundError: true,
Colorful: false,
}
secureLogger := NewSecureLogger(writer, config, false)
ctx := context.Background()
secureLogger.Info(ctx, "Test info message")
secureLogger.Warn(ctx, "Test warn message")
secureLogger.Error(ctx, "Test error message")
}
func TestCreateSecureLogger(t *testing.T) {
prodLogger := CreateSecureLogger(true)
if prodLogger == nil {
t.Error("Expected non-nil logger for production mode")
}
devLogger := CreateSecureLogger(false)
if devLogger == nil {
t.Error("Expected non-nil logger for development mode")
}
}
func TestSecureLogger_LogMode(t *testing.T) {
writer := log.New(os.Stdout, "\r\n", log.LstdFlags)
config := logger.Config{
SlowThreshold: time.Second,
LogLevel: logger.Info,
IgnoreRecordNotFoundError: true,
Colorful: false,
}
secureLogger := NewSecureLogger(writer, config, false)
newLogger := secureLogger.LogMode(logger.Error)
if newLogger == nil {
t.Error("Expected non-nil logger from LogMode")
}
if secureLogger.config.LogLevel != logger.Info {
t.Error("Original logger should be unchanged")
}
}
func TestSecureLogger_Trace(t *testing.T) {
writer := log.New(os.Stdout, "\r\n", log.LstdFlags)
config := logger.Config{
SlowThreshold: time.Second,
LogLevel: logger.Info,
IgnoreRecordNotFoundError: true,
Colorful: false,
}
secureLogger := NewSecureLogger(writer, config, false)
ctx := context.Background()
t.Run("silent_level", func(t *testing.T) {
silentLogger := secureLogger.LogMode(logger.Silent)
silentLogger.Trace(ctx, time.Now(), func() (string, int64) {
return "SELECT * FROM users", 1
}, nil)
})
t.Run("error_level_with_error", func(t *testing.T) {
errorLogger := secureLogger.LogMode(logger.Error)
errorLogger.Trace(ctx, time.Now(), func() (string, int64) {
return "SELECT * FROM users", 1
}, errors.New("test error"))
})
t.Run("warn_level_slow_query", func(t *testing.T) {
warnLogger := secureLogger.LogMode(logger.Warn)
startTime := time.Now().Add(-2 * time.Second)
warnLogger.Trace(ctx, startTime, func() (string, int64) {
return "SELECT * FROM users", 1
}, nil)
})
t.Run("info_level", func(t *testing.T) {
infoLogger := secureLogger.LogMode(logger.Info)
infoLogger.Trace(ctx, time.Now(), func() (string, int64) {
return "SELECT * FROM users", 1
}, nil)
})
}
func TestSecureLogger_MaskSQLValues(t *testing.T) {
writer := log.New(os.Stdout, "\r\n", log.LstdFlags)
config := logger.Config{
SlowThreshold: time.Second,
LogLevel: logger.Info,
IgnoreRecordNotFoundError: true,
Colorful: false,
}
secureLogger := NewSecureLogger(writer, config, true)
tests := []struct {
name string
sql string
expected string
}{
{
name: "email_in_sql",
sql: "SELECT * FROM users WHERE email = 'user@example.com'",
expected: "SELECT * FROM users WHERE email = '[MASKED]'",
},
{
name: "token_in_sql",
sql: "SELECT * FROM users WHERE token = 'abc123def456ghi789'",
expected: "SELECT * FROM users WHERE token = '[MASKED]'",
},
{
name: "uuid_in_sql",
sql: "SELECT * FROM users WHERE id = '550e8400-e29b-41d4-a716-446655440000'",
expected: "SELECT * FROM users WHERE id = '[MASKED]'",
},
{
name: "normal_value",
sql: "SELECT * FROM users WHERE id = 123",
expected: "SELECT * FROM users WHERE id = 123",
},
{
name: "multiple_values",
sql: "SELECT * FROM users WHERE email = 'user@example.com' AND id = 123",
expected: "SELECT * FROM users WHERE email = '[MASKED]' AND id = 123",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := secureLogger.maskSQLValues(tt.sql)
if result != tt.expected {
t.Errorf("Expected '%s', got '%s'", tt.expected, result)
}
})
}
}
func TestSecureLogger_IsRecordNotFoundError(t *testing.T) {
tests := []struct {
name string
err error
expected bool
}{
{
name: "record_not_found",
err: errors.New("record not found"),
expected: true,
},
{
name: "not_found",
err: errors.New("not found"),
expected: true,
},
{
name: "RECORD NOT FOUND",
err: errors.New("RECORD NOT FOUND"),
expected: true,
},
{
name: "NOT FOUND",
err: errors.New("NOT FOUND"),
expected: true,
},
{
name: "other_error",
err: errors.New("connection failed"),
expected: false,
},
{
name: "nil_error",
err: nil,
expected: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := IsRecordNotFoundError(tt.err)
if result != tt.expected {
t.Errorf("Expected %v for error '%v', got %v", tt.expected, tt.err, result)
}
})
}
}
func TestSecureLogger_ProductionMode(t *testing.T) {
writer := log.New(os.Stdout, "\r\n", log.LstdFlags)
config := logger.Config{
SlowThreshold: time.Second,
LogLevel: logger.Error,
IgnoreRecordNotFoundError: true,
Colorful: false,
}
secureLogger := NewSecureLogger(writer, config, true)
ctx := context.Background()
secureLogger.Info(ctx, "User login: %s", "user@example.com")
secureLogger.Warn(ctx, "Token validation: %s", "abc123def456ghi789")
secureLogger.Error(ctx, "Database error: %s", "connection failed")
}
func TestSecureLogger_DevelopmentMode(t *testing.T) {
writer := log.New(os.Stdout, "\r\n", log.LstdFlags)
config := logger.Config{
SlowThreshold: time.Second,
LogLevel: logger.Info,
IgnoreRecordNotFoundError: true,
Colorful: false,
}
secureLogger := NewSecureLogger(writer, config, false)
ctx := context.Background()
secureLogger.Info(ctx, "User login: %s", "user@example.com")
secureLogger.Warn(ctx, "Token validation: %s", "abc123def456ghi789")
secureLogger.Error(ctx, "Database error: %s", "connection failed")
}

69
internal/dto/post.go Normal file
View File

@@ -0,0 +1,69 @@
package dto
import (
"time"
"goyco/internal/database"
)
type PostDTO struct {
ID uint `json:"id"`
Title string `json:"title"`
URL string `json:"url"`
Content string `json:"content,omitempty"`
AuthorID *uint `json:"author_id,omitempty"`
AuthorName string `json:"author_name,omitempty"`
Author *UserDTO `json:"author,omitempty"`
UpVotes int `json:"up_votes"`
DownVotes int `json:"down_votes"`
Score int `json:"score"`
CurrentVote string `json:"current_vote,omitempty"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
type PostListDTO struct {
Posts []PostDTO `json:"posts"`
Count int `json:"count"`
Limit int `json:"limit"`
Offset int `json:"offset"`
}
func ToPostDTO(post *database.Post) PostDTO {
if post == nil {
return PostDTO{}
}
dto := PostDTO{
ID: post.ID,
Title: post.Title,
URL: post.URL,
Content: post.Content,
AuthorID: post.AuthorID,
AuthorName: post.AuthorName,
UpVotes: post.UpVotes,
DownVotes: post.DownVotes,
Score: post.Score,
CreatedAt: post.CreatedAt,
UpdatedAt: post.UpdatedAt,
}
if post.CurrentVote != "" {
dto.CurrentVote = string(post.CurrentVote)
}
if post.Author.ID != 0 {
authorDTO := ToUserDTO(&post.Author)
dto.Author = &authorDTO
}
return dto
}
func ToPostDTOs(posts []database.Post) []PostDTO {
dtos := make([]PostDTO, len(posts))
for i := range posts {
dtos[i] = ToPostDTO(&posts[i])
}
return dtos
}

183
internal/dto/post_test.go Normal file
View File

@@ -0,0 +1,183 @@
package dto
import (
"testing"
"time"
"goyco/internal/database"
)
func TestToPostDTO(t *testing.T) {
t.Run("nil post", func(t *testing.T) {
dto := ToPostDTO(nil)
if dto.ID != 0 {
t.Errorf("Expected zero value for nil post, got ID %d", dto.ID)
}
})
t.Run("valid post without author", func(t *testing.T) {
post := &database.Post{
ID: 1,
Title: "Test Post",
URL: "https://example.com",
Content: "Test content",
AuthorID: nil,
AuthorName: "",
UpVotes: 5,
DownVotes: 2,
Score: 3,
CurrentVote: database.VoteUp,
CreatedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
UpdatedAt: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC),
}
dto := ToPostDTO(post)
if dto.ID != post.ID {
t.Errorf("Expected ID %d, got %d", post.ID, dto.ID)
}
if dto.Title != post.Title {
t.Errorf("Expected Title %q, got %q", post.Title, dto.Title)
}
if dto.URL != post.URL {
t.Errorf("Expected URL %q, got %q", post.URL, dto.URL)
}
if dto.Content != post.Content {
t.Errorf("Expected Content %q, got %q", post.Content, dto.Content)
}
if dto.UpVotes != post.UpVotes {
t.Errorf("Expected UpVotes %d, got %d", post.UpVotes, dto.UpVotes)
}
if dto.DownVotes != post.DownVotes {
t.Errorf("Expected DownVotes %d, got %d", post.DownVotes, dto.DownVotes)
}
if dto.Score != post.Score {
t.Errorf("Expected Score %d, got %d", post.Score, dto.Score)
}
if dto.CurrentVote != string(post.CurrentVote) {
t.Errorf("Expected CurrentVote %q, got %q", post.CurrentVote, dto.CurrentVote)
}
if !dto.CreatedAt.Equal(post.CreatedAt) {
t.Errorf("Expected CreatedAt %v, got %v", post.CreatedAt, dto.CreatedAt)
}
if !dto.UpdatedAt.Equal(post.UpdatedAt) {
t.Errorf("Expected UpdatedAt %v, got %v", post.UpdatedAt, dto.UpdatedAt)
}
if dto.Author != nil {
t.Error("Expected Author to be nil when post.Author.ID is 0")
}
})
t.Run("post with author", func(t *testing.T) {
authorID := uint(42)
post := &database.Post{
ID: 1,
Title: "Test Post",
URL: "https://example.com",
AuthorID: &authorID,
AuthorName: "Test Author",
Author: database.User{
ID: authorID,
Username: "testuser",
Email: "test@example.com",
},
CreatedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
UpdatedAt: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC),
}
dto := ToPostDTO(post)
if dto.AuthorID == nil || *dto.AuthorID != authorID {
t.Errorf("Expected AuthorID %d, got %v", authorID, dto.AuthorID)
}
if dto.AuthorName != post.AuthorName {
t.Errorf("Expected AuthorName %q, got %q", post.AuthorName, dto.AuthorName)
}
if dto.Author == nil {
t.Fatal("Expected Author to be set")
}
if dto.Author.ID != authorID {
t.Errorf("Expected Author.ID %d, got %d", authorID, dto.Author.ID)
}
if dto.Author.Username != post.Author.Username {
t.Errorf("Expected Author.Username %q, got %q", post.Author.Username, dto.Author.Username)
}
})
t.Run("post with VoteNone", func(t *testing.T) {
post := &database.Post{
ID: 1,
Title: "Test Post",
CurrentVote: database.VoteNone,
CreatedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
UpdatedAt: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC),
}
dto := ToPostDTO(post)
if dto.CurrentVote != "none" {
t.Errorf("Expected CurrentVote %q, got %q", "none", dto.CurrentVote)
}
})
t.Run("post without CurrentVote set", func(t *testing.T) {
post := &database.Post{
ID: 1,
Title: "Test Post",
CurrentVote: "",
CreatedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
UpdatedAt: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC),
}
dto := ToPostDTO(post)
if dto.CurrentVote != "" {
t.Errorf("Expected empty CurrentVote, got %q", dto.CurrentVote)
}
})
}
func TestToPostDTOs(t *testing.T) {
t.Run("empty slice", func(t *testing.T) {
posts := []database.Post{}
dtos := ToPostDTOs(posts)
if len(dtos) != 0 {
t.Errorf("Expected empty slice, got %d items", len(dtos))
}
})
t.Run("multiple posts", func(t *testing.T) {
posts := []database.Post{
{
ID: 1,
Title: "Post 1",
URL: "https://example.com/1",
},
{
ID: 2,
Title: "Post 2",
URL: "https://example.com/2",
},
{
ID: 3,
Title: "Post 3",
URL: "https://example.com/3",
},
}
dtos := ToPostDTOs(posts)
if len(dtos) != len(posts) {
t.Fatalf("Expected %d DTOs, got %d", len(posts), len(dtos))
}
for i := range posts {
if dtos[i].ID != posts[i].ID {
t.Errorf("Post %d: Expected ID %d, got %d", i, posts[i].ID, dtos[i].ID)
}
if dtos[i].Title != posts[i].Title {
t.Errorf("Post %d: Expected Title %q, got %q", i, posts[i].Title, dtos[i].Title)
}
}
})
}

76
internal/dto/user.go Normal file
View File

@@ -0,0 +1,76 @@
package dto
import (
"time"
"goyco/internal/database"
)
type UserDTO struct {
ID uint `json:"id"`
Username string `json:"username"`
Email string `json:"email,omitempty"`
EmailVerified bool `json:"email_verified,omitempty"`
EmailVerifiedAt *time.Time `json:"email_verified_at,omitempty"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
type UserListDTO struct {
Users []UserDTO `json:"users"`
Count int `json:"count"`
Limit int `json:"limit"`
Offset int `json:"offset"`
}
func ToUserDTO(user *database.User) UserDTO {
if user == nil {
return UserDTO{}
}
return UserDTO{
ID: user.ID,
Username: user.Username,
Email: user.Email,
EmailVerified: user.EmailVerified,
EmailVerifiedAt: user.EmailVerifiedAt,
CreatedAt: user.CreatedAt,
UpdatedAt: user.UpdatedAt,
}
}
func ToUserDTOs(users []database.User) []UserDTO {
dtos := make([]UserDTO, len(users))
for i := range users {
dtos[i] = ToUserDTO(&users[i])
}
return dtos
}
type SanitizedUserDTO struct {
ID uint `json:"id"`
Username string `json:"username"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
func ToSanitizedUserDTO(user *database.User) SanitizedUserDTO {
if user == nil {
return SanitizedUserDTO{}
}
return SanitizedUserDTO{
ID: user.ID,
Username: user.Username,
CreatedAt: user.CreatedAt,
UpdatedAt: user.UpdatedAt,
}
}
func ToSanitizedUserDTOs(users []database.User) []SanitizedUserDTO {
dtos := make([]SanitizedUserDTO, len(users))
for i := range users {
dtos[i] = ToSanitizedUserDTO(&users[i])
}
return dtos
}

187
internal/dto/user_test.go Normal file
View File

@@ -0,0 +1,187 @@
package dto
import (
"testing"
"time"
"goyco/internal/database"
)
func TestToUserDTO(t *testing.T) {
t.Run("nil user", func(t *testing.T) {
dto := ToUserDTO(nil)
if dto.ID != 0 {
t.Errorf("Expected zero value for nil user, got ID %d", dto.ID)
}
})
t.Run("valid user", func(t *testing.T) {
verifiedAt := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
user := &database.User{
ID: 42,
Username: "testuser",
Email: "test@example.com",
EmailVerified: true,
EmailVerifiedAt: &verifiedAt,
CreatedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
UpdatedAt: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC),
}
dto := ToUserDTO(user)
if dto.ID != user.ID {
t.Errorf("Expected ID %d, got %d", user.ID, dto.ID)
}
if dto.Username != user.Username {
t.Errorf("Expected Username %q, got %q", user.Username, dto.Username)
}
if dto.Email != user.Email {
t.Errorf("Expected Email %q, got %q", user.Email, dto.Email)
}
if dto.EmailVerified != user.EmailVerified {
t.Errorf("Expected EmailVerified %v, got %v", user.EmailVerified, dto.EmailVerified)
}
if dto.EmailVerifiedAt == nil || !dto.EmailVerifiedAt.Equal(*user.EmailVerifiedAt) {
t.Errorf("Expected EmailVerifiedAt %v, got %v", user.EmailVerifiedAt, dto.EmailVerifiedAt)
}
if !dto.CreatedAt.Equal(user.CreatedAt) {
t.Errorf("Expected CreatedAt %v, got %v", user.CreatedAt, dto.CreatedAt)
}
if !dto.UpdatedAt.Equal(user.UpdatedAt) {
t.Errorf("Expected UpdatedAt %v, got %v", user.UpdatedAt, dto.UpdatedAt)
}
})
t.Run("user without email verified at", func(t *testing.T) {
user := &database.User{
ID: 1,
Username: "testuser",
Email: "test@example.com",
EmailVerified: false,
EmailVerifiedAt: nil,
CreatedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
UpdatedAt: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC),
}
dto := ToUserDTO(user)
if dto.EmailVerifiedAt != nil {
t.Error("Expected EmailVerifiedAt to be nil")
}
})
}
func TestToUserDTOs(t *testing.T) {
t.Run("empty slice", func(t *testing.T) {
users := []database.User{}
dtos := ToUserDTOs(users)
if len(dtos) != 0 {
t.Errorf("Expected empty slice, got %d items", len(dtos))
}
})
t.Run("multiple users", func(t *testing.T) {
users := []database.User{
{
ID: 1,
Username: "user1",
Email: "user1@example.com",
},
{
ID: 2,
Username: "user2",
Email: "user2@example.com",
},
}
dtos := ToUserDTOs(users)
if len(dtos) != len(users) {
t.Fatalf("Expected %d DTOs, got %d", len(users), len(dtos))
}
for i := range users {
if dtos[i].ID != users[i].ID {
t.Errorf("User %d: Expected ID %d, got %d", i, users[i].ID, dtos[i].ID)
}
if dtos[i].Username != users[i].Username {
t.Errorf("User %d: Expected Username %q, got %q", i, users[i].Username, dtos[i].Username)
}
}
})
}
func TestToSanitizedUserDTO(t *testing.T) {
t.Run("nil user", func(t *testing.T) {
dto := ToSanitizedUserDTO(nil)
if dto.ID != 0 {
t.Errorf("Expected zero value for nil user, got ID %d", dto.ID)
}
})
t.Run("valid user", func(t *testing.T) {
user := &database.User{
ID: 42,
Username: "testuser",
Email: "test@example.com",
EmailVerified: true,
CreatedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
UpdatedAt: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC),
}
dto := ToSanitizedUserDTO(user)
if dto.ID != user.ID {
t.Errorf("Expected ID %d, got %d", user.ID, dto.ID)
}
if dto.Username != user.Username {
t.Errorf("Expected Username %q, got %q", user.Username, dto.Username)
}
if !dto.CreatedAt.Equal(user.CreatedAt) {
t.Errorf("Expected CreatedAt %v, got %v", user.CreatedAt, dto.CreatedAt)
}
if !dto.UpdatedAt.Equal(user.UpdatedAt) {
t.Errorf("Expected UpdatedAt %v, got %v", user.UpdatedAt, dto.UpdatedAt)
}
})
}
func TestToSanitizedUserDTOs(t *testing.T) {
t.Run("empty slice", func(t *testing.T) {
users := []database.User{}
dtos := ToSanitizedUserDTOs(users)
if len(dtos) != 0 {
t.Errorf("Expected empty slice, got %d items", len(dtos))
}
})
t.Run("multiple users", func(t *testing.T) {
users := []database.User{
{
ID: 1,
Username: "user1",
Email: "user1@example.com",
},
{
ID: 2,
Username: "user2",
Email: "user2@example.com",
},
}
dtos := ToSanitizedUserDTOs(users)
if len(dtos) != len(users) {
t.Fatalf("Expected %d DTOs, got %d", len(users), len(dtos))
}
for i := range users {
if dtos[i].ID != users[i].ID {
t.Errorf("User %d: Expected ID %d, got %d", i, users[i].ID, dtos[i].ID)
}
if dtos[i].Username != users[i].Username {
t.Errorf("User %d: Expected Username %q, got %q", i, users[i].Username, dtos[i].Username)
}
}
})
}

39
internal/dto/vote.go Normal file
View File

@@ -0,0 +1,39 @@
package dto
import (
"time"
"goyco/internal/database"
)
type VoteDTO struct {
ID uint `json:"id"`
UserID *uint `json:"user_id,omitempty"`
PostID uint `json:"post_id"`
Type string `json:"type"`
CreatedAt time.Time `json:"created_at"`
UpdatedAt time.Time `json:"updated_at"`
}
func ToVoteDTO(vote *database.Vote) VoteDTO {
if vote == nil {
return VoteDTO{}
}
return VoteDTO{
ID: vote.ID,
UserID: vote.UserID,
PostID: vote.PostID,
Type: string(vote.Type),
CreatedAt: vote.CreatedAt,
UpdatedAt: vote.UpdatedAt,
}
}
func ToVoteDTOs(votes []database.Vote) []VoteDTO {
dtos := make([]VoteDTO, len(votes))
for i := range votes {
dtos[i] = ToVoteDTO(&votes[i])
}
return dtos
}

149
internal/dto/vote_test.go Normal file
View File

@@ -0,0 +1,149 @@
package dto
import (
"testing"
"time"
"goyco/internal/database"
)
func TestToVoteDTO(t *testing.T) {
t.Run("nil vote", func(t *testing.T) {
dto := ToVoteDTO(nil)
if dto.ID != 0 {
t.Errorf("Expected zero value for nil vote, got ID %d", dto.ID)
}
})
t.Run("vote with user ID", func(t *testing.T) {
userID := uint(42)
vote := &database.Vote{
ID: 1,
UserID: &userID,
PostID: 10,
Type: database.VoteUp,
CreatedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
UpdatedAt: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC),
}
dto := ToVoteDTO(vote)
if dto.ID != vote.ID {
t.Errorf("Expected ID %d, got %d", vote.ID, dto.ID)
}
if dto.UserID == nil || *dto.UserID != userID {
t.Errorf("Expected UserID %d, got %v", userID, dto.UserID)
}
if dto.PostID != vote.PostID {
t.Errorf("Expected PostID %d, got %d", vote.PostID, dto.PostID)
}
if dto.Type != string(vote.Type) {
t.Errorf("Expected Type %q, got %q", vote.Type, dto.Type)
}
if !dto.CreatedAt.Equal(vote.CreatedAt) {
t.Errorf("Expected CreatedAt %v, got %v", vote.CreatedAt, dto.CreatedAt)
}
if !dto.UpdatedAt.Equal(vote.UpdatedAt) {
t.Errorf("Expected UpdatedAt %v, got %v", vote.UpdatedAt, dto.UpdatedAt)
}
})
t.Run("vote without user ID", func(t *testing.T) {
vote := &database.Vote{
ID: 2,
UserID: nil,
PostID: 20,
Type: database.VoteDown,
CreatedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
UpdatedAt: time.Date(2024, 1, 2, 0, 0, 0, 0, time.UTC),
}
dto := ToVoteDTO(vote)
if dto.UserID != nil {
t.Errorf("Expected UserID to be nil, got %v", dto.UserID)
}
if dto.Type != string(database.VoteDown) {
t.Errorf("Expected Type %q, got %q", database.VoteDown, dto.Type)
}
})
t.Run("all vote types", func(t *testing.T) {
tests := []struct {
name string
voteType database.VoteType
expected string
}{
{"VoteUp", database.VoteUp, "up"},
{"VoteDown", database.VoteDown, "down"},
{"VoteNone", database.VoteNone, "none"},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
vote := &database.Vote{
ID: 1,
Type: tt.voteType,
}
dto := ToVoteDTO(vote)
if dto.Type != tt.expected {
t.Errorf("Expected Type %q, got %q", tt.expected, dto.Type)
}
})
}
})
}
func TestToVoteDTOs(t *testing.T) {
t.Run("empty slice", func(t *testing.T) {
votes := []database.Vote{}
dtos := ToVoteDTOs(votes)
if len(dtos) != 0 {
t.Errorf("Expected empty slice, got %d items", len(dtos))
}
})
t.Run("multiple votes", func(t *testing.T) {
userID1 := uint(1)
votes := []database.Vote{
{
ID: 1,
UserID: &userID1,
PostID: 10,
Type: database.VoteUp,
},
{
ID: 2,
UserID: nil,
PostID: 10,
Type: database.VoteDown,
},
{
ID: 3,
UserID: &userID1,
PostID: 20,
Type: database.VoteUp,
},
}
dtos := ToVoteDTOs(votes)
if len(dtos) != len(votes) {
t.Fatalf("Expected %d DTOs, got %d", len(votes), len(dtos))
}
for i := range votes {
if dtos[i].ID != votes[i].ID {
t.Errorf("Vote %d: Expected ID %d, got %d", i, votes[i].ID, dtos[i].ID)
}
if dtos[i].PostID != votes[i].PostID {
t.Errorf("Vote %d: Expected PostID %d, got %d", i, votes[i].PostID, dtos[i].PostID)
}
if dtos[i].Type != string(votes[i].Type) {
t.Errorf("Vote %d: Expected Type %q, got %q", i, votes[i].Type, dtos[i].Type)
}
}
})
}

271
internal/e2e/api_documentation_test.go Normal file
View File

@@ -0,0 +1,271 @@
package e2e
import (
"encoding/json"
"net/http"
"testing"
"goyco/internal/testutils"
)
func TestE2E_SwaggerDocumentation(t *testing.T) {
ctx := setupTestContext(t)
t.Run("swagger_json_is_valid", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/swagger/doc.json", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Skipf("Swagger JSON not available (status %d)", resp.StatusCode)
return
}
var swaggerDoc map[string]interface{}
if err := json.NewDecoder(resp.Body).Decode(&swaggerDoc); err != nil {
t.Fatalf("Failed to decode Swagger JSON: %v", err)
}
if swaggerDoc["swagger"] == nil && swaggerDoc["openapi"] == nil {
t.Error("Swagger JSON missing swagger/openapi version")
}
if swaggerDoc["info"] == nil {
t.Error("Swagger JSON missing info section")
}
if swaggerDoc["paths"] == nil {
t.Error("Swagger JSON missing paths section")
}
})
t.Run("swagger_yaml_is_valid", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/swagger/doc.yaml", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Logf("Swagger YAML endpoint returned status %d (may not be available)", resp.StatusCode)
}
})
t.Run("api_endpoints_documented", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/swagger/doc.json", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Skip("Swagger JSON not available")
return
}
var swaggerDoc map[string]interface{}
if err := json.NewDecoder(resp.Body).Decode(&swaggerDoc); err != nil {
t.Fatalf("Failed to decode Swagger JSON: %v", err)
}
paths, ok := swaggerDoc["paths"].(map[string]interface{})
if !ok {
t.Error("Paths section is not a map")
return
}
requiredPaths := []string{
"/api",
"/api/auth/login",
"/api/auth/register",
"/api/auth/me",
"/api/posts",
}
for _, requiredPath := range requiredPaths {
if paths[requiredPath] == nil {
t.Errorf("Required endpoint %s not documented", requiredPath)
}
}
})
t.Run("request_response_schemas_present", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/swagger/doc.json", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Skip("Swagger JSON not available")
return
}
var swaggerDoc map[string]interface{}
if err := json.NewDecoder(resp.Body).Decode(&swaggerDoc); err != nil {
t.Fatalf("Failed to decode Swagger JSON: %v", err)
}
definitions, ok := swaggerDoc["definitions"].(map[string]interface{})
if !ok {
definitions, ok = swaggerDoc["components"].(map[string]interface{})
if ok {
definitions, _ = definitions["schemas"].(map[string]interface{})
}
}
if definitions == nil {
t.Log("No definitions/schemas section found (may use inline schemas)")
return
}
if len(definitions) == 0 {
t.Error("Definitions/schemas section is empty")
}
})
t.Run("swagger_ui_accessible", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/swagger/index.html", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Logf("Swagger UI returned status %d (may not be available)", resp.StatusCode)
}
})
}
func TestE2E_APIEndpointDocumentation(t *testing.T) {
ctx := setupTestContext(t)
t.Run("api_info_endpoint_documented", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/swagger/doc.json", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Skip("Swagger JSON not available")
return
}
var swaggerDoc map[string]interface{}
if err := json.NewDecoder(resp.Body).Decode(&swaggerDoc); err != nil {
t.Fatalf("Failed to decode Swagger JSON: %v", err)
}
paths, ok := swaggerDoc["paths"].(map[string]interface{})
if !ok {
return
}
apiPath, ok := paths["/api"].(map[string]interface{})
if !ok {
t.Error("API endpoint not documented")
return
}
getMethod, ok := apiPath["get"].(map[string]interface{})
if !ok {
t.Error("API GET method not documented")
return
}
if getMethod["responses"] == nil {
t.Error("API endpoint missing responses")
}
})
t.Run("auth_endpoints_documented", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/swagger/doc.json", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Skip("Swagger JSON not available")
return
}
var swaggerDoc map[string]interface{}
if err := json.NewDecoder(resp.Body).Decode(&swaggerDoc); err != nil {
t.Fatalf("Failed to decode Swagger JSON: %v", err)
}
paths, ok := swaggerDoc["paths"].(map[string]interface{})
if !ok {
return
}
authEndpoints := []string{
"/api/auth/login",
"/api/auth/register",
}
for _, endpoint := range authEndpoints {
endpointData, ok := paths[endpoint].(map[string]interface{})
if !ok {
t.Errorf("Auth endpoint %s not documented", endpoint)
continue
}
postMethod, ok := endpointData["post"].(map[string]interface{})
if !ok {
t.Errorf("Auth endpoint %s missing POST method", endpoint)
continue
}
if postMethod["parameters"] == nil && postMethod["requestBody"] == nil {
t.Logf("Auth endpoint %s may use inline request body", endpoint)
}
}
})
}

1683
internal/e2e/auth_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

1191
internal/e2e/common.go Normal file
View File

File diff suppressed because it is too large Load Diff

258
internal/e2e/consistency_test.go Normal file
View File

@@ -0,0 +1,258 @@
package e2e
import (
"testing"
"goyco/internal/database"
)
func TestE2E_VoteCountConsistency(t *testing.T) {
ctx := setupTestContext(t)
t.Run("vote_count_consistency", func(t *testing.T) {
user1 := ctx.createUserWithCleanup(t, "voteuser1", "Password123!")
user2 := ctx.createUserWithCleanup(t, "voteuser2", "Password123!")
user3 := ctx.createUserWithCleanup(t, "voteuser3", "Password123!")
client1 := ctx.loginUser(t, user1.Username, user1.Password)
post := client1.CreatePost(t, "Vote Count Test", "https://example.com/votecount", "Content")
client1.VoteOnPost(t, post.ID, "up")
client2 := ctx.loginUser(t, user2.Username, user2.Password)
client2.VoteOnPost(t, post.ID, "up")
client3 := ctx.loginUser(t, user3.Username, user3.Password)
client3.VoteOnPost(t, post.ID, "down")
var dbPost database.Post
if err := ctx.server.DB.First(&dbPost, post.ID).Error; err != nil {
t.Fatalf("Failed to find post in database: %v", err)
}
var voteCount int64
ctx.server.DB.Model(&database.Vote{}).Where("post_id = ? AND type = ?", post.ID, database.VoteUp).Count(&voteCount)
if voteCount != int64(dbPost.UpVotes) {
t.Errorf("Expected upvote count %d to match database count %d", dbPost.UpVotes, voteCount)
}
ctx.server.DB.Model(&database.Vote{}).Where("post_id = ? AND type = ?", post.ID, database.VoteDown).Count(&voteCount)
if voteCount != int64(dbPost.DownVotes) {
t.Errorf("Expected downvote count %d to match database count %d", dbPost.DownVotes, voteCount)
}
postsResp := client1.GetPosts(t)
apiPost := findPostInList(postsResp, post.ID)
if apiPost == nil {
t.Fatalf("Expected to find post in API response")
}
if apiPost.UpVotes != dbPost.UpVotes {
t.Errorf("Expected API upvote count %d to match database %d", apiPost.UpVotes, dbPost.UpVotes)
}
if apiPost.DownVotes != dbPost.DownVotes {
t.Errorf("Expected API downvote count %d to match database %d", apiPost.DownVotes, dbPost.DownVotes)
}
})
}
func TestE2E_PostScoreCalculation(t *testing.T) {
ctx := setupTestContext(t)
t.Run("post_score_calculation", func(t *testing.T) {
user1 := ctx.createUserWithCleanup(t, "scoreuser1", "Password123!")
user2 := ctx.createUserWithCleanup(t, "scoreuser2", "Password123!")
user3 := ctx.createUserWithCleanup(t, "scoreuser3", "Password123!")
client1 := ctx.loginUser(t, user1.Username, user1.Password)
post := client1.CreatePost(t, "Score Test", "https://example.com/score", "Content")
client1.VoteOnPost(t, post.ID, "up")
client2 := ctx.loginUser(t, user2.Username, user2.Password)
client2.VoteOnPost(t, post.ID, "up")
client3 := ctx.loginUser(t, user3.Username, user3.Password)
client3.VoteOnPost(t, post.ID, "down")
var dbPost database.Post
if err := ctx.server.DB.First(&dbPost, post.ID).Error; err != nil {
t.Fatalf("Failed to find post in database: %v", err)
}
expectedScore := dbPost.UpVotes - dbPost.DownVotes
if dbPost.Score != expectedScore {
t.Errorf("Expected score %d (upvotes %d - downvotes %d), got %d", expectedScore, dbPost.UpVotes, dbPost.DownVotes, dbPost.Score)
}
postsResp := client1.GetPosts(t)
apiPost := findPostInList(postsResp, post.ID)
if apiPost == nil {
t.Fatalf("Expected to find post in API response")
}
if apiPost.Score != expectedScore {
t.Errorf("Expected API score %d to match calculated score %d", apiPost.Score, expectedScore)
}
})
}
func TestE2E_PostDeletionCascades(t *testing.T) {
ctx := setupTestContext(t)
t.Run("post_deletion_cascades", func(t *testing.T) {
user1 := ctx.createUserWithCleanup(t, "cascadeuser1", "Password123!")
user2 := ctx.createUserWithCleanup(t, "cascadeuser2", "Password123!")
client1 := ctx.loginUser(t, user1.Username, user1.Password)
post := client1.CreatePost(t, "Cascade Test", "https://example.com/cascade", "Content")
client1.VoteOnPost(t, post.ID, "up")
client2 := ctx.loginUser(t, user2.Username, user2.Password)
client2.VoteOnPost(t, post.ID, "down")
var voteCountBefore int64
ctx.server.DB.Model(&database.Vote{}).Where("post_id = ?", post.ID).Count(&voteCountBefore)
if voteCountBefore == 0 {
t.Fatalf("Expected votes to exist before deletion")
}
client1.DeletePost(t, post.ID)
var voteCountAfter int64
ctx.server.DB.Model(&database.Vote{}).Where("post_id = ?", post.ID).Count(&voteCountAfter)
if voteCountAfter != 0 {
t.Errorf("Expected votes to be deleted after post deletion, found %d votes", voteCountAfter)
}
var dbPost database.Post
if err := ctx.server.DB.First(&dbPost, post.ID).Error; err == nil {
t.Errorf("Expected post to be deleted from database")
}
})
}
func TestE2E_UserDeletionCascades(t *testing.T) {
ctx := setupTestContext(t)
t.Run("user_deletion_cascades", func(t *testing.T) {
user1 := ctx.createUserWithCleanup(t, "deleteuser1", "Password123!")
user2 := ctx.createUserWithCleanup(t, "deleteuser2", "Password123!")
client1 := ctx.loginUser(t, user1.Username, user1.Password)
post1 := client1.CreatePost(t, "Post 1", "https://example.com/post1", "Content 1")
post2 := client1.CreatePost(t, "Post 2", "https://example.com/post2", "Content 2")
client2 := ctx.loginUser(t, user2.Username, user2.Password)
client2.VoteOnPost(t, post1.ID, "up")
var postCountBefore int64
ctx.server.DB.Model(&database.Post{}).Where("author_id = ?", user1.ID).Count(&postCountBefore)
if postCountBefore == 0 {
t.Fatalf("Expected posts to exist before deletion")
}
var voteCountBefore int64
ctx.server.DB.Model(&database.Vote{}).Where("post_id IN (?)", []uint{post1.ID, post2.ID}).Count(&voteCountBefore)
if voteCountBefore == 0 {
t.Fatalf("Expected votes to exist before deletion")
}
ctx.server.EmailSender.Reset()
client1.RequestAccountDeletion(t)
deletionToken := ctx.server.EmailSender.DeletionToken()
if deletionToken == "" {
t.Fatalf("Expected deletion token")
}
client1.ConfirmAccountDeletion(t, deletionToken, false)
var postCountAfter int64
ctx.server.DB.Model(&database.Post{}).Where("author_id = ?", user1.ID).Count(&postCountAfter)
if postCountAfter != 0 {
t.Errorf("Expected posts to be deleted after user deletion, found %d posts", postCountAfter)
}
var voteCountAfter int64
ctx.server.DB.Model(&database.Vote{}).Where("post_id IN (?)", []uint{post1.ID, post2.ID}).Count(&voteCountAfter)
if voteCountAfter != 0 {
t.Errorf("Expected votes to be deleted after post deletion, found %d votes", voteCountAfter)
}
var dbUser database.User
if err := ctx.server.DB.First(&dbUser, user1.ID).Error; err == nil {
t.Errorf("Expected user to be deleted from database")
}
})
}
func TestE2E_ReferentialIntegrity(t *testing.T) {
ctx := setupTestContext(t)
t.Run("referential_integrity", func(t *testing.T) {
user1 := ctx.createUserWithCleanup(t, "refuser1", "Password123!")
user2 := ctx.createUserWithCleanup(t, "refuser2", "Password123!")
client1 := ctx.loginUser(t, user1.Username, user1.Password)
post := client1.CreatePost(t, "Ref Integrity Test", "https://example.com/ref", "Content")
client2 := ctx.loginUser(t, user2.Username, user2.Password)
client2.VoteOnPost(t, post.ID, "up")
var voteCount int64
ctx.server.DB.Model(&database.Vote{}).Where("post_id = ? AND user_id = ?", post.ID, user2.ID).Count(&voteCount)
if voteCount != 1 {
t.Errorf("Expected vote to exist with correct foreign keys")
}
var postCount int64
ctx.server.DB.Model(&database.Post{}).Where("author_id = ?", user1.ID).Count(&postCount)
if postCount == 0 {
t.Errorf("Expected post to exist with correct author foreign key")
}
})
}
func TestE2E_OrphanedRecordsPrevention(t *testing.T) {
ctx := setupTestContext(t)
t.Run("orphaned_records_prevention", func(t *testing.T) {
user1 := ctx.createUserWithCleanup(t, "orphanuser1", "Password123!")
user2 := ctx.createUserWithCleanup(t, "orphanuser2", "Password123!")
client1 := ctx.loginUser(t, user1.Username, user1.Password)
post := client1.CreatePost(t, "Orphan Test", "https://example.com/orphan", "Content")
client2 := ctx.loginUser(t, user2.Username, user2.Password)
client2.VoteOnPost(t, post.ID, "up")
var voteCountBefore int64
ctx.server.DB.Model(&database.Vote{}).Where("post_id = ?", post.ID).Count(&voteCountBefore)
client1.DeletePost(t, post.ID)
var orphanedVotes int64
ctx.server.DB.Unscoped().Model(&database.Vote{}).Where("post_id = ?", post.ID).Count(&orphanedVotes)
if orphanedVotes != 0 {
t.Errorf("Expected no orphaned votes after post deletion, found %d", orphanedVotes)
}
post2 := client1.CreatePost(t, "Orphan Test 2", "https://example.com/orphan2", "Content")
client2.VoteOnPost(t, post2.ID, "up")
ctx.server.EmailSender.Reset()
client1.RequestAccountDeletion(t)
deletionToken := ctx.server.EmailSender.DeletionToken()
if deletionToken == "" {
t.Fatalf("Expected deletion token")
}
client1.ConfirmAccountDeletion(t, deletionToken, false)
var orphanedPosts int64
ctx.server.DB.Unscoped().Model(&database.Post{}).Where("author_id = ?", user1.ID).Count(&orphanedPosts)
if orphanedPosts != 0 {
t.Errorf("Expected no posts with author_id = %d after user deletion, found %d", user1.ID, orphanedPosts)
}
var orphanedVotesAfter int64
ctx.server.DB.Unscoped().Model(&database.Vote{}).Where("post_id = ?", post2.ID).Count(&orphanedVotesAfter)
if orphanedVotesAfter != 0 {
t.Errorf("Expected no orphaned votes after post deletion via user deletion, found %d", orphanedVotesAfter)
}
})
}

216
internal/e2e/deployment_test.go Normal file
View File

@@ -0,0 +1,216 @@
package e2e
import (
"os"
"os/exec"
"path/filepath"
"strings"
"testing"
)
func TestE2E_DockerDeployment(t *testing.T) {
if testing.Short() {
t.Skip("Skipping Docker deployment tests in short mode")
}
wd, err := os.Getwd()
if err != nil {
t.Fatalf("Failed to get working directory: %v", err)
}
workspaceRoot := wd
for {
if _, err := os.Stat(filepath.Join(workspaceRoot, "go.mod")); err == nil {
break
}
parent := filepath.Dir(workspaceRoot)
if parent == workspaceRoot {
t.Skip("Could not find workspace root")
return
}
workspaceRoot = parent
}
t.Run("dockerfile_exists", func(t *testing.T) {
dockerfilePath := filepath.Join(workspaceRoot, "Dockerfile")
if _, err := os.Stat(dockerfilePath); os.IsNotExist(err) {
t.Skipf("Dockerfile not found at %s", dockerfilePath)
}
})
t.Run("dockerfile_valid", func(t *testing.T) {
dockerfilePath := filepath.Join(workspaceRoot, "Dockerfile")
content, err := os.ReadFile(dockerfilePath)
if err != nil {
t.Skipf("Failed to read Dockerfile: %v", err)
return
}
contentStr := string(content)
required := []string{
"FROM",
"WORKDIR",
"COPY",
"RUN",
"EXPOSE",
}
for _, req := range required {
if !strings.Contains(contentStr, req) {
t.Errorf("Dockerfile missing required directive: %s", req)
}
}
})
t.Run("service_file_exists", func(t *testing.T) {
servicePath := filepath.Join(workspaceRoot, "services/goyco.service")
if _, err := os.Stat(servicePath); os.IsNotExist(err) {
t.Skipf("Service file not found at %s", servicePath)
}
})
t.Run("service_file_valid", func(t *testing.T) {
servicePath := filepath.Join(workspaceRoot, "services/goyco.service")
content, err := os.ReadFile(servicePath)
if err != nil {
t.Skipf("Failed to read service file: %v", err)
return
}
contentStr := string(content)
required := []string{
"[Unit]",
"[Service]",
"ExecStart",
"Restart",
}
for _, req := range required {
if !strings.Contains(contentStr, req) {
t.Errorf("Service file missing required section: %s", req)
}
}
})
t.Run("static_files_exist", func(t *testing.T) {
staticDir := filepath.Join(workspaceRoot, "internal/static")
if _, err := os.Stat(staticDir); os.IsNotExist(err) {
t.Skipf("Static directory not found at %s", staticDir)
return
}
requiredFiles := []string{
"robots.txt",
}
for _, file := range requiredFiles {
filePath := filepath.Join(staticDir, file)
if _, err := os.Stat(filePath); os.IsNotExist(err) {
t.Errorf("Required static file not found: %s", filePath)
}
}
})
t.Run("templates_exist", func(t *testing.T) {
templatesDir := filepath.Join(workspaceRoot, "internal/templates")
if _, err := os.Stat(templatesDir); os.IsNotExist(err) {
t.Skipf("Templates directory not found at %s", templatesDir)
}
})
}
func TestE2E_EnvironmentVariables(t *testing.T) {
t.Run("config_loading", func(t *testing.T) {
envVars := []string{
"SERVER_HOST",
"SERVER_PORT",
"DATABASE_HOST",
"DATABASE_PORT",
"DATABASE_USER",
"DATABASE_PASSWORD",
"DATABASE_NAME",
"JWT_SECRET",
}
for _, envVar := range envVars {
if os.Getenv(envVar) == "" {
t.Logf("Environment variable %s not set (this is expected in test environment)", envVar)
}
}
})
}
func TestE2E_BinaryExists(t *testing.T) {
t.Run("binary_builds", func(t *testing.T) {
if testing.Short() {
t.Skip("Skipping binary build test in short mode")
}
wd, err := os.Getwd()
if err != nil {
t.Skipf("Failed to get working directory: %v", err)
return
}
workspaceRoot := wd
for {
if _, err := os.Stat(filepath.Join(workspaceRoot, "go.mod")); err == nil {
break
}
parent := filepath.Dir(workspaceRoot)
if parent == workspaceRoot {
t.Skip("Could not find workspace root")
return
}
workspaceRoot = parent
}
cmd := exec.Command("go", "build", "-o", "/tmp/goyco-test", "./cmd/goyco")
cmd.Dir = workspaceRoot
if err := cmd.Run(); err != nil {
t.Skipf("Failed to build binary: %v", err)
return
}
if _, err := os.Stat("/tmp/goyco-test"); os.IsNotExist(err) {
t.Error("Binary was not created")
} else {
os.Remove("/tmp/goyco-test")
}
})
}
func TestE2E_ConfigurationValidation(t *testing.T) {
t.Run("required_paths", func(t *testing.T) {
wd, err := os.Getwd()
if err != nil {
t.Fatalf("Failed to get working directory: %v", err)
}
workspaceRoot := wd
for {
if _, err := os.Stat(filepath.Join(workspaceRoot, "go.mod")); err == nil {
break
}
parent := filepath.Dir(workspaceRoot)
if parent == workspaceRoot {
t.Fatalf("Could not find workspace root (go.mod) starting from %s", wd)
}
workspaceRoot = parent
}
requiredPaths := []string{
"cmd/goyco",
"internal",
"go.mod",
"go.sum",
}
for _, path := range requiredPaths {
fullPath := filepath.Join(workspaceRoot, path)
if _, err := os.Stat(fullPath); os.IsNotExist(err) {
t.Errorf("Required path not found: %s (workspace root: %s)", path, workspaceRoot)
}
}
})
}

507
internal/e2e/error_handling_test.go Normal file
View File

@@ -0,0 +1,507 @@
package e2e
import (
"bytes"
"encoding/json"
"fmt"
"net/http"
"sync"
"testing"
"time"
"goyco/internal/database"
"goyco/internal/testutils"
)
func TestE2E_PartialFailureHandling(t *testing.T) {
ctx := setupTestContext(t)
t.Run("partial_failure_handling", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "partial", "Password123!")
post := authClient.CreatePost(t, "Partial Failure Test", "https://example.com/partial", "Content")
if post.ID == 0 {
t.Fatalf("Expected post creation to succeed")
}
postsResp := authClient.GetPosts(t)
foundPost := findPostInList(postsResp, post.ID)
if foundPost == nil {
t.Fatalf("Expected post to exist after creation")
}
invalidPostID := uint(999999)
voteResp, statusCode := authClient.VoteOnPostRaw(t, invalidPostID, "up")
if statusCode == http.StatusOK || voteResp.Success {
t.Errorf("Expected vote on non-existent post to fail")
}
postsRespAfter := authClient.GetPosts(t)
foundPostAfter := findPostInList(postsRespAfter, post.ID)
if foundPostAfter == nil {
t.Errorf("Expected post to still exist after vote failure")
}
})
}
func TestE2E_ConcurrentModification(t *testing.T) {
ctx := setupTestContext(t)
t.Run("concurrent_modification", func(t *testing.T) {
user1 := ctx.createUserWithCleanup(t, "concmode1", "Password123!")
user2 := ctx.createUserWithCleanup(t, "concmode2", "Password123!")
client1 := ctx.loginUser(t, user1.Username, user1.Password)
post := client1.CreatePost(t, "Concurrent Edit Test", "https://example.com/concmode", "Original content")
client2 := ctx.loginUser(t, user2.Username, user2.Password)
statusCode := client2.UpdatePostExpectStatus(t, post.ID, "Hacked Title", "https://example.com/concmode", "Hacked content")
if statusCode != http.StatusForbidden {
t.Errorf("Expected 403 Forbidden when user2 tries to edit user1's post, got %d", statusCode)
}
postsResp := client1.GetPosts(t)
updatedPost := findPostInList(postsResp, post.ID)
if updatedPost == nil {
t.Fatalf("Expected post to exist")
}
if updatedPost.Title != "Concurrent Edit Test" {
t.Errorf("Expected post title to remain unchanged after unauthorized edit attempt, got '%s'", updatedPost.Title)
}
})
}
func TestE2E_ResourceNotFound(t *testing.T) {
ctx := setupTestContext(t)
t.Run("resource_not_found", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "notfound", "Password123!")
post := authClient.CreatePost(t, "To Delete", "https://example.com/todelete", "Content")
authClient.DeletePost(t, post.ID)
statusCode := authClient.UpdatePostExpectStatus(t, post.ID, "Updated", "https://example.com/todelete", "Updated")
if statusCode != http.StatusNotFound {
t.Errorf("Expected 404 Not Found when accessing deleted post, got %d", statusCode)
}
voteResp, statusCode := authClient.VoteOnPostRaw(t, post.ID, "up")
if statusCode == http.StatusOK || voteResp.Success {
t.Errorf("Expected vote on deleted post to fail")
}
postsResp := authClient.GetPosts(t)
deletedPost := findPostInList(postsResp, post.ID)
if deletedPost != nil {
t.Errorf("Expected deleted post to not appear in posts list")
}
})
}
func TestE2E_InvalidStateTransitions(t *testing.T) {
ctx := setupTestContext(t)
t.Run("invalid_state_transitions", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "invalidstate", "Password123!")
post := authClient.CreatePost(t, "State Test", "https://example.com/state", "Content")
voteResp := authClient.VoteOnPost(t, post.ID, "up")
if !voteResp.Success {
t.Errorf("Expected vote to succeed")
}
authClient.DeletePost(t, post.ID)
voteRespAfter, statusCode := authClient.VoteOnPostRaw(t, post.ID, "down")
if statusCode == http.StatusOK || voteRespAfter.Success {
t.Errorf("Expected vote on deleted post to fail")
}
statusCode = authClient.UpdatePostExpectStatus(t, post.ID, "Updated", "https://example.com/state", "Updated")
if statusCode != http.StatusNotFound {
t.Errorf("Expected 404 when updating deleted post, got %d", statusCode)
}
})
}
func TestE2E_RequestTimeoutHandling(t *testing.T) {
ctx := setupTestContext(t)
t.Run("request_timeout_handling", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "timeout", "Password123!")
client := &http.Client{
Timeout: 1 * time.Nanosecond,
}
request, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
request.Header.Set("Authorization", "Bearer "+authClient.Token)
testutils.WithStandardHeaders(request)
_, err = client.Do(request)
if err == nil {
t.Log("Request completed despite timeout (acceptable if server is very fast)")
}
})
}
func TestE2E_SlowResponseHandling(t *testing.T) {
ctx := setupTestContext(t)
t.Run("slow_response_handling", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "slow", "Password123!")
start := time.Now()
postsResp := authClient.GetPosts(t)
duration := time.Since(start)
if postsResp == nil {
t.Errorf("Expected posts response even with slow response")
}
if duration > 30*time.Second {
t.Errorf("Request took too long: %v", duration)
}
})
}
func TestE2E_MalformedInput(t *testing.T) {
ctx := setupTestContext(t)
t.Run("malformed_input", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "malformed", "Password123!")
t.Run("very_long_title", func(t *testing.T) {
longTitle := make([]byte, 201)
for i := range longTitle {
longTitle[i] = 'A'
}
postData := map[string]string{
"title": string(longTitle),
"url": "https://example.com/long",
}
body, _ := json.Marshal(postData)
request, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", bytes.NewReader(body))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
request.Header.Set("Content-Type", "application/json")
request.Header.Set("Authorization", "Bearer "+authClient.Token)
testutils.WithStandardHeaders(request)
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusCreated {
t.Errorf("Expected long title to be rejected")
}
})
t.Run("very_long_content", func(t *testing.T) {
longContent := make([]byte, 10001)
for i := range longContent {
longContent[i] = 'B'
}
postData := map[string]string{
"title": "Test",
"url": "https://example.com/longcontent",
"content": string(longContent),
}
body, _ := json.Marshal(postData)
request, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", bytes.NewReader(body))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
request.Header.Set("Content-Type", "application/json")
request.Header.Set("Authorization", "Bearer "+authClient.Token)
testutils.WithStandardHeaders(request)
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusCreated {
t.Errorf("Expected long content to be rejected")
}
})
t.Run("special_characters", func(t *testing.T) {
specialChars := []string{
"<script>alert('XSS')</script>",
"'; DROP TABLE posts; --",
"测试中文",
"🚀 Emoji Test",
"Test\nNewline",
"Test\tTab",
}
for _, special := range specialChars {
postData := map[string]string{
"title": special,
"url": "https://example.com/special",
"content": special,
}
body, _ := json.Marshal(postData)
request, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", bytes.NewReader(body))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
request.Header.Set("Content-Type", "application/json")
request.Header.Set("Authorization", "Bearer "+authClient.Token)
testutils.WithStandardHeaders(request)
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
resp.Body.Close()
if resp.StatusCode == http.StatusCreated {
postsResp := authClient.GetPosts(t)
if postsResp != nil {
t.Logf("Special characters accepted: %s (may be sanitized)", special)
}
}
}
})
t.Run("missing_required_fields", func(t *testing.T) {
testCases := []struct {
name string
body map[string]any
}{
{"missing_url", map[string]any{"title": "Test"}},
{"empty_url", map[string]any{"title": "Test", "url": ""}},
{"missing_title_and_url", map[string]any{"content": "Content"}},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
body, _ := json.Marshal(tc.body)
request, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", bytes.NewReader(body))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
request.Header.Set("Content-Type", "application/json")
request.Header.Set("Authorization", "Bearer "+authClient.Token)
testutils.WithStandardHeaders(request)
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusCreated {
t.Errorf("Expected missing required fields to be rejected")
}
})
}
})
t.Run("wrong_data_types", func(t *testing.T) {
testCases := []struct {
name string
body string
}{
{"title_as_number", `{"title": 123, "url": "https://example.com"}`},
{"url_as_boolean", `{"title": "Test", "url": true}`},
{"content_as_array", `{"title": "Test", "url": "https://example.com", "content": []}`},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
request, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", bytes.NewReader([]byte(tc.body)))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
request.Header.Set("Content-Type", "application/json")
request.Header.Set("Authorization", "Bearer "+authClient.Token)
testutils.WithStandardHeaders(request)
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusCreated {
t.Errorf("Expected wrong data types to be rejected")
}
})
}
})
})
}
func TestE2E_ConcurrentVotes(t *testing.T) {
ctx := setupTestContext(t)
t.Run("concurrent_votes", func(t *testing.T) {
user1 := ctx.createUserWithCleanup(t, "concvote1", "Password123!")
user2 := ctx.createUserWithCleanup(t, "concvote2", "Password123!")
user3 := ctx.createUserWithCleanup(t, "concvote3", "Password123!")
client1 := ctx.loginUser(t, user1.Username, user1.Password)
post := client1.CreatePost(t, "Concurrent Vote Test", "https://example.com/concvote", "Content")
client2 := ctx.loginUser(t, user2.Username, user2.Password)
client3 := ctx.loginUser(t, user3.Username, user3.Password)
var wg sync.WaitGroup
results := make(chan bool, 3)
wg.Add(3)
go func() {
defer wg.Done()
voteResp := client1.VoteOnPost(t, post.ID, "up")
results <- voteResp.Success
}()
go func() {
defer wg.Done()
voteResp := client2.VoteOnPost(t, post.ID, "up")
results <- voteResp.Success
}()
go func() {
defer wg.Done()
voteResp := client3.VoteOnPost(t, post.ID, "down")
results <- voteResp.Success
}()
wg.Wait()
close(results)
successCount := 0
for success := range results {
if success {
successCount++
}
}
if successCount == 0 {
t.Errorf("Expected at least some concurrent votes to succeed")
}
var dbPost database.Post
if err := ctx.server.DB.First(&dbPost, post.ID).Error; err != nil {
t.Fatalf("Failed to find post in database: %v", err)
}
if dbPost.UpVotes+dbPost.DownVotes != successCount {
t.Logf("Vote counts may not match exactly due to race conditions (acceptable)")
}
})
}
func TestE2E_ConcurrentPostCreation(t *testing.T) {
ctx := setupTestContext(t)
t.Run("concurrent_post_creation", func(t *testing.T) {
users := ctx.createMultipleUsersWithCleanup(t, 5, "concpost", "Password123!")
var wg sync.WaitGroup
results := make(chan *TestPost, len(users))
var mu sync.Mutex
createdURLs := make(map[string]bool)
for _, user := range users {
u := user
wg.Add(1)
go func() {
defer wg.Done()
client, err := ctx.loginUserSafe(t, u.Username, u.Password)
if err != nil || client == nil {
results <- nil
return
}
url := fmt.Sprintf("https://example.com/concpost/%d", u.ID)
mu.Lock()
if createdURLs[url] {
mu.Unlock()
results <- nil
return
}
createdURLs[url] = true
mu.Unlock()
post, err := client.CreatePostSafe("Concurrent Post", url, "Content")
results <- post
}()
}
wg.Wait()
close(results)
successCount := 0
for post := range results {
if post != nil && post.ID != 0 {
successCount++
}
}
if successCount == 0 {
t.Errorf("Expected at least some concurrent post creations to succeed")
}
})
}
func TestE2E_ConcurrentProfileUpdates(t *testing.T) {
ctx := setupTestContext(t)
t.Run("concurrent_profile_updates", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "concprofile", "Password123!")
client1 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
client2 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
var wg sync.WaitGroup
results := make(chan bool, 2)
wg.Add(2)
go func() {
defer wg.Done()
newUsername := uniqueUsername(t, "update1")
client1.UpdateUsername(t, newUsername)
profile := client1.GetProfile(t)
results <- (profile != nil && profile.Data.Username == newUsername)
}()
go func() {
defer wg.Done()
newUsername := uniqueUsername(t, "update2")
client2.UpdateUsername(t, newUsername)
profile := client2.GetProfile(t)
results <- (profile != nil && profile.Data.Username == newUsername)
}()
wg.Wait()
close(results)
successCount := 0
for success := range results {
if success {
successCount++
}
}
if successCount == 0 {
t.Errorf("Expected at least some concurrent profile updates to succeed")
}
})
}

364
internal/e2e/error_recovery_test.go Normal file
View File

@@ -0,0 +1,364 @@
package e2e
import (
"context"
"errors"
"net/http"
"sync"
"testing"
"time"
"gorm.io/gorm"
"goyco/internal/database"
"goyco/internal/testutils"
)
func TestE2E_DatabaseFailureRecovery(t *testing.T) {
t.Run("database_unavailable_handles_gracefully", func(t *testing.T) {
ctx := setupTestContext(t)
sqlDB, err := ctx.server.DB.DB()
if err != nil {
t.Fatalf("Failed to get SQL DB: %v", err)
}
sqlDB.Close()
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
return
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusInternalServerError && resp.StatusCode != http.StatusServiceUnavailable {
t.Logf("Expected 500 or 503, got %d (acceptable for unavailable DB)", resp.StatusCode)
}
})
t.Run("connection_pool_exhaustion", func(t *testing.T) {
ctx := setupTestContext(t)
sqlDB, err := ctx.server.DB.DB()
if err != nil {
t.Fatalf("Failed to get SQL DB: %v", err)
}
originalMaxOpen := sqlDB.Stats().MaxOpenConnections
if originalMaxOpen == 0 {
originalMaxOpen = 1
}
sqlDB.SetMaxOpenConns(2)
var wg sync.WaitGroup
errors := make(chan error, 10)
for i := 0; i < 5; i++ {
wg.Add(1)
go func() {
defer wg.Done()
conn, err := sqlDB.Conn(context.Background())
if err != nil {
errors <- err
return
}
defer conn.Close()
time.Sleep(100 * time.Millisecond)
}()
}
wg.Wait()
close(errors)
errorCount := 0
for range errors {
errorCount++
}
if errorCount == 0 {
t.Log("No connection errors occurred (pool handled load)")
}
sqlDB.SetMaxOpenConns(int(originalMaxOpen))
})
t.Run("transaction_rollback_on_error", func(t *testing.T) {
ctx := setupTestContext(t)
testUser := ctx.createUserWithCleanup(t, "rollbackuser", "StrongPass123!")
tx := ctx.server.DB.Begin()
if tx.Error != nil {
t.Fatalf("Failed to begin transaction: %v", tx.Error)
}
post := &database.Post{
Title: "Rollback Test Post",
URL: "https://example.com/rollback",
Content: "This post should be rolled back",
AuthorID: &testUser.ID,
}
err := tx.Create(post).Error
if err != nil {
tx.Rollback()
t.Fatalf("Failed to create post in transaction: %v", err)
}
var postInTx database.Post
err = tx.First(&postInTx, post.ID).Error
if err != nil {
tx.Rollback()
t.Fatalf("Failed to retrieve post in transaction: %v", err)
}
tx.Rollback()
var postAfterRollback database.Post
err = ctx.server.DB.First(&postAfterRollback, post.ID).Error
if err == nil {
t.Error("Expected post to not exist after transaction rollback")
} else if !errors.Is(err, gorm.ErrRecordNotFound) {
t.Logf("Post correctly not found after rollback (error: %v)", err)
}
})
t.Run("transaction_commit_succeeds", func(t *testing.T) {
ctx := setupTestContext(t)
testUser := ctx.createUserWithCleanup(t, "commituser", "StrongPass123!")
tx := ctx.server.DB.Begin()
if tx.Error != nil {
t.Fatalf("Failed to begin transaction: %v", tx.Error)
}
post := &database.Post{
Title: "Commit Test Post",
URL: "https://example.com/commit",
Content: "This post should be committed",
AuthorID: &testUser.ID,
}
err := tx.Create(post).Error
if err != nil {
tx.Rollback()
t.Fatalf("Failed to create post in transaction: %v", err)
}
err = tx.Commit().Error
if err != nil {
t.Fatalf("Failed to commit transaction: %v", err)
}
var postAfterCommit database.Post
err = ctx.server.DB.First(&postAfterCommit, post.ID).Error
if err != nil {
t.Errorf("Expected post to exist after transaction commit, got error: %v", err)
}
})
t.Run("database_timeout_handling", func(t *testing.T) {
ctx := setupTestContext(t)
sqlDB, err := ctx.server.DB.DB()
if err != nil {
t.Fatalf("Failed to get SQL DB: %v", err)
}
ctxTimeout, cancel := context.WithTimeout(context.Background(), 1*time.Nanosecond)
defer cancel()
conn, err := sqlDB.Conn(ctxTimeout)
if err != nil {
return
}
defer conn.Close()
rows, err := conn.QueryContext(ctxTimeout, "SELECT 1")
if err != nil && !errors.Is(err, context.DeadlineExceeded) {
t.Logf("Timeout handled correctly: %v", err)
}
if rows != nil {
rows.Close()
}
})
t.Run("concurrent_transaction_isolation", func(t *testing.T) {
ctx := setupTestContext(t)
testUser := ctx.createUserWithCleanup(t, "isolationuser", "StrongPass123!")
var wg sync.WaitGroup
errors := make(chan error, 2)
wg.Add(2)
go func() {
defer wg.Done()
tx1 := ctx.server.DB.Begin()
if tx1.Error != nil {
errors <- tx1.Error
return
}
post1 := &database.Post{
Title: "Isolation Post 1",
URL: "https://example.com/isolation1",
Content: "First transaction",
AuthorID: &testUser.ID,
}
err := tx1.Create(post1).Error
if err != nil {
tx1.Rollback()
errors <- err
return
}
time.Sleep(50 * time.Millisecond)
tx1.Commit()
}()
go func() {
defer wg.Done()
time.Sleep(25 * time.Millisecond)
tx2 := ctx.server.DB.Begin()
if tx2.Error != nil {
errors <- tx2.Error
return
}
post2 := &database.Post{
Title: "Isolation Post 2",
URL: "https://example.com/isolation2",
Content: "Second transaction",
AuthorID: &testUser.ID,
}
err := tx2.Create(post2).Error
if err != nil {
tx2.Rollback()
errors <- err
return
}
tx2.Commit()
}()
wg.Wait()
close(errors)
for err := range errors {
if err != nil {
t.Errorf("Transaction error: %v", err)
}
}
})
}
func TestE2E_DatabaseConnectionPool(t *testing.T) {
ctx := setupTestContext(t)
t.Run("pool_stats_tracking", func(t *testing.T) {
sqlDB, err := ctx.server.DB.DB()
if err != nil {
t.Fatalf("Failed to get SQL DB: %v", err)
}
stats := sqlDB.Stats()
if stats.MaxOpenConnections == 0 {
t.Error("Expected MaxOpenConnections to be set")
}
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
resp.Body.Close()
newStats := sqlDB.Stats()
if newStats.OpenConnections > stats.OpenConnections {
t.Logf("Connection pool used: %d -> %d connections", stats.OpenConnections, newStats.OpenConnections)
}
})
t.Run("pool_reuses_connections", func(t *testing.T) {
sqlDB, err := ctx.server.DB.DB()
if err != nil {
t.Fatalf("Failed to get SQL DB: %v", err)
}
initialStats := sqlDB.Stats()
for i := 0; i < 5; i++ {
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
continue
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err == nil {
resp.Body.Close()
}
}
finalStats := sqlDB.Stats()
if finalStats.OpenConnections > initialStats.MaxOpenConnections {
t.Errorf("Pool exceeded max connections: %d > %d", finalStats.OpenConnections, initialStats.MaxOpenConnections)
}
})
}
func TestE2E_DatabaseErrorHandling(t *testing.T) {
ctx := setupTestContext(t)
t.Run("invalid_query_returns_error", func(t *testing.T) {
var result struct {
ID int
}
err := ctx.server.DB.Raw("SELECT * FROM nonexistent_table WHERE id = ?", 1).Scan(&result).Error
if err == nil {
t.Error("Expected error for invalid query")
}
})
t.Run("constraint_violation_handled", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "constraintuser", "StrongPass123!")
duplicateUser := &database.User{
Username: testUser.Username,
Email: "different@example.com",
Password: "DifferentPass123!",
EmailVerified: true,
}
err := ctx.server.DB.Create(duplicateUser).Error
if err == nil {
t.Error("Expected error for duplicate username")
}
})
t.Run("null_constraint_violation", func(t *testing.T) {
invalidPost := &database.Post{
Title: "",
URL: "",
Content: "",
}
err := ctx.server.DB.Create(invalidPost).Error
if err == nil {
t.Log("SQLite allows empty strings (constraint validation handled at application level)")
} else {
t.Logf("Database rejected empty values: %v", err)
}
})
}

327
internal/e2e/middleware_test.go Normal file
View File

@@ -0,0 +1,327 @@
package e2e
import (
"bytes"
"compress/gzip"
"io"
"net/http"
"strings"
"testing"
"goyco/internal/testutils"
)
func TestE2E_CompressionMiddleware(t *testing.T) {
ctx := setupTestContext(t)
t.Run("compression_enabled_with_accept_encoding", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req.Header.Set("Accept-Encoding", "gzip")
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
contentEncoding := resp.Header.Get("Content-Encoding")
if contentEncoding == "gzip" {
body, err := io.ReadAll(resp.Body)
if err != nil {
t.Fatalf("Failed to read response body: %v", err)
}
if isGzipCompressed(body) {
reader, err := gzip.NewReader(bytes.NewReader(body))
if err != nil {
t.Fatalf("Failed to create gzip reader: %v", err)
}
defer reader.Close()
decompressed, err := io.ReadAll(reader)
if err != nil {
t.Fatalf("Failed to decompress: %v", err)
}
if len(decompressed) == 0 {
t.Error("Decompressed body is empty")
}
}
} else {
t.Logf("Compression not applied (Content-Encoding: %s)", contentEncoding)
}
})
t.Run("no_compression_without_accept_encoding", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
contentEncoding := resp.Header.Get("Content-Encoding")
if contentEncoding == "gzip" {
t.Error("Expected no compression without Accept-Encoding header")
}
})
t.Run("decompression_handles_gzip_request", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "compressionuser", "StrongPass123!")
authClient := ctx.loginUser(t, testUser.Username, "StrongPass123!")
var buf bytes.Buffer
gz := gzip.NewWriter(&buf)
postData := `{"title":"Compressed Post","url":"https://example.com/compressed","content":"Test content"}`
gz.Write([]byte(postData))
gz.Close()
req, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", &buf)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Content-Encoding", "gzip")
testutils.WithStandardHeaders(req)
req.Header.Set("Authorization", "Bearer "+authClient.Token)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusBadRequest {
t.Log("Decompression middleware rejected invalid gzip")
} else if resp.StatusCode == http.StatusCreated || resp.StatusCode == http.StatusOK {
t.Log("Decompression middleware handled gzip request successfully")
}
})
}
func TestE2E_CacheMiddleware(t *testing.T) {
ctx := setupTestContext(t)
t.Run("cache_miss_then_hit", func(t *testing.T) {
req1, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req1)
resp1, err := ctx.client.Do(req1)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
resp1.Body.Close()
cacheStatus1 := resp1.Header.Get("X-Cache")
if cacheStatus1 == "HIT" {
t.Log("First request was cached (unexpected but acceptable)")
}
req2, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req2)
resp2, err := ctx.client.Do(req2)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp2.Body.Close()
cacheStatus2 := resp2.Header.Get("X-Cache")
if cacheStatus2 == "HIT" {
t.Log("Second request was served from cache")
}
})
t.Run("cache_invalidation_on_post", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "cacheuser", "StrongPass123!")
authClient := ctx.loginUser(t, testUser.Username, "StrongPass123!")
req1, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req1)
req1.Header.Set("Authorization", "Bearer "+authClient.Token)
resp1, err := ctx.client.Do(req1)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
resp1.Body.Close()
postData := `{"title":"Cache Invalidation Test","url":"https://example.com/cache","content":"Test"}`
req2, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", strings.NewReader(postData))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req2.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req2)
req2.Header.Set("Authorization", "Bearer "+authClient.Token)
resp2, err := ctx.client.Do(req2)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
resp2.Body.Close()
req3, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req3)
req3.Header.Set("Authorization", "Bearer "+authClient.Token)
resp3, err := ctx.client.Do(req3)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp3.Body.Close()
cacheStatus := resp3.Header.Get("X-Cache")
if cacheStatus == "HIT" {
t.Log("Cache was invalidated after POST")
}
})
}
func TestE2E_CSRFProtection(t *testing.T) {
ctx := setupTestContext(t)
t.Run("csrf_protection_for_non_api_routes", func(t *testing.T) {
req, err := http.NewRequest("POST", ctx.baseURL+"/auth/login", strings.NewReader(`{"username":"test","password":"test"}`))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusForbidden {
t.Log("CSRF protection active for non-API routes")
} else {
t.Logf("CSRF check result: status %d", resp.StatusCode)
}
})
t.Run("csrf_bypass_for_api_routes", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "csrfuser", "StrongPass123!")
authClient := ctx.loginUser(t, testUser.Username, "StrongPass123!")
postData := `{"title":"CSRF Test","url":"https://example.com/csrf","content":"Test"}`
req, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", strings.NewReader(postData))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req)
req.Header.Set("Authorization", "Bearer "+authClient.Token)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusForbidden {
t.Error("API routes should bypass CSRF protection")
}
})
t.Run("csrf_allows_get_requests", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/auth/login", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusForbidden {
t.Error("GET requests should not require CSRF token")
}
})
}
func TestE2E_RequestSizeLimit(t *testing.T) {
ctx := setupTestContext(t)
t.Run("request_within_size_limit", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "sizelimituser", "StrongPass123!")
authClient := ctx.loginUser(t, testUser.Username, "StrongPass123!")
smallData := strings.Repeat("a", 100)
postData := `{"title":"` + smallData + `","url":"https://example.com","content":"test"}`
req, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", strings.NewReader(postData))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req)
req.Header.Set("Authorization", "Bearer "+authClient.Token)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusRequestEntityTooLarge {
t.Error("Small request should not exceed size limit")
}
})
t.Run("request_exceeds_size_limit", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "sizelimituser2", "StrongPass123!")
authClient := ctx.loginUser(t, testUser.Username, "StrongPass123!")
largeData := strings.Repeat("a", 2*1024*1024)
postData := `{"title":"test","url":"https://example.com","content":"` + largeData + `"}`
req, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", strings.NewReader(postData))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req)
req.Header.Set("Authorization", "Bearer "+authClient.Token)
resp, err := ctx.client.Do(req)
if err != nil {
return
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusRequestEntityTooLarge {
t.Log("Request size limit enforced correctly")
} else {
t.Logf("Request size limit check result: status %d", resp.StatusCode)
}
})
}
func isGzipCompressed(data []byte) bool {
return len(data) >= 2 && data[0] == 0x1f && data[1] == 0x8b
}

375
internal/e2e/performance_test.go Normal file
View File

@@ -0,0 +1,375 @@
package e2e
import (
"bytes"
"compress/gzip"
"encoding/json"
"fmt"
"net/http"
"sync"
"sync/atomic"
"testing"
"time"
"goyco/internal/testutils"
)
func TestE2E_Performance(t *testing.T) {
ctx := setupTestContext(t)
t.Run("response_times", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "perfuser", "StrongPass123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
endpoints := []struct {
name string
req func() (*http.Request, error)
}{
{
name: "health",
req: func() (*http.Request, error) {
return http.NewRequest("GET", ctx.baseURL+"/health", nil)
},
},
{
name: "posts_list",
req: func() (*http.Request, error) {
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err == nil {
testutils.WithStandardHeaders(req)
}
return req, err
},
},
{
name: "profile",
req: func() (*http.Request, error) {
req, err := http.NewRequest("GET", ctx.baseURL+"/api/auth/me", nil)
if err == nil {
req.Header.Set("Authorization", "Bearer "+authClient.Token)
testutils.WithStandardHeaders(req)
}
return req, err
},
},
}
for _, endpoint := range endpoints {
t.Run(endpoint.name, func(t *testing.T) {
var totalTime time.Duration
iterations := 10
for i := 0; i < iterations; i++ {
req, err := endpoint.req()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
start := time.Now()
resp, err := ctx.client.Do(req)
duration := time.Since(start)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected 200, got %d", resp.StatusCode)
}
totalTime += duration
}
avgTime := totalTime / time.Duration(iterations)
if avgTime > 500*time.Millisecond {
t.Errorf("Average response time %v exceeds 500ms", avgTime)
}
})
}
})
t.Run("concurrent_requests", func(t *testing.T) {
ctx.createUserWithCleanup(t, "concurrentperf", "StrongPass123!")
concurrency := 20
requestsPerGoroutine := 5
var successCount int64
var errorCount int64
var wg sync.WaitGroup
for i := 0; i < concurrency; i++ {
wg.Add(1)
go func() {
defer wg.Done()
for j := 0; j < requestsPerGoroutine; j++ {
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
atomic.AddInt64(&errorCount, 1)
continue
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
atomic.AddInt64(&errorCount, 1)
continue
}
resp.Body.Close()
if resp.StatusCode == http.StatusOK {
atomic.AddInt64(&successCount, 1)
} else {
atomic.AddInt64(&errorCount, 1)
}
}
}()
}
wg.Wait()
totalRequests := int64(concurrency * requestsPerGoroutine)
if successCount < totalRequests*8/10 {
t.Errorf("Expected at least 80%% success rate, got %d/%d successful", successCount, totalRequests)
}
})
t.Run("database_query_performance", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "dbperf", "StrongPass123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
for i := 0; i < 10; i++ {
authClient.CreatePost(t, fmt.Sprintf("Post %d", i), fmt.Sprintf("https://example.com/%d", i), "Content")
}
start := time.Now()
postsResp := authClient.GetPosts(t)
duration := time.Since(start)
if len(postsResp.Data.Posts) < 10 {
t.Errorf("Expected at least 10 posts, got %d", len(postsResp.Data.Posts))
}
if duration > 1*time.Second {
t.Errorf("Posts query took %v, expected under 1s", duration)
}
})
t.Run("memory_usage", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "memuser", "StrongPass123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
initialPosts := 50
for i := 0; i < initialPosts; i++ {
authClient.CreatePost(t, fmt.Sprintf("Memory Test Post %d", i), fmt.Sprintf("https://example.com/mem%d", i), "Content")
}
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts?limit=100", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Fatalf("Expected 200, got %d", resp.StatusCode)
}
var postsResp testutils.PostsListResponse
reader := resp.Body
if resp.Header.Get("Content-Encoding") == "gzip" {
gzReader, err := gzip.NewReader(resp.Body)
if err != nil {
t.Fatalf("Failed to create gzip reader: %v", err)
}
defer gzReader.Close()
reader = gzReader
}
if err := json.NewDecoder(reader).Decode(&postsResp); err != nil {
t.Fatalf("Failed to decode response: %v", err)
}
if len(postsResp.Data.Posts) < initialPosts {
t.Errorf("Expected at least %d posts, got %d", initialPosts, len(postsResp.Data.Posts))
}
})
}
func TestE2E_LoadTest(t *testing.T) {
ctx := setupTestContext(t)
t.Run("sustained_load", func(t *testing.T) {
ctx.createUserWithCleanup(t, "loaduser", "StrongPass123!")
duration := 5 * time.Second
requestsPerSecond := 10
ticker := time.NewTicker(time.Second / time.Duration(requestsPerSecond))
defer ticker.Stop()
var successCount int64
var errorCount int64
done := make(chan bool)
go func() {
time.Sleep(duration)
done <- true
}()
for {
select {
case <-done:
totalRequests := successCount + errorCount
if totalRequests == 0 {
t.Error("No requests were made")
return
}
successRate := float64(successCount) / float64(totalRequests)
if successRate < 0.9 {
t.Errorf("Success rate %.2f%% below 90%% threshold", successRate*100)
}
return
case <-ticker.C:
go func() {
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
atomic.AddInt64(&errorCount, 1)
return
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
atomic.AddInt64(&errorCount, 1)
return
}
resp.Body.Close()
if resp.StatusCode == http.StatusOK {
atomic.AddInt64(&successCount, 1)
} else {
atomic.AddInt64(&errorCount, 1)
}
}()
}
}
})
}
func TestE2E_ConcurrentWrites(t *testing.T) {
ctx := setupTestContext(t)
t.Run("concurrent_post_creation", func(t *testing.T) {
users := ctx.createMultipleUsersWithCleanup(t, 5, "writeuser", "StrongPass123!")
var wg sync.WaitGroup
var successCount int64
var errorCount int64
for _, user := range users {
u := user
wg.Add(1)
go func() {
defer wg.Done()
authClient, err := ctx.loginUserSafe(t, u.Username, u.Password)
if err != nil {
atomic.AddInt64(&errorCount, 1)
return
}
for i := 0; i < 5; i++ {
post, err := authClient.CreatePostSafe(
fmt.Sprintf("Concurrent Post %d", i),
fmt.Sprintf("https://example.com/concurrent%d-%d", u.ID, i),
"Content",
)
if err == nil && post != nil {
atomic.AddInt64(&successCount, 1)
} else {
atomic.AddInt64(&errorCount, 1)
}
}
}()
}
wg.Wait()
expectedPosts := int64(len(users) * 5)
if successCount < expectedPosts*7/10 {
t.Errorf("Expected at least 70%% success rate, got %d/%d successful (errors: %d)", successCount, expectedPosts, errorCount)
}
})
}
func TestE2E_ResponseSize(t *testing.T) {
ctx := setupTestContext(t)
t.Run("large_response", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "sizetest", "StrongPass123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
for i := 0; i < 100; i++ {
authClient.CreatePost(t, fmt.Sprintf("Post %d", i), fmt.Sprintf("https://example.com/%d", i), "Content")
}
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected 200, got %d", resp.StatusCode)
}
var buf bytes.Buffer
buf.ReadFrom(resp.Body)
responseSize := buf.Len()
if responseSize > 10*1024*1024 {
t.Errorf("Response size %d bytes exceeds 10MB limit", responseSize)
}
})
}
func TestE2E_Throughput(t *testing.T) {
ctx := setupTestContext(t)
t.Run("requests_per_second", func(t *testing.T) {
ctx.createUserWithCleanup(t, "throughput", "StrongPass123!")
duration := 3 * time.Second
start := time.Now()
var requestCount int64
for time.Since(start) < duration {
req, err := http.NewRequest("GET", ctx.baseURL+"/api/posts", nil)
if err != nil {
continue
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err == nil {
resp.Body.Close()
atomic.AddInt64(&requestCount, 1)
}
}
elapsed := time.Since(start)
rps := float64(requestCount) / elapsed.Seconds()
if rps < 10 {
t.Errorf("Throughput %.2f req/s below 10 req/s threshold", rps)
}
})
}

108
internal/e2e/posts_test.go Normal file
View File

@@ -0,0 +1,108 @@
package e2e
import (
"net/http"
"testing"
)
func TestE2E_PostManagement(t *testing.T) {
ctx := setupTestContext(t)
t.Run("post_crud_operations", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "testuser", "StrongPass123!")
createdPost := authClient.CreatePost(t, "Original Post", "https://example.com/original", "Original content")
updatedPost := authClient.UpdatePost(t, createdPost.ID, "Updated Post", "https://example.com/updated", "Updated content")
if updatedPost.Title != "Updated Post" {
t.Errorf("Expected updated title 'Updated Post', got '%s'", updatedPost.Title)
}
if updatedPost.Content != "Updated content" {
t.Errorf("Expected updated content 'Updated content', got '%s'", updatedPost.Content)
}
postsResp := authClient.GetPosts(t)
assertPostInList(t, postsResp, updatedPost)
authClient.DeletePost(t, createdPost.ID)
finalPostsResp := authClient.GetPosts(t)
if len(finalPostsResp.Data.Posts) > 0 {
for _, post := range finalPostsResp.Data.Posts {
if post.ID == createdPost.ID {
t.Errorf("Expected post to be deleted, but it still appears in posts list")
break
}
}
}
})
}
func TestE2E_PostOwnershipAuthorization(t *testing.T) {
ctx := setupTestContext(t)
t.Run("post_ownership_authorization", func(t *testing.T) {
createdUsers := ctx.createMultipleUsersWithCleanup(t, 2, "user", "StrongPass123!")
user1 := createdUsers[0]
user2 := createdUsers[1]
authClient1 := ctx.loginUser(t, user1.Username, user1.Password)
createdPost := authClient1.CreatePost(t, "User1's Post", "https://example.com/user1", "This is user1's post content")
authClient2 := ctx.loginUser(t, user2.Username, user2.Password)
t.Run("user2_cannot_update_user1_post", func(t *testing.T) {
statusCode := authClient2.UpdatePostExpectStatus(t, createdPost.ID, "Hacked Title", "https://evil.com", "Hacked content")
if statusCode != http.StatusForbidden {
t.Errorf("Expected 403 Forbidden when User2 tries to update User1's post, got %d", statusCode)
}
})
t.Run("user2_cannot_delete_user1_post", func(t *testing.T) {
statusCode := authClient2.DeletePostExpectStatus(t, createdPost.ID)
if statusCode != http.StatusForbidden {
t.Errorf("Expected 403 Forbidden when User2 tries to delete User1's post, got %d", statusCode)
}
})
t.Run("user1_post_unchanged", func(t *testing.T) {
postsResp := authClient1.GetPosts(t)
found := false
for _, post := range postsResp.Data.Posts {
if post.ID == createdPost.ID {
found = true
if post.Title != createdPost.Title {
t.Errorf("Expected post title to remain '%s', but it was modified to '%s'", createdPost.Title, post.Title)
}
if post.Content != createdPost.Content {
t.Errorf("Expected post content to remain unchanged, but it was modified")
}
break
}
}
if !found {
t.Errorf("Expected User1's post to still exist, but it was not found in the posts list")
}
})
t.Run("user1_can_update_own_post", func(t *testing.T) {
updatedPost := authClient1.UpdatePost(t, createdPost.ID, "Updated by User1", "https://example.com/updated", "Updated content by User1")
if updatedPost.Title != "Updated by User1" {
t.Errorf("Expected post title to be 'Updated by User1', got '%s'", updatedPost.Title)
}
})
t.Run("user1_can_delete_own_post", func(t *testing.T) {
deletablePost := authClient1.CreatePost(t, "Deletable Post", "https://example.com/deletable", "This post will be deleted")
authClient1.DeletePost(t, deletablePost.ID)
postsResp := authClient1.GetPosts(t)
for _, post := range postsResp.Data.Posts {
if post.ID == deletablePost.ID {
t.Errorf("Expected post %d to be deleted, but it still exists", deletablePost.ID)
break
}
}
})
})
}

254
internal/e2e/rate_limiting_test.go Normal file
View File

@@ -0,0 +1,254 @@
package e2e
import (
"encoding/json"
"io"
"net/http"
"strings"
"testing"
"time"
"goyco/internal/testutils"
)
func TestE2E_RateLimitingHeaders(t *testing.T) {
ctx := setupTestContextWithAuthRateLimit(t, 3)
t.Run("rate_limit_headers_present", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "ratelimituser", "StrongPass123!")
for i := 0; i < 3; i++ {
req, err := http.NewRequest("POST", ctx.baseURL+"/api/auth/login", strings.NewReader(`{"username":"`+testUser.Username+`","password":"StrongPass123!"}`))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req)
req.Header.Set("X-Forwarded-For", testutils.GenerateTestIP())
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
resp.Body.Close()
if resp.StatusCode == http.StatusTooManyRequests {
retryAfter := resp.Header.Get("Retry-After")
if retryAfter == "" {
t.Error("Expected Retry-After header when rate limited")
}
var jsonResponse map[string]interface{}
body, _ := json.Marshal(map[string]string{})
_ = json.Unmarshal(body, &jsonResponse)
if resp.Header.Get("Content-Type") != "application/json" {
t.Error("Expected Content-Type to be application/json")
}
}
}
})
t.Run("rate_limit_exceeded_response", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "ratelimituser2", "StrongPass123!")
testIP := testutils.GenerateTestIP()
for i := 0; i < 4; i++ {
req, err := http.NewRequest("POST", ctx.baseURL+"/api/auth/login", strings.NewReader(`{"username":"`+testUser.Username+`","password":"StrongPass123!"}`))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req)
req.Header.Set("X-Forwarded-For", testIP)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if i >= 3 {
if resp.StatusCode != http.StatusTooManyRequests {
t.Errorf("Expected status 429 on request %d, got %d", i+1, resp.StatusCode)
} else {
var errorResponse map[string]interface{}
body, _ := io.ReadAll(resp.Body)
if err := json.Unmarshal(body, &errorResponse); err == nil {
if errorResponse["error"] == nil {
t.Error("Expected error field in rate limit response")
}
if errorResponse["retry_after"] == nil {
t.Error("Expected retry_after field in rate limit response")
}
}
}
}
}
})
}
func TestE2E_RateLimitResetBehavior(t *testing.T) {
ctx := setupTestContextWithAuthRateLimit(t, 2)
t.Run("rate_limit_resets_after_window", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "resetuser", "StrongPass123!")
testIP := testutils.GenerateTestIP()
for i := 0; i < 2; i++ {
req, err := http.NewRequest("POST", ctx.baseURL+"/api/auth/login", strings.NewReader(`{"username":"`+testUser.Username+`","password":"StrongPass123!"}`))
if err != nil {
continue
}
req.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req)
req.Header.Set("X-Forwarded-For", testIP)
resp, err := ctx.client.Do(req)
if err == nil {
resp.Body.Close()
}
}
req, err := http.NewRequest("POST", ctx.baseURL+"/api/auth/login", strings.NewReader(`{"username":"`+testUser.Username+`","password":"StrongPass123!"}`))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req)
req.Header.Set("X-Forwarded-For", testIP)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusTooManyRequests {
t.Log("Rate limit correctly enforced")
}
ctx.assertEventually(t, func() bool {
req2, err := http.NewRequest("POST", ctx.baseURL+"/api/auth/login", strings.NewReader(`{"username":"`+testUser.Username+`","password":"StrongPass123!"}`))
if err != nil {
return false
}
req2.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req2)
req2.Header.Set("X-Forwarded-For", testIP)
resp2, err := ctx.client.Do(req2)
if err != nil {
return false
}
defer resp2.Body.Close()
return resp2.StatusCode == http.StatusOK || resp2.StatusCode == http.StatusUnauthorized
}, 70*time.Second)
req2, err := http.NewRequest("POST", ctx.baseURL+"/api/auth/login", strings.NewReader(`{"username":"`+testUser.Username+`","password":"StrongPass123!"}`))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req2.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req2)
req2.Header.Set("X-Forwarded-For", testIP)
resp2, err := ctx.client.Do(req2)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp2.Body.Close()
if resp2.StatusCode == http.StatusOK || resp2.StatusCode == http.StatusUnauthorized {
t.Log("Rate limit reset after window")
}
})
}
func TestE2E_RateLimitDifferentScenarios(t *testing.T) {
ctx := setupTestContextWithAuthRateLimit(t, 5)
t.Run("different_ips_have_separate_limits", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "multiuser", "StrongPass123!")
ip1 := testutils.GenerateTestIP()
ip2 := testutils.GenerateTestIP()
successCount1 := 0
successCount2 := 0
for i := 0; i < 5; i++ {
req1, _ := http.NewRequest("POST", ctx.baseURL+"/api/auth/login", strings.NewReader(`{"username":"`+testUser.Username+`","password":"StrongPass123!"}`))
req1.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req1)
req1.Header.Set("X-Forwarded-For", ip1)
resp1, err := ctx.client.Do(req1)
if err == nil {
if resp1.StatusCode == http.StatusOK || resp1.StatusCode == http.StatusUnauthorized {
successCount1++
}
resp1.Body.Close()
}
req2, _ := http.NewRequest("POST", ctx.baseURL+"/api/auth/login", strings.NewReader(`{"username":"`+testUser.Username+`","password":"StrongPass123!"}`))
req2.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(req2)
req2.Header.Set("X-Forwarded-For", ip2)
resp2, err := ctx.client.Do(req2)
if err == nil {
if resp2.StatusCode == http.StatusOK || resp2.StatusCode == http.StatusUnauthorized {
successCount2++
}
resp2.Body.Close()
}
}
if successCount1 > 0 && successCount2 > 0 {
t.Log("Different IPs have separate rate limits")
}
})
t.Run("authenticated_users_have_separate_limits", func(t *testing.T) {
user1 := ctx.createUserWithCleanup(t, "authuser1", "StrongPass123!")
user2 := ctx.createUserWithCleanup(t, "authuser2", "StrongPass123!")
authClient1 := ctx.loginUser(t, user1.Username, "StrongPass123!")
authClient2 := ctx.loginUser(t, user2.Username, "StrongPass123!")
successCount1 := 0
successCount2 := 0
for i := 0; i < 10; i++ {
req1, _ := http.NewRequest("GET", ctx.baseURL+"/api/auth/me", nil)
testutils.WithStandardHeaders(req1)
req1.Header.Set("Authorization", "Bearer "+authClient1.Token)
resp1, err := ctx.client.Do(req1)
if err == nil {
if resp1.StatusCode == http.StatusOK {
successCount1++
}
resp1.Body.Close()
}
req2, _ := http.NewRequest("GET", ctx.baseURL+"/api/auth/me", nil)
testutils.WithStandardHeaders(req2)
req2.Header.Set("Authorization", "Bearer "+authClient2.Token)
resp2, err := ctx.client.Do(req2)
if err == nil {
if resp2.StatusCode == http.StatusOK {
successCount2++
}
resp2.Body.Close()
}
}
if successCount1 > 5 && successCount2 > 5 {
t.Log("Authenticated users have separate rate limits")
}
})
}

167
internal/e2e/robots_txt_test.go Normal file
View File

@@ -0,0 +1,167 @@
package e2e
import (
"io"
"net/http"
"strings"
"testing"
"goyco/internal/testutils"
)
func TestE2E_RobotsTxt(t *testing.T) {
ctx := setupTestContext(t)
t.Run("robots_txt_served", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/robots.txt", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected status 200 for robots.txt, got %d", resp.StatusCode)
return
}
contentType := resp.Header.Get("Content-Type")
if !strings.Contains(contentType, "text/plain") && !strings.Contains(contentType, "text") {
t.Logf("Unexpected Content-Type for robots.txt: %s", contentType)
}
body, err := io.ReadAll(resp.Body)
if err != nil {
t.Fatalf("Failed to read robots.txt body: %v", err)
}
content := string(body)
if len(content) == 0 {
t.Error("robots.txt is empty")
return
}
if !strings.Contains(content, "User-agent") {
t.Error("robots.txt missing User-agent directive")
}
})
t.Run("robots_txt_content_validation", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/robots.txt", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Skip("robots.txt not available")
return
}
body, err := io.ReadAll(resp.Body)
if err != nil {
t.Fatalf("Failed to read robots.txt body: %v", err)
}
content := string(body)
lines := strings.Split(content, "\n")
hasUserAgent := false
hasDisallow := false
hasAllow := false
for _, line := range lines {
trimmed := strings.TrimSpace(line)
if strings.HasPrefix(trimmed, "User-agent:") {
hasUserAgent = true
}
if strings.HasPrefix(trimmed, "Disallow:") {
hasDisallow = true
}
if strings.HasPrefix(trimmed, "Allow:") {
hasAllow = true
}
}
if !hasUserAgent {
t.Error("robots.txt missing User-agent directive")
}
if !hasDisallow && !hasAllow {
t.Log("robots.txt missing Allow/Disallow directives (may be intentional)")
}
})
t.Run("robots_txt_api_disallowed", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/robots.txt", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Skip("robots.txt not available")
return
}
body, err := io.ReadAll(resp.Body)
if err != nil {
t.Fatalf("Failed to read robots.txt body: %v", err)
}
content := string(body)
if strings.Contains(content, "Disallow: /api/") {
t.Log("robots.txt correctly disallows /api/")
} else {
t.Log("robots.txt may not explicitly disallow /api/")
}
})
t.Run("robots_txt_health_allowed", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/robots.txt", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Skip("robots.txt not available")
return
}
body, err := io.ReadAll(resp.Body)
if err != nil {
t.Fatalf("Failed to read robots.txt body: %v", err)
}
content := string(body)
if strings.Contains(content, "Allow: /health") {
t.Log("robots.txt correctly allows /health")
} else {
t.Log("robots.txt may not explicitly allow /health")
}
})
}

602
internal/e2e/security_session_test.go Normal file
View File

@@ -0,0 +1,602 @@
package e2e
import (
"bytes"
"encoding/json"
"net/http"
"testing"
"time"
"goyco/internal/config"
"goyco/internal/testutils"
)
func TestE2E_SessionFixation(t *testing.T) {
ctx := setupTestContext(t)
t.Run("session_fixation", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "sessionfix", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
oldToken := authClient.Token
oldRefreshToken := authClient.RefreshToken
authClient.UpdatePassword(t, "Password123!", "NewPassword456!")
statusCode := ctx.makeRequestWithToken(t, oldToken)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected old token to be invalidated after password change, got status %d", statusCode)
}
oldClient := &AuthenticatedClient{
AuthenticatedClient: &testutils.AuthenticatedClient{
Client: ctx.client,
Token: oldToken,
RefreshToken: oldRefreshToken,
BaseURL: ctx.baseURL,
},
}
_, statusCode = oldClient.RefreshAccessToken(t)
if statusCode == http.StatusOK {
t.Errorf("Expected old refresh token to be invalidated after password change, but refresh succeeded")
}
newAuthClient := ctx.loginUser(t, createdUser.Username, "NewPassword456!")
if newAuthClient.Token == "" {
t.Errorf("Expected to be able to login with new password")
}
profile := newAuthClient.GetProfile(t)
if profile.Data.Username != createdUser.Username {
t.Errorf("Expected to access profile with new token, got username '%s'", profile.Data.Username)
}
})
}
func TestE2E_TokenInvalidationOnPasswordChange(t *testing.T) {
ctx := setupTestContext(t)
t.Run("token_invalidation_on_password_change", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "tokeninv", "Password123!")
authClient1 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
token1 := authClient1.Token
refreshToken1 := authClient1.RefreshToken
authClient2 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
token2 := authClient2.Token
refreshToken2 := authClient2.RefreshToken
authClient3 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
token3 := authClient3.Token
refreshToken3 := authClient3.RefreshToken
profile1 := authClient1.GetProfile(t)
if profile1.Data.Username != createdUser.Username {
t.Errorf("Expected token1 to work before password change")
}
authClient1.UpdatePassword(t, "Password123!", "NewPassword789!")
statusCode := ctx.makeRequestWithToken(t, token1)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected token1 to be invalidated after password change, got status %d", statusCode)
}
statusCode = ctx.makeRequestWithToken(t, token2)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected token2 to be invalidated after password change, got status %d", statusCode)
}
statusCode = ctx.makeRequestWithToken(t, token3)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected token3 to be invalidated after password change, got status %d", statusCode)
}
oldClient1 := &AuthenticatedClient{
AuthenticatedClient: &testutils.AuthenticatedClient{
Client: ctx.client,
Token: token1,
RefreshToken: refreshToken1,
BaseURL: ctx.baseURL,
},
}
_, statusCode = oldClient1.RefreshAccessToken(t)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected refreshToken1 to be invalidated after password change, got status %d", statusCode)
}
oldClient2 := &AuthenticatedClient{
AuthenticatedClient: &testutils.AuthenticatedClient{
Client: ctx.client,
Token: token2,
RefreshToken: refreshToken2,
BaseURL: ctx.baseURL,
},
}
_, statusCode = oldClient2.RefreshAccessToken(t)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected refreshToken2 to be invalidated after password change, got status %d", statusCode)
}
oldClient3 := &AuthenticatedClient{
AuthenticatedClient: &testutils.AuthenticatedClient{
Client: ctx.client,
Token: token3,
RefreshToken: refreshToken3,
BaseURL: ctx.baseURL,
},
}
_, statusCode = oldClient3.RefreshAccessToken(t)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected refreshToken3 to be invalidated after password change, got status %d", statusCode)
}
newAuthClient := ctx.loginUser(t, createdUser.Username, "NewPassword789!")
if newAuthClient.Token == "" {
t.Errorf("Expected to be able to login with new password")
}
})
}
func TestE2E_TokenInvalidationOnEmailChange(t *testing.T) {
ctx := setupTestContext(t)
t.Run("token_invalidation_on_email_change", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "emailchange", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
oldToken := authClient.Token
ctx.server.EmailSender.Reset()
authClient.UpdateEmail(t, uniqueEmail(t, "newemail"))
statusCode := ctx.makeRequestWithToken(t, oldToken)
if statusCode == http.StatusOK {
t.Log("Email change does not invalidate tokens (acceptable behavior)")
}
_, statusCode = authClient.RefreshAccessToken(t)
if statusCode == http.StatusOK {
t.Log("Email change does not invalidate refresh tokens (acceptable behavior)")
}
})
}
func TestE2E_SessionVersionIncrements(t *testing.T) {
ctx := setupTestContext(t)
t.Run("session_version_increments", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "sessionver", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
user, err := ctx.server.UserRepo.GetByID(createdUser.ID)
if err != nil {
t.Fatalf("Failed to get user: %v", err)
}
initialVersion := user.SessionVersion
if initialVersion == 0 {
t.Errorf("Expected initial session version to be >= 1, got %d", initialVersion)
}
authClient.UpdatePassword(t, "Password123!", "NewPassword999!")
user, err = ctx.server.UserRepo.GetByID(createdUser.ID)
if err != nil {
t.Fatalf("Failed to get user after password change: %v", err)
}
if user.SessionVersion <= initialVersion {
t.Errorf("Expected session version to increment after password change, got %d (was %d)", user.SessionVersion, initialVersion)
}
})
}
func TestE2E_OldTokensRejectedAfterSessionVersionChange(t *testing.T) {
ctx := setupTestContext(t)
t.Run("old_tokens_rejected_after_session_version_change", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "oldtoken", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
user, err := ctx.server.UserRepo.GetByID(createdUser.ID)
if err != nil {
t.Fatalf("Failed to get user: %v", err)
}
oldSessionVersion := user.SessionVersion
oldToken := authClient.Token
cfg := &config.Config{
JWT: config.JWTConfig{
Secret: "test-secret-key-for-testing-purposes-only",
Expiration: 24,
RefreshExpiration: 168,
Issuer: "goyco",
Audience: "goyco-users",
},
}
authClient.UpdatePassword(t, "Password123!", "NewPassword888!")
user, err = ctx.server.UserRepo.GetByID(createdUser.ID)
if err != nil {
t.Fatalf("Failed to get user after password change: %v", err)
}
if user.SessionVersion == oldSessionVersion {
t.Errorf("Expected session version to change after password update")
}
statusCode := ctx.makeRequestWithToken(t, oldToken)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected old token to be rejected after session version change, got status %d", statusCode)
}
tokenWithOldVersion := generateTokenWithSessionVersion(t, user, &cfg.JWT, oldSessionVersion)
statusCode = ctx.makeRequestWithToken(t, tokenWithOldVersion)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected token with old session version to be rejected, got status %d", statusCode)
}
})
}
func TestE2E_TokenRefreshWithOldSessionVersion(t *testing.T) {
ctx := setupTestContext(t)
t.Run("token_refresh_with_old_session_version", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "refreshold", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
oldRefreshToken := authClient.RefreshToken
authClient.UpdatePassword(t, "Password123!", "NewPassword777!")
oldClient := &AuthenticatedClient{
AuthenticatedClient: &testutils.AuthenticatedClient{
Client: ctx.client,
Token: authClient.Token,
RefreshToken: oldRefreshToken,
BaseURL: ctx.baseURL,
},
}
_, statusCode := oldClient.RefreshAccessToken(t)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected refresh with old refresh token to fail after password change, got status %d", statusCode)
}
})
}
func TestE2E_MultiDeviceSession(t *testing.T) {
ctx := setupTestContext(t)
t.Run("multi_device_session", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "multidev", "Password123!")
deviceA := ctx.loginUser(t, createdUser.Username, createdUser.Password)
tokenA := deviceA.Token
deviceB := ctx.loginUser(t, createdUser.Username, createdUser.Password)
tokenB := deviceB.Token
profileA := deviceA.GetProfile(t)
if profileA.Data.Username != createdUser.Username {
t.Errorf("Expected device A to access profile")
}
profileB := deviceB.GetProfile(t)
if profileB.Data.Username != createdUser.Username {
t.Errorf("Expected device B to access profile")
}
deviceA.Logout(t)
statusCode := ctx.makeRequestWithToken(t, tokenA)
if statusCode == http.StatusOK {
t.Log("Logout may not invalidate tokens immediately (acceptable)")
}
profileBAfter := deviceB.GetProfile(t)
if profileBAfter.Data.Username != createdUser.Username {
t.Errorf("Expected device B to still work after device A logout")
}
deviceB.RevokeAllTokens(t)
_, statusCode = deviceB.RefreshAccessToken(t)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected device B refresh token to be revoked after revoke-all, got status %d", statusCode)
}
statusCode = ctx.makeRequestWithToken(t, tokenB)
if statusCode == http.StatusOK {
t.Log("Access token may still work after refresh token revocation (acceptable)")
}
})
}
func TestE2E_RevokeAllInvalidatesAllDevices(t *testing.T) {
ctx := setupTestContext(t)
t.Run("revoke_all_invalidates_all_devices", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "revokeall", "Password123!")
device1 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
refreshToken1 := device1.RefreshToken
device2 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
refreshToken2 := device2.RefreshToken
device3 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
refreshToken3 := device3.RefreshToken
device1.RevokeAllTokens(t)
oldDevice1 := &AuthenticatedClient{
AuthenticatedClient: &testutils.AuthenticatedClient{
Client: ctx.client,
Token: device1.Token,
RefreshToken: refreshToken1,
BaseURL: ctx.baseURL,
},
}
_, statusCode := oldDevice1.RefreshAccessToken(t)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected device1 refresh token to be revoked, got status %d", statusCode)
}
oldDevice2 := &AuthenticatedClient{
AuthenticatedClient: &testutils.AuthenticatedClient{
Client: ctx.client,
Token: device2.Token,
RefreshToken: refreshToken2,
BaseURL: ctx.baseURL,
},
}
_, statusCode = oldDevice2.RefreshAccessToken(t)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected device2 refresh token to be revoked, got status %d", statusCode)
}
oldDevice3 := &AuthenticatedClient{
AuthenticatedClient: &testutils.AuthenticatedClient{
Client: ctx.client,
Token: device3.Token,
RefreshToken: refreshToken3,
BaseURL: ctx.baseURL,
},
}
_, statusCode = oldDevice3.RefreshAccessToken(t)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected device3 refresh token to be revoked, got status %d", statusCode)
}
})
}
func TestE2E_TokenTiming(t *testing.T) {
ctx := setupTestContext(t)
t.Run("token_timing", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "timing", "Password123!")
cfg := &config.Config{
JWT: config.JWTConfig{
Secret: "test-secret-key-for-testing-purposes-only",
Expiration: 24,
RefreshExpiration: 168,
Issuer: "goyco",
Audience: "goyco-users",
},
}
user, err := ctx.server.UserRepo.GetByID(createdUser.ID)
if err != nil {
t.Fatalf("Failed to get user: %v", err)
}
t.Run("token_just_before_expiry", func(t *testing.T) {
token := generateTokenWithExpiration(t, user, &cfg.JWT, 1*time.Minute)
statusCode := ctx.makeRequestWithToken(t, token)
if statusCode != http.StatusOK {
t.Errorf("Expected token just before expiry to work, got status %d", statusCode)
}
})
t.Run("token_just_after_expiry", func(t *testing.T) {
token := generateTokenWithExpiration(t, user, &cfg.JWT, -1*time.Minute)
statusCode := ctx.makeRequestWithToken(t, token)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected expired token to be rejected, got status %d", statusCode)
}
})
t.Run("token_expiration_edge_case", func(t *testing.T) {
token := generateTokenWithExpiration(t, user, &cfg.JWT, 0)
statusCode := ctx.makeRequestWithToken(t, token)
if statusCode == http.StatusOK {
t.Log("Token with zero expiration may be accepted (clock skew tolerance)")
}
})
})
}
func TestE2E_TokenReplayAttack(t *testing.T) {
ctx := setupTestContext(t)
t.Run("token_replay_attack", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "replay", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
token := authClient.Token
t.Run("same_token_multiple_times", func(t *testing.T) {
for i := 0; i < 5; i++ {
statusCode := ctx.makeRequestWithToken(t, token)
if statusCode != http.StatusOK {
t.Errorf("Expected token to work multiple times (replay %d), got status %d", i+1, statusCode)
}
}
})
t.Run("token_reuse_after_revocation", func(t *testing.T) {
authClient.RevokeAllTokens(t)
statusCode := ctx.makeRequestWithToken(t, token)
if statusCode == http.StatusOK {
t.Log("Access token may still work after refresh token revocation (acceptable)")
}
_, statusCode = authClient.RefreshAccessToken(t)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected refresh token to be rejected after revocation, got status %d", statusCode)
}
})
t.Run("token_reuse_after_user_deletion", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "deleteuser", "Password123!")
deleteClient := ctx.loginUser(t, testUser.Username, testUser.Password)
deleteToken := deleteClient.Token
ctx.server.EmailSender.Reset()
deleteClient.RequestAccountDeletion(t)
deletionToken := ctx.server.EmailSender.DeletionToken()
if deletionToken == "" {
t.Fatalf("Expected deletion token")
}
deleteClient.ConfirmAccountDeletion(t, deletionToken, false)
statusCode := ctx.makeRequestWithToken(t, deleteToken)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected token to be rejected after user deletion, got status %d", statusCode)
}
})
})
}
func TestE2E_TokenScope(t *testing.T) {
ctx := setupTestContext(t)
t.Run("token_scope", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "scope", "Password123!")
cfg := &config.Config{
JWT: config.JWTConfig{
Secret: "test-secret-key-for-testing-purposes-only",
Expiration: 24,
RefreshExpiration: 168,
Issuer: "goyco",
Audience: "goyco-users",
},
}
user, err := ctx.server.UserRepo.GetByID(createdUser.ID)
if err != nil {
t.Fatalf("Failed to get user: %v", err)
}
t.Run("access_token_cannot_be_used_as_refresh", func(t *testing.T) {
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
accessToken := authClient.Token
refreshData := map[string]string{
"refresh_token": accessToken,
}
body, err := json.Marshal(refreshData)
if err != nil {
t.Fatalf("Failed to marshal refresh data: %v", err)
}
request, err := http.NewRequest("POST", ctx.baseURL+"/api/auth/refresh", bytes.NewReader(body))
if err != nil {
t.Fatalf("Failed to create refresh request: %v", err)
}
request.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(request)
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make refresh request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusOK {
t.Errorf("Expected access token to be rejected as refresh token, got status 200")
}
})
t.Run("refresh_token_cannot_access_protected_endpoints", func(t *testing.T) {
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
refreshTokenString := authClient.RefreshToken
statusCode := ctx.makeRequestWithToken(t, refreshTokenString)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected refresh token string to be rejected for protected endpoints, got status %d", statusCode)
}
invalidTypeToken := generateTokenWithType(t, user, &cfg.JWT, "invalid-type")
statusCode = ctx.makeRequestWithToken(t, invalidTypeToken)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected invalid token type to be rejected, got status %d", statusCode)
}
})
t.Run("token_type_validation", func(t *testing.T) {
emptyTypeToken := generateTokenWithType(t, user, &cfg.JWT, "")
statusCode := ctx.makeRequestWithToken(t, emptyTypeToken)
if statusCode != http.StatusUnauthorized {
t.Errorf("Expected empty token type to be rejected, got status %d", statusCode)
}
})
})
}
func TestE2E_ConcurrentLoginPrevention(t *testing.T) {
ctx := setupTestContext(t)
t.Run("concurrent_login_prevention", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "concurrent", "Password123!")
user, err := ctx.server.UserRepo.GetByID(createdUser.ID)
if err != nil {
t.Fatalf("Failed to get user: %v", err)
}
initialVersion := user.SessionVersion
login1 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
login2 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
login3 := ctx.loginUser(t, createdUser.Username, createdUser.Password)
user, err = ctx.server.UserRepo.GetByID(createdUser.ID)
if err != nil {
t.Fatalf("Failed to get user after logins: %v", err)
}
if user.SessionVersion != initialVersion {
t.Log("Session version may increment on login (acceptable behavior)")
}
profile1 := login1.GetProfile(t)
if profile1.Data.Username != createdUser.Username {
t.Errorf("Expected login1 to work")
}
profile2 := login2.GetProfile(t)
if profile2.Data.Username != createdUser.Username {
t.Errorf("Expected login2 to work")
}
profile3 := login3.GetProfile(t)
if profile3.Data.Username != createdUser.Username {
t.Errorf("Expected login3 to work")
}
if login1.Token == login2.Token || login1.Token == login3.Token || login2.Token == login3.Token {
t.Errorf("Expected concurrent logins to generate different tokens")
}
})
}

874
internal/e2e/security_test.go Normal file
View File

@@ -0,0 +1,874 @@
package e2e
import (
"bytes"
"crypto/sha256"
"encoding/hex"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"strings"
"testing"
"goyco/internal/repositories"
"goyco/internal/testutils"
)
func TestE2E_SecurityWorkflows(t *testing.T) {
ctx := setupTestContext(t)
t.Run("security_workflows", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "testuser", "StrongPass123!")
_ = ctx.loginUser(t, createdUser.Username, createdUser.Password)
t.Run("unauthorized_access_attempts", func(t *testing.T) {
request, err := testutils.NewRequestBuilder("GET", ctx.baseURL+"/api/auth/me").Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusUnauthorized {
t.Errorf("Expected 401 for unauthorized access, got %d", resp.StatusCode)
}
})
t.Run("invalid_token_access", func(t *testing.T) {
request, err := testutils.NewRequestBuilder("GET", ctx.baseURL+"/api/auth/me").
WithAuth("invalid-token-12345").
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusUnauthorized {
t.Errorf("Expected 401 for invalid token, got %d", resp.StatusCode)
}
})
t.Run("rate_limiting", func(t *testing.T) {
rateLimitCtx := setupTestContextWithAuthRateLimit(t, 5)
rateLimitUser := rateLimitCtx.createUserWithCleanup(t, "ratelimituser", "StrongPass123!")
_ = rateLimitCtx.loginUser(t, rateLimitUser.Username, rateLimitUser.Password)
testIP := testutils.GenerateTestIP()
rateLimited := false
for range 10 {
statusCode := rateLimitCtx.loginExpectStatusWithIP(t, rateLimitUser.Username, "WrongPass123!", http.StatusUnauthorized, testIP)
if statusCode == http.StatusTooManyRequests {
rateLimited = true
break
}
}
if !rateLimited {
t.Errorf("Expected rate limiting to occur after multiple failed login attempts")
}
})
})
}
func TestE2E_SearchSanitization(t *testing.T) {
ctx := setupTestContext(t)
t.Run("search_sanitization", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "testuser", "StrongPass123!")
_ = authClient.CreatePost(t, "Searchable Post", "https://example.com/search", "This post contains searchable content")
benignSearch := authClient.SearchPosts(t, "searchable")
if !benignSearch.Success {
t.Errorf("Expected benign search to succeed, got failure: %s", benignSearch.Message)
}
if len(benignSearch.Data.Posts) == 0 {
t.Errorf("Expected to find post with benign search query")
}
maliciousQuery := "searchable'; DROP TABLE users; --"
request, err := testutils.NewRequestBuilder("GET", ctx.baseURL+"/api/posts/search?q="+url.QueryEscape(maliciousQuery)).Build()
if err != nil {
t.Fatalf("Failed to create malicious search request: %v", err)
}
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make malicious search request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusBadRequest {
t.Errorf("Expected 400 for malicious search query, got %d", resp.StatusCode)
}
})
}
func TestE2E_SecurityHeaders(t *testing.T) {
ctx := setupTestContext(t)
expectedHeaders := map[string]string{
"X-Content-Type-Options": "nosniff",
"X-Frame-Options": "DENY",
"X-XSS-Protection": "1; mode=block",
"Referrer-Policy": "strict-origin-when-cross-origin",
}
type endpointTest struct {
name string
method string
path string
auth bool
body []byte
}
endpoints := []endpointTest{
{name: "health_endpoint", method: "GET", path: "/health", auth: false},
{name: "metrics_endpoint", method: "GET", path: "/metrics", auth: false},
{name: "api_registration", method: "POST", path: "/api/auth/register", auth: false, body: []byte(`{"username":"testuser","email":"test@example.com","password":"StrongPass123!"}`)},
{name: "api_posts", method: "GET", path: "/api/posts", auth: true},
{name: "api_auth_me", method: "GET", path: "/api/auth/me", auth: true},
}
t.Run("security_headers_on_all_endpoints", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "headertest", "StrongPass123!")
var authToken string
authClient, err := ctx.loginUserSafe(t, testUser.Username, testUser.Password)
if err == nil {
authToken = authClient.Token
}
for _, endpoint := range endpoints {
t.Run(endpoint.name, func(t *testing.T) {
var req *http.Request
var err error
if endpoint.body != nil {
req, err = http.NewRequest(endpoint.method, ctx.baseURL+endpoint.path, bytes.NewReader(endpoint.body))
} else {
req, err = http.NewRequest(endpoint.method, ctx.baseURL+endpoint.path, nil)
}
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
if endpoint.auth && authToken != "" {
req.Header.Set("Authorization", "Bearer "+authToken)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
for headerName, expectedValue := range expectedHeaders {
actualValue := resp.Header.Get(headerName)
if actualValue != expectedValue {
t.Errorf("Endpoint %s: Expected %s header to be '%s', got '%s'", endpoint.path, headerName, expectedValue, actualValue)
}
}
csp := resp.Header.Get("Content-Security-Policy")
if csp == "" {
t.Errorf("Endpoint %s: Content-Security-Policy header should be present", endpoint.path)
}
})
}
})
}
func TestE2E_SQLInjectionAcrossEndpoints(t *testing.T) {
ctx := setupTestContext(t)
sqlPayloads := testutils.SQLInjectionPayloads
t.Run("sql_injection_in_post_fields", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "sqltest", "StrongPass123!")
authClient, err := ctx.loginUserSafe(t, testUser.Username, testUser.Password)
if err != nil {
t.Skipf("Skipping sql injection in post fields test: %v", err)
}
for i, payload := range sqlPayloads {
t.Run(fmt.Sprintf("payload_%d", i), func(t *testing.T) {
postData := map[string]string{
"title": payload,
"url": fmt.Sprintf("https://example.com/test%d", i),
"content": "Test content",
}
req, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/posts").
WithAuth(authClient.Token).
WithJSONBody(postData).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusInternalServerError {
t.Errorf("SQL injection in title caused server crash (500). Payload: %s", payload)
}
postData2 := map[string]string{
"title": fmt.Sprintf("Test Post %d", i),
"url": fmt.Sprintf("https://example.com/test2-%d", i),
"content": payload,
}
req2, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/posts").
WithAuth(authClient.Token).
WithJSONBody(postData2).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp2, err := ctx.client.Do(req2)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp2.Body.Close()
if resp2.StatusCode == http.StatusInternalServerError {
t.Errorf("SQL injection in content caused server crash (500). Payload: %s", payload)
}
})
}
})
t.Run("sql_injection_in_registration_fields", func(t *testing.T) {
for i, payload := range sqlPayloads {
t.Run(fmt.Sprintf("payload_%d", i), func(t *testing.T) {
regData := map[string]string{
"username": payload,
"email": uniqueEmail(t, fmt.Sprintf("test%d", i)),
"password": "StrongPass123!",
}
req, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/auth/register").
WithJSONBody(regData).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusInternalServerError {
t.Errorf("SQL injection in username caused server crash (500). Payload: %s", payload)
}
regData2 := map[string]string{
"username": uniqueUsername(t, fmt.Sprintf("user%d", i)),
"email": fmt.Sprintf("test%s@example.com", payload),
"password": "StrongPass123!",
}
req2, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/auth/register").
WithJSONBody(regData2).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp2, err := ctx.client.Do(req2)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp2.Body.Close()
if resp2.StatusCode == http.StatusInternalServerError {
t.Errorf("SQL injection in email caused server crash (500). Payload: %s", payload)
}
})
}
})
t.Run("sql_injection_in_url_fields", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "sqltest2", "StrongPass123!")
authClient, err := ctx.loginUserSafe(t, testUser.Username, testUser.Password)
if err != nil {
t.Skipf("Skipping sql injection in url fields test: %v", err)
}
for i, payload := range sqlPayloads {
t.Run(fmt.Sprintf("payload_%d", i), func(t *testing.T) {
postData := map[string]string{
"title": fmt.Sprintf("Test Post %d", i),
"url": fmt.Sprintf("https://example.com/test%s", payload),
"content": "Test content",
}
req, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/posts").
WithAuth(authClient.Token).
WithJSONBody(postData).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusInternalServerError {
t.Errorf("SQL injection in URL caused server crash (500). Payload: %s", payload)
}
})
}
})
t.Run("sql_injection_in_query_parameters", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "sqltest3", "StrongPass123!")
authClient, err := ctx.loginUserSafe(t, testUser.Username, testUser.Password)
if err != nil {
t.Skipf("Skipping sql injection in query parameters test: %v", err)
}
_ = authClient.CreatePost(t, "Searchable Post", "https://example.com/search", "Content")
for i, payload := range sqlPayloads {
t.Run(fmt.Sprintf("payload_%d", i), func(t *testing.T) {
searchURL := ctx.baseURL + "/api/posts/search?q=" + url.QueryEscape(payload)
req, err := testutils.NewRequestBuilder("GET", searchURL).
WithAuth(authClient.Token).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusInternalServerError {
t.Errorf("SQL injection in search query caused server crash (500). Payload: %s", payload)
}
if resp.StatusCode != http.StatusBadRequest && resp.StatusCode != http.StatusOK {
t.Logf("SQL injection in search query returned status %d (acceptable if sanitized). Payload: %s", resp.StatusCode, payload)
}
})
}
})
}
func TestE2E_XSSPrevention(t *testing.T) {
ctx := setupTestContext(t)
xssPayloads := testutils.XSSPayloads
t.Run("xss_in_post_fields", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "xsstest", "StrongPass123!")
authClient, err := ctx.loginUserSafe(t, testUser.Username, testUser.Password)
if err != nil {
t.Fatalf("Failed to login: %v", err)
}
for idx, payload := range xssPayloads {
t.Run(fmt.Sprintf("payload_%d", idx), func(t *testing.T) {
postData := map[string]string{
"title": payload,
"url": fmt.Sprintf("https://example.com/xss-test-%d", idx),
"content": "Test content",
}
req, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/posts").
WithAuth(authClient.Token).
WithJSONBody(postData).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusInternalServerError {
t.Errorf("XSS payload in title caused server crash (500). Payload: %s", payload)
}
if resp.StatusCode == http.StatusCreated {
reader, cleanup, err := getResponseReader(resp)
if err != nil {
t.Fatalf("Failed to get response reader: %v", err)
}
defer cleanup()
var postResp PostResponse
if err := json.NewDecoder(reader).Decode(&postResp); err == nil {
if strings.Contains(postResp.Data.Title, "<script") {
t.Errorf("XSS payload not sanitized in title response. Payload: %s, Response: %s", payload, postResp.Data.Title)
}
}
}
postData2 := map[string]string{
"title": fmt.Sprintf("Test Post %d", idx),
"url": fmt.Sprintf("https://example.com/xss-test2-%d", idx),
"content": payload,
}
req2, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/posts").
WithAuth(authClient.Token).
WithJSONBody(postData2).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp2, err := ctx.client.Do(req2)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp2.Body.Close()
if resp2.StatusCode == http.StatusInternalServerError {
t.Errorf("XSS payload in content caused server crash (500). Payload: %s", payload)
}
if resp2.StatusCode == http.StatusCreated {
reader, cleanup, err := getResponseReader(resp2)
if err != nil {
t.Fatalf("Failed to get response reader: %v", err)
}
defer cleanup()
var postResp PostResponse
if err := json.NewDecoder(reader).Decode(&postResp); err == nil {
if strings.Contains(postResp.Data.Content, "<script") || strings.Contains(postResp.Data.Content, "javascript:") {
t.Errorf("XSS payload not sanitized in content response. Payload: %s", payload)
}
}
}
})
}
})
t.Run("xss_in_username_fields", func(t *testing.T) {
for i, payload := range xssPayloads {
t.Run(fmt.Sprintf("payload_%d", i), func(t *testing.T) {
regData := map[string]string{
"username": payload,
"email": uniqueEmail(t, fmt.Sprintf("test%d", i)),
"password": "StrongPass123!",
}
req, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/auth/register").
WithJSONBody(regData).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusInternalServerError {
t.Errorf("XSS payload in username caused server crash (500). Payload: %s", payload)
}
})
}
})
t.Run("xss_in_search_queries", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "xsstest2", "StrongPass123!")
authClient, err := ctx.loginUserSafe(t, testUser.Username, testUser.Password)
if err != nil {
t.Fatalf("Failed to login: %v", err)
}
_ = authClient.CreatePost(t, "Searchable Post", "https://example.com/search", "Content")
for i, payload := range xssPayloads {
t.Run(fmt.Sprintf("payload_%d", i), func(t *testing.T) {
searchURL := ctx.baseURL + "/api/posts/search?q=" + url.QueryEscape(payload)
req, err := testutils.NewRequestBuilder("GET", searchURL).
WithAuth(authClient.Token).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusInternalServerError {
t.Errorf("XSS payload in search query caused server crash (500). Payload: %s", payload)
}
if resp.StatusCode == http.StatusOK {
reader, cleanup, err := getResponseReader(resp)
if err != nil {
t.Fatalf("Failed to get response reader: %v", err)
}
defer cleanup()
var searchResp PostsListResponse
if err := json.NewDecoder(reader).Decode(&searchResp); err != nil {
t.Fatalf("Failed to decode search response: %v", err)
}
for _, post := range searchResp.Data.Posts {
if strings.Contains(post.Title, "<script") || strings.Contains(post.Title, "javascript:") {
t.Errorf("XSS payload not sanitized in post title. Payload: %s", payload)
}
if strings.Contains(post.Content, "<script") || strings.Contains(post.Content, "javascript:") {
t.Errorf("XSS payload not sanitized in post content. Payload: %s", payload)
}
}
}
})
}
})
}
func TestE2E_InformationDisclosure(t *testing.T) {
ctx := setupTestContext(t)
t.Run("information_disclosure", func(t *testing.T) {
t.Run("error_messages_dont_reveal_sensitive_info", func(t *testing.T) {
request, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/auth/login").
WithJSONBody(map[string]string{
"username": "nonexistent",
"password": "wrongpassword",
}).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
bodyStr := string(body)
if strings.Contains(strings.ToLower(bodyStr), "database") {
t.Errorf("Error message should not reveal database information")
}
if strings.Contains(strings.ToLower(bodyStr), "sql") {
t.Errorf("Error message should not reveal SQL information")
}
if strings.Contains(strings.ToLower(bodyStr), "stack") {
t.Errorf("Error message should not reveal stack trace")
}
})
t.Run("invalid_endpoints_dont_reveal_structure", func(t *testing.T) {
request, err := http.NewRequest("GET", ctx.baseURL+"/api/nonexistent/endpoint", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
bodyStr := string(body)
if strings.Contains(strings.ToLower(bodyStr), "route") && resp.StatusCode == http.StatusNotFound {
t.Logf("404 response may contain route information, which is acceptable")
}
})
})
}
func TestE2E_SecurityHeadersEnhanced(t *testing.T) {
ctx := setupTestContext(t)
expectedHeaders := map[string]string{
"X-Content-Type-Options": "nosniff",
"X-Frame-Options": "DENY",
"X-XSS-Protection": "1; mode=block",
"Referrer-Policy": "strict-origin-when-cross-origin",
}
t.Run("security_headers_values", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "headertest", "StrongPass123!")
authClient, err := ctx.loginUserSafe(t, testUser.Username, testUser.Password)
if err != nil {
t.Fatalf("Failed to login: %v", err)
}
endpoints := []struct {
name string
method string
path string
auth bool
}{
{"health", "GET", "/health", false},
{"metrics", "GET", "/metrics", false},
{"api_posts", "GET", "/api/posts", true},
{"api_auth_me", "GET", "/api/auth/me", true},
}
for _, endpoint := range endpoints {
t.Run(endpoint.name, func(t *testing.T) {
req, err := http.NewRequest(endpoint.method, ctx.baseURL+endpoint.path, nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
if endpoint.auth && authClient != nil {
req.Header.Set("Authorization", "Bearer "+authClient.Token)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
for headerName, expectedValue := range expectedHeaders {
actualValue := resp.Header.Get(headerName)
if actualValue != expectedValue {
t.Errorf("Endpoint %s: Expected %s header to be '%s', got '%s'", endpoint.path, headerName, expectedValue, actualValue)
}
}
csp := resp.Header.Get("Content-Security-Policy")
if csp == "" {
t.Errorf("Endpoint %s: Content-Security-Policy header should be present", endpoint.path)
}
if strings.Contains(csp, "unsafe-inline") && !strings.Contains(csp, "'nonce-") {
t.Errorf("Endpoint %s: CSP contains unsafe-inline without nonce", endpoint.path)
}
})
}
})
t.Run("hsts_header", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/health", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
req.Header.Set("X-Forwarded-Proto", "https")
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
hsts := resp.Header.Get("Strict-Transport-Security")
if hsts == "" {
t.Error("HSTS header should be present for HTTPS requests")
}
if !strings.Contains(hsts, "max-age=") {
t.Errorf("HSTS header should contain max-age, got: %s", hsts)
}
})
}
func TestE2E_ParameterizedQueries(t *testing.T) {
ctx := setupTestContext(t)
t.Run("sql_injection_prevention", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "sqltest", "StrongPass123!")
authClient, err := ctx.loginUserSafe(t, testUser.Username, testUser.Password)
if err != nil {
t.Fatalf("Failed to login: %v", err)
}
for i, payload := range testutils.SQLInjectionPayloads {
t.Run(fmt.Sprintf("payload_%d", i), func(t *testing.T) {
postData := map[string]string{
"title": payload,
"url": fmt.Sprintf("https://example.com/test%d", i),
"content": "Test content",
}
req, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/posts").
WithAuth(authClient.Token).
WithJSONBody(postData).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusInternalServerError {
t.Errorf("SQL injection in title caused server error (500). Payload: %s", payload)
}
if resp.StatusCode != http.StatusCreated {
t.Errorf("Expected post creation to succeed (parameterized queries prevent SQL injection), got status: %d", resp.StatusCode)
}
})
}
})
t.Run("search_sanitization", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "searchtest", "StrongPass123!")
authClient, err := ctx.loginUserSafe(t, testUser.Username, testUser.Password)
if err != nil {
t.Fatalf("Failed to login: %v", err)
}
_ = authClient.CreatePost(t, "Searchable Post", "https://example.com/search", "Content")
for i, payload := range testutils.SQLInjectionPayloads {
t.Run(fmt.Sprintf("payload_%d", i), func(t *testing.T) {
searchURL := ctx.baseURL + "/api/posts/search?q=" + url.QueryEscape(payload)
req, err := testutils.NewRequestBuilder("GET", searchURL).
WithAuth(authClient.Token).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusInternalServerError {
t.Errorf("SQL injection in search query caused server error (500). Payload: %s", payload)
}
})
}
})
}
func TestE2E_TokenHashing(t *testing.T) {
ctx := setupTestContext(t)
t.Run("verification_token_hashed", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "hashtest", "StrongPass123!")
authClient, err := ctx.loginUserSafe(t, testUser.Username, testUser.Password)
if err != nil {
t.Fatalf("Failed to login: %v", err)
}
ctx.server.EmailSender.Reset()
authClient.RegisterUser(t, "newuser", "newuser@example.com", "Password123!")
verificationToken := ctx.server.EmailSender.VerificationToken()
if verificationToken == "" {
t.Fatal("Expected verification token to be generated")
}
user, err := ctx.server.UserRepo.GetByUsername("newuser")
if err != nil {
t.Fatalf("Failed to get user: %v", err)
}
if user.EmailVerificationToken == verificationToken {
t.Error("Verification token should be hashed in database")
}
if len(user.EmailVerificationToken) < 32 {
t.Errorf("Hashed token should be at least 32 characters, got %d", len(user.EmailVerificationToken))
}
})
t.Run("password_reset_token_hashed", func(t *testing.T) {
testUser := ctx.createUserWithCleanup(t, "resettest", "StrongPass123!")
ctx.server.EmailSender.Reset()
testutils.RequestPasswordReset(t, ctx.client, ctx.baseURL, testUser.Email, testutils.GenerateTestIP())
resetToken := ctx.server.EmailSender.PasswordResetToken()
if resetToken == "" {
t.Skip("Rate limited, skipping token hashing test")
return
}
hash := sha256.Sum256([]byte(resetToken))
tokenHash := hex.EncodeToString(hash[:])
deletionRepo := repositories.NewAccountDeletionRepository(ctx.server.DB)
_, err := deletionRepo.GetByTokenHash(tokenHash)
if err == nil {
t.Log("Password reset token appears to be stored hashed")
}
})
}
func TestE2E_SecurityHeaderCombinations(t *testing.T) {
ctx := setupTestContext(t)
t.Run("all_security_headers_present", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/health", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
requiredHeaders := []string{
"X-Content-Type-Options",
"X-Frame-Options",
"X-XSS-Protection",
"Referrer-Policy",
"Content-Security-Policy",
}
for _, header := range requiredHeaders {
if resp.Header.Get(header) == "" {
t.Errorf("Required security header missing: %s", header)
}
}
})
}

125
internal/e2e/static_files_test.go Normal file
View File

@@ -0,0 +1,125 @@
package e2e
import (
"io"
"net/http"
"strings"
"testing"
"goyco/internal/testutils"
)
func TestE2E_StaticFileServing(t *testing.T) {
ctx := setupTestContext(t)
t.Run("static_css_file_served", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/static/css/main.css", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusOK {
contentType := resp.Header.Get("Content-Type")
if !strings.Contains(contentType, "text/css") && !strings.Contains(contentType, "application/octet-stream") {
t.Logf("Unexpected Content-Type for CSS file: %s", contentType)
}
body, err := io.ReadAll(resp.Body)
if err != nil {
t.Fatalf("Failed to read response body: %v", err)
}
if len(body) == 0 {
t.Error("Static CSS file is empty")
}
} else if resp.StatusCode == http.StatusNotFound {
t.Log("Static CSS file not found (may not exist in test environment)")
} else {
t.Errorf("Expected status 200 or 404, got %d", resp.StatusCode)
}
})
t.Run("static_file_not_found", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/static/nonexistent/file.txt", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusNotFound {
t.Errorf("Expected status 404 for nonexistent file, got %d", resp.StatusCode)
}
})
t.Run("static_directory_listing_disabled", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/static/", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusNotFound && resp.StatusCode != http.StatusForbidden {
t.Logf("Directory listing status: %d (acceptable)", resp.StatusCode)
}
})
t.Run("static_favicon_served", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/static/favicon.ico", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusOK {
contentType := resp.Header.Get("Content-Type")
if !strings.Contains(contentType, "image") && !strings.Contains(contentType, "application/octet-stream") {
t.Logf("Unexpected Content-Type for favicon: %s", contentType)
}
} else if resp.StatusCode == http.StatusNotFound {
t.Log("Favicon not found (may not exist in test environment)")
}
})
t.Run("static_path_traversal_prevented", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/static/../common.go", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusNotFound && resp.StatusCode != http.StatusForbidden {
t.Errorf("Expected 404 or 403 for path traversal attempt, got %d", resp.StatusCode)
}
})
}

179
internal/e2e/user_test.go Normal file
View File

@@ -0,0 +1,179 @@
package e2e
import (
"net/http"
"testing"
)
func TestE2E_UserDirectory(t *testing.T) {
ctx := setupTestContext(t)
t.Run("user_directory", func(t *testing.T) {
users := ctx.createMultipleUsersWithCleanup(t, 3, "user", "StrongPass123!")
authClient := ctx.loginUser(t, users[0].Username, users[0].Password)
usersResp := authClient.GetUsers(t)
if len(usersResp.Data.Users) < 3 {
t.Errorf("Expected at least 3 users, got %d", len(usersResp.Data.Users))
}
for _, user := range usersResp.Data.Users {
if user.Username == "" {
t.Errorf("Expected username to be present, got empty string")
}
}
})
}
func TestE2E_ProfileManagement(t *testing.T) {
ctx := setupTestContext(t)
t.Run("profile_management", func(t *testing.T) {
createdUser, authClient := ctx.createUserAndLogin(t, "testuser", "StrongPass123!")
profile := authClient.GetProfile(t)
assertUserResponse(t, profile, createdUser)
})
}
func TestE2E_ProfileAccessAuthorization(t *testing.T) {
ctx := setupTestContext(t)
t.Run("profile_access_authorization", func(t *testing.T) {
createdUsers := ctx.createMultipleUsersWithCleanup(t, 2, "profileuser", "StrongPass123!")
user1 := createdUsers[0]
user2 := createdUsers[1]
authClient1 := ctx.loginUser(t, user1.Username, user1.Password)
authClient2 := ctx.loginUser(t, user2.Username, user2.Password)
user2CurrentUsername := user2.Username
t.Run("users_only_see_own_profile_via_me_endpoint", func(t *testing.T) {
profile1 := authClient1.GetProfile(t)
if profile1.Data.ID != user1.ID {
t.Errorf("User1's /api/auth/me shows wrong ID: expected %d, got %d", user1.ID, profile1.Data.ID)
}
if profile1.Data.Username != user1.Username {
t.Errorf("User1's /api/auth/me shows wrong username: expected '%s', got '%s'", user1.Username, profile1.Data.Username)
}
if profile1.Data.Email != user1.Email {
t.Errorf("User1's /api/auth/me shows wrong email: expected '%s', got '%s'", user1.Email, profile1.Data.Email)
}
profile2 := authClient2.GetProfile(t)
if profile2.Data.ID != user2.ID {
t.Errorf("User2's /api/auth/me shows wrong ID: expected %d, got %d", user2.ID, profile2.Data.ID)
}
if profile2.Data.Username != user2.Username {
t.Errorf("User2's /api/auth/me shows wrong username: expected '%s', got '%s'", user2.Username, profile2.Data.Username)
}
if profile2.Data.Email != user2.Email {
t.Errorf("User2's /api/auth/me shows wrong email: expected '%s', got '%s'", user2.Email, profile2.Data.Email)
}
if profile1.Data.ID == profile2.Data.ID {
t.Errorf("User1 and User2 profiles should have different IDs via /api/auth/me, but both show %d", profile1.Data.ID)
}
if profile1.Data.Username == profile2.Data.Username {
t.Errorf("User1 and User2 profiles should have different usernames via /api/auth/me, but both show '%s'", profile1.Data.Username)
}
if profile1.Data.Email == profile2.Data.Email {
t.Errorf("User1 and User2 profiles should have different emails via /api/auth/me, but both show '%s'", profile1.Data.Email)
}
})
t.Run("users_cannot_modify_other_users_email", func(t *testing.T) {
originalProfile1 := authClient1.GetProfile(t)
originalEmail1 := originalProfile1.Data.Email
ctx.server.EmailSender.Reset()
statusCode := authClient2.UpdateEmailExpectStatus(t, uniqueEmail(t, "newemail2"))
if statusCode != http.StatusOK {
t.Errorf("Expected User2 to be able to update their own email with status 200, got %d", statusCode)
}
verificationToken := ctx.server.EmailSender.VerificationToken()
if verificationToken != "" {
ctx.confirmEmail(t, verificationToken)
}
updatedProfile1 := authClient1.GetProfile(t)
if updatedProfile1.Data.Email != originalEmail1 {
t.Errorf("User2 updating their own email should not affect User1's email. Expected '%s', got '%s'", originalEmail1, updatedProfile1.Data.Email)
}
})
t.Run("users_cannot_modify_other_users_username", func(t *testing.T) {
originalProfile1 := authClient1.GetProfile(t)
originalUsername1 := originalProfile1.Data.Username
user2CurrentUsername = uniqueUsername(t, "newusername2")
authClient2.UpdateUsername(t, user2CurrentUsername)
updatedProfile1 := authClient1.GetProfile(t)
if updatedProfile1.Data.Username != originalUsername1 {
t.Errorf("User2 updating their own username should not affect User1's username. Expected '%s', got '%s'", originalUsername1, updatedProfile1.Data.Username)
}
updatedProfile2 := authClient2.GetProfile(t)
if updatedProfile2.Data.Username == originalUsername1 {
t.Errorf("Expected User2's username to be updated, but it's still '%s'", originalUsername1)
}
})
t.Run("users_cannot_modify_other_users_password", func(t *testing.T) {
baselineAuthClient1 := ctx.loginUser(t, user1.Username, "StrongPass123!")
if baselineAuthClient1.Token == "" {
t.Fatalf("User1 should be able to login with original password before User2's update")
}
authClient2.UpdatePassword(t, "StrongPass123!", "NewPass456!")
newAuthClient1 := ctx.loginUser(t, user1.Username, "StrongPass123!")
if newAuthClient1.Token == "" {
t.Errorf("User1 should still be able to login with original password after User2 updates their own password")
}
profile1After := newAuthClient1.GetProfile(t)
if profile1After.Data.Username != user1.Username {
t.Errorf("User1's username should remain unchanged after User2's password update. Expected '%s', got '%s'", user1.Username, profile1After.Data.Username)
}
})
t.Run("user1_updates_dont_affect_user2", func(t *testing.T) {
authClient2 = ctx.loginUser(t, user2CurrentUsername, "NewPass456!")
originalProfile2 := authClient2.GetProfile(t)
originalUsername2 := originalProfile2.Data.Username
authClient1.UpdateUsername(t, uniqueUsername(t, "newusername1"))
updatedProfile2 := authClient2.GetProfile(t)
if updatedProfile2.Data.Username != originalUsername2 {
t.Errorf("User1 updating their own username should not affect User2's username. Expected '%s', got '%s'", originalUsername2, updatedProfile2.Data.Username)
}
updatedProfile1 := authClient1.GetProfile(t)
if updatedProfile1.Data.Username == originalUsername2 {
t.Errorf("Expected User1's username to be updated, but it's still '%s'", originalUsername2)
}
})
t.Run("profiles_remain_isolated_after_updates", func(t *testing.T) {
authClient2 = ctx.loginUser(t, user2CurrentUsername, "NewPass456!")
finalProfile1 := authClient1.GetProfile(t)
finalProfile2 := authClient2.GetProfile(t)
if finalProfile1.Data.ID == finalProfile2.Data.ID {
t.Errorf("After all updates, User1 and User2 should still have different IDs, but both show %d", finalProfile1.Data.ID)
}
if finalProfile1.Data.Username == finalProfile2.Data.Username {
t.Errorf("After all updates, User1 and User2 should still have different usernames, but both show '%s'", finalProfile1.Data.Username)
}
if finalProfile1.Data.Email == finalProfile2.Data.Email {
t.Errorf("After all updates, User1 and User2 should still have different emails, but both show '%s'", finalProfile1.Data.Email)
}
})
})
}

192
internal/e2e/version_test.go Normal file
View File

@@ -0,0 +1,192 @@
package e2e
import (
"encoding/json"
"net/http"
"regexp"
"testing"
"goyco/internal/testutils"
)
func TestE2E_VersionEndpoint(t *testing.T) {
ctx := setupTestContext(t)
t.Run("version_in_api_info", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/api", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected status 200 for /api endpoint, got %d", resp.StatusCode)
return
}
var apiInfo map[string]interface{}
if err := json.NewDecoder(resp.Body).Decode(&apiInfo); err != nil {
t.Fatalf("Failed to decode API info response: %v", err)
}
data, ok := apiInfo["data"].(map[string]interface{})
if !ok {
t.Fatalf("API info data is not a map")
}
version, ok := data["version"].(string)
if !ok {
t.Error("Version field missing or not a string in API info")
return
}
if version == "" {
t.Error("Version is empty")
}
versionPattern := regexp.MustCompile(`^\d+\.\d+\.\d+`)
if !versionPattern.MatchString(version) {
t.Errorf("Version format invalid, expected semantic version (x.y.z), got: %s", version)
}
})
t.Run("version_in_health_endpoint", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/health", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected status 200 for /health endpoint, got %d", resp.StatusCode)
return
}
var healthInfo map[string]interface{}
if err := json.NewDecoder(resp.Body).Decode(&healthInfo); err != nil {
t.Fatalf("Failed to decode health response: %v", err)
}
data, ok := healthInfo["data"].(map[string]interface{})
if !ok {
t.Fatalf("Health data is not a map")
}
version, ok := data["version"].(string)
if !ok {
t.Error("Version field missing or not a string in health info")
return
}
if version == "" {
t.Error("Version is empty")
}
versionPattern := regexp.MustCompile(`^\d+\.\d+\.\d+`)
if !versionPattern.MatchString(version) {
t.Errorf("Version format invalid, expected semantic version (x.y.z), got: %s", version)
}
})
t.Run("version_consistency", func(t *testing.T) {
apiReq, err := http.NewRequest("GET", ctx.baseURL+"/api", nil)
if err != nil {
t.Fatalf("Failed to create API request: %v", err)
}
testutils.WithStandardHeaders(apiReq)
apiResp, err := ctx.client.Do(apiReq)
if err != nil {
t.Fatalf("API request failed: %v", err)
}
defer apiResp.Body.Close()
healthReq, err := http.NewRequest("GET", ctx.baseURL+"/health", nil)
if err != nil {
t.Fatalf("Failed to create health request: %v", err)
}
testutils.WithStandardHeaders(healthReq)
healthResp, err := ctx.client.Do(healthReq)
if err != nil {
t.Fatalf("Health request failed: %v", err)
}
defer healthResp.Body.Close()
if apiResp.StatusCode != http.StatusOK || healthResp.StatusCode != http.StatusOK {
t.Skip("One or both endpoints unavailable")
return
}
var apiInfo map[string]interface{}
if err := json.NewDecoder(apiResp.Body).Decode(&apiInfo); err != nil {
t.Fatalf("Failed to decode API info: %v", err)
}
var healthInfo map[string]interface{}
if err := json.NewDecoder(healthResp.Body).Decode(&healthInfo); err != nil {
t.Fatalf("Failed to decode health info: %v", err)
}
apiData, _ := apiInfo["data"].(map[string]interface{})
healthData, _ := healthInfo["data"].(map[string]interface{})
apiVersion, apiOk := apiData["version"].(string)
healthVersion, healthOk := healthData["version"].(string)
if apiOk && healthOk && apiVersion != healthVersion {
t.Errorf("Version mismatch: /api has %s, /health has %s", apiVersion, healthVersion)
}
})
t.Run("version_format_validation", func(t *testing.T) {
req, err := http.NewRequest("GET", ctx.baseURL+"/api", nil)
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
testutils.WithStandardHeaders(req)
resp, err := ctx.client.Do(req)
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Skip("API endpoint unavailable")
return
}
var apiInfo map[string]interface{}
if err := json.NewDecoder(resp.Body).Decode(&apiInfo); err != nil {
t.Fatalf("Failed to decode API info: %v", err)
}
data, ok := apiInfo["data"].(map[string]interface{})
if !ok {
return
}
version, ok := data["version"].(string)
if !ok || version == "" {
return
}
semverPattern := regexp.MustCompile(`^\d+\.\d+\.\d+(-[a-zA-Z0-9-]+)?(\+[a-zA-Z0-9-]+)?$`)
if !semverPattern.MatchString(version) {
t.Logf("Version '%s' does not strictly follow semantic versioning (acceptable)", version)
}
})
}

266
internal/e2e/votes_test.go Normal file
View File

@@ -0,0 +1,266 @@
package e2e
import (
"net/http"
"testing"
)
func TestE2E_VoteManagement(t *testing.T) {
ctx := setupTestContext(t)
t.Run("vote_operations", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "testuser", "StrongPass123!")
createdPost := authClient.CreatePost(t, "Vote Test Post", "https://example.com/vote", "Content for voting")
var voteResp *VoteResponse
statusCode := retryOnRateLimit(t, 3, func() int {
resp, code := authClient.VoteOnPostRaw(t, createdPost.ID, "up")
if code == http.StatusOK {
voteResp = resp
}
return code
})
if statusCode == http.StatusTooManyRequests {
t.Skip("Skipping vote operations test: rate limited after retries")
return
}
if statusCode != http.StatusOK {
t.Fatalf("Vote failed with status %d", statusCode)
}
assertVoteResponse(t, voteResp, "up")
userVote := authClient.GetUserVote(t, createdPost.ID)
if !userVote.Success {
t.Errorf("Expected to get user vote, got failure: %s", userVote.Message)
}
userVoteData := assertVoteData(t, userVote)
if hasVote, ok := userVoteData["has_vote"].(bool); !ok || !hasVote {
t.Errorf("Expected has_vote true after casting vote, got %#v", userVoteData["has_vote"])
}
postVotes := authClient.GetPostVotes(t, createdPost.ID)
if !postVotes.Success {
t.Errorf("Expected to get post votes, got failure: %s", postVotes.Message)
}
postVotesData := assertVoteData(t, postVotes)
if count, ok := postVotesData["count"].(float64); !ok || count < 1 {
t.Errorf("Expected post votes count to be >= 1, got %#v", postVotesData["count"])
}
authClient.RemoveVote(t, createdPost.ID)
removedVote := authClient.GetUserVote(t, createdPost.ID)
if !removedVote.Success {
t.Errorf("Expected to get vote removal state, got failure: %s", removedVote.Message)
}
removedVoteData := assertVoteData(t, removedVote)
if hasVote, ok := removedVoteData["has_vote"].(bool); ok && hasVote {
t.Errorf("Expected has_vote false after removal, got true")
}
if voteVal, present := removedVoteData["vote"]; present && voteVal != nil {
t.Errorf("Expected vote data to be nil after removal, got %#v", voteVal)
}
postVotesAfter := authClient.GetPostVotes(t, createdPost.ID)
if !postVotesAfter.Success {
t.Errorf("Expected to get post votes after removal, got failure: %s", postVotesAfter.Message)
}
postVotesAfterData := assertVoteData(t, postVotesAfter)
if count, ok := postVotesAfterData["count"].(float64); ok && count != 0 {
t.Errorf("Expected post votes count to be 0 after removal, got %v", count)
}
})
}
func TestE2E_VoteAuthorization(t *testing.T) {
ctx := setupTestContext(t)
t.Run("vote_authorization", func(t *testing.T) {
createdUsers := ctx.createMultipleUsersWithCleanup(t, 2, "voteuser", "StrongPass123!")
user1 := createdUsers[0]
user2 := createdUsers[1]
authClient1 := ctx.loginUser(t, user1.Username, user1.Password)
authClient2 := ctx.loginUser(t, user2.Username, user2.Password)
createdPost := authClient1.CreatePost(t, "Vote Test Post", "https://example.com/vote", "Content for voting tests")
t.Run("users_can_only_vote_with_own_token", func(t *testing.T) {
voteResp1 := authClient1.VoteOnPost(t, createdPost.ID, "up")
if !voteResp1.Success {
t.Errorf("Expected User1 to be able to vote with their own token, got failure: %s", voteResp1.Message)
}
userVote1 := authClient1.GetUserVote(t, createdPost.ID)
if !userVote1.Success {
t.Errorf("Expected to get User1's vote, got failure: %s", userVote1.Message)
}
userVote1Data := assertVoteData(t, userVote1)
if hasVote, ok := userVote1Data["has_vote"].(bool); !ok || !hasVote {
t.Errorf("Expected User1 to have a vote after voting, got has_vote=%v", userVote1Data["has_vote"])
}
voteResp2 := authClient2.VoteOnPost(t, createdPost.ID, "up")
if !voteResp2.Success {
t.Errorf("Expected User2 to be able to vote with their own token, got failure: %s", voteResp2.Message)
}
userVote2 := authClient2.GetUserVote(t, createdPost.ID)
if !userVote2.Success {
t.Errorf("Expected to get User2's vote, got failure: %s", userVote2.Message)
}
userVote2Data := assertVoteData(t, userVote2)
if hasVote, ok := userVote2Data["has_vote"].(bool); !ok || !hasVote {
t.Errorf("Expected User2 to have a vote after voting, got has_vote=%v", userVote2Data["has_vote"])
}
userVote1After := authClient1.GetUserVote(t, createdPost.ID)
if !userVote1After.Success {
t.Errorf("Expected to still get User1's vote after User2 votes, got failure: %s", userVote1After.Message)
}
userVote1AfterData := assertVoteData(t, userVote1After)
if hasVote, ok := userVote1AfterData["has_vote"].(bool); !ok || !hasVote {
t.Errorf("Expected User1's vote to still exist after User2 votes, got has_vote=%v", userVote1AfterData["has_vote"])
}
})
t.Run("vote_counts_reflect_authenticated_votes", func(t *testing.T) {
postVotes := authClient1.GetPostVotes(t, createdPost.ID)
if !postVotes.Success {
t.Errorf("Expected to get post votes, got failure: %s", postVotes.Message)
}
postVotesData := assertVoteData(t, postVotes)
count, ok := postVotesData["count"].(float64)
if !ok {
t.Fatalf("Expected count to be a number, got %T", postVotesData["count"])
}
if count < 2 {
t.Errorf("Expected vote count to be at least 2 (User1 and User2 both voted), got %v", count)
}
votesArray, ok := postVotesData["votes"].([]any)
if !ok {
t.Fatalf("Expected votes to be an array, got %T", postVotesData["votes"])
}
if len(votesArray) < 2 {
t.Errorf("Expected at least 2 votes in the votes array, got %d", len(votesArray))
}
})
t.Run("users_can_only_modify_own_votes", func(t *testing.T) {
authClient1.RemoveVote(t, createdPost.ID)
userVote1After := authClient1.GetUserVote(t, createdPost.ID)
if !userVote1After.Success {
t.Errorf("Expected to get vote state after removal, got failure: %s", userVote1After.Message)
}
userVote1AfterData := assertVoteData(t, userVote1After)
if hasVote, ok := userVote1AfterData["has_vote"].(bool); ok && hasVote {
t.Errorf("Expected User1's vote to be removed, but has_vote is still true")
}
userVote2After := authClient2.GetUserVote(t, createdPost.ID)
if !userVote2After.Success {
t.Errorf("Expected to get User2's vote, got failure: %s", userVote2After.Message)
}
userVote2AfterData := assertVoteData(t, userVote2After)
if hasVote, ok := userVote2AfterData["has_vote"].(bool); !ok || !hasVote {
t.Errorf("Expected User2's vote to still exist after User1 removes their vote, got has_vote=%v", userVote2AfterData["has_vote"])
}
postVotesAfter := authClient1.GetPostVotes(t, createdPost.ID)
if !postVotesAfter.Success {
t.Errorf("Expected to get post votes after removal, got failure: %s", postVotesAfter.Message)
}
postVotesAfterData := assertVoteData(t, postVotesAfter)
countAfter, ok := postVotesAfterData["count"].(float64)
if !ok {
t.Fatalf("Expected count to be a number, got %T", postVotesAfterData["count"])
}
if countAfter < 1 {
t.Errorf("Expected vote count to be at least 1 after User1 removes vote, got %v", countAfter)
}
})
t.Run("vote_counts_accurate_with_different_types", func(t *testing.T) {
voteResp1Down := authClient1.VoteOnPost(t, createdPost.ID, "down")
if !voteResp1Down.Success {
t.Errorf("Expected User1 to be able to vote down, got failure: %s", voteResp1Down.Message)
}
postVotes := authClient2.GetPostVotes(t, createdPost.ID)
if !postVotes.Success {
t.Errorf("Expected to get post votes, got failure: %s", postVotes.Message)
}
postVotesData := assertVoteData(t, postVotes)
count := postVotesData["count"].(float64)
if count < 2 {
t.Errorf("Expected vote count to be at least 2 (User1 downvote, User2 upvote), got %v", count)
}
userVote1 := authClient1.GetUserVote(t, createdPost.ID)
userVote1Data := assertVoteData(t, userVote1)
if voteData, exists := userVote1Data["vote"].(map[string]any); exists {
if voteType, exists := voteData["type"].(string); exists {
if voteType != "down" {
t.Errorf("Expected User1's vote type to be 'down', got '%s'", voteType)
}
}
}
userVote2 := authClient2.GetUserVote(t, createdPost.ID)
userVote2Data := assertVoteData(t, userVote2)
if voteData, exists := userVote2Data["vote"].(map[string]any); exists {
if voteType, exists := voteData["type"].(string); exists {
if voteType != "up" {
t.Errorf("Expected User2's vote type to be 'up', got '%s'", voteType)
}
}
}
})
t.Run("multiple_users_vote_independently", func(t *testing.T) {
user3 := ctx.createUserWithCleanup(t, "voteuser3", "StrongPass123!")
authClient3 := ctx.loginUser(t, user3.Username, user3.Password)
voteResp3 := authClient3.VoteOnPost(t, createdPost.ID, "up")
if !voteResp3.Success {
t.Errorf("Expected User3 to be able to vote, got failure: %s", voteResp3.Message)
}
userVote1 := authClient1.GetUserVote(t, createdPost.ID)
userVote1Data := assertVoteData(t, userVote1)
if hasVote, ok := userVote1Data["has_vote"].(bool); !ok || !hasVote {
t.Errorf("Expected User1 to still have a vote")
}
userVote2 := authClient2.GetUserVote(t, createdPost.ID)
userVote2Data := assertVoteData(t, userVote2)
if hasVote, ok := userVote2Data["has_vote"].(bool); !ok || !hasVote {
t.Errorf("Expected User2 to still have a vote")
}
userVote3 := authClient3.GetUserVote(t, createdPost.ID)
userVote3Data := assertVoteData(t, userVote3)
if hasVote, ok := userVote3Data["has_vote"].(bool); !ok || !hasVote {
t.Errorf("Expected User3 to have a vote after voting")
}
postVotes := authClient3.GetPostVotes(t, createdPost.ID)
postVotesData := assertVoteData(t, postVotes)
count, ok := postVotesData["count"].(float64)
if !ok {
t.Fatalf("Expected count to be a number, got %T", postVotesData["count"])
}
if count < 3 {
t.Errorf("Expected vote count to be at least 3 (three users voted), got %v", count)
}
})
})
}

611
internal/e2e/workflows_realistic_test.go Normal file
View File

@@ -0,0 +1,611 @@
package e2e
import (
"fmt"
"net/http"
"strings"
"testing"
"time"
"goyco/internal/testutils"
)
func findPostInList(postsResp *testutils.PostsListResponse, postID uint) *testutils.Post {
if postsResp == nil || postsResp.Data.Posts == nil {
return nil
}
for _, post := range postsResp.Data.Posts {
if post.ID == postID {
return &post
}
}
return nil
}
func TestE2E_NewUserOnboarding(t *testing.T) {
ctx := setupTestContext(t)
t.Run("new_user_onboarding", func(t *testing.T) {
username := uniqueUsername(t, "newuser")
email := uniqueEmail(t, "newuser")
password := "Password123!"
ctx.server.EmailSender.Reset()
statusCode := ctx.registerUserExpectStatus(t, username, email, password)
if statusCode != http.StatusCreated {
t.Fatalf("Expected registration to succeed, got status %d", statusCode)
}
verificationToken := ctx.server.EmailSender.VerificationToken()
if verificationToken == "" {
t.Fatalf("Expected verification token")
}
ctx.confirmEmail(t, verificationToken)
authClient := ctx.loginUser(t, username, password)
if authClient.Token == "" {
t.Fatalf("Expected login to succeed after email verification")
}
createdPost := authClient.CreatePost(t, "My First Post", "https://example.com/first", "This is my first post content")
if createdPost.ID == 0 {
t.Errorf("Expected post creation to succeed")
}
voteResp := authClient.VoteOnPost(t, createdPost.ID, "up")
if !voteResp.Success {
t.Errorf("Expected vote to succeed, got failure: %s", voteResp.Message)
}
profile := authClient.GetProfile(t)
if profile.Data.Username != username {
t.Errorf("Expected profile username to match, got '%s'", profile.Data.Username)
}
})
}
func TestE2E_ReturningUserSession(t *testing.T) {
ctx := setupTestContext(t)
t.Run("returning_user_session", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "returning", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
postsResp := authClient.GetPosts(t)
if postsResp == nil {
t.Errorf("Expected posts response")
}
post1 := authClient.CreatePost(t, "Post 1", "https://example.com/post1", "Content 1")
post2 := authClient.CreatePost(t, "Post 2", "https://example.com/post2", "Content 2")
voteResp := authClient.VoteOnPost(t, post1.ID, "up")
if !voteResp.Success {
t.Errorf("Expected vote to succeed")
}
voteResp = authClient.VoteOnPost(t, post2.ID, "down")
if !voteResp.Success {
t.Errorf("Expected vote to succeed")
}
postsResp = authClient.GetPosts(t)
if postsResp == nil || len(postsResp.Data.Posts) == 0 {
t.Errorf("Expected to retrieve posts")
}
authClient.Logout(t)
})
}
func TestE2E_PowerUserWorkflow(t *testing.T) {
ctx := setupTestContext(t)
t.Run("power_user_workflow", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "poweruser", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
var postIDs []uint
for i := 1; i <= 5; i++ {
post := authClient.CreatePost(t,
uniqueTestID(t)+" Post "+fmt.Sprintf("%d", i),
"https://example.com/power"+uniqueTestID(t)+fmt.Sprintf("%d", i),
"Content "+fmt.Sprintf("%d", i))
postIDs = append(postIDs, post.ID)
}
for i, postID := range postIDs {
voteType := "up"
if i%2 == 0 {
voteType = "down"
}
voteResp := authClient.VoteOnPost(t, postID, voteType)
if !voteResp.Success {
t.Errorf("Expected vote to succeed on post %d", postID)
}
}
postsResp := authClient.GetPosts(t)
firstPost := findPostInList(postsResp, postIDs[0])
if firstPost == nil {
t.Fatalf("Expected to retrieve first post")
}
authClient.UpdatePost(t, postIDs[0], "Updated Title", "https://example.com/updated", "Updated content")
updatedPostsResp := authClient.GetPosts(t)
updatedPost := findPostInList(updatedPostsResp, postIDs[0])
if updatedPost == nil {
t.Fatalf("Expected to retrieve updated post")
}
if updatedPost.Title != "Updated Title" {
t.Errorf("Expected post title to be updated, got '%s'", updatedPost.Title)
}
authClient.DeletePost(t, postIDs[len(postIDs)-1])
finalPostsResp := authClient.GetPosts(t)
deletedPost := findPostInList(finalPostsResp, postIDs[len(postIDs)-1])
if deletedPost != nil {
t.Errorf("Expected deleted post to not be accessible")
}
})
}
func TestE2E_PasswordResetFlowRealistic(t *testing.T) {
ctx := setupTestContext(t)
t.Run("password_reset_flow", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "resetflow", "Password123!")
_ = ctx.loginUser(t, createdUser.Username, createdUser.Password)
ctx.server.EmailSender.Reset()
testutils.RequestPasswordReset(t, ctx.client, ctx.baseURL, createdUser.Email, testutils.GenerateTestIP())
resetToken := ctx.server.EmailSender.PasswordResetToken()
if resetToken == "" {
t.Fatalf("Expected password reset token")
}
newPassword := "NewPassword456!"
statusCode := testutils.ResetPassword(t, ctx.client, ctx.baseURL, resetToken, newPassword, testutils.GenerateTestIP())
if statusCode != http.StatusOK {
t.Fatalf("Expected password reset to succeed, got status %d", statusCode)
}
oldLoginStatus := ctx.loginExpectStatus(t, createdUser.Username, "Password123!", http.StatusUnauthorized)
if oldLoginStatus == http.StatusOK {
t.Log("Old password may still work briefly (acceptable)")
}
newClient := ctx.loginUser(t, createdUser.Username, newPassword)
if newClient.Token == "" {
t.Errorf("Expected login with new password to succeed")
}
newClient.UpdatePassword(t, newPassword, "AnotherPassword789!")
finalClient := ctx.loginUser(t, createdUser.Username, "AnotherPassword789!")
if finalClient.Token == "" {
t.Errorf("Expected login with final password to succeed")
}
})
}
func TestE2E_PostLifecycle(t *testing.T) {
ctx := setupTestContext(t)
t.Run("post_lifecycle", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "lifecycle", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
createdPost := authClient.CreatePost(t, "Original Title", "https://example.com/lifecycle", "Original content")
if createdPost.ID == 0 {
t.Fatalf("Expected post creation to succeed")
}
voteResp := authClient.VoteOnPost(t, createdPost.ID, "up")
if !voteResp.Success {
t.Errorf("Expected vote to succeed")
}
authClient.UpdatePost(t, createdPost.ID, "Updated Title", "https://example.com/lifecycle", "Updated content")
postsResp := authClient.GetPosts(t)
updatedPost := findPostInList(postsResp, createdPost.ID)
if updatedPost == nil {
t.Fatalf("Expected to retrieve updated post")
}
if updatedPost.Title != "Updated Title" {
t.Errorf("Expected post to be updated")
}
voteResp = authClient.VoteOnPost(t, createdPost.ID, "down")
if !voteResp.Success {
t.Errorf("Expected vote change to succeed")
}
authClient.UpdatePost(t, createdPost.ID, "Final Title", "https://example.com/lifecycle", "Final content")
finalPostsResp := authClient.GetPosts(t)
finalPost := findPostInList(finalPostsResp, createdPost.ID)
if finalPost == nil {
t.Fatalf("Expected to retrieve final post")
}
if finalPost.Title != "Final Title" {
t.Errorf("Expected post to be updated again")
}
authClient.DeletePost(t, createdPost.ID)
deletedPostsResp := authClient.GetPosts(t)
deletedPost := findPostInList(deletedPostsResp, createdPost.ID)
if deletedPost != nil {
t.Errorf("Expected deleted post to not be accessible")
}
recreatedPost := authClient.CreatePost(t, "Recreated Title", "https://example.com/lifecycle-recreated", "Recreated content")
if recreatedPost.ID == 0 {
t.Errorf("Expected post recreation to succeed")
}
})
}
func TestE2E_VotePatterns(t *testing.T) {
ctx := setupTestContext(t)
t.Run("vote_patterns", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "votepattern", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
post := authClient.CreatePost(t, "Vote Test Post", "https://example.com/vote", "Content")
voteResp := authClient.VoteOnPost(t, post.ID, "up")
if !voteResp.Success {
t.Errorf("Expected upvote to succeed")
}
userVote := authClient.GetUserVote(t, post.ID)
if userVote == nil || userVote.Data == nil {
t.Errorf("Expected to retrieve user vote")
}
voteResp = authClient.VoteOnPost(t, post.ID, "down")
if !voteResp.Success {
t.Errorf("Expected downvote to succeed")
}
voteResp = authClient.VoteOnPost(t, post.ID, "none")
if !voteResp.Success {
t.Errorf("Expected vote removal to succeed")
}
userVote = authClient.GetUserVote(t, post.ID)
if userVote != nil && userVote.Data != nil {
voteData, ok := userVote.Data.(map[string]any)
if ok {
if voteType, exists := voteData["type"]; exists && voteType != nil && voteType != "none" {
t.Errorf("Expected vote to be removed")
}
}
}
voteResp = authClient.VoteOnPost(t, post.ID, "up")
if !voteResp.Success {
t.Errorf("Expected upvote after removal to succeed")
}
})
}
func TestE2E_ProfileUpdateFlow(t *testing.T) {
ctx := setupTestContext(t)
t.Run("profile_update_flow", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "profile", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
_ = authClient.GetProfile(t)
newUsername := uniqueUsername(t, "updated")
authClient.UpdateUsername(t, newUsername)
updatedProfile := authClient.GetProfile(t)
if updatedProfile.Data.Username != newUsername {
t.Errorf("Expected username to be updated, got '%s'", updatedProfile.Data.Username)
}
ctx.server.EmailSender.Reset()
newEmail := uniqueEmail(t, "updated")
authClient.UpdateEmail(t, newEmail)
emailProfile := authClient.GetProfile(t)
normalizedNewEmail := strings.ToLower(strings.TrimSpace(newEmail))
if emailProfile.Data.Email != normalizedNewEmail {
t.Errorf("Expected email to be updated, got '%s'", emailProfile.Data.Email)
}
verificationToken := ctx.server.EmailSender.VerificationToken()
if verificationToken == "" {
t.Fatalf("Expected verification token after email update")
}
ctx.confirmEmail(t, verificationToken)
authClient.UpdatePassword(t, "Password123!", "NewPassword999!")
passwordClient := ctx.loginUser(t, newUsername, "NewPassword999!")
if passwordClient.Token == "" {
t.Errorf("Expected login with new password to succeed")
}
finalProfile := passwordClient.GetProfile(t)
if finalProfile.Data.Username != newUsername {
t.Errorf("Expected username to remain updated, got '%s'", finalProfile.Data.Username)
}
if finalProfile.Data.Email != normalizedNewEmail {
t.Errorf("Expected email to remain updated, got '%s'", finalProfile.Data.Email)
}
})
}
func TestE2E_MultiUserInteraction(t *testing.T) {
ctx := setupTestContext(t)
t.Run("multi_user_interaction", func(t *testing.T) {
userA := ctx.createUserWithCleanup(t, "usera", "Password123!")
userB := ctx.createUserWithCleanup(t, "userb", "Password123!")
clientA := ctx.loginUser(t, userA.Username, userA.Password)
clientB := ctx.loginUser(t, userB.Username, userB.Password)
post := clientA.CreatePost(t, "User A's Post", "https://example.com/usera", "Content from User A")
if post.ID == 0 {
t.Fatalf("Expected post creation to succeed")
}
voteResp := clientB.VoteOnPost(t, post.ID, "up")
if !voteResp.Success {
t.Errorf("Expected User B to vote on User A's post")
}
clientA.UpdatePost(t, post.ID, "Updated by User A", "https://example.com/usera", "Updated content")
postsResp := clientB.GetPosts(t)
updatedPost := findPostInList(postsResp, post.ID)
if updatedPost == nil {
t.Fatalf("Expected to retrieve updated post")
}
if updatedPost.Title != "Updated by User A" {
t.Errorf("Expected User B to see updated post")
}
voteResp = clientB.VoteOnPost(t, post.ID, "down")
if !voteResp.Success {
t.Errorf("Expected User B to change vote")
}
finalPostsResp := clientA.GetPosts(t)
finalPost := findPostInList(finalPostsResp, post.ID)
if finalPost == nil {
t.Errorf("Expected User A to retrieve final post")
}
})
}
func TestE2E_ContentDiscovery(t *testing.T) {
ctx := setupTestContext(t)
t.Run("content_discovery", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "discovery", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
post1 := authClient.CreatePost(t, "Golang Tutorial", "https://example.com/golang", "Learn Go programming")
post2 := authClient.CreatePost(t, "Python Guide", "https://example.com/python", "Python programming guide")
post3 := authClient.CreatePost(t, "Rust Basics", "https://example.com/rust", "Rust programming basics")
authClient.VoteOnPost(t, post1.ID, "up")
authClient.VoteOnPost(t, post2.ID, "up")
authClient.VoteOnPost(t, post3.ID, "down")
searchResp := authClient.SearchPosts(t, "Golang")
if searchResp == nil || len(searchResp.Data.Posts) == 0 {
t.Errorf("Expected search to find posts")
}
postsResp := authClient.GetPosts(t)
if postsResp == nil || len(postsResp.Data.Posts) == 0 {
t.Errorf("Expected to retrieve posts")
}
authClient.VoteOnPost(t, post1.ID, "up")
updatedPostsResp := authClient.GetPosts(t)
updatedPost := findPostInList(updatedPostsResp, post1.ID)
if updatedPost == nil {
t.Errorf("Expected to retrieve updated post")
}
})
}
func TestE2E_SessionPersistence(t *testing.T) {
ctx := setupTestContext(t)
t.Run("session_persistence", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "session", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
profile1 := authClient.GetProfile(t)
if profile1.Data.Username != createdUser.Username {
t.Errorf("Expected first profile request to succeed")
}
ctx.assertEventually(t, func() bool {
profile2 := authClient.GetProfile(t)
return profile2 != nil && profile2.Data.Username == createdUser.Username
}, 2*time.Second)
profile2 := authClient.GetProfile(t)
if profile2.Data.Username != createdUser.Username {
t.Errorf("Expected second profile request to succeed")
}
postsResp1 := authClient.GetPosts(t)
postsResp2 := authClient.GetPosts(t)
if postsResp1 == nil || postsResp2 == nil {
t.Errorf("Expected multiple requests with same session to work")
}
})
}
func TestE2E_ConcurrentRequestsWithSameSession(t *testing.T) {
ctx := setupTestContext(t)
t.Run("concurrent_requests_same_session", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "concurrent", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
results := make(chan bool, 5)
for i := 0; i < 5; i++ {
go func() {
profile := authClient.GetProfile(t)
results <- (profile != nil && profile.Data.Username == createdUser.Username)
}()
}
successCount := 0
for i := 0; i < 5; i++ {
if <-results {
successCount++
}
}
if successCount == 0 {
t.Errorf("Expected at least some concurrent requests to succeed")
}
})
}
func TestE2E_UserAgentHeaders(t *testing.T) {
ctx := setupTestContext(t)
t.Run("user_agent_headers", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "useragent", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
userAgents := []string{
"Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
"Mozilla/5.0 (X11; Linux x86_64)",
"Go-http-client/1.1",
}
for _, ua := range userAgents {
request, err := testutils.NewRequestBuilder("GET", ctx.baseURL+"/api/auth/me").
WithAuth(authClient.Token).
WithHeader("User-Agent", ua).
Build()
if err != nil {
t.Errorf("Failed to create request with User-Agent: %s", ua)
continue
}
resp, err := ctx.client.Do(request)
if err != nil {
t.Errorf("Request failed with User-Agent %s: %v", ua, err)
continue
}
resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected status 200 with User-Agent %s, got %d", ua, resp.StatusCode)
}
}
})
}
func TestE2E_RefererHeaders(t *testing.T) {
ctx := setupTestContext(t)
t.Run("referer_headers", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "referer", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
referers := []string{
"https://example.com/page1",
"https://example.com/page2",
"http://localhost:3000",
"",
}
for _, referer := range referers {
builder := testutils.NewRequestBuilder("GET", ctx.baseURL+"/api/auth/me").
WithAuth(authClient.Token)
if referer != "" {
builder = builder.WithHeader("Referer", referer)
}
request, err := builder.Build()
if err != nil {
t.Errorf("Failed to create request with Referer: %s", referer)
continue
}
resp, err := ctx.client.Do(request)
if err != nil {
t.Errorf("Request failed with Referer %s: %v", referer, err)
continue
}
resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected status 200 with Referer %s, got %d", referer, resp.StatusCode)
}
}
})
}
func TestE2E_RapidSuccessiveActions(t *testing.T) {
ctx := setupTestContext(t)
t.Run("rapid_successive_actions", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "rapid", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
post := authClient.CreatePost(t, "Rapid Vote Test", "https://example.com/rapid", "Content")
for i := 0; i < 10; i++ {
voteType := "up"
if i%2 == 0 {
voteType = "down"
}
voteResp := authClient.VoteOnPost(t, post.ID, voteType)
if !voteResp.Success {
t.Logf("Vote %d may have been rate limited (acceptable)", i+1)
}
}
finalPostsResp := authClient.GetPosts(t)
finalPost := findPostInList(finalPostsResp, post.ID)
if finalPost == nil {
t.Errorf("Expected to retrieve post after rapid votes")
}
})
}
func TestE2E_LongRunningSession(t *testing.T) {
ctx := setupTestContext(t)
t.Run("long_running_session", func(t *testing.T) {
createdUser := ctx.createUserWithCleanup(t, "longsession", "Password123!")
authClient := ctx.loginUser(t, createdUser.Username, createdUser.Password)
profile1 := authClient.GetProfile(t)
if profile1 == nil {
t.Fatalf("Expected initial profile request to succeed")
}
post := authClient.CreatePost(t, "Long Session Post", "https://example.com/long", "Content")
if post.ID == 0 {
t.Errorf("Expected post creation after delay to succeed")
}
profile2 := authClient.GetProfile(t)
if profile2 == nil || profile2.Data.Username != createdUser.Username {
t.Errorf("Expected profile request after delay to succeed")
}
voteResp := authClient.VoteOnPost(t, post.ID, "up")
if !voteResp.Success {
t.Errorf("Expected vote after delay to succeed")
}
})
}

246
internal/e2e/workflows_test.go Normal file
View File

@@ -0,0 +1,246 @@
package e2e
import (
"bytes"
"fmt"
"net/http"
"sync"
"testing"
"time"
"goyco/internal/testutils"
)
func TestE2E_CompleteUserJourney(t *testing.T) {
ctx := setupTestContext(t)
t.Run("complete_user_journey", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "testuser", "StrongPass123!")
createdPost := authClient.CreatePost(t, "Test Post", "https://example.com/test", "This is a test post content")
voteResp := authClient.VoteOnPost(t, createdPost.ID, "up")
if !voteResp.Success {
t.Errorf("Expected vote to be successful, got failure: %s", voteResp.Message)
}
postsResp := authClient.GetPosts(t)
assertPostInList(t, postsResp, createdPost)
searchResp := authClient.SearchPosts(t, "test")
assertPostInList(t, searchResp, createdPost)
authClient.Logout(t)
})
}
func TestE2E_ErrorHandlingWorkflows(t *testing.T) {
ctx := setupTestContext(t)
t.Run("unauthenticated_user_workflow", func(t *testing.T) {
request, err := http.NewRequest("POST", ctx.baseURL+"/api/posts", bytes.NewReader([]byte(`{"title":"Test","url":"https://example.com"}`)))
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
request.Header.Set("Content-Type", "application/json")
testutils.WithStandardHeaders(request)
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusUnauthorized {
t.Errorf("Expected 401 for unauthenticated post creation, got %d", resp.StatusCode)
}
request, err = testutils.NewRequestBuilder("GET", ctx.baseURL+"/api/auth/me").Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err = ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusUnauthorized {
t.Errorf("Expected 401 for unauthenticated profile access, got %d", resp.StatusCode)
}
})
t.Run("invalid_registration_workflow", func(t *testing.T) {
invalidData := []struct {
name string
body []byte
}{
{
name: "empty_username",
body: []byte(`{"username":"","email":"test@example.com","password":"ValidPass123!"}`),
},
{
name: "invalid_email",
body: []byte(`{"username":"testuser","email":"invalid-email","password":"ValidPass123!"}`),
},
{
name: "weak_password",
body: []byte(`{"username":"testuser","email":"test@example.com","password":"123"}`),
},
{
name: "malformed_json",
body: []byte(`{"username": "test", "password": }`),
},
}
for _, test := range invalidData {
t.Run(test.name, func(t *testing.T) {
request, err := testutils.NewRequestBuilder("POST", ctx.baseURL+"/api/auth/register").
WithBody(bytes.NewReader(test.body)).
Build()
if err != nil {
t.Fatalf("Failed to create request: %v", err)
}
resp, err := ctx.client.Do(request)
if err != nil {
t.Fatalf("Failed to make request: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusCreated {
t.Errorf("Expected invalid registration to fail, got success status %d", resp.StatusCode)
}
})
}
})
}
func TestE2E_ConcurrentUserWorkflows(t *testing.T) {
ctx := setupTestContext(t)
t.Run("concurrent_user_workflows", func(t *testing.T) {
users := ctx.createMultipleUsersWithCleanup(t, 3, "concurrent", "StrongPass123!")
type result struct {
userID uint
err error
}
results := make(chan result, len(users))
var wg sync.WaitGroup
done := make(chan struct{})
for _, user := range users {
u := user
wg.Add(1)
go func() {
defer wg.Done()
var err error
authClient, loginErr := ctx.loginUserSafe(t, u.Username, u.Password)
if loginErr != nil || authClient == nil || authClient.Token == "" {
err = fmt.Errorf("User %s failed to login", u.Username)
} else {
postURL := fmt.Sprintf("https://example.com/concurrent/%d", u.ID)
post, postErr := authClient.CreatePostSafe("Concurrent Post", postURL, "Content")
if postErr != nil || post == nil || post.ID == 0 {
err = fmt.Errorf("User %s failed to create post: %v", u.Username, postErr)
} else {
voteResp, voteErr := authClient.VoteOnPostSafe(post.ID, "up")
if voteErr != nil || voteResp == nil || !voteResp.Success {
err = fmt.Errorf("User %s failed to vote: %v", u.Username, voteErr)
}
}
}
select {
case results <- result{userID: u.ID, err: err}:
case <-done:
}
}()
}
go func() {
wg.Wait()
close(results)
}()
timeout := time.After(10 * time.Second)
successCount := 0
receivedCount := 0
for {
select {
case res, ok := <-results:
if !ok {
return
}
receivedCount++
if res.err != nil {
t.Errorf("Concurrent operation error for user %d: %v", res.userID, res.err)
} else {
successCount++
}
if receivedCount >= len(users) {
return
}
case <-timeout:
close(done)
t.Errorf("Timeout waiting for concurrent operations to complete")
return
}
}
})
}
func TestE2E_SystemMonitoringWorkflows(t *testing.T) {
ctx := setupTestContext(t)
t.Run("system_monitoring_workflows", func(t *testing.T) {
t.Run("health_endpoint", func(t *testing.T) {
health := getHealth(t, ctx.client, ctx.baseURL)
if !health.Success {
t.Errorf("Expected health check to succeed, got failure: %s", health.Message)
}
})
t.Run("metrics_endpoint", func(t *testing.T) {
metrics := getMetrics(t, ctx.client, ctx.baseURL)
if metrics == nil {
t.Errorf("Expected metrics to be returned")
}
})
})
}
func TestE2E_AccountDeletion(t *testing.T) {
ctx := setupTestContext(t)
t.Run("account_deletion_flow", func(t *testing.T) {
_, authClient := ctx.createUserAndLogin(t, "testuser", "StrongPass123!")
_ = authClient.CreatePost(t, "Test Post", "https://example.com/test", "Test content")
statusCode, deletionResp := ctx.requestAccountDeletionExpectStatus(t, authClient.Token, http.StatusOK)
if statusCode == http.StatusTooManyRequests {
statusCode = retryOnRateLimit(t, 3, func() int {
code, _ := ctx.requestAccountDeletionExpectStatus(t, authClient.Token, http.StatusOK)
return code
})
if statusCode == http.StatusTooManyRequests {
t.Skip("Skipping account deletion flow test: rate limited after retries")
return
}
}
if deletionResp == nil {
t.Fatalf("Expected account deletion response, got nil")
}
if !deletionResp.Success {
t.Errorf("Expected account deletion request to be successful, got %v", deletionResp.Success)
}
if deletionResp.Message == "" {
t.Errorf("Expected deletion message to be present, got empty string")
}
})
}

89
internal/fuzz/db.go Normal file
View File

@@ -0,0 +1,89 @@
package fuzz
import (
"sync"
"gorm.io/driver/sqlite"
"gorm.io/gorm"
"gorm.io/gorm/logger"
)
var (
fuzzDBOnce sync.Once
fuzzDB *gorm.DB
fuzzDBErr error
)
func GetFuzzDB() (*gorm.DB, error) {
fuzzDBOnce.Do(func() {
dbName := "file:memdb_fuzz?mode=memory&cache=shared&_journal_mode=WAL&_synchronous=NORMAL"
fuzzDB, fuzzDBErr = gorm.Open(sqlite.Open(dbName), &gorm.Config{
Logger: logger.Default.LogMode(logger.Silent),
})
if fuzzDBErr == nil {
fuzzDBErr = fuzzDB.Exec(`
CREATE TABLE IF NOT EXISTS users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username TEXT UNIQUE NOT NULL,
email TEXT UNIQUE NOT NULL,
password TEXT NOT NULL,
email_verified INTEGER DEFAULT 0 NOT NULL,
email_verified_at DATETIME,
email_verification_token TEXT,
email_verification_sent_at DATETIME,
password_reset_token TEXT,
password_reset_sent_at DATETIME,
password_reset_expires_at DATETIME,
locked INTEGER DEFAULT 0,
session_version INTEGER DEFAULT 1 NOT NULL,
created_at DATETIME,
updated_at DATETIME,
deleted_at DATETIME
);
CREATE TABLE IF NOT EXISTS posts (
id INTEGER PRIMARY KEY AUTOINCREMENT,
title TEXT NOT NULL,
url TEXT UNIQUE,
content TEXT,
author_id INTEGER,
author_name TEXT,
up_votes INTEGER DEFAULT 0,
down_votes INTEGER DEFAULT 0,
score INTEGER DEFAULT 0,
created_at DATETIME,
updated_at DATETIME,
deleted_at DATETIME,
FOREIGN KEY(author_id) REFERENCES users(id)
);
CREATE TABLE IF NOT EXISTS votes (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER,
post_id INTEGER NOT NULL,
type TEXT NOT NULL,
vote_hash TEXT,
created_at DATETIME,
updated_at DATETIME,
FOREIGN KEY(user_id) REFERENCES users(id),
FOREIGN KEY(post_id) REFERENCES posts(id)
);
CREATE TABLE IF NOT EXISTS account_deletion_requests (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER NOT NULL,
token_hash TEXT UNIQUE NOT NULL,
expires_at DATETIME NOT NULL,
created_at DATETIME,
FOREIGN KEY(user_id) REFERENCES users(id)
);
CREATE TABLE IF NOT EXISTS refresh_tokens (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER NOT NULL,
token_hash TEXT UNIQUE NOT NULL,
expires_at DATETIME NOT NULL,
created_at DATETIME,
FOREIGN KEY(user_id) REFERENCES users(id)
);
`).Error
}
})
return fuzzDB, fuzzDBErr
}

226
internal/fuzz/fuzz.go Normal file
View File

@@ -0,0 +1,226 @@
package fuzz
import (
"bytes"
"encoding/json"
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"unicode/utf8"
)
type FuzzTestHelper struct{}
func NewFuzzTestHelper() *FuzzTestHelper {
return &FuzzTestHelper{}
}
func (h *FuzzTestHelper) RunBasicFuzzTest(f *testing.F, testFunc func(t *testing.T, input string)) {
f.Add("test input")
f.Fuzz(func(t *testing.T, input string) {
if !utf8.ValidString(input) {
return
}
testFunc(t, input)
})
}
func (h *FuzzTestHelper) RunValidationFuzzTest(f *testing.F, validateFunc func(string) error) {
h.RunBasicFuzzTest(f, func(t *testing.T, input string) {
err := validateFunc(input)
_ = err
})
}
func (h *FuzzTestHelper) RunSanitizationFuzzTest(f *testing.F, sanitizeFunc func(string) string) {
h.RunBasicFuzzTest(f, func(t *testing.T, input string) {
result := sanitizeFunc(input)
if !utf8.ValidString(result) {
t.Fatal("Sanitized result contains invalid UTF-8")
}
})
}
func (h *FuzzTestHelper) RunSanitizationFuzzTestWithValidation(f *testing.F, sanitizeFunc func(string) string, validateFunc func(string) bool) {
h.RunBasicFuzzTest(f, func(t *testing.T, input string) {
result := sanitizeFunc(input)
if !utf8.ValidString(result) {
t.Fatal("Sanitized result contains invalid UTF-8")
}
if validateFunc != nil {
if !validateFunc(result) {
t.Fatal("Sanitized result failed validation")
}
}
})
}
func (h *FuzzTestHelper) RunJSONFuzzTest(f *testing.F, testCases []map[string]any) {
h.RunBasicFuzzTest(f, func(t *testing.T, input string) {
for _, tc := range testCases {
body, ok := tc["body"].(string)
if !ok {
continue
}
encoded, err := json.Marshal(input)
if err != nil {
return
}
encodedStr := string(encoded)
body = strings.ReplaceAll(body, "FUZZED_INPUT", encodedStr)
var result map[string]any
err = json.Unmarshal([]byte(body), &result)
if err != nil {
return
}
}
})
}
func (h *FuzzTestHelper) RunHTTPFuzzTest(f *testing.F, testCases []HTTPFuzzTestCase) {
h.RunBasicFuzzTest(f, func(t *testing.T, input string) {
for _, tc := range testCases {
sanitized := h.sanitizeForURL(input)
url := strings.ReplaceAll(tc.URL, "FUZZED_INPUT", sanitized)
body := strings.ReplaceAll(tc.Body, "FUZZED_INPUT", sanitized)
req := httptest.NewRequest(tc.Method, url, bytes.NewBufferString(body))
for name, value := range tc.Headers {
req.Header.Set(name, value)
}
h.validateHTTPRequest(t, req)
}
})
}
func (h *FuzzTestHelper) sanitizeForURL(input string) string {
sanitized := strings.ReplaceAll(input, "\n", "")
sanitized = strings.ReplaceAll(sanitized, "\r", "")
sanitized = strings.ReplaceAll(sanitized, "\t", "")
sanitized = url.QueryEscape(sanitized)
sanitized = strings.ReplaceAll(sanitized, "+", "%20")
if len(sanitized) > 100 {
sanitized = sanitized[:100]
}
return sanitized
}
type HTTPFuzzTestCase struct {
Name string
Method string
URL string
Headers map[string]string
Body string
}
func (h *FuzzTestHelper) validateHTTPRequest(t *testing.T, req *http.Request) {
pathParts := strings.Split(req.URL.Path, "/")
for _, part := range pathParts {
if !utf8.ValidString(part) {
t.Fatal("Path contains invalid UTF-8")
}
}
for name, values := range req.URL.Query() {
if !utf8.ValidString(name) {
t.Fatal("Query parameter name contains invalid UTF-8")
}
for _, value := range values {
if !utf8.ValidString(value) {
t.Fatal("Query parameter value contains invalid UTF-8")
}
}
}
for name, values := range req.Header {
if !utf8.ValidString(name) {
t.Fatal("Header name contains invalid UTF-8")
}
for _, value := range values {
if !utf8.ValidString(value) {
t.Fatal("Header value contains invalid UTF-8")
}
}
}
}
func (h *FuzzTestHelper) RunIntegrationFuzzTest(f *testing.F, testFunc func(t *testing.T, input string)) {
h.RunBasicFuzzTest(f, func(t *testing.T, input string) {
if len(input) > 1000 {
input = input[:1000]
}
testFunc(t, input)
})
}
func (h *FuzzTestHelper) GetCommonAuthTestCases(input string) []HTTPFuzzTestCase {
return []HTTPFuzzTestCase{
{
Name: "auth_register",
Method: "POST",
URL: "/api/auth/register",
Headers: map[string]string{
"Content-Type": "application/json",
},
Body: `{"username":"FUZZED_INPUT","email":"test@example.com","password":"test123"}`,
},
{
Name: "auth_login",
Method: "POST",
URL: "/api/auth/login",
Headers: map[string]string{
"Content-Type": "application/json",
},
Body: `{"username":"FUZZED_INPUT","password":"test123"}`,
},
}
}
func (h *FuzzTestHelper) GetCommonPostTestCases(input string) []HTTPFuzzTestCase {
return []HTTPFuzzTestCase{
{
Name: "post_create",
Method: "POST",
URL: "/api/posts",
Headers: map[string]string{
"Content-Type": "application/json",
"Authorization": "Bearer FUZZED_INPUT",
},
Body: `{"title":"FUZZED_INPUT","url":"https://example.com","content":"test"}`,
},
{
Name: "post_search",
Method: "GET",
URL: "/api/posts/search?q=FUZZED_INPUT",
Headers: map[string]string{
"Content-Type": "application/json",
},
},
}
}
func (h *FuzzTestHelper) GetCommonVoteTestCases(input string) []HTTPFuzzTestCase {
return []HTTPFuzzTestCase{
{
Name: "vote_cast",
Method: "POST",
URL: "/api/posts/1/vote",
Headers: map[string]string{
"Content-Type": "application/json",
"Authorization": "Bearer FUZZED_INPUT",
},
Body: `{"type":"FUZZED_INPUT"}`,
},
}
}

1724
internal/fuzz/fuzz_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

298
internal/fuzz/integration_fuzz_test.go Normal file
View File

@@ -0,0 +1,298 @@
package fuzz
import (
"bytes"
"encoding/json"
"fmt"
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"unicode/utf8"
"github.com/go-chi/chi/v5"
"goyco/internal/handlers"
"goyco/internal/middleware"
"goyco/internal/repositories"
"goyco/internal/services"
"goyco/internal/testutils"
)
func FuzzIntegrationHandlers(f *testing.F) {
f.Add("testuser")
f.Add("test@example.com")
f.Add("password123")
f.Add("")
f.Add("<script>alert('xss')</script>")
f.Fuzz(func(t *testing.T, input string) {
if len(input) > 500 {
input = input[:500]
}
if !isValidUTF8(input) {
return
}
db := testutils.NewTestDB(t)
defer func() {
sqlDB, _ := db.DB()
sqlDB.Close()
}()
userRepo := repositories.NewUserRepository(db)
postRepo := repositories.NewPostRepository(db)
voteRepo := repositories.NewVoteRepository(db)
deletionRepo := repositories.NewAccountDeletionRepository(db)
refreshTokenRepo := repositories.NewRefreshTokenRepository(db)
emailSender := &testutils.MockEmailSender{}
authService, err := services.NewAuthFacadeForTest(testutils.AppTestConfig, userRepo, postRepo, deletionRepo, refreshTokenRepo, emailSender)
if err != nil {
t.Fatalf("Failed to create auth service: %v", err)
}
voteService := services.NewVoteService(voteRepo, postRepo, db)
titleFetcher := &testutils.MockTitleFetcher{}
authHandler := handlers.NewAuthHandler(authService, userRepo)
postHandler := handlers.NewPostHandler(postRepo, titleFetcher, voteService)
apiHandler := handlers.NewAPIHandler(testutils.AppTestConfig, postRepo, userRepo, voteService)
router := chi.NewRouter()
router.Use(middleware.Logging(false))
router.Use(middleware.SecurityHeadersMiddleware())
router.Use(middleware.GeneralRateLimitMiddleware())
router.Route("/api", func(r chi.Router) {
r.Post("/auth/register", authHandler.Register)
r.Post("/auth/login", authHandler.Login)
r.Get("/posts/search", postHandler.SearchPosts)
r.Get("/posts", postHandler.GetPosts)
r.Group(func(protected chi.Router) {
protected.Use(middleware.NewAuth(authService))
protected.Get("/auth/me", authHandler.Me)
protected.Post("/posts", postHandler.CreatePost)
})
})
router.Get("/health", apiHandler.GetHealth)
t.Run("register_endpoint", func(t *testing.T) {
username := input[:min(len(input), 50)]
email := input[:min(len(input), 50)] + "@example.com"
password := input[:min(len(input), 128)]
if len(password) < 8 {
password = password + "12345678"
}
registerBody := fmt.Sprintf(`{"username":"%s","email":"%s","password":"%s"}`,
escapeJSON(username), escapeJSON(email), escapeJSON(password))
req, _ := http.NewRequest("POST", "/api/auth/register", bytes.NewBufferString(registerBody))
req.Header.Set("Content-Type", "application/json")
resp := httptest.NewRecorder()
router.ServeHTTP(resp, req)
if resp.Code == 0 {
t.Fatal("Handler should return a status code")
}
if resp.Code != http.StatusCreated && resp.Code != http.StatusBadRequest {
t.Logf("Unexpected status code %d for register (expected 201 or 400)", resp.Code)
}
var result map[string]any
if err := json.Unmarshal(resp.Body.Bytes(), &result); err != nil {
t.Fatalf("Response should be valid JSON: %v", err)
}
})
t.Run("search_endpoint", func(t *testing.T) {
query := input[:min(len(input), 200)]
escapedQuery := url.QueryEscape(query)
req, _ := http.NewRequest("GET", "/api/posts/search?q="+escapedQuery, nil)
req.Header.Set("Content-Type", "application/json")
resp := httptest.NewRecorder()
router.ServeHTTP(resp, req)
if resp.Code == 0 {
t.Fatal("Handler should return a status code")
}
if resp.Code != http.StatusOK {
t.Logf("Unexpected status code %d for search (expected 200)", resp.Code)
}
var result map[string]any
if err := json.Unmarshal(resp.Body.Bytes(), &result); err != nil {
t.Fatalf("Response should be valid JSON: %v", err)
}
})
})
}
func FuzzIntegrationServices(f *testing.F) {
f.Add("testuser")
f.Add("test@example.com")
f.Add("password123")
f.Add("")
f.Add("a")
f.Add(strings.Repeat("x", 100))
f.Fuzz(func(t *testing.T, input string) {
if len(input) > 200 {
input = input[:200]
}
if !utf8.ValidString(input) {
return
}
db := testutils.NewTestDB(t)
defer func() {
sqlDB, _ := db.DB()
sqlDB.Close()
}()
userRepo := repositories.NewUserRepository(db)
postRepo := repositories.NewPostRepository(db)
deletionRepo := repositories.NewAccountDeletionRepository(db)
refreshTokenRepo := repositories.NewRefreshTokenRepository(db)
emailSender := &testutils.MockEmailSender{}
authService, err := services.NewAuthFacadeForTest(testutils.AppTestConfig, userRepo, postRepo, deletionRepo, refreshTokenRepo, emailSender)
if err != nil {
t.Fatalf("Failed to create auth service: %v", err)
}
usernameLen := len(input)
if usernameLen > 50 {
usernameLen = 50
}
username := input[:usernameLen]
email := input[:usernameLen] + "@example.com"
passwordLen := len(input)
if passwordLen > 128 {
passwordLen = 128
}
password := input[:passwordLen]
if len(password) < 8 {
password = password + "12345678"
}
result, err := authService.Register(username, email, password)
if err != nil {
if strings.Contains(err.Error(), "panic") || strings.Contains(err.Error(), "nil pointer") {
t.Fatalf("Registration should not panic: %v", err)
}
} else {
if result.User == nil {
t.Fatal("Registration result should contain a user")
}
if result.User.Username != username {
t.Fatalf("Expected username %q, got %q", username, result.User.Username)
}
if !strings.EqualFold(result.User.Email, email) {
t.Fatalf("Expected email %q, got %q", email, result.User.Email)
}
}
if err == nil {
loginResult, loginErr := authService.Login(username, password)
if loginErr == nil {
if loginResult.User == nil {
t.Fatal("Login result should contain a user")
}
if loginResult.User.Username != username {
t.Fatalf("Expected username %q, got %q", username, loginResult.User.Username)
}
if loginResult.AccessToken == "" {
t.Fatal("Login result should contain an access token")
}
}
}
})
}
func FuzzIntegrationRepositories(f *testing.F) {
helper := NewFuzzTestHelper()
helper.RunIntegrationFuzzTest(f, func(t *testing.T, fuzzedData string) {
searchQuery := fuzzedData
if len(searchQuery) > 100 {
searchQuery = searchQuery[:100]
}
sanitizer := repositories.NewSearchSanitizer()
sanitizedQuery, err := sanitizer.SanitizeSearchQuery(searchQuery)
if err == nil {
if !utf8.ValidString(sanitizedQuery) {
t.Fatal("String contains invalid UTF-8")
}
validationErr := sanitizer.ValidateSearchQuery(sanitizedQuery)
_ = validationErr
}
username := fuzzedData
email := fuzzedData + "@example.com"
if len(username) > 50 {
username = username[:50]
}
if len(email) > 100 {
email = email[:100]
}
if !utf8.ValidString(username) {
t.Fatal("String contains invalid UTF-8")
}
if !utf8.ValidString(email) {
t.Fatal("String contains invalid UTF-8")
}
postTitle := fuzzedData
postContent := fuzzedData
if len(postTitle) > 200 {
postTitle = postTitle[:200]
}
if len(postContent) > 1000 {
postContent = postContent[:1000]
}
if !utf8.ValidString(postTitle) {
t.Fatal("String contains invalid UTF-8")
}
if !utf8.ValidString(postContent) {
t.Fatal("String contains invalid UTF-8")
}
})
}
func isValidUTF8(s string) bool {
for _, r := range s {
if r == utf8.RuneError {
return false
}
}
return true
}
func escapeJSON(s string) string {
s = strings.ReplaceAll(s, "\\", "\\\\")
s = strings.ReplaceAll(s, "\"", "\\\"")
s = strings.ReplaceAll(s, "\n", "\\n")
s = strings.ReplaceAll(s, "\r", "\\r")
s = strings.ReplaceAll(s, "\t", "\\t")
return s
}

187
internal/fuzz/repositories_fuzz_test.go Normal file
View File

@@ -0,0 +1,187 @@
package fuzz
import (
"strings"
"testing"
"unicode/utf8"
"goyco/internal/repositories"
)
func FuzzSearchRepository(f *testing.F) {
f.Add("test query")
f.Add("")
f.Add("SELECT * FROM posts")
f.Add(strings.Repeat("a", 1000))
f.Add("<script>alert('xss')</script>")
f.Fuzz(func(t *testing.T, input string) {
if len(input) > 1000 {
input = input[:1000]
}
if !utf8.ValidString(input) {
return
}
db, err := GetFuzzDB()
if err != nil {
t.Fatalf("Failed to connect to test database: %v", err)
}
db.Exec("DELETE FROM votes")
db.Exec("DELETE FROM posts")
db.Exec("DELETE FROM users")
db.Exec("DELETE FROM account_deletion_requests")
db.Exec("DELETE FROM refresh_tokens")
postRepo := repositories.NewPostRepository(db)
sanitizer := repositories.NewSearchSanitizer()
t.Run("sanitize_and_search", func(t *testing.T) {
sanitized, err := sanitizer.SanitizeSearchQuery(input)
if err != nil {
return
}
if !utf8.ValidString(sanitized) {
t.Fatalf("Sanitized query should be valid UTF-8: %q", sanitized)
}
posts, searchErr := postRepo.Search(sanitized, 1, 10)
if searchErr != nil {
if strings.Contains(searchErr.Error(), "panic") {
t.Fatalf("Search should not panic: %v", searchErr)
}
} else {
if posts != nil {
_ = len(posts)
}
}
})
t.Run("validate_search_query", func(t *testing.T) {
err := sanitizer.ValidateSearchQuery(input)
if err != nil {
if strings.Contains(err.Error(), "panic") {
t.Fatalf("ValidateSearchQuery should not panic: %v", err)
}
}
})
})
}
func FuzzPostRepository(f *testing.F) {
f.Add("test title")
f.Add("")
f.Add("<script>alert('xss')</script>")
f.Add("https://example.com")
f.Add(strings.Repeat("a", 500))
f.Fuzz(func(t *testing.T, input string) {
if len(input) > 500 {
input = input[:500]
}
if !utf8.ValidString(input) {
return
}
db, err := GetFuzzDB()
if err != nil {
t.Fatalf("Failed to connect to test database: %v", err)
}
db.Exec("DELETE FROM votes")
db.Exec("DELETE FROM posts")
db.Exec("DELETE FROM users")
db.Exec("DELETE FROM account_deletion_requests")
db.Exec("DELETE FROM refresh_tokens")
postRepo := repositories.NewPostRepository(db)
var userID uint
result := db.Exec(`
INSERT INTO users (username, email, password, email_verified, created_at, updated_at)
VALUES (?, ?, ?, ?, datetime('now'), datetime('now'))
`, "fuzz_test_user", "fuzz@example.com", "hashedpassword", true)
if result.Error != nil {
t.Fatalf("Failed to create test user: %v", result.Error)
}
var createdUser struct {
ID uint `gorm:"column:id"`
}
db.Raw("SELECT id FROM users WHERE username = ?", "fuzz_test_user").Scan(&createdUser)
userID = createdUser.ID
t.Run("create_and_get_post", func(t *testing.T) {
title := input[:min(len(input), 200)]
url := "https://example.com/" + input[:min(len(input), 50)]
content := input[:min(len(input), 1000)]
result := db.Exec(`
INSERT INTO posts (title, url, content, author_id, created_at, updated_at)
VALUES (?, ?, ?, ?, datetime('now'), datetime('now'))
`, title, url, content, userID)
if result.Error != nil {
if strings.Contains(result.Error.Error(), "panic") {
t.Fatalf("Create should not panic: %v", result.Error)
}
return
}
var postID uint
var createdPost struct {
ID uint `gorm:"column:id"`
}
db.Raw("SELECT id FROM posts WHERE author_id = ? ORDER BY id DESC LIMIT 1", userID).Scan(&createdPost)
postID = createdPost.ID
if postID == 0 {
t.Fatal("Created post should have an ID")
}
retrieved, getErr := postRepo.GetByID(postID)
if getErr != nil {
t.Fatalf("GetByID should succeed for created post: %v", getErr)
}
if retrieved == nil {
t.Fatal("GetByID should return a post")
}
if retrieved.ID != postID {
t.Fatalf("Expected post ID %d, got %d", postID, retrieved.ID)
}
posts, listErr := postRepo.GetAll(10, 0)
if listErr != nil {
t.Fatalf("GetAll should not error: %v", listErr)
}
if posts == nil {
t.Fatal("GetAll should return a slice")
}
found := false
for _, p := range posts {
if p.ID == postID {
found = true
break
}
}
if !found && len(posts) > 0 {
t.Logf("Created post not found in list (this may be acceptable depending on pagination)")
}
})
})
}
func min(a, b int) int {
if a < b {
return a
}
return b
}

238
internal/handlers/api_handler.go Normal file
View File

@@ -0,0 +1,238 @@
package handlers
import (
"fmt"
"net/http"
"time"
"goyco/internal/config"
"goyco/internal/middleware"
"goyco/internal/repositories"
"goyco/internal/services"
"goyco/internal/version"
"github.com/go-chi/chi/v5"
"gorm.io/gorm"
)
type APIHandler struct {
config *config.Config
postRepo repositories.PostRepository
userRepo repositories.UserRepository
voteService *services.VoteService
dbMonitor middleware.DBMonitor
healthChecker *middleware.DatabaseHealthChecker
metricsCollector *middleware.MetricsCollector
}
func NewAPIHandler(config *config.Config, postRepo repositories.PostRepository, userRepo repositories.UserRepository, voteService *services.VoteService) *APIHandler {
return &APIHandler{
config: config,
postRepo: postRepo,
userRepo: userRepo,
voteService: voteService,
}
}
func NewAPIHandlerWithMonitoring(config *config.Config, postRepo repositories.PostRepository, userRepo repositories.UserRepository, voteService *services.VoteService, db *gorm.DB, dbMonitor middleware.DBMonitor) *APIHandler {
if db == nil {
return NewAPIHandler(config, postRepo, userRepo, voteService)
}
sqlDB, err := db.DB()
if err != nil {
return NewAPIHandler(config, postRepo, userRepo, voteService)
}
healthChecker := middleware.NewDatabaseHealthChecker(sqlDB, dbMonitor)
metricsCollector := middleware.NewMetricsCollector(dbMonitor)
return &APIHandler{
config: config,
postRepo: postRepo,
userRepo: userRepo,
voteService: voteService,
dbMonitor: dbMonitor,
healthChecker: healthChecker,
metricsCollector: metricsCollector,
}
}
type APIInfo = CommonResponse
func (h *APIHandler) GetAPIInfo(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/api" {
http.NotFound(w, r)
return
}
apiInfo := map[string]any{
"name": fmt.Sprintf("%s API", h.config.App.Title),
"version": version.Version,
"description": "Y Combinator-style news board API",
"endpoints": map[string]any{
"authentication": map[string]any{
"POST /api/auth/register": "Register new user",
"POST /api/auth/login": "Login user",
"GET /api/auth/confirm": "Confirm email address",
"POST /api/auth/resend-verification": "Resend verification email",
"POST /api/auth/forgot-password": "Request password reset",
"POST /api/auth/reset-password": "Reset password",
"POST /api/auth/account/confirm": "Confirm account deletion",
"GET /api/auth/me": "Get current user profile",
"POST /api/auth/logout": "Logout user",
"PUT /api/auth/email": "Update email address",
"PUT /api/auth/username": "Update username",
"PUT /api/auth/password": "Update password",
"DELETE /api/auth/account": "Request account deletion",
},
"posts": map[string]any{
"GET /api/posts": "List all posts",
"GET /api/posts/search": "Search posts",
"GET /api/posts/title": "Fetch title from URL",
"GET /api/posts/{id}": "Get specific post",
"POST /api/posts": "Create new post",
"PUT /api/posts/{id}": "Update post",
"DELETE /api/posts/{id}": "Delete post",
},
"votes": map[string]any{
"POST /api/posts/{id}/vote": "Cast a vote",
"DELETE /api/posts/{id}/vote": "Remove vote",
"GET /api/posts/{id}/vote": "Get user's vote",
"GET /api/posts/{id}/votes": "Get all votes for post",
},
"users": map[string]any{
"GET /api/users": "List all users",
"POST /api/users": "Create new user",
"GET /api/users/{id}": "Get specific user",
"GET /api/users/{id}/posts": "Get user's posts",
},
"system": map[string]any{
"GET /health": "Health check",
"GET /metrics": "Service metrics",
},
},
"authentication": map[string]any{
"type": "Bearer Token (JWT)",
"note": "Include Authorization header with 'Bearer <token>' for protected endpoints",
},
"response_format": map[string]any{
"success": "boolean",
"message": "string",
"data": "object or array",
"error": "string (on error)",
},
}
SendSuccessResponse(w, "API information retrieved successfully", apiInfo)
}
func (h *APIHandler) GetHealth(w http.ResponseWriter, r *http.Request) {
if h.healthChecker != nil {
health := h.healthChecker.CheckHealth()
health["version"] = version.Version
SendSuccessResponse(w, "Health check successful", health)
return
}
currentTimestamp := time.Now().UTC().Format(time.RFC3339)
health := map[string]any{
"status": "healthy",
"timestamp": currentTimestamp,
"version": version.Version,
"services": map[string]any{
"database": "connected",
"api": "running",
},
}
SendSuccessResponse(w, "Health check successful", health)
}
func (h *APIHandler) GetMetrics(w http.ResponseWriter, r *http.Request) {
postCount, err := h.postRepo.Count()
if err != nil {
SendErrorResponse(w, "Failed to get post count", http.StatusInternalServerError)
return
}
userCount, err := h.userRepo.Count()
if err != nil {
SendErrorResponse(w, "Failed to get user count", http.StatusInternalServerError)
return
}
totalVoteCount, _, err := h.voteService.GetVoteStatistics()
if err != nil {
SendErrorResponse(w, "Failed to get vote statistics", http.StatusInternalServerError)
return
}
topPosts, err := h.postRepo.GetTopPosts(5)
if err != nil {
SendErrorResponse(w, "Failed to get top posts", http.StatusInternalServerError)
return
}
var avgVotesPerPost float64
if postCount > 0 {
avgVotesPerPost = float64(totalVoteCount) / float64(postCount)
}
var totalScore int
for _, post := range topPosts {
totalScore += post.Score
}
var avgScore float64
if len(topPosts) > 0 {
avgScore = float64(totalScore) / float64(len(topPosts))
}
metrics := map[string]any{
"posts": map[string]any{
"total_count": postCount,
"top_posts_count": len(topPosts),
"total_score": totalScore,
"average_score": avgScore,
},
"users": map[string]any{
"total_count": userCount,
},
"votes": map[string]any{
"total_count": totalVoteCount,
"average_per_post": avgVotesPerPost,
"note": "All votes are counted together",
},
"system": map[string]any{
"timestamp": time.Now().UTC().Format(time.RFC3339),
"version": version.Version,
},
}
if h.metricsCollector != nil {
performanceMetrics := h.metricsCollector.GetMetrics()
metrics["database"] = map[string]any{
"total_queries": performanceMetrics.DBStats.TotalQueries,
"slow_queries": performanceMetrics.DBStats.SlowQueries,
"average_duration": performanceMetrics.DBStats.AverageDuration.String(),
"max_duration": performanceMetrics.DBStats.MaxDuration.String(),
"error_count": performanceMetrics.DBStats.ErrorCount,
"last_query_time": performanceMetrics.DBStats.LastQueryTime.Format(time.RFC3339),
}
metrics["performance"] = map[string]any{
"request_count": performanceMetrics.RequestCount,
"average_response": performanceMetrics.AverageResponse.String(),
"max_response": performanceMetrics.MaxResponse.String(),
"error_count": performanceMetrics.ErrorCount,
}
}
SendSuccessResponse(w, "Metrics retrieved successfully", metrics)
}
func (h *APIHandler) MountRoutes(r chi.Router, config RouteModuleConfig) {
}

280
internal/handlers/api_handler_test.go Normal file
View File

@@ -0,0 +1,280 @@
package handlers
import (
"encoding/json"
"errors"
"fmt"
"net/http"
"net/http/httptest"
"testing"
"goyco/internal/database"
"goyco/internal/middleware"
"goyco/internal/repositories"
"goyco/internal/services"
"goyco/internal/testutils"
)
func TestAPIHandlerGetAPIInfo(t *testing.T) {
mockPostRepo := testutils.NewPostRepositoryStub()
mockUserRepo := testutils.NewUserRepositoryStub()
handler := newAPIHandlerForTest(mockPostRepo, mockUserRepo)
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodGet, "/api", nil)
handler.GetAPIInfo(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
var resp APIInfo
if err := json.NewDecoder(recorder.Body).Decode(&resp); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
if !resp.Success || resp.Message == "" {
t.Fatalf("expected success response, got %+v", resp)
}
data, ok := resp.Data.(map[string]any)
if !ok || data["name"] != fmt.Sprintf("%s API", testutils.AppTestConfig.App.Title) {
t.Fatalf("unexpected data payload: %#v", resp.Data)
}
endpoints, ok := data["endpoints"].(map[string]any)
if !ok {
t.Fatalf("expected endpoints map, got %#v", data["endpoints"])
}
authEndpoints := endpoints["authentication"].(map[string]any)
for _, route := range []string{
"POST /api/auth/resend-verification",
"POST /api/auth/account/confirm",
} {
if _, found := authEndpoints[route]; !found {
t.Fatalf("expected authentication catalogue to include %s", route)
}
}
systemEndpoints := endpoints["system"].(map[string]any)
if _, found := systemEndpoints["GET /metrics"]; !found {
t.Fatalf("expected system catalogue to include GET /metrics")
}
}
func TestAPIHandlerGetHealth(t *testing.T) {
mockPostRepo := testutils.NewPostRepositoryStub()
mockUserRepo := testutils.NewUserRepositoryStub()
handler := newAPIHandlerForTest(mockPostRepo, mockUserRepo)
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodGet, "/health", nil)
handler.GetHealth(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
var resp APIInfo
if err := json.NewDecoder(recorder.Body).Decode(&resp); err != nil {
t.Fatalf("decode error: %v", err)
}
if !resp.Success || resp.Message == "" {
t.Fatalf("expected success message, got %+v", resp)
}
data := resp.Data.(map[string]any)
if data["status"] != "healthy" {
t.Fatalf("expected health status, got %+v", data)
}
}
func TestAPIHandlerGetMetrics(t *testing.T) {
mockPostRepo := testutils.NewPostRepositoryStub()
mockPostRepo.CountFn = func() (int64, error) { return 10, nil }
mockPostRepo.GetTopPostsFn = func(limit int) ([]database.Post, error) {
return []database.Post{
{ID: 1, Score: 100},
{ID: 2, Score: 50},
{ID: 3, Score: 25},
}, nil
}
mockUserRepo := testutils.NewUserRepositoryStub()
mockUserRepo.CountFn = func() (int64, error) { return 5, nil }
handler := newAPIHandlerForTest(mockPostRepo, mockUserRepo)
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodGet, "/metrics", nil)
handler.GetMetrics(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
var resp APIInfo
if err := json.NewDecoder(recorder.Body).Decode(&resp); err != nil {
t.Fatalf("decode error: %v", err)
}
if !resp.Success || resp.Message == "" {
t.Fatalf("expected success response, got %+v", resp)
}
data, ok := resp.Data.(map[string]any)
if !ok {
t.Fatalf("expected metrics data map, got %T", resp.Data)
}
if data["posts"] == nil {
t.Fatalf("expected metrics payload to include posts")
}
if data["users"] == nil {
t.Fatalf("expected metrics payload to include users")
}
if data["votes"] == nil {
t.Fatalf("expected metrics payload to include votes")
}
if data["system"] == nil {
t.Fatalf("expected metrics payload to include system")
}
posts, ok := data["posts"].(map[string]any)
if !ok {
t.Fatalf("expected posts to be a map, got %T", data["posts"])
}
if posts["total_count"] != float64(10) {
t.Fatalf("expected posts total_count to be 10, got %v", posts["total_count"])
}
}
func newAPIHandlerForTest(postRepo repositories.PostRepository, userRepo repositories.UserRepository) *APIHandler {
voteRepo := testutils.NewMockVoteRepository()
voteService := services.NewVoteService(voteRepo, postRepo, nil)
return NewAPIHandler(testutils.AppTestConfig, postRepo, userRepo, voteService)
}
func TestAPIHandlerGetMetricsErrorHandling(t *testing.T) {
mockPostRepo := testutils.NewPostRepositoryStub()
mockPostRepo.CountFn = func() (int64, error) { return 0, errors.New("database error") }
mockUserRepo := testutils.NewUserRepositoryStub()
handler := newAPIHandlerForTest(mockPostRepo, mockUserRepo)
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodGet, "/metrics", nil)
handler.GetMetrics(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusInternalServerError)
var resp APIInfo
if err := json.NewDecoder(recorder.Body).Decode(&resp); err != nil {
t.Fatalf("decode error: %v", err)
}
if resp.Success {
t.Fatalf("expected error response, got %+v", resp)
}
}
func TestAPIHandlerGetMetricsWithDatabaseMonitoring(t *testing.T) {
mockPostRepo := testutils.NewPostRepositoryStub()
mockPostRepo.CountFn = func() (int64, error) { return 10, nil }
mockPostRepo.GetTopPostsFn = func(limit int) ([]database.Post, error) {
return []database.Post{
{ID: 1, Score: 100},
{ID: 2, Score: 50},
}, nil
}
mockUserRepo := testutils.NewUserRepositoryStub()
mockUserRepo.CountFn = func() (int64, error) { return 5, nil }
voteRepo := testutils.NewMockVoteRepository()
voteService := services.NewVoteService(voteRepo, mockPostRepo, nil)
handler := NewAPIHandler(testutils.AppTestConfig, mockPostRepo, mockUserRepo, voteService)
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodGet, "/metrics", nil)
handler.GetMetrics(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
var resp APIInfo
if err := json.NewDecoder(recorder.Body).Decode(&resp); err != nil {
t.Fatalf("decode error: %v", err)
}
if !resp.Success {
t.Fatalf("expected success response, got %+v", resp)
}
data, ok := resp.Data.(map[string]any)
if !ok {
t.Fatalf("expected metrics data map, got %T", resp.Data)
}
expectedSections := []string{"posts", "users", "votes", "system"}
for _, section := range expectedSections {
if data[section] == nil {
t.Fatalf("expected metrics payload to include %s", section)
}
}
}
func TestNewAPIHandlerWithMonitoring(t *testing.T) {
mockPostRepo := testutils.NewPostRepositoryStub()
mockUserRepo := testutils.NewUserRepositoryStub()
voteRepo := testutils.NewMockVoteRepository()
voteService := services.NewVoteService(voteRepo, mockPostRepo, nil)
monitor := middleware.NewInMemoryDBMonitor()
db := testutils.NewTestDB(t)
defer func() {
sqlDB, _ := db.DB()
sqlDB.Close()
}()
handler := NewAPIHandlerWithMonitoring(testutils.AppTestConfig, mockPostRepo, mockUserRepo, voteService, db, monitor)
if handler == nil {
t.Fatal("Expected handler to be created")
}
if handler.dbMonitor == nil {
t.Error("Expected dbMonitor to be set")
}
if handler.healthChecker == nil {
t.Error("Expected healthChecker to be set")
}
if handler.metricsCollector == nil {
t.Error("Expected metricsCollector to be set")
}
}
func TestNewAPIHandlerWithMonitoring_NilDB(t *testing.T) {
mockPostRepo := testutils.NewPostRepositoryStub()
mockUserRepo := testutils.NewUserRepositoryStub()
voteRepo := testutils.NewMockVoteRepository()
voteService := services.NewVoteService(voteRepo, mockPostRepo, nil)
handler := NewAPIHandlerWithMonitoring(testutils.AppTestConfig, mockPostRepo, mockUserRepo, voteService, nil, nil)
if handler == nil {
t.Fatal("Expected handler to be created")
}
if handler.dbMonitor != nil {
t.Error("Expected dbMonitor to be nil when db is nil")
}
if handler.healthChecker != nil {
t.Error("Expected healthChecker to be nil when db is nil")
}
if handler.metricsCollector != nil {
t.Error("Expected metricsCollector to be nil when db is nil")
}
}

825
internal/handlers/auth_handler.go Normal file
View File

@@ -0,0 +1,825 @@
package handlers
import (
"errors"
"net/http"
"strings"
"goyco/internal/database"
"goyco/internal/dto"
"goyco/internal/repositories"
"goyco/internal/security"
"goyco/internal/services"
"goyco/internal/validation"
"github.com/go-chi/chi/v5"
)
type AuthServiceInterface interface {
Login(username, password string) (*services.AuthResult, error)
Register(username, email, password string) (*services.RegistrationResult, error)
ConfirmEmail(token string) (*database.User, error)
ResendVerificationEmail(email string) error
RequestPasswordReset(usernameOrEmail string) error
ResetPassword(token, newPassword string) error
UpdateEmail(userID uint, email string) (*database.User, error)
UpdateUsername(userID uint, username string) (*database.User, error)
UpdatePassword(userID uint, currentPassword, newPassword string) (*database.User, error)
RequestAccountDeletion(userID uint) error
ConfirmAccountDeletionWithPosts(token string, deletePosts bool) error
RefreshAccessToken(refreshToken string) (*services.AuthResult, error)
RevokeRefreshToken(refreshToken string) error
RevokeAllUserTokens(userID uint) error
InvalidateAllSessions(userID uint) error
GetAdminEmail() string
VerifyToken(tokenString string) (uint, error)
GetUserIDFromDeletionToken(token string) (uint, error)
UserHasPosts(userID uint) (bool, int64, error)
}
type AuthHandler struct {
authService AuthServiceInterface
userRepo repositories.UserRepository
}
type AuthResponse = CommonResponse
type AuthTokensResponse struct {
Success bool `json:"success" example:"true"`
Message string `json:"message" example:"Authentication successful"`
Data AuthTokensDetail `json:"data"`
}
type AuthTokensDetail struct {
AccessToken string `json:"access_token" example:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."`
RefreshToken string `json:"refresh_token" example:"f94d4ddc7d9b4fcb9d3a2c44c400b780"`
User AuthUserSummary `json:"user"`
}
type AuthUserSummary struct {
ID uint `json:"id" example:"42"`
Username string `json:"username" example:"janedoe"`
Email string `json:"email" example:"jane@example.com"`
EmailVerified bool `json:"email_verified" example:"true"`
Locked bool `json:"locked" example:"false"`
}
type LoginRequest struct {
Username string `json:"username"`
Password string `json:"password"`
}
type RegisterRequest struct {
Username string `json:"username"`
Email string `json:"email"`
Password string `json:"password"`
}
type CreatePostRequest struct {
Title string `json:"title"`
URL string `json:"url"`
Content string `json:"content"`
}
type ResendVerificationRequest struct {
Email string `json:"email"`
}
type ForgotPasswordRequest struct {
UsernameOrEmail string `json:"username_or_email"`
}
type ResetPasswordRequest struct {
Token string `json:"token"`
NewPassword string `json:"new_password"`
}
type UpdateEmailRequest struct {
Email string `json:"email"`
}
type UpdateUsernameRequest struct {
Username string `json:"username"`
}
type UpdatePasswordRequest struct {
CurrentPassword string `json:"current_password"`
NewPassword string `json:"new_password"`
}
type ConfirmAccountDeletionRequest struct {
Token string `json:"token"`
DeletePosts bool `json:"delete_posts"`
}
type RefreshTokenRequest struct {
RefreshToken string `json:"refresh_token" example:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." binding:"required"`
}
type RevokeTokenRequest struct {
RefreshToken string `json:"refresh_token" example:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." binding:"required"`
}
func NewAuthHandler(authService AuthServiceInterface, userRepo repositories.UserRepository) *AuthHandler {
return &AuthHandler{
authService: authService,
userRepo: userRepo,
}
}
// @Summary Login user
// @Description Authenticate user with username and password
// @Tags auth
// @Accept json
// @Produce json
// @Param request body LoginRequest true "Login credentials"
// @Success 200 {object} AuthTokensResponse "Authentication successful"
// @Failure 400 {object} AuthResponse "Invalid request data or validation failed"
// @Failure 401 {object} AuthResponse "Invalid credentials"
// @Failure 403 {object} AuthResponse "Account is locked"
// @Failure 500 {object} AuthResponse "Internal server error"
// @Router /auth/login [post]
func (h *AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
var req struct {
Username string `json:"username"`
Password string `json:"password"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
username := security.SanitizeUsername(req.Username)
password := strings.TrimSpace(req.Password)
if username == "" || password == "" {
SendErrorResponse(w, "Username and password are required", http.StatusBadRequest)
return
}
if err := validation.ValidatePassword(password); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
result, err := h.authService.Login(username, password)
if !HandleServiceError(w, err, "Authentication failed", http.StatusInternalServerError) {
return
}
SendSuccessResponse(w, "Authentication successful", result)
}
// @Summary Register a new user
// @Description Register a new user with username, email and password
// @Tags auth
// @Accept json
// @Produce json
// @Param request body RegisterRequest true "Registration data"
// @Success 201 {object} AuthResponse "Registration successful"
// @Failure 400 {object} AuthResponse "Invalid request data or validation failed"
// @Failure 409 {object} AuthResponse "Username or email already exists"
// @Failure 500 {object} AuthResponse "Internal server error"
// @Router /auth/register [post]
func (h *AuthHandler) Register(w http.ResponseWriter, r *http.Request) {
var req struct {
Username string `json:"username"`
Email string `json:"email"`
Password string `json:"password"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
username := strings.TrimSpace(req.Username)
email := strings.TrimSpace(req.Email)
password := strings.TrimSpace(req.Password)
if username == "" || email == "" || password == "" {
SendErrorResponse(w, "Username, email, and password are required", http.StatusBadRequest)
return
}
username = security.SanitizeUsername(username)
if err := validation.ValidateUsername(username); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
if err := validation.ValidateEmail(email); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
if err := validation.ValidatePassword(password); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
result, err := h.authService.Register(username, email, password)
if err != nil {
var validationErr *validation.ValidationError
if errors.As(err, &validationErr) {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
if !HandleServiceError(w, err, "Registration failed", http.StatusInternalServerError) {
return
}
}
userData := map[string]any{
"id": result.User.ID,
"username": result.User.Username,
"email": result.User.Email,
"email_verified": result.User.EmailVerified,
"created_at": result.User.CreatedAt,
"updated_at": result.User.UpdatedAt,
"deleted_at": result.User.DeletedAt,
}
responseData := map[string]any{
"user": userData,
"verification_sent": result.VerificationSent,
}
SendCreatedResponse(w, "Registration successful. Check your email to confirm your account.", responseData)
}
// @Summary Confirm email address
// @Description Confirm user email with verification token
// @Tags auth
// @Accept json
// @Produce json
// @Param token query string true "Email verification token"
// @Success 200 {object} AuthResponse "Email confirmed successfully"
// @Failure 400 {object} AuthResponse "Invalid or missing token"
// @Failure 500 {object} AuthResponse "Internal server error"
// @Router /auth/confirm [get]
func (h *AuthHandler) ConfirmEmail(w http.ResponseWriter, r *http.Request) {
token := strings.TrimSpace(r.URL.Query().Get("token"))
if token == "" {
SendErrorResponse(w, "Verification token is required", http.StatusBadRequest)
return
}
user, err := h.authService.ConfirmEmail(token)
if !HandleServiceError(w, err, "Unable to verify email", http.StatusInternalServerError) {
return
}
userDTO := dto.ToUserDTO(user)
SendSuccessResponse(w, "Email confirmed successfully", map[string]any{
"user": userDTO,
})
}
// @Summary Resend verification email
// @Description Send a new verification email to the provided address
// @Tags auth
// @Accept json
// @Produce json
// @Param request body ResendVerificationRequest true "Email address"
// @Success 200 {object} AuthResponse
// @Failure 400 {object} AuthResponse
// @Failure 404 {object} AuthResponse
// @Failure 409 {object} AuthResponse
// @Failure 429 {object} AuthResponse
// @Failure 503 {object} AuthResponse
// @Failure 500 {object} AuthResponse
// @Router /auth/resend-verification [post]
func (h *AuthHandler) ResendVerificationEmail(w http.ResponseWriter, r *http.Request) {
var req struct {
Email string `json:"email"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
email := strings.TrimSpace(req.Email)
if email == "" {
SendErrorResponse(w, "Email address is required", http.StatusBadRequest)
return
}
err := h.authService.ResendVerificationEmail(email)
if err != nil {
switch {
case errors.Is(err, services.ErrInvalidCredentials):
SendErrorResponse(w, "No account found with this email address", http.StatusNotFound)
case errors.Is(err, services.ErrInvalidEmail):
SendErrorResponse(w, "Invalid email address format", http.StatusBadRequest)
case errors.Is(err, services.ErrEmailSenderUnavailable):
SendErrorResponse(w, "We couldn't send the verification email. Try again later.", http.StatusServiceUnavailable)
case err.Error() == "email already verified":
SendErrorResponse(w, "This email address is already verified", http.StatusConflict)
case err.Error() == "verification email sent recently, please wait before requesting another":
SendErrorResponse(w, "Please wait 5 minutes before requesting another verification email", http.StatusTooManyRequests)
default:
SendErrorResponse(w, "Unable to resend verification email", http.StatusInternalServerError)
}
return
}
SendSuccessResponse(w, "Verification email sent successfully", map[string]any{
"message": "Check your inbox for the verification link",
})
}
// @Summary Get current user profile
// @Description Retrieve the authenticated user's profile information
// @Tags auth
// @Accept json
// @Produce json
// @Security BearerAuth
// @Success 200 {object} AuthResponse "User profile retrieved successfully"
// @Failure 401 {object} AuthResponse "Authentication required"
// @Failure 404 {object} AuthResponse "User not found"
// @Router /auth/me [get]
func (h *AuthHandler) Me(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
user, err := h.userRepo.GetByID(userID)
if err != nil {
SendErrorResponse(w, "User not found", http.StatusNotFound)
return
}
userDTO := dto.ToUserDTO(user)
SendSuccessResponse(w, "User profile fetched", userDTO)
}
// @Summary Request a password reset
// @Description Send a password reset email using a username or email
// @Tags auth
// @Accept json
// @Produce json
// @Param request body ForgotPasswordRequest true "Username or email"
// @Success 200 {object} AuthResponse "Password reset email sent if account exists"
// @Failure 400 {object} AuthResponse "Invalid request data"
// @Router /auth/forgot-password [post]
func (h *AuthHandler) RequestPasswordReset(w http.ResponseWriter, r *http.Request) {
var req struct {
UsernameOrEmail string `json:"username_or_email"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
usernameOrEmail := strings.TrimSpace(req.UsernameOrEmail)
if usernameOrEmail == "" {
SendErrorResponse(w, "Username or email is required", http.StatusBadRequest)
return
}
if err := h.authService.RequestPasswordReset(usernameOrEmail); err != nil {
}
SendSuccessResponse(w, "If an account with that username or email exists, we've sent a password reset link.", nil)
}
// @Summary Reset password
// @Description Reset a user's password using a reset token
// @Tags auth
// @Accept json
// @Produce json
// @Param request body ResetPasswordRequest true "Password reset data"
// @Success 200 {object} AuthResponse "Password reset successfully"
// @Failure 400 {object} AuthResponse "Invalid or expired token, or validation failed"
// @Failure 500 {object} AuthResponse "Internal server error"
// @Router /auth/reset-password [post]
func (h *AuthHandler) ResetPassword(w http.ResponseWriter, r *http.Request) {
var req struct {
Token string `json:"token"`
NewPassword string `json:"new_password"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
token := strings.TrimSpace(req.Token)
newPassword := strings.TrimSpace(req.NewPassword)
if token == "" {
SendErrorResponse(w, "Reset token is required", http.StatusBadRequest)
return
}
if newPassword == "" {
SendErrorResponse(w, "New password is required", http.StatusBadRequest)
return
}
if len(newPassword) < 8 {
SendErrorResponse(w, "Password must be at least 8 characters long", http.StatusBadRequest)
return
}
if err := h.authService.ResetPassword(token, newPassword); err != nil {
switch {
case strings.Contains(err.Error(), "expired"):
SendErrorResponse(w, "The reset link has expired. Please request a new one.", http.StatusBadRequest)
case strings.Contains(err.Error(), "invalid"):
SendErrorResponse(w, "The reset link is invalid. Please request a new one.", http.StatusBadRequest)
default:
SendErrorResponse(w, "Unable to reset password. Please try again later.", http.StatusInternalServerError)
}
return
}
SendSuccessResponse(w, "Password reset successfully. You can now sign in with your new password.", nil)
}
// @Summary Update email address
// @Description Update the authenticated user's email address
// @Tags auth
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param request body UpdateEmailRequest true "New email address"
// @Success 200 {object} AuthResponse
// @Failure 400 {object} AuthResponse
// @Failure 401 {object} AuthResponse
// @Failure 409 {object} AuthResponse
// @Failure 503 {object} AuthResponse
// @Failure 500 {object} AuthResponse
// @Router /auth/email [put]
func (h *AuthHandler) UpdateEmail(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
var req struct {
Email string `json:"email"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
email := strings.TrimSpace(req.Email)
if err := validation.ValidateEmail(email); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
user, err := h.authService.UpdateEmail(userID, email)
if err != nil {
switch {
case errors.Is(err, services.ErrEmailTaken):
SendErrorResponse(w, "That email is already in use. Choose another one.", http.StatusConflict)
case errors.Is(err, services.ErrEmailSenderUnavailable):
SendErrorResponse(w, "We couldn't send the confirmation email. Try again later.", http.StatusServiceUnavailable)
case errors.Is(err, services.ErrInvalidEmail):
SendErrorResponse(w, "Invalid email address", http.StatusBadRequest)
default:
SendErrorResponse(w, "We couldn't update your email right now.", http.StatusInternalServerError)
}
return
}
userDTO := dto.ToUserDTO(user)
SendSuccessResponse(w, "Email updated. Check your inbox to confirm the new address.", map[string]any{
"user": userDTO,
})
}
// @Summary Update username
// @Description Update the authenticated user's username
// @Tags auth
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param request body UpdateUsernameRequest true "New username"
// @Success 200 {object} AuthResponse
// @Failure 400 {object} AuthResponse
// @Failure 401 {object} AuthResponse
// @Failure 409 {object} AuthResponse
// @Failure 500 {object} AuthResponse
// @Router /auth/username [put]
func (h *AuthHandler) UpdateUsername(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
var req struct {
Username string `json:"username"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
username := strings.TrimSpace(req.Username)
if err := validation.ValidateUsername(username); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
user, err := h.authService.UpdateUsername(userID, username)
if err != nil {
switch {
case errors.Is(err, services.ErrUsernameTaken):
SendErrorResponse(w, "That username is already taken. Try another one.", http.StatusConflict)
default:
SendErrorResponse(w, "We couldn't update your username right now.", http.StatusInternalServerError)
}
return
}
userDTO := dto.ToUserDTO(user)
SendSuccessResponse(w, "Username updated successfully.", map[string]any{
"user": userDTO,
})
}
// @Summary Update password
// @Description Update the authenticated user's password
// @Tags auth
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param request body UpdatePasswordRequest true "Password update data"
// @Success 200 {object} AuthResponse
// @Failure 400 {object} AuthResponse
// @Failure 401 {object} AuthResponse
// @Failure 500 {object} AuthResponse
// @Router /auth/password [put]
func (h *AuthHandler) UpdatePassword(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
var req struct {
CurrentPassword string `json:"current_password"`
NewPassword string `json:"new_password"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
currentPassword := strings.TrimSpace(req.CurrentPassword)
newPassword := strings.TrimSpace(req.NewPassword)
if currentPassword == "" {
SendErrorResponse(w, "Current password is required", http.StatusBadRequest)
return
}
if err := validation.ValidatePassword(newPassword); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
user, err := h.authService.UpdatePassword(userID, currentPassword, newPassword)
if err != nil {
if strings.Contains(err.Error(), "current password is incorrect") {
SendErrorResponse(w, "Current password is incorrect", http.StatusBadRequest)
} else {
SendErrorResponse(w, "We couldn't update your password right now.", http.StatusInternalServerError)
}
return
}
userDTO := dto.ToUserDTO(user)
SendSuccessResponse(w, "Password updated successfully.", map[string]any{
"user": userDTO,
})
}
// @Summary Request account deletion
// @Description Initiate the deletion process for the authenticated user's account
// @Tags auth
// @Accept json
// @Produce json
// @Security BearerAuth
// @Success 200 {object} AuthResponse "Deletion email sent"
// @Failure 401 {object} AuthResponse "Authentication required"
// @Failure 503 {object} AuthResponse "Email delivery unavailable"
// @Failure 500 {object} AuthResponse "Internal server error"
// @Router /auth/account [delete]
func (h *AuthHandler) DeleteAccount(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
err := h.authService.RequestAccountDeletion(userID)
if err != nil {
if errors.Is(err, services.ErrEmailSenderUnavailable) {
SendErrorResponse(w, "Account deletion isn't available right now because email delivery is disabled.", http.StatusServiceUnavailable)
} else {
SendErrorResponse(w, "We couldn't start the deletion process right now.", http.StatusInternalServerError)
}
return
}
SendSuccessResponse(w, "Check your inbox for a confirmation link to finish deleting your account.", nil)
}
// @Summary Confirm account deletion
// @Description Confirm account deletion using the provided token
// @Tags auth
// @Accept json
// @Produce json
// @Param request body ConfirmAccountDeletionRequest true "Account deletion data"
// @Success 200 {object} AuthResponse "Account deleted successfully"
// @Failure 400 {object} AuthResponse "Invalid or expired token"
// @Failure 503 {object} AuthResponse "Email delivery unavailable"
// @Failure 500 {object} AuthResponse "Internal server error"
// @Router /auth/account/confirm [post]
func (h *AuthHandler) ConfirmAccountDeletion(w http.ResponseWriter, r *http.Request) {
var req struct {
Token string `json:"token"`
DeletePosts bool `json:"delete_posts"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
token := strings.TrimSpace(req.Token)
if token == "" {
SendErrorResponse(w, "Deletion token is required", http.StatusBadRequest)
return
}
if err := h.authService.ConfirmAccountDeletionWithPosts(token, req.DeletePosts); err != nil {
switch {
case errors.Is(err, services.ErrInvalidDeletionToken):
SendErrorResponse(w, "This deletion link is invalid or has expired.", http.StatusBadRequest)
case errors.Is(err, services.ErrEmailSenderUnavailable):
SendErrorResponse(w, "Account deletion isn't available right now because email delivery is disabled.", http.StatusServiceUnavailable)
case errors.Is(err, services.ErrDeletionEmailFailed):
SendSuccessResponse(w, "Your account has been deleted, but we couldn't send the confirmation email.", map[string]any{
"posts_deleted": req.DeletePosts,
})
default:
SendErrorResponse(w, "We couldn't confirm the deletion right now.", http.StatusInternalServerError)
}
return
}
SendSuccessResponse(w, "Your account has been deleted.", map[string]any{
"posts_deleted": req.DeletePosts,
})
}
// @Summary Logout user
// @Description Logout the authenticated user and invalidate their session
// @Tags auth
// @Accept json
// @Produce json
// @Security BearerAuth
// @Success 200 {object} AuthResponse "Logged out successfully"
// @Failure 401 {object} AuthResponse "Authentication required"
// @Router /auth/logout [post]
func (h *AuthHandler) Logout(w http.ResponseWriter, r *http.Request) {
SendSuccessResponse(w, "Logged out successfully", nil)
}
// @Summary Refresh access token
// @Description Use a refresh token to get a new access token. This endpoint allows clients to obtain a new access token using a valid refresh token without requiring user credentials.
// @Tags auth
// @Accept json
// @Produce json
// @Param request body RefreshTokenRequest true "Refresh token data"
// @Success 200 {object} AuthTokensResponse "Token refreshed successfully"
// @Failure 400 {object} AuthResponse "Invalid request body or missing refresh token"
// @Failure 401 {object} AuthResponse "Invalid or expired refresh token"
// @Failure 403 {object} AuthResponse "Account is locked"
// @Failure 500 {object} AuthResponse "Internal server error"
// @Router /auth/refresh [post]
func (h *AuthHandler) RefreshToken(w http.ResponseWriter, r *http.Request) {
var req RefreshTokenRequest
if !DecodeJSONRequest(w, r, &req) {
return
}
if strings.TrimSpace(req.RefreshToken) == "" {
SendErrorResponse(w, "Refresh token is required", http.StatusBadRequest)
return
}
result, err := h.authService.RefreshAccessToken(req.RefreshToken)
if !HandleServiceError(w, err, "Token refresh failed", http.StatusInternalServerError) {
return
}
SendSuccessResponse(w, "Token refreshed successfully", result)
}
// @Summary Revoke refresh token
// @Description Revoke a specific refresh token. This endpoint allows authenticated users to invalidate a specific refresh token, preventing its future use.
// @Tags auth
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param request body RevokeTokenRequest true "Token revocation data"
// @Success 200 {object} AuthResponse "Token revoked successfully"
// @Failure 400 {object} AuthResponse "Invalid request body or missing refresh token"
// @Failure 401 {object} AuthResponse "Invalid or expired access token"
// @Failure 500 {object} AuthResponse "Internal server error"
// @Router /auth/revoke [post]
func (h *AuthHandler) RevokeToken(w http.ResponseWriter, r *http.Request) {
var req RevokeTokenRequest
if !DecodeJSONRequest(w, r, &req) {
return
}
if strings.TrimSpace(req.RefreshToken) == "" {
SendErrorResponse(w, "Refresh token is required", http.StatusBadRequest)
return
}
err := h.authService.RevokeRefreshToken(req.RefreshToken)
if err != nil {
SendErrorResponse(w, "Failed to revoke token", http.StatusInternalServerError)
return
}
SendSuccessResponse(w, "Token revoked successfully", nil)
}
// @Summary Revoke all user tokens
// @Description Revoke all refresh tokens for the authenticated user. This endpoint allows users to invalidate all their refresh tokens at once, effectively logging them out from all devices.
// @Tags auth
// @Accept json
// @Produce json
// @Security BearerAuth
// @Success 200 {object} AuthResponse "All tokens revoked successfully"
// @Failure 401 {object} AuthResponse "Invalid or expired access token"
// @Failure 500 {object} AuthResponse "Internal server error"
// @Router /auth/revoke-all [post]
func (h *AuthHandler) RevokeAllTokens(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
err := h.authService.RevokeAllUserTokens(userID)
if err != nil {
SendErrorResponse(w, "Failed to revoke tokens", http.StatusInternalServerError)
return
}
SendSuccessResponse(w, "All tokens revoked successfully", nil)
}
func (h *AuthHandler) MountRoutes(r chi.Router, config RouteModuleConfig) {
if config.GeneralRateLimit != nil {
rateLimited := config.GeneralRateLimit(r)
rateLimited.Post("/auth/refresh", h.RefreshToken)
rateLimited.Get("/auth/confirm", h.ConfirmEmail)
rateLimited.Post("/auth/resend-verification", h.ResendVerificationEmail)
} else {
r.Post("/auth/refresh", h.RefreshToken)
r.Get("/auth/confirm", h.ConfirmEmail)
r.Post("/auth/resend-verification", h.ResendVerificationEmail)
}
if config.AuthRateLimit != nil {
rateLimited := config.AuthRateLimit(r)
rateLimited.Post("/auth/register", h.Register)
rateLimited.Post("/auth/login", h.Login)
rateLimited.Post("/auth/forgot-password", h.RequestPasswordReset)
rateLimited.Post("/auth/reset-password", h.ResetPassword)
rateLimited.Post("/auth/account/confirm", h.ConfirmAccountDeletion)
} else {
r.Post("/auth/register", h.Register)
r.Post("/auth/login", h.Login)
r.Post("/auth/forgot-password", h.RequestPasswordReset)
r.Post("/auth/reset-password", h.ResetPassword)
r.Post("/auth/account/confirm", h.ConfirmAccountDeletion)
}
protected := r
if config.AuthMiddleware != nil {
protected = r.With(config.AuthMiddleware)
}
if config.GeneralRateLimit != nil {
protected = config.GeneralRateLimit(protected)
}
protected.Get("/auth/me", h.Me)
protected.Post("/auth/logout", h.Logout)
protected.Post("/auth/revoke", h.RevokeToken)
protected.Post("/auth/revoke-all", h.RevokeAllTokens)
protected.Put("/auth/email", h.UpdateEmail)
protected.Put("/auth/username", h.UpdateUsername)
protected.Put("/auth/password", h.UpdatePassword)
protected.Delete("/auth/account", h.DeleteAccount)
}

1584
internal/handlers/auth_handler_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

292
internal/handlers/common.go Normal file
View File

@@ -0,0 +1,292 @@
package handlers
import (
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"strconv"
"strings"
"time"
"goyco/internal/database"
"goyco/internal/dto"
"goyco/internal/middleware"
"goyco/internal/services"
"github.com/go-chi/chi/v5"
"gorm.io/gorm"
)
type CommonResponse struct {
Success bool `json:"success"`
Message string `json:"message"`
Data any `json:"data,omitempty"`
Error string `json:"error,omitempty"`
}
type PaginationData struct {
Count int `json:"count"`
Limit int `json:"limit"`
Offset int `json:"offset"`
}
type VoteCookieData struct {
Type database.VoteType `json:"type"`
Timestamp int64 `json:"timestamp"`
}
func sendResponse(w http.ResponseWriter, statusCode int, success bool, message string, data any, errMsg string) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(statusCode)
response := CommonResponse{
Success: success,
Message: message,
Data: data,
Error: errMsg,
}
json.NewEncoder(w).Encode(response)
}
func SendSuccessResponse(w http.ResponseWriter, message string, data any) {
sendResponse(w, http.StatusOK, true, message, data, "")
}
func SendCreatedResponse(w http.ResponseWriter, message string, data any) {
sendResponse(w, http.StatusCreated, true, message, data, "")
}
func SendErrorResponse(w http.ResponseWriter, message string, statusCode int) {
sendResponse(w, statusCode, false, "", nil, message)
}
func DecodeJSONRequest(w http.ResponseWriter, r *http.Request, req any) bool {
if err := json.NewDecoder(r.Body).Decode(req); err != nil {
SendErrorResponse(w, "Invalid request body", http.StatusBadRequest)
return false
}
return true
}
func GetClientIP(r *http.Request) string {
return middleware.GetSecureClientIP(r)
}
const (
CookieMaxAgeDays = 30
SecondsPerDay = 86400
DefaultPaginationLimit = 20
DefaultPaginationOffset = 0
)
func SetVoteCookie(w http.ResponseWriter, r *http.Request, postID uint, voteType database.VoteType) {
cookieName := fmt.Sprintf("vote_%d", postID)
cookieValue := fmt.Sprintf("%s:%d", voteType, time.Now().Unix())
cookie := &http.Cookie{
Name: cookieName,
Value: cookieValue,
Path: "/",
MaxAge: SecondsPerDay * CookieMaxAgeDays,
HttpOnly: true,
Secure: IsHTTPS(r),
SameSite: http.SameSiteLaxMode,
}
http.SetCookie(w, cookie)
}
func GetVoteCookie(r *http.Request, postID uint) string {
cookieName := fmt.Sprintf("vote_%d", postID)
cookie, err := r.Cookie(cookieName)
if err != nil {
return ""
}
return cookie.Value
}
func ClearVoteCookie(w http.ResponseWriter, postID uint) {
cookieName := fmt.Sprintf("vote_%d", postID)
cookie := &http.Cookie{
Name: cookieName,
Value: "",
Path: "/",
MaxAge: -1,
HttpOnly: true,
}
http.SetCookie(w, cookie)
}
func IsHTTPS(r *http.Request) bool {
if r.TLS != nil {
return true
}
if proto := r.Header.Get("X-Forwarded-Proto"); proto == "https" {
return true
}
if proto := r.Header.Get("X-Forwarded-Ssl"); proto == "on" {
return true
}
if proto := r.Header.Get("X-Forwarded-Scheme"); proto == "https" {
return true
}
return false
}
func SanitizeUser(user *database.User) dto.SanitizedUserDTO {
if user == nil {
return dto.SanitizedUserDTO{}
}
return dto.ToSanitizedUserDTO(user)
}
func SanitizeUsers(users []database.User) []dto.SanitizedUserDTO {
return dto.ToSanitizedUserDTOs(users)
}
func parsePagination(r *http.Request) (limit, offset int) {
limit = DefaultPaginationLimit
offset = DefaultPaginationOffset
limitStr := r.URL.Query().Get("limit")
if limitStr != "" {
if l, err := strconv.Atoi(limitStr); err == nil && l > 0 {
limit = l
}
}
offsetStr := r.URL.Query().Get("offset")
if offsetStr != "" {
if o, err := strconv.Atoi(offsetStr); err == nil && o >= 0 {
offset = o
}
}
return limit, offset
}
func ValidateRedirectURL(redirectURL string) string {
redirectURL = strings.TrimSpace(redirectURL)
if redirectURL == "" || len(redirectURL) > 512 {
return ""
}
if !strings.HasPrefix(redirectURL, "/") || strings.HasPrefix(redirectURL, "//") {
return ""
}
parsed, err := url.Parse(redirectURL)
if err != nil || parsed.Scheme != "" || parsed.Host != "" || parsed.User != nil || parsed.Path == "" {
return ""
}
path := parsed.EscapedPath()
if path == "" {
path = parsed.Path
}
validated := path
if parsed.RawQuery != "" {
validated += "?" + parsed.RawQuery
}
if parsed.Fragment != "" {
validated += "#" + parsed.Fragment
}
return validated
}
func ParseUintParam(w http.ResponseWriter, r *http.Request, paramName, entityName string) (uint, bool) {
str := chi.URLParam(r, paramName)
if str == "" {
SendErrorResponse(w, entityName+" ID is required", http.StatusBadRequest)
return 0, false
}
id, err := strconv.ParseUint(str, 10, 32)
if err != nil {
SendErrorResponse(w, "Invalid "+entityName+" ID", http.StatusBadRequest)
return 0, false
}
return uint(id), true
}
func RequireAuth(w http.ResponseWriter, r *http.Request) (uint, bool) {
userID := middleware.GetUserIDFromContext(r.Context())
if userID == 0 {
SendErrorResponse(w, "Authentication required", http.StatusUnauthorized)
return 0, false
}
return userID, true
}
func NewVoteContext(r *http.Request) services.VoteContext {
return services.VoteContext{
UserID: middleware.GetUserIDFromContext(r.Context()),
IPAddress: GetClientIP(r),
UserAgent: r.UserAgent(),
}
}
func HandleRepoError(w http.ResponseWriter, err error, entityName string) bool {
if err == nil {
return true
}
if errors.Is(err, gorm.ErrRecordNotFound) {
SendErrorResponse(w, entityName+" not found", http.StatusNotFound)
} else {
SendErrorResponse(w, "Failed to retrieve "+entityName, http.StatusInternalServerError)
}
return false
}
var AuthErrorMapping = []struct {
err error
msg string
code int
}{
{services.ErrInvalidCredentials, "Invalid username or password", http.StatusUnauthorized},
{services.ErrEmailNotVerified, "Please confirm your email before logging in", http.StatusForbidden},
{services.ErrAccountLocked, "Your account has been locked. Please contact us for assistance.", http.StatusForbidden},
{services.ErrUsernameTaken, "Username is already taken", http.StatusConflict},
{services.ErrEmailTaken, "Email is already registered", http.StatusConflict},
{services.ErrInvalidEmail, "Invalid email address", http.StatusBadRequest},
{services.ErrPasswordTooShort, "Password must be at least 8 characters", http.StatusBadRequest},
{services.ErrInvalidVerificationToken, "Invalid or expired verification token", http.StatusBadRequest},
{services.ErrRefreshTokenExpired, "Refresh token has expired", http.StatusUnauthorized},
{services.ErrRefreshTokenInvalid, "Invalid refresh token", http.StatusUnauthorized},
{services.ErrInvalidDeletionToken, "This deletion link is invalid or has expired.", http.StatusBadRequest},
{services.ErrDeletionRequestNotFound, "Deletion request not found", http.StatusBadRequest},
{services.ErrUserNotFound, "User not found", http.StatusNotFound},
{services.ErrEmailSenderUnavailable, "Email service is unavailable. Please try again later.", http.StatusServiceUnavailable},
}
func HandleServiceError(w http.ResponseWriter, err error, defaultMsg string, defaultCode int) bool {
if err == nil {
return true
}
for _, mapping := range AuthErrorMapping {
if err == mapping.err || errors.Is(err, mapping.err) {
SendErrorResponse(w, mapping.msg, mapping.code)
return false
}
}
errMsg := err.Error()
for _, mapping := range AuthErrorMapping {
if mapping.err.Error() == errMsg {
SendErrorResponse(w, mapping.msg, mapping.code)
return false
}
}
SendErrorResponse(w, defaultMsg, defaultCode)
return false
}

1158
internal/handlers/common_test.go Normal file
View File

File diff suppressed because it is too large Load Diff

146
internal/handlers/fuzz_test.go Normal file
View File

@@ -0,0 +1,146 @@
package handlers
import (
"net/http/httptest"
"strings"
"testing"
"unicode/utf8"
"goyco/internal/fuzz"
)
func FuzzJSONParsing(f *testing.F) {
helper := fuzz.NewFuzzTestHelper()
testCases := []map[string]any{
{
"name": "auth_login",
"body": `{"username":"FUZZED_INPUT","password":"test"}`,
},
{
"name": "auth_register",
"body": `{"username":"FUZZED_INPUT","email":"test@example.com","password":"test123"}`,
},
{
"name": "post_create",
"body": `{"title":"FUZZED_INPUT","url":"https://example.com","content":"test"}`,
},
{
"name": "vote_cast",
"body": `{"type":"FUZZED_INPUT"}`,
},
}
helper.RunJSONFuzzTest(f, testCases)
}
func FuzzURLParsing(f *testing.F) {
helper := fuzz.NewFuzzTestHelper()
helper.RunBasicFuzzTest(f, func(t *testing.T, input string) {
sanitized := ""
for _, char := range input {
if (char >= 'a' && char <= 'z') || (char >= 'A' && char <= 'Z') ||
(char >= '0' && char <= '9') || char == '-' || char == '_' {
sanitized += string(char)
}
}
if len(sanitized) > 20 {
sanitized = sanitized[:20]
}
if len(sanitized) == 0 {
return
}
url := "/api/posts/" + sanitized
req := httptest.NewRequest("GET", url, nil)
pathParts := strings.Split(req.URL.Path, "/")
if len(pathParts) >= 4 {
idStr := pathParts[3]
_ = idStr
}
})
}
func FuzzQueryParameters(f *testing.F) {
helper := fuzz.NewFuzzTestHelper()
helper.RunBasicFuzzTest(f, func(t *testing.T, input string) {
if !utf8.ValidString(input) {
return
}
sanitized := ""
for _, char := range input {
if char >= 32 && char <= 126 {
switch char {
case ' ', '\n', '\r', '\t':
continue
case '&':
sanitized += "%26"
case '=':
sanitized += "%3D"
case '?':
sanitized += "%3F"
case '#':
sanitized += "%23"
case '/':
sanitized += "%2F"
case '\\':
sanitized += "%5C"
default:
sanitized += string(char)
}
}
}
if len(sanitized) > 100 {
sanitized = sanitized[:100]
}
if len(sanitized) == 0 {
return
}
query := "?q=" + sanitized + "&limit=10&offset=0"
req := httptest.NewRequest("GET", "/api/posts/search"+query, nil)
q := req.URL.Query().Get("q")
limit := req.URL.Query().Get("limit")
offset := req.URL.Query().Get("offset")
if !utf8.ValidString(q) {
return
}
_ = limit
_ = offset
})
}
func FuzzHTTPHeaders(f *testing.F) {
helper := fuzz.NewFuzzTestHelper()
helper.RunBasicFuzzTest(f, func(t *testing.T, input string) {
req := httptest.NewRequest("GET", "/api/test", nil)
req.Header.Set("Authorization", "Bearer "+input)
req.Header.Set("Content-Type", "application/json; charset=utf-8")
req.Header.Set("User-Agent", input)
req.Header.Set("X-Forwarded-For", input)
for name, values := range req.Header {
if !utf8.ValidString(name) {
t.Fatal("Header name contains invalid UTF-8")
}
for _, value := range values {
if !utf8.ValidString(value) {
t.Fatal("Header value contains invalid UTF-8")
}
}
}
})
}

1626
internal/handlers/page_handler.go Normal file
View File

File diff suppressed because it is too large Load Diff

464
internal/handlers/post_handler.go Normal file
View File

@@ -0,0 +1,464 @@
package handlers
import (
"context"
"errors"
"net/http"
"strings"
"time"
"goyco/internal/database"
"goyco/internal/dto"
"goyco/internal/repositories"
"goyco/internal/security"
"goyco/internal/services"
"goyco/internal/validation"
"github.com/go-chi/chi/v5"
"github.com/jackc/pgconn"
)
type PostHandler struct {
postRepo repositories.PostRepository
titleFetcher services.TitleFetcher
voteService *services.VoteService
postQueries *services.PostQueries
}
func NewPostHandler(postRepo repositories.PostRepository, titleFetcher services.TitleFetcher, voteService *services.VoteService) *PostHandler {
return &PostHandler{
postRepo: postRepo,
titleFetcher: titleFetcher,
voteService: voteService,
postQueries: services.NewPostQueries(postRepo, voteService),
}
}
type PostResponse = CommonResponse
type UpdatePostRequest struct {
Title string `json:"title"`
Content string `json:"content"`
}
// @Summary Get posts
// @Description Get a list of posts with pagination. Posts include vote statistics (up_votes, down_votes, score) and current user's vote status.
// @Tags posts
// @Accept json
// @Produce json
// @Param limit query int false "Number of posts to return" default(20)
// @Param offset query int false "Number of posts to skip" default(0)
// @Success 200 {object} PostResponse "Posts retrieved successfully with vote statistics"
// @Failure 400 {object} PostResponse "Invalid pagination parameters"
// @Failure 500 {object} PostResponse "Internal server error"
// @Router /posts [get]
func (h *PostHandler) GetPosts(w http.ResponseWriter, r *http.Request) {
limit, offset := parsePagination(r)
opts := services.QueryOptions{
Limit: limit,
Offset: offset,
}
ctx := NewVoteContext(r)
posts, err := h.postQueries.GetAll(opts, ctx)
if err != nil {
SendErrorResponse(w, "Failed to fetch posts", http.StatusInternalServerError)
return
}
postDTOs := dto.ToPostDTOs(posts)
SendSuccessResponse(w, "Posts retrieved successfully", map[string]any{
"posts": postDTOs,
"count": len(postDTOs),
"limit": limit,
"offset": offset,
})
}
// @Summary Get a single post
// @Description Get a post by ID with vote statistics and current user's vote status
// @Tags posts
// @Accept json
// @Produce json
// @Param id path int true "Post ID"
// @Success 200 {object} PostResponse "Post retrieved successfully with vote statistics"
// @Failure 400 {object} PostResponse "Invalid post ID"
// @Failure 404 {object} PostResponse "Post not found"
// @Failure 500 {object} PostResponse "Internal server error"
// @Router /posts/{id} [get]
func (h *PostHandler) GetPost(w http.ResponseWriter, r *http.Request) {
postID, ok := ParseUintParam(w, r, "id", "Post")
if !ok {
return
}
ctx := NewVoteContext(r)
post, err := h.postQueries.GetByID(postID, ctx)
if !HandleRepoError(w, err, "Post") {
return
}
postDTO := dto.ToPostDTO(post)
SendSuccessResponse(w, "Post retrieved successfully", postDTO)
}
// @Summary Create a new post
// @Description Create a new post with URL and optional title
// @Tags posts
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param request body CreatePostRequest true "Post data"
// @Success 201 {object} PostResponse
// @Failure 400 {object} PostResponse "Invalid request data or validation failed"
// @Failure 401 {object} PostResponse "Authentication required"
// @Failure 409 {object} PostResponse "URL already submitted"
// @Failure 502 {object} PostResponse "Failed to fetch title from URL"
// @Failure 500 {object} PostResponse "Internal server error"
// @Router /posts [post]
func (h *PostHandler) CreatePost(w http.ResponseWriter, r *http.Request) {
var req struct {
Title string `json:"title"`
URL string `json:"url"`
Content string `json:"content"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
req.Title = security.SanitizeInput(req.Title)
req.URL = security.SanitizeURL(req.URL)
req.Content = security.SanitizePostContent(req.Content)
if req.URL == "" {
SendErrorResponse(w, "URL is required", http.StatusBadRequest)
return
}
if len(req.Title) > 200 {
SendErrorResponse(w, "Title must be no more than 200 characters", http.StatusBadRequest)
return
}
if len(req.Content) > 10000 {
SendErrorResponse(w, "Content must be no more than 10,000 characters", http.StatusBadRequest)
return
}
userID, ok := RequireAuth(w, r)
if !ok {
return
}
title := req.Title
if title == "" && h.titleFetcher != nil {
titleCtx, cancel := context.WithTimeout(r.Context(), 7*time.Second)
defer cancel()
fetchedTitle, err := h.titleFetcher.FetchTitle(titleCtx, req.URL)
if err != nil {
switch {
case errors.Is(err, services.ErrUnsupportedScheme):
SendErrorResponse(w, "Only HTTP and HTTPS URLs are supported", http.StatusBadRequest)
case errors.Is(err, services.ErrTitleNotFound):
SendErrorResponse(w, "Title could not be extracted from the provided URL", http.StatusBadRequest)
default:
SendErrorResponse(w, "Failed to fetch title from URL", http.StatusBadGateway)
}
return
}
title = fetchedTitle
}
if title == "" {
SendErrorResponse(w, "Title is required", http.StatusBadRequest)
return
}
if len(title) < 3 {
SendErrorResponse(w, "Title must be at least 3 characters", http.StatusBadRequest)
return
}
post := &database.Post{
Title: title,
URL: req.URL,
Content: req.Content,
AuthorID: &userID,
}
if err := h.postRepo.Create(post); err != nil {
if errMsg, status := translatePostCreateError(err); status != 0 {
SendErrorResponse(w, errMsg, status)
return
}
SendErrorResponse(w, "Failed to create post", http.StatusInternalServerError)
return
}
postDTO := dto.ToPostDTO(post)
SendCreatedResponse(w, "Post created successfully", postDTO)
}
// @Summary Search posts
// @Description Search posts by title or content keywords. Results include vote statistics and current user's vote status.
// @Tags posts
// @Accept json
// @Produce json
// @Param q query string false "Search term"
// @Param limit query int false "Number of posts to return" default(20)
// @Param offset query int false "Number of posts to skip" default(0)
// @Success 200 {object} PostResponse "Search results with vote statistics"
// @Failure 400 {object} PostResponse "Invalid search parameters"
// @Failure 500 {object} PostResponse "Internal server error"
// @Router /posts/search [get]
func (h *PostHandler) SearchPosts(w http.ResponseWriter, r *http.Request) {
query := strings.TrimSpace(r.URL.Query().Get("q"))
limit, offset := parsePagination(r)
opts := services.QueryOptions{
Limit: limit,
Offset: offset,
}
ctx := NewVoteContext(r)
posts, err := h.postQueries.GetSearch(query, opts, ctx)
if err != nil {
if searchErr, ok := err.(*repositories.SearchError); ok {
SendErrorResponse(w, "Invalid search query: "+searchErr.Message, http.StatusBadRequest)
return
}
SendErrorResponse(w, "Failed to search posts", http.StatusInternalServerError)
return
}
postDTOs := dto.ToPostDTOs(posts)
SendSuccessResponse(w, "Search results retrieved successfully", map[string]any{
"posts": postDTOs,
"count": len(postDTOs),
"query": query,
"limit": limit,
"offset": offset,
})
}
// @Summary Update a post
// @Description Update the title and content of a post owned by the authenticated user
// @Tags posts
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param id path int true "Post ID"
// @Param request body UpdatePostRequest true "Post update data"
// @Success 200 {object} PostResponse "Post updated successfully"
// @Failure 400 {object} PostResponse "Invalid request data or validation failed"
// @Failure 401 {object} PostResponse "Authentication required"
// @Failure 403 {object} PostResponse "Not authorized to update this post"
// @Failure 404 {object} PostResponse "Post not found"
// @Failure 500 {object} PostResponse "Internal server error"
// @Router /posts/{id} [put]
func (h *PostHandler) UpdatePost(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
postID, ok := ParseUintParam(w, r, "id", "Post")
if !ok {
return
}
post, err := h.postRepo.GetByID(postID)
if !HandleRepoError(w, err, "Post") {
return
}
if post.AuthorID == nil || *post.AuthorID != userID {
SendErrorResponse(w, "You can only edit your own posts", http.StatusForbidden)
return
}
var req struct {
Title string `json:"title"`
Content string `json:"content"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
req.Title = security.SanitizeInput(req.Title)
req.Content = security.SanitizePostContent(req.Content)
if len(req.Title) > 200 {
SendErrorResponse(w, "Title must be no more than 200 characters", http.StatusBadRequest)
return
}
if len(req.Content) > 10000 {
SendErrorResponse(w, "Content must be no more than 10,000 characters", http.StatusBadRequest)
return
}
if err := validation.ValidateTitle(req.Title); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
if err := validation.ValidateContent(req.Content); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
post.Title = req.Title
post.Content = req.Content
if err := h.postRepo.Update(post); err != nil {
SendErrorResponse(w, "Failed to update post", http.StatusInternalServerError)
return
}
postDTO := dto.ToPostDTO(post)
SendSuccessResponse(w, "Post updated successfully", postDTO)
}
// @Summary Delete a post
// @Description Delete a post owned by the authenticated user
// @Tags posts
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param id path int true "Post ID"
// @Success 200 {object} PostResponse "Post deleted successfully"
// @Failure 400 {object} PostResponse "Invalid post ID"
// @Failure 401 {object} PostResponse "Authentication required"
// @Failure 403 {object} PostResponse "Not authorized to delete this post"
// @Failure 404 {object} PostResponse "Post not found"
// @Failure 500 {object} PostResponse "Internal server error"
// @Router /posts/{id} [delete]
func (h *PostHandler) DeletePost(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
postID, ok := ParseUintParam(w, r, "id", "Post")
if !ok {
return
}
post, err := h.postRepo.GetByID(postID)
if !HandleRepoError(w, err, "Post") {
return
}
if post.AuthorID == nil || *post.AuthorID != userID {
SendErrorResponse(w, "You can only delete your own posts", http.StatusForbidden)
return
}
if err := h.voteService.DeleteVotesByPostID(postID); err != nil {
SendErrorResponse(w, "Failed to delete post votes", http.StatusInternalServerError)
return
}
if err := h.postRepo.Delete(postID); err != nil {
SendErrorResponse(w, "Failed to delete post", http.StatusInternalServerError)
return
}
SendSuccessResponse(w, "Post deleted successfully", nil)
}
// @Summary Fetch title from URL
// @Description Fetch the HTML title for the provided URL
// @Tags posts
// @Accept json
// @Produce json
// @Param url query string true "URL to inspect"
// @Success 200 {object} PostResponse "Title fetched successfully"
// @Failure 400 {object} PostResponse "Invalid URL or URL parameter missing"
// @Failure 501 {object} PostResponse "Title fetching is not available"
// @Failure 502 {object} PostResponse "Failed to fetch title from URL"
// @Router /posts/title [get]
func (h *PostHandler) FetchTitleFromURL(w http.ResponseWriter, r *http.Request) {
if h.titleFetcher == nil {
SendErrorResponse(w, "Title fetching is not available", http.StatusNotImplemented)
return
}
requestedURL := strings.TrimSpace(r.URL.Query().Get("url"))
if requestedURL == "" {
SendErrorResponse(w, "URL query parameter is required", http.StatusBadRequest)
return
}
titleCtx, cancel := context.WithTimeout(r.Context(), 7*time.Second)
defer cancel()
title, err := h.titleFetcher.FetchTitle(titleCtx, requestedURL)
if err != nil {
switch {
case errors.Is(err, services.ErrUnsupportedScheme):
SendErrorResponse(w, "Only HTTP and HTTPS URLs are supported", http.StatusBadRequest)
case errors.Is(err, services.ErrTitleNotFound):
SendErrorResponse(w, "Title could not be extracted from the provided URL", http.StatusBadRequest)
default:
SendErrorResponse(w, "Failed to fetch title from URL", http.StatusBadGateway)
}
return
}
SendSuccessResponse(w, "Title fetched successfully", map[string]string{
"title": title,
})
}
func translatePostCreateError(err error) (string, int) {
var pgErr *pgconn.PgError
if errors.As(err, &pgErr) {
switch pgErr.Code {
case "23505":
return "This URL has already been submitted.", http.StatusConflict
case "23503":
return "Author account not found. Please sign in again.", http.StatusUnauthorized
}
}
errStr := err.Error()
if strings.Contains(errStr, "UNIQUE constraint") || strings.Contains(errStr, "duplicate") {
return "This URL has already been submitted.", http.StatusConflict
}
return "", 0
}
func (h *PostHandler) MountRoutes(r chi.Router, config RouteModuleConfig) {
public := r
if config.GeneralRateLimit != nil {
public = config.GeneralRateLimit(r)
}
public.Get("/posts", h.GetPosts)
public.Get("/posts/search", h.SearchPosts)
public.Get("/posts/title", h.FetchTitleFromURL)
public.Get("/posts/{id}", h.GetPost)
protected := r
if config.AuthMiddleware != nil {
protected = r.With(config.AuthMiddleware)
}
if config.GeneralRateLimit != nil {
protected = config.GeneralRateLimit(protected)
}
protected.Post("/posts", h.CreatePost)
protected.Put("/posts/{id}", h.UpdatePost)
protected.Delete("/posts/{id}", h.DeletePost)
}

711
internal/handlers/post_handler_test.go Normal file
View File

@@ -0,0 +1,711 @@
package handlers
import (
"bytes"
"context"
"encoding/json"
"errors"
"net/http"
"net/http/httptest"
"strings"
"testing"
"github.com/go-chi/chi/v5"
"github.com/jackc/pgconn"
"gorm.io/gorm"
"goyco/internal/database"
"goyco/internal/middleware"
"goyco/internal/repositories"
"goyco/internal/services"
"goyco/internal/testutils"
)
func decodeHandlerResponse(t *testing.T, rr *httptest.ResponseRecorder) map[string]any {
t.Helper()
var payload map[string]any
if err := json.Unmarshal(rr.Body.Bytes(), &payload); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
return payload
}
func TestPostHandlerGetPostsWithVoteService(t *testing.T) {
repo := testutils.NewPostRepositoryStub()
repo.GetAllFn = func(limit, offset int) ([]database.Post, error) {
return []database.Post{
{ID: 1, Title: "Test Post 1"},
{ID: 2, Title: "Test Post 2"},
}, nil
}
voteRepo := testutils.NewMockVoteRepository()
voteService := services.NewVoteService(voteRepo, repo, nil)
handler := NewPostHandler(repo, nil, voteService)
request := httptest.NewRequest(http.MethodGet, "/api/posts", nil)
request = testutils.WithUserContext(request, middleware.UserIDKey, uint(1))
recorder := httptest.NewRecorder()
handler.GetPosts(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
payload := decodeHandlerResponse(t, recorder)
if !payload["success"].(bool) {
t.Fatalf("expected success response, got %v", payload)
}
}
func TestPostHandlerCreatePostWithTitleFetcher(t *testing.T) {
repo := testutils.NewPostRepositoryStub()
var storedPost *database.Post
repo.CreateFn = func(post *database.Post) error {
storedPost = post
return nil
}
titleFetcher := &testutils.MockTitleFetcher{}
titleFetcher.SetTitle("Fetched Title")
handler := NewPostHandler(repo, titleFetcher, nil)
request := httptest.NewRequest(http.MethodPost, "/api/posts", bytes.NewBufferString(`{"url":"https://example.com","content":"Test content"}`))
request = testutils.WithUserContext(request, middleware.UserIDKey, uint(1))
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
handler.CreatePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusCreated)
if storedPost == nil {
t.Fatal("expected post to be created")
}
if storedPost.Title != "Fetched Title" {
t.Errorf("expected title 'Fetched Title', got %s", storedPost.Title)
}
}
func TestPostHandlerCreatePostTitleFetcherError(t *testing.T) {
repo := testutils.NewPostRepositoryStub()
titleFetcher := &testutils.MockTitleFetcher{}
titleFetcher.SetError(services.ErrUnsupportedScheme)
handler := NewPostHandler(repo, titleFetcher, nil)
request := httptest.NewRequest(http.MethodPost, "/api/posts", bytes.NewBufferString(`{"url":"ftp://example.com"}`))
request = testutils.WithUserContext(request, middleware.UserIDKey, uint(1))
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
handler.CreatePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusBadRequest)
payload := decodeHandlerResponse(t, recorder)
if payload["success"].(bool) {
t.Fatalf("expected error response, got %v", payload)
}
}
func TestPostHandlerSearchPosts(t *testing.T) {
repo := testutils.NewPostRepositoryStub()
repo.SearchFn = func(query string, limit, offset int) ([]database.Post, error) {
return []database.Post{
{ID: 1, Title: "Search Result 1"},
{ID: 2, Title: "Search Result 2"},
}, nil
}
handler := NewPostHandler(repo, nil, nil)
request := httptest.NewRequest(http.MethodGet, "/api/posts/search?q=test", nil)
recorder := httptest.NewRecorder()
handler.SearchPosts(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
payload := decodeHandlerResponse(t, recorder)
if !payload["success"].(bool) {
t.Fatalf("expected success response, got %v", payload)
}
}
func TestPostHandlerFetchTitleFromURL(t *testing.T) {
titleFetcher := &testutils.MockTitleFetcher{}
titleFetcher.SetTitle("Test Title")
handler := NewPostHandler(nil, titleFetcher, nil)
request := httptest.NewRequest(http.MethodGet, "/api/posts/title?url=https://example.com", nil)
recorder := httptest.NewRecorder()
handler.FetchTitleFromURL(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
payload := decodeHandlerResponse(t, recorder)
if !payload["success"].(bool) {
t.Fatalf("expected success response, got %v", payload)
}
}
func TestPostHandlerFetchTitleFromURLNoFetcher(t *testing.T) {
handler := NewPostHandler(nil, nil, nil)
request := httptest.NewRequest(http.MethodGet, "/api/posts/title?url=https://example.com", nil)
recorder := httptest.NewRecorder()
handler.FetchTitleFromURL(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusNotImplemented)
}
func TestPostHandlerUpdatePostUnauthorized(t *testing.T) {
repo := testutils.NewPostRepositoryStub()
repo.GetByIDFn = func(id uint) (*database.Post, error) {
return &database.Post{ID: id, AuthorID: func() *uint { u := uint(2); return &u }()}, nil
}
handler := NewPostHandler(repo, nil, nil)
request := httptest.NewRequest(http.MethodPut, "/api/posts/1", bytes.NewBufferString(`{"title":"Updated Title","content":"Updated content"}`))
request = testutils.WithUserContext(request, middleware.UserIDKey, uint(1))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
handler.UpdatePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusForbidden)
}
func TestPostHandlerDeletePostUnauthorized(t *testing.T) {
repo := testutils.NewPostRepositoryStub()
repo.GetByIDFn = func(id uint) (*database.Post, error) {
return &database.Post{ID: id, AuthorID: func() *uint { u := uint(2); return &u }()}, nil
}
voteRepo := testutils.NewMockVoteRepository()
voteService := services.NewVoteService(voteRepo, repo, nil)
handler := NewPostHandler(repo, nil, voteService)
request := httptest.NewRequest(http.MethodDelete, "/api/posts/1", nil)
request = testutils.WithUserContext(request, middleware.UserIDKey, uint(1))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
recorder := httptest.NewRecorder()
handler.DeletePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusForbidden)
}
func TestPostHandlerGetPosts(t *testing.T) {
var receivedLimit, receivedOffset int
repo := testutils.NewPostRepositoryStub()
repo.GetAllFn = func(limit, offset int) ([]database.Post, error) {
receivedLimit = limit
receivedOffset = offset
return []database.Post{{ID: 1}}, nil
}
handler := NewPostHandler(repo, nil, nil)
request := httptest.NewRequest(http.MethodGet, "/api/posts?limit=5&offset=2", nil)
recorder := httptest.NewRecorder()
handler.GetPosts(recorder, request)
if receivedLimit != 5 || receivedOffset != 2 {
t.Fatalf("expected limit=5 offset=2, got %d %d", receivedLimit, receivedOffset)
}
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
payload := decodeHandlerResponse(t, recorder)
if !payload["success"].(bool) {
t.Fatalf("expected success response, got %v", payload)
}
}
func TestPostHandlerGetPostErrors(t *testing.T) {
repo := testutils.NewPostRepositoryStub()
handler := NewPostHandler(repo, nil, nil)
request := httptest.NewRequest(http.MethodGet, "/api/posts", nil)
recorder := httptest.NewRecorder()
handler.GetPost(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for missing id, got %d", recorder.Result().StatusCode)
}
request = httptest.NewRequest(http.MethodGet, "/api/posts/abc", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "abc"})
recorder = httptest.NewRecorder()
handler.GetPost(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for invalid id, got %d", recorder.Result().StatusCode)
}
repo.GetByIDFn = func(uint) (*database.Post, error) {
return nil, gorm.ErrRecordNotFound
}
request = httptest.NewRequest(http.MethodGet, "/api/posts/1", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
recorder = httptest.NewRecorder()
handler.GetPost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusNotFound)
}
func TestPostHandlerCreatePostSuccess(t *testing.T) {
var storedPost *database.Post
repo := testutils.NewPostRepositoryStub()
repo.CreateFn = func(post *database.Post) error {
storedPost = &database.Post{
Title: post.Title,
URL: post.URL,
Content: post.Content,
AuthorID: post.AuthorID,
}
storedPost.ID = 1
return nil
}
fetcher := &testutils.TitleFetcherStub{FetchTitleFn: func(ctx context.Context, rawURL string) (string, error) {
return "Fetched Title", nil
}}
handler := NewPostHandler(repo, fetcher, nil)
body := bytes.NewBufferString(`{"title":" ","url":"https://example.com","content":"Go"}`)
request := httptest.NewRequest(http.MethodPost, "/api/posts", body)
ctx := context.WithValue(request.Context(), middleware.UserIDKey, uint(42))
request = request.WithContext(ctx)
recorder := httptest.NewRecorder()
handler.CreatePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusCreated)
if storedPost == nil || storedPost.Title != "Fetched Title" || storedPost.AuthorID == nil || *storedPost.AuthorID != 42 {
t.Fatalf("unexpected stored post: %#v", storedPost)
}
}
func TestPostHandlerCreatePostValidation(t *testing.T) {
handler := NewPostHandler(testutils.NewPostRepositoryStub(), &testutils.TitleFetcherStub{}, nil)
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodPost, "/api/posts", bytes.NewBufferString(`{"title":"","url":"","content":""}`))
request = request.WithContext(context.WithValue(request.Context(), middleware.UserIDKey, uint(1)))
handler.CreatePost(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for missing url, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts", bytes.NewBufferString(`invalid json`))
handler.CreatePost(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for invalid JSON, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts", bytes.NewBufferString(`{"title":"ok","url":"https://example.com"}`))
handler.CreatePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusUnauthorized)
}
func TestPostHandlerCreatePostTitleFetcherErrors(t *testing.T) {
tests := []struct {
name string
err error
wantStatus int
wantMsg string
}{
{name: "Unsupported", err: services.ErrUnsupportedScheme, wantStatus: http.StatusBadRequest, wantMsg: "Only HTTP and HTTPS URLs are supported"},
{name: "TitleMissing", err: services.ErrTitleNotFound, wantStatus: http.StatusBadRequest, wantMsg: "Title could not be extracted"},
{name: "Generic", err: errors.New("timeout"), wantStatus: http.StatusBadGateway, wantMsg: "Failed to fetch title"},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
repo := testutils.NewPostRepositoryStub()
fetcher := &testutils.TitleFetcherStub{FetchTitleFn: func(ctx context.Context, rawURL string) (string, error) {
return "", tc.err
}}
handler := NewPostHandler(repo, fetcher, nil)
body := bytes.NewBufferString(`{"title":" ","url":"https://example.com"}`)
request := httptest.NewRequest(http.MethodPost, "/api/posts", body)
request = request.WithContext(context.WithValue(request.Context(), middleware.UserIDKey, uint(1)))
recorder := httptest.NewRecorder()
handler.CreatePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, tc.wantStatus)
if !strings.Contains(recorder.Body.String(), tc.wantMsg) {
t.Fatalf("expected message to contain %q, got %q", tc.wantMsg, recorder.Body.String())
}
})
}
}
func TestPostHandlerFetchTitleFromURLErrors(t *testing.T) {
handler := NewPostHandler(testutils.NewPostRepositoryStub(), nil, nil)
request := httptest.NewRequest(http.MethodGet, "/api/posts/title?url=https://example.com", nil)
recorder := httptest.NewRecorder()
handler.FetchTitleFromURL(recorder, request)
if recorder.Result().StatusCode != http.StatusNotImplemented {
t.Fatalf("expected 501 when fetcher unavailable, got %d", recorder.Result().StatusCode)
}
handler = NewPostHandler(testutils.NewPostRepositoryStub(), &testutils.TitleFetcherStub{}, nil)
request = httptest.NewRequest(http.MethodGet, "/api/posts/title", nil)
recorder = httptest.NewRecorder()
handler.FetchTitleFromURL(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for missing url query, got %d", recorder.Result().StatusCode)
}
handler = NewPostHandler(testutils.NewPostRepositoryStub(), &testutils.TitleFetcherStub{FetchTitleFn: func(ctx context.Context, rawURL string) (string, error) {
return "", errors.New("failed")
}}, nil)
request = httptest.NewRequest(http.MethodGet, "/api/posts/title?url=https://example.com", nil)
recorder = httptest.NewRecorder()
handler.FetchTitleFromURL(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusBadGateway)
}
func TestTranslatePostCreateError(t *testing.T) {
conflictErr := &pgconn.PgError{Code: "23505"}
msg, status := translatePostCreateError(conflictErr)
if status != http.StatusConflict || !strings.Contains(msg, "already been submitted") {
t.Fatalf("unexpected conflict translation: status=%d msg=%q", status, msg)
}
fkErr := &pgconn.PgError{Code: "23503"}
msg, status = translatePostCreateError(fkErr)
if status != http.StatusUnauthorized || !strings.Contains(msg, "Author account not found") {
t.Fatalf("unexpected foreign key translation: status=%d msg=%q", status, msg)
}
msg, status = translatePostCreateError(errors.New("other"))
if status != 0 || msg != "" {
t.Fatalf("expected passthrough for unrelated errors, got status=%d msg=%q", status, msg)
}
}
func TestPostHandlerUpdatePost(t *testing.T) {
tests := []struct {
name string
postID string
requestBody string
userID uint
mockSetup func(*testutils.PostRepositoryStub)
expectedStatus int
expectedError string
}{
{
name: "valid post update",
postID: "1",
requestBody: `{"title": "Updated Title", "content": "Updated content"}`,
userID: 1,
mockSetup: func(repo *testutils.PostRepositoryStub) {
repo.GetByIDFn = func(id uint) (*database.Post, error) {
authorID := uint(1)
return &database.Post{ID: id, Title: "Old Title", AuthorID: &authorID}, nil
}
repo.UpdateFn = func(post *database.Post) error { return nil }
},
expectedStatus: http.StatusOK,
},
{
name: "missing user context",
postID: "1",
requestBody: `{"title": "Updated Title", "content": "Updated content"}`,
userID: 0,
mockSetup: func(repo *testutils.PostRepositoryStub) {},
expectedStatus: http.StatusUnauthorized,
expectedError: "Authentication required",
},
{
name: "post not found",
postID: "999",
requestBody: `{"title": "Updated Title", "content": "Updated content"}`,
userID: 1,
mockSetup: func(repo *testutils.PostRepositoryStub) {
repo.GetByIDFn = func(id uint) (*database.Post, error) {
return nil, gorm.ErrRecordNotFound
}
},
expectedStatus: http.StatusNotFound,
expectedError: "Post not found",
},
{
name: "not author",
postID: "1",
requestBody: `{"title": "Updated Title", "content": "Updated content"}`,
userID: 2,
mockSetup: func(repo *testutils.PostRepositoryStub) {
repo.GetByIDFn = func(id uint) (*database.Post, error) {
authorID := uint(1)
return &database.Post{ID: id, Title: "Old Title", AuthorID: &authorID}, nil
}
},
expectedStatus: http.StatusForbidden,
expectedError: "You can only edit your own posts",
},
{
name: "empty title",
postID: "1",
requestBody: `{"title": "", "content": "Updated content"}`,
userID: 1,
mockSetup: func(repo *testutils.PostRepositoryStub) {
authorID := uint(1)
repo.GetByIDFn = func(id uint) (*database.Post, error) {
return &database.Post{ID: id, Title: "Old Title", AuthorID: &authorID}, nil
}
},
expectedStatus: http.StatusBadRequest,
expectedError: "Title is required",
},
{
name: "short title",
postID: "1",
requestBody: `{"title": "ab", "content": "Updated content"}`,
userID: 1,
mockSetup: func(repo *testutils.PostRepositoryStub) {
authorID := uint(1)
repo.GetByIDFn = func(id uint) (*database.Post, error) {
return &database.Post{ID: id, Title: "Old Title", AuthorID: &authorID}, nil
}
},
expectedStatus: http.StatusBadRequest,
expectedError: "Title must be at least 3 characters",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
repo := testutils.NewPostRepositoryStub()
if tt.mockSetup != nil {
tt.mockSetup(repo)
}
handler := NewPostHandler(repo, &testutils.TitleFetcherStub{}, nil)
request := httptest.NewRequest(http.MethodPut, "/api/posts/"+tt.postID, bytes.NewBufferString(tt.requestBody))
if tt.userID > 0 {
ctx := context.WithValue(request.Context(), middleware.UserIDKey, tt.userID)
request = request.WithContext(ctx)
}
ctx := chi.NewRouteContext()
ctx.URLParams.Add("id", tt.postID)
request = request.WithContext(context.WithValue(request.Context(), chi.RouteCtxKey, ctx))
recorder := httptest.NewRecorder()
handler.UpdatePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, tt.expectedStatus)
if tt.expectedError != "" {
if !strings.Contains(recorder.Body.String(), tt.expectedError) {
t.Fatalf("expected error to contain %q, got %q", tt.expectedError, recorder.Body.String())
}
}
})
}
}
func TestPostHandlerDeletePost(t *testing.T) {
tests := []struct {
name string
postID string
userID uint
mockSetup func(*testutils.PostRepositoryStub)
expectedStatus int
expectedError string
}{
{
name: "valid post deletion",
postID: "1",
userID: 1,
mockSetup: func(repo *testutils.PostRepositoryStub) {
repo.GetByIDFn = func(id uint) (*database.Post, error) {
authorID := uint(1)
return &database.Post{ID: id, Title: "Test Post", AuthorID: &authorID}, nil
}
repo.DeleteFn = func(id uint) error { return nil }
},
expectedStatus: http.StatusOK,
},
{
name: "missing user context",
postID: "1",
userID: 0,
mockSetup: func(repo *testutils.PostRepositoryStub) {},
expectedStatus: http.StatusUnauthorized,
expectedError: "Authentication required",
},
{
name: "post not found",
postID: "999",
userID: 1,
mockSetup: func(repo *testutils.PostRepositoryStub) {
repo.GetByIDFn = func(id uint) (*database.Post, error) {
return nil, gorm.ErrRecordNotFound
}
},
expectedStatus: http.StatusNotFound,
expectedError: "Post not found",
},
{
name: "not author",
postID: "1",
userID: 2,
mockSetup: func(repo *testutils.PostRepositoryStub) {
repo.GetByIDFn = func(id uint) (*database.Post, error) {
authorID := uint(1)
return &database.Post{ID: id, Title: "Test Post", AuthorID: &authorID}, nil
}
},
expectedStatus: http.StatusForbidden,
expectedError: "You can only delete your own posts",
},
{
name: "delete error",
postID: "1",
userID: 1,
mockSetup: func(repo *testutils.PostRepositoryStub) {
repo.GetByIDFn = func(id uint) (*database.Post, error) {
authorID := uint(1)
return &database.Post{ID: id, Title: "Test Post", AuthorID: &authorID}, nil
}
repo.DeleteFn = func(id uint) error { return errors.New("database error") }
},
expectedStatus: http.StatusInternalServerError,
expectedError: "Failed to delete post",
},
{
name: "delete votes error",
postID: "1",
userID: 1,
mockSetup: func(repo *testutils.PostRepositoryStub) {
repo.GetByIDFn = func(id uint) (*database.Post, error) {
authorID := uint(1)
return &database.Post{ID: id, Title: "Test Post", AuthorID: &authorID}, nil
}
},
expectedStatus: http.StatusInternalServerError,
expectedError: "Failed to delete post votes",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
repo := testutils.NewPostRepositoryStub()
if tt.mockSetup != nil {
tt.mockSetup(repo)
}
var voteService *services.VoteService
if tt.name == "delete votes error" {
voteRepo := &errorVoteRepository{}
voteService = services.NewVoteService(voteRepo, repo, nil)
} else {
voteRepo := testutils.NewMockVoteRepository()
voteService = services.NewVoteService(voteRepo, repo, nil)
}
handler := NewPostHandler(repo, &testutils.TitleFetcherStub{}, voteService)
request := httptest.NewRequest(http.MethodDelete, "/api/posts/"+tt.postID, nil)
if tt.userID > 0 {
ctx := context.WithValue(request.Context(), middleware.UserIDKey, tt.userID)
request = request.WithContext(ctx)
}
ctx := chi.NewRouteContext()
ctx.URLParams.Add("id", tt.postID)
request = request.WithContext(context.WithValue(request.Context(), chi.RouteCtxKey, ctx))
recorder := httptest.NewRecorder()
handler.DeletePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, tt.expectedStatus)
if tt.expectedError != "" {
if !strings.Contains(recorder.Body.String(), tt.expectedError) {
t.Fatalf("expected error to contain %q, got %q", tt.expectedError, recorder.Body.String())
}
}
})
}
}
type errorVoteRepository struct{}
func (e *errorVoteRepository) Create(*database.Vote) error { return nil }
func (e *errorVoteRepository) CreateOrUpdate(*database.Vote) error { return nil }
func (e *errorVoteRepository) GetByID(uint) (*database.Vote, error) {
return nil, gorm.ErrRecordNotFound
}
func (e *errorVoteRepository) GetByUserAndPost(uint, uint) (*database.Vote, error) {
return nil, gorm.ErrRecordNotFound
}
func (e *errorVoteRepository) GetByVoteHash(string) (*database.Vote, error) {
return nil, gorm.ErrRecordNotFound
}
func (e *errorVoteRepository) GetByPostID(uint) ([]database.Vote, error) {
return nil, errors.New("database error")
}
func (e *errorVoteRepository) GetByUserID(uint) ([]database.Vote, error) { return nil, nil }
func (e *errorVoteRepository) Update(*database.Vote) error { return nil }
func (e *errorVoteRepository) Delete(uint) error { return nil }
func (e *errorVoteRepository) Count() (int64, error) { return 0, nil }
func (e *errorVoteRepository) CountByPostID(uint) (int64, error) { return 0, nil }
func (e *errorVoteRepository) CountByUserID(uint) (int64, error) { return 0, nil }
func (e *errorVoteRepository) WithTx(*gorm.DB) repositories.VoteRepository { return e }
func TestPostHandler_EdgeCases(t *testing.T) {
postRepo := testutils.NewPostRepositoryStub()
titleFetcher := &testutils.TitleFetcherStub{}
handler := NewPostHandler(postRepo, titleFetcher, nil)
t.Run("GetPosts with zero limit", func(t *testing.T) {
req := httptest.NewRequest("GET", "/api/posts?limit=0", nil)
w := httptest.NewRecorder()
handler.GetPosts(w, req)
if w.Code != http.StatusOK {
t.Errorf("Expected status 200 for zero limit, got %d", w.Code)
}
})
t.Run("GetPosts with negative limit", func(t *testing.T) {
req := httptest.NewRequest("GET", "/api/posts?limit=-1", nil)
w := httptest.NewRecorder()
handler.GetPosts(w, req)
if w.Code != http.StatusOK {
t.Errorf("Expected status 200 for negative limit, got %d", w.Code)
}
})
t.Run("GetPosts with negative offset", func(t *testing.T) {
req := httptest.NewRequest("GET", "/api/posts?offset=-1", nil)
w := httptest.NewRecorder()
handler.GetPosts(w, req)
if w.Code != http.StatusOK {
t.Errorf("Expected status 200 for negative offset, got %d", w.Code)
}
})
}

21
internal/handlers/routes.go Normal file
View File

@@ -0,0 +1,21 @@
package handlers
import (
"net/http"
"goyco/internal/middleware"
"github.com/go-chi/chi/v5"
)
type RouteModule interface {
MountRoutes(r chi.Router, config RouteModuleConfig)
}
type RouteModuleConfig struct {
AuthService middleware.TokenVerifier
GeneralRateLimit func(chi.Router) chi.Router
AuthRateLimit func(chi.Router) chi.Router
CSRFMiddleware func(http.Handler) http.Handler
AuthMiddleware func(http.Handler) http.Handler
}

412
internal/handlers/security_test.go Normal file
View File

@@ -0,0 +1,412 @@
package handlers
import (
"bytes"
"context"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"github.com/go-chi/chi/v5"
"gorm.io/gorm"
"goyco/internal/database"
"goyco/internal/middleware"
"goyco/internal/security"
"goyco/internal/testutils"
"goyco/internal/validation"
)
func TestPostHandler_XSSProtection_Comprehensive(t *testing.T) {
maliciousInputs := testutils.GetMaliciousInputs()
for _, payload := range maliciousInputs.XSSPayloads {
t.Run("XSS_"+payload[:minLen(20, len(payload))], func(t *testing.T) {
repo := &testutils.PostRepositoryStub{
CreateFn: func(post *database.Post) error {
sanitizedTitle := security.SanitizeInput(payload)
if post.Title != sanitizedTitle {
t.Errorf("Expected sanitized title, got %q", post.Title)
}
return nil
},
}
handler := NewPostHandler(repo, nil, nil)
postData := map[string]string{
"title": payload,
"url": "https://example.com",
"content": "Test content",
}
body, _ := json.Marshal(postData)
request := httptest.NewRequest("POST", "/api/posts", bytes.NewBuffer(body))
request.Header.Set("Content-Type", "application/json")
request = request.WithContext(context.WithValue(request.Context(), middleware.UserIDKey, uint(1)))
recorder := httptest.NewRecorder()
handler.CreatePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusCreated)
})
}
}
func minLen(a, b int) int {
if a < b {
return a
}
return b
}
func TestPostHandler_InputValidation(t *testing.T) {
tests := []struct {
name string
title string
content string
url string
expectedStatus int
description string
}{
{
name: "title too long",
title: string(make([]byte, 201)),
content: "Normal content",
url: "https://example.com",
expectedStatus: http.StatusBadRequest,
description: "Title should be limited to 200 characters",
},
{
name: "content too long",
title: "Normal title",
content: string(make([]byte, 10001)),
url: "https://example.com",
expectedStatus: http.StatusBadRequest,
description: "Content should be limited to 10,000 characters",
},
{
name: "invalid URL protocol",
title: "Normal title",
content: "Normal content",
url: "ftp://example.com",
expectedStatus: http.StatusBadRequest,
description: "Only HTTP and HTTPS URLs should be allowed",
},
{
name: "localhost URL blocked",
title: "Normal title",
content: "Normal content",
url: "http://localhost:8080",
expectedStatus: http.StatusBadRequest,
description: "Localhost URLs should be blocked",
},
{
name: "private IP URL blocked",
title: "Normal title",
content: "Normal content",
url: "http://192.168.1.1",
expectedStatus: http.StatusBadRequest,
description: "Private IP URLs should be blocked",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
repo := &testutils.PostRepositoryStub{}
handler := NewPostHandler(repo, nil, nil)
postData := map[string]string{
"title": tt.title,
"url": tt.url,
"content": tt.content,
}
body, _ := json.Marshal(postData)
request := httptest.NewRequest("POST", "/api/posts", bytes.NewBuffer(body))
request.Header.Set("Content-Type", "application/json")
request = request.WithContext(context.WithValue(request.Context(), middleware.UserIDKey, uint(1)))
recorder := httptest.NewRecorder()
handler.CreatePost(recorder, request)
testutils.AssertHTTPStatus(t, recorder, tt.expectedStatus)
})
}
}
func TestAuthHandler_PasswordValidation(t *testing.T) {
tests := []struct {
name string
password string
expectedStatus int
description string
}{
{
name: "weak password",
password: "123",
expectedStatus: http.StatusBadRequest,
description: "Weak passwords should be rejected",
},
{
name: "password without letters",
password: "12345678",
expectedStatus: http.StatusBadRequest,
description: "Passwords without letters should be rejected",
},
{
name: "password without numbers",
password: "password",
expectedStatus: http.StatusBadRequest,
description: "Passwords without numbers should be rejected",
},
{
name: "password without special chars",
password: "Password123",
expectedStatus: http.StatusBadRequest,
description: "Passwords without special characters should be rejected",
},
{
name: "password too short",
password: "Pass1!",
expectedStatus: http.StatusBadRequest,
description: "Passwords shorter than 8 characters should be rejected",
},
{
name: "password too long",
password: string(make([]byte, 129)),
expectedStatus: http.StatusBadRequest,
description: "Passwords that are too long should be rejected",
},
{
name: "empty password",
password: "",
expectedStatus: http.StatusBadRequest,
description: "Empty passwords should be rejected",
},
{
name: "valid password",
password: "Password123!",
expectedStatus: http.StatusCreated,
description: "Valid passwords should be accepted",
},
{
name: "valid password with underscore",
password: "Password123_",
expectedStatus: http.StatusCreated,
description: "Valid passwords with underscore should be accepted",
},
{
name: "valid password with hyphen",
password: "Password123-",
expectedStatus: http.StatusCreated,
description: "Valid passwords with hyphen should be accepted",
},
{
name: "valid password with unicode",
password: "Pássw0rd123!",
expectedStatus: http.StatusCreated,
description: "Valid passwords with unicode should be accepted",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
repo := &testutils.UserRepositoryStub{
GetByUsernameFn: func(string) (*database.User, error) {
return nil, gorm.ErrRecordNotFound
},
CreateFn: func(user *database.User) error {
return nil
},
}
handler := newAuthHandler(repo)
registerData := map[string]string{
"username": "testuser",
"email": "test@example.com",
"password": tt.password,
}
body, _ := json.Marshal(registerData)
request := httptest.NewRequest("POST", "/api/auth/register", bytes.NewBuffer(body))
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
handler.Register(recorder, request)
testutils.AssertHTTPStatus(t, recorder, tt.expectedStatus)
})
}
}
func TestAuthHandler_UsernameSanitization(t *testing.T) {
tests := []struct {
name string
username string
expectedStatus int
description string
}{
{
name: "username with special chars",
username: "test@user#123",
expectedStatus: http.StatusCreated,
description: "Special characters should be removed from username",
},
{
name: "username with script tags",
username: "test<script>alert('xss')</script>user",
expectedStatus: http.StatusCreated,
description: "Script tags should be removed from username",
},
{
name: "username starting with special char",
username: "@testuser",
expectedStatus: http.StatusCreated,
description: "Username starting with special char should be prefixed",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
var capturedUsername string
repo := &testutils.UserRepositoryStub{
GetByUsernameFn: func(username string) (*database.User, error) {
capturedUsername = username
return nil, gorm.ErrRecordNotFound
},
CreateFn: func(user *database.User) error {
return nil
},
}
handler := newAuthHandler(repo)
registerData := map[string]string{
"username": tt.username,
"email": "test@example.com",
"password": "Password123!",
}
body, _ := json.Marshal(registerData)
request := httptest.NewRequest("POST", "/api/auth/register", bytes.NewBuffer(body))
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
handler.Register(recorder, request)
testutils.AssertHTTPStatus(t, recorder, tt.expectedStatus)
expectedUsername := security.SanitizeUsername(tt.username)
if capturedUsername != expectedUsername {
t.Errorf("Expected sanitized username %q, got %q", expectedUsername, capturedUsername)
}
})
}
}
func TestPostHandler_AuthorizationBypass(t *testing.T) {
repo := &testutils.PostRepositoryStub{
GetByIDFn: func(id uint) (*database.Post, error) {
authorID := uint(2)
return &database.Post{ID: id, Title: "Test Post", AuthorID: &authorID}, nil
},
}
handler := NewPostHandler(repo, nil, nil)
updateData := map[string]string{
"title": "Updated Title",
"content": "Updated content",
}
body, _ := json.Marshal(updateData)
request := httptest.NewRequest("PUT", "/api/posts/1", bytes.NewBuffer(body))
request.Header.Set("Content-Type", "application/json")
request = request.WithContext(context.WithValue(request.Context(), middleware.UserIDKey, uint(1)))
routeCtx := chi.NewRouteContext()
routeCtx.URLParams.Add("id", "1")
request = request.WithContext(context.WithValue(request.Context(), chi.RouteCtxKey, routeCtx))
recorder := httptest.NewRecorder()
handler.UpdatePost(recorder, request)
if recorder.Result().StatusCode != http.StatusForbidden {
t.Errorf("Expected status 403, got %d. Users should not be able to edit other users' posts", recorder.Result().StatusCode)
}
}
func TestPageHandler_PasswordResetValidation(t *testing.T) {
tests := []struct {
name string
password string
expectedError bool
description string
}{
{
name: "valid password",
password: "Password123!",
expectedError: false,
description: "Valid passwords should pass validation",
},
{
name: "password without special chars",
password: "Password123",
expectedError: true,
description: "Passwords without special characters should be rejected",
},
{
name: "password too short",
password: "Pass1!",
expectedError: true,
description: "Passwords shorter than 8 characters should be rejected",
},
{
name: "password without letters",
password: "12345678!",
expectedError: true,
description: "Passwords without letters should be rejected",
},
{
name: "password without numbers",
password: "Password!",
expectedError: true,
description: "Passwords without numbers should be rejected",
},
{
name: "empty password",
password: "",
expectedError: true,
description: "Empty passwords should be rejected",
},
{
name: "password too long",
password: string(make([]byte, 129)),
expectedError: true,
description: "Passwords longer than 128 characters should be rejected",
},
{
name: "valid password with unicode",
password: "Pássw0rd123!",
expectedError: false,
description: "Valid passwords with unicode should pass validation",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := validation.ValidatePassword(tt.password)
if tt.expectedError && err == nil {
t.Errorf("ValidatePassword(%q) expected error, got nil. %s", tt.password, tt.description)
}
if !tt.expectedError && err != nil {
t.Errorf("ValidatePassword(%q) unexpected error: %v. %s", tt.password, err, tt.description)
}
})
}
}

195
internal/handlers/user_handler.go Normal file
View File

@@ -0,0 +1,195 @@
package handlers
import (
"errors"
"net/http"
"goyco/internal/dto"
"goyco/internal/repositories"
"goyco/internal/validation"
"github.com/go-chi/chi/v5"
)
type UserHandler struct {
userRepo repositories.UserRepository
authService AuthServiceInterface
}
func NewUserHandler(userRepo repositories.UserRepository, authService AuthServiceInterface) *UserHandler {
return &UserHandler{
userRepo: userRepo,
authService: authService,
}
}
type UserResponse = CommonResponse
// @Summary List users
// @Description Retrieve a paginated list of users
// @Tags users
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param limit query int false "Number of users to return" default(20)
// @Param offset query int false "Number of users to skip" default(0)
// @Success 200 {object} UserResponse "Users retrieved successfully"
// @Failure 401 {object} UserResponse "Authentication required"
// @Failure 500 {object} UserResponse "Internal server error"
// @Router /users [get]
func (h *UserHandler) GetUsers(w http.ResponseWriter, r *http.Request) {
limit, offset := parsePagination(r)
users, err := h.userRepo.GetAll(limit, offset)
if err != nil {
SendErrorResponse(w, "Failed to fetch users", http.StatusInternalServerError)
return
}
userDTOs := dto.ToSanitizedUserDTOs(users)
SendSuccessResponse(w, "Users retrieved successfully", map[string]any{
"users": userDTOs,
"count": len(userDTOs),
"limit": limit,
"offset": offset,
})
}
// @Summary Get user
// @Description Retrieve a specific user by ID
// @Tags users
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param id path int true "User ID"
// @Success 200 {object} UserResponse "User retrieved successfully"
// @Failure 400 {object} UserResponse "Invalid user ID"
// @Failure 401 {object} UserResponse "Authentication required"
// @Failure 404 {object} UserResponse "User not found"
// @Failure 500 {object} UserResponse "Internal server error"
// @Router /users/{id} [get]
func (h *UserHandler) GetUser(w http.ResponseWriter, r *http.Request) {
userID, ok := ParseUintParam(w, r, "id", "User")
if !ok {
return
}
user, err := h.userRepo.GetByID(userID)
if !HandleRepoError(w, err, "User") {
return
}
userDTO := dto.ToSanitizedUserDTO(user)
SendSuccessResponse(w, "User retrieved successfully", userDTO)
}
// @Summary Create user
// @Description Create a new user account
// @Tags users
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param request body RegisterRequest true "User data"
// @Success 201 {object} UserResponse "User created successfully"
// @Failure 400 {object} UserResponse "Invalid request data or validation failed"
// @Failure 401 {object} UserResponse "Authentication required"
// @Failure 409 {object} UserResponse "Username or email already exists"
// @Failure 500 {object} UserResponse "Internal server error"
// @Router /users [post]
func (h *UserHandler) CreateUser(w http.ResponseWriter, r *http.Request) {
var req struct {
Username string `json:"username"`
Email string `json:"email"`
Password string `json:"password"`
}
if !DecodeJSONRequest(w, r, &req) {
return
}
if err := validation.ValidateUsername(req.Username); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
if err := validation.ValidateEmail(req.Email); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
if err := validation.ValidatePassword(req.Password); err != nil {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
result, err := h.authService.Register(req.Username, req.Email, req.Password)
if err != nil {
var validationErr *validation.ValidationError
if errors.As(err, &validationErr) {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
if !HandleServiceError(w, err, "Failed to create user", http.StatusInternalServerError) {
return
}
}
SendCreatedResponse(w, "User created successfully. Verification email sent.", map[string]any{
"user": result.User,
"verification_sent": result.VerificationSent,
})
}
// @Summary Get user posts
// @Description Retrieve posts created by a specific user
// @Tags users
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param id path int true "User ID"
// @Param limit query int false "Number of posts to return" default(20)
// @Param offset query int false "Number of posts to skip" default(0)
// @Success 200 {object} UserResponse "User posts retrieved successfully"
// @Failure 400 {object} UserResponse "Invalid user ID or pagination parameters"
// @Failure 401 {object} UserResponse "Authentication required"
// @Failure 500 {object} UserResponse "Internal server error"
// @Router /users/{id}/posts [get]
func (h *UserHandler) GetUserPosts(w http.ResponseWriter, r *http.Request) {
userID, ok := ParseUintParam(w, r, "id", "User")
if !ok {
return
}
limit, offset := parsePagination(r)
posts, err := h.userRepo.GetPosts(userID, limit, offset)
if err != nil {
SendErrorResponse(w, "Failed to fetch user posts", http.StatusInternalServerError)
return
}
postDTOs := dto.ToPostDTOs(posts)
SendSuccessResponse(w, "User posts retrieved successfully", map[string]any{
"posts": postDTOs,
"count": len(postDTOs),
"limit": limit,
"offset": offset,
})
}
func (h *UserHandler) MountRoutes(r chi.Router, config RouteModuleConfig) {
protected := r
if config.AuthMiddleware != nil {
protected = r.With(config.AuthMiddleware)
}
if config.GeneralRateLimit != nil {
protected = config.GeneralRateLimit(protected)
}
protected.Get("/users", h.GetUsers)
protected.Post("/users", h.CreateUser)
protected.Get("/users/{id}", h.GetUser)
protected.Get("/users/{id}/posts", h.GetUserPosts)
}

362
internal/handlers/user_handler_test.go Normal file
View File

@@ -0,0 +1,362 @@
package handlers
import (
"bytes"
"encoding/json"
"fmt"
"net/http"
"net/http/httptest"
"testing"
"time"
"gorm.io/gorm"
"goyco/internal/config"
"goyco/internal/database"
"goyco/internal/repositories"
"goyco/internal/services"
"goyco/internal/testutils"
)
func newUserHandler(repo repositories.UserRepository) *UserHandler {
return newUserHandlerWithSender(repo, &testutils.EmailSenderStub{})
}
func newUserHandlerWithSender(repo repositories.UserRepository, sender services.EmailSender) *UserHandler {
cfg := &config.Config{
JWT: config.JWTConfig{Secret: "secret", Expiration: 1},
App: config.AppConfig{BaseURL: "https://test.example.com"},
}
mockRefreshRepo := &mockRefreshTokenRepository{}
authService, err := services.NewAuthFacadeForTest(cfg, repo, nil, nil, mockRefreshRepo, sender)
if err != nil {
panic(fmt.Sprintf("Failed to create auth service: %v", err))
}
return NewUserHandler(repo, authService)
}
func TestUserHandlerGetUsers(t *testing.T) {
var limit, offset int
repo := testutils.NewUserRepositoryStub()
repo.GetAllFn = func(l, o int) ([]database.User, error) {
limit, offset = l, o
return []database.User{{ID: 1}}, nil
}
handler := newUserHandler(repo)
request := httptest.NewRequest(http.MethodGet, "/api/users?limit=5&offset=2", nil)
recorder := httptest.NewRecorder()
handler.GetUsers(recorder, request)
if limit != 5 || offset != 2 {
t.Fatalf("expected limit=5 offset=2, got %d %d", limit, offset)
}
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
}
func TestUserHandlerGetUser(t *testing.T) {
repo := testutils.NewUserRepositoryStub()
handler := newUserHandler(repo)
request := httptest.NewRequest(http.MethodGet, "/api/users/1", nil)
recorder := httptest.NewRecorder()
handler.GetUser(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusBadRequest)
request = httptest.NewRequest(http.MethodGet, "/api/users/abc", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "abc"})
recorder = httptest.NewRecorder()
handler.GetUser(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusBadRequest)
repo.GetByIDFn = func(uint) (*database.User, error) { return nil, gorm.ErrRecordNotFound }
request = httptest.NewRequest(http.MethodGet, "/api/users/1", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
recorder = httptest.NewRecorder()
handler.GetUser(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusNotFound)
repo.GetByIDFn = func(id uint) (*database.User, error) {
return &database.User{ID: id, Username: "user"}, nil
}
request = httptest.NewRequest(http.MethodGet, "/api/users/1", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
recorder = httptest.NewRecorder()
handler.GetUser(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
}
func TestUserHandlerCreateUser(t *testing.T) {
repo := testutils.NewUserRepositoryStub()
repo.CreateFn = func(u *database.User) error {
u.ID = 10
return nil
}
sent := false
handler := newUserHandlerWithSender(repo, &testutils.EmailSenderStub{SendFn: func(to, subject, body string) error {
sent = true
if to != "user@example.com" {
t.Fatalf("expected email to user@example.com, got %q", to)
}
return nil
}})
request := httptest.NewRequest(http.MethodPost, "/api/users", bytes.NewBufferString(`{"username":"user","email":"user@example.com","password":"Password123!"}`))
recorder := httptest.NewRecorder()
handler.CreateUser(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusCreated)
var resp UserResponse
_ = json.NewDecoder(recorder.Body).Decode(&resp)
data := resp.Data.(map[string]any)
if !resp.Success {
t.Fatalf("expected success response")
}
if v, ok := data["verification_sent"].(bool); !ok || !v {
t.Fatalf("expected verification_sent true, got %+v", data["verification_sent"])
}
userData := data["user"].(map[string]any)
if _, ok := userData["password"]; ok {
t.Fatalf("expected password field to be omitted, got %+v", userData)
}
if !sent {
t.Fatalf("expected verification email to be sent")
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/users", bytes.NewBufferString("invalid"))
handler.CreateUser(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for invalid json, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/users", bytes.NewBufferString(`{"username":"","email":"","password":""}`))
handler.CreateUser(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for missing fields, got %d", recorder.Result().StatusCode)
}
repo.GetByUsernameFn = func(string) (*database.User, error) {
return &database.User{ID: 1}, nil
}
handler = newUserHandler(repo)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/users", bytes.NewBufferString(`{"username":"user","email":"user@example.com","password":"Password123!"}`))
handler.CreateUser(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusConflict)
}
func TestUserHandlerGetUserPosts(t *testing.T) {
repo := testutils.NewUserRepositoryStub()
repo.GetPostsFn = func(userID uint, limit, offset int) ([]database.Post, error) {
return []database.Post{{ID: 1, AuthorID: &userID}}, nil
}
handler := newUserHandler(repo)
request := httptest.NewRequest(http.MethodGet, "/api/users/1/posts?limit=2&offset=1", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
recorder := httptest.NewRecorder()
handler.GetUserPosts(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
repo.GetPostsFn = func(uint, int, int) ([]database.Post, error) {
return nil, gorm.ErrInvalidValue
}
recorder = httptest.NewRecorder()
handler.GetUserPosts(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusInternalServerError)
}
func TestUserHandlerDataSanitization(t *testing.T) {
repo := testutils.NewUserRepositoryStub()
repo.GetAllFn = func(l, o int) ([]database.User, error) {
users := []database.User{
{
ID: 1,
Username: "user1",
Email: "user1@example.com",
Password: "hashedpassword",
EmailVerified: true,
EmailVerifiedAt: &[]time.Time{time.Now()}[0],
EmailVerificationToken: "secret-token",
PasswordResetToken: "reset-token",
Locked: false,
CreatedAt: time.Now(),
UpdatedAt: time.Now(),
},
{
ID: 2,
Username: "user2",
Email: "user2@example.com",
Password: "another-hashed-password",
EmailVerified: false,
EmailVerificationToken: "another-secret-token",
Locked: true,
CreatedAt: time.Now(),
UpdatedAt: time.Now(),
},
}
return users, nil
}
handler := newUserHandler(repo)
request := httptest.NewRequest(http.MethodGet, "/api/users", nil)
recorder := httptest.NewRecorder()
handler.GetUsers(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
var response map[string]any
if err := json.NewDecoder(recorder.Body).Decode(&response); err != nil {
t.Fatalf("failed to decode response: %v", err)
}
data, ok := response["data"].(map[string]any)
if !ok {
t.Fatalf("expected data field in response")
}
users, ok := data["users"].([]any)
if !ok {
t.Fatalf("expected users field in data")
}
if len(users) != 2 {
t.Fatalf("expected 2 users, got %d", len(users))
}
for i, userInterface := range users {
user, ok := userInterface.(map[string]any)
if !ok {
t.Fatalf("expected user %d to be a map", i)
}
expectedFields := []string{"id", "username", "created_at", "updated_at"}
for _, field := range expectedFields {
if _, exists := user[field]; !exists {
t.Errorf("expected field %s to be present in user %d", field, i)
}
}
sensitiveFields := []string{"email", "password", "email_verified", "email_verified_at",
"email_verification_token", "password_reset_token", "locked", "deleted_at"}
for _, field := range sensitiveFields {
if _, exists := user[field]; exists {
t.Errorf("sensitive field %s should not be present in user %d", field, i)
}
}
}
}
func TestUserHandler_PasswordValidation(t *testing.T) {
tests := []struct {
name string
password string
expectedStatus int
description string
}{
{
name: "valid password",
password: "Password123!",
expectedStatus: http.StatusCreated,
description: "Valid passwords should be accepted",
},
{
name: "password without special chars",
password: "Password123",
expectedStatus: http.StatusBadRequest,
description: "Passwords without special characters should be rejected",
},
{
name: "password too short",
password: "Pass1!",
expectedStatus: http.StatusBadRequest,
description: "Passwords shorter than 8 characters should be rejected",
},
{
name: "password without letters",
password: "12345678!",
expectedStatus: http.StatusBadRequest,
description: "Passwords without letters should be rejected",
},
{
name: "password without numbers",
password: "Password!",
expectedStatus: http.StatusBadRequest,
description: "Passwords without numbers should be rejected",
},
{
name: "empty password",
password: "",
expectedStatus: http.StatusBadRequest,
description: "Empty passwords should be rejected",
},
{
name: "password too long",
password: string(make([]byte, 129)),
expectedStatus: http.StatusBadRequest,
description: "Passwords longer than 128 characters should be rejected",
},
{
name: "valid password with unicode",
password: "Pássw0rd123!",
expectedStatus: http.StatusCreated,
description: "Valid passwords with unicode should be accepted",
},
{
name: "valid password with underscore",
password: "Password123_",
expectedStatus: http.StatusCreated,
description: "Valid passwords with underscore should be accepted",
},
{
name: "valid password with hyphen",
password: "Password123-",
expectedStatus: http.StatusCreated,
description: "Valid passwords with hyphen should be accepted",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
repo := testutils.NewUserRepositoryStub()
repo.CreateFn = func(user *database.User) error {
return nil
}
repo.GetByUsernameFn = func(username string) (*database.User, error) {
return nil, gorm.ErrRecordNotFound
}
repo.GetByEmailFn = func(email string) (*database.User, error) {
return nil, gorm.ErrRecordNotFound
}
cfg := &config.Config{
JWT: config.JWTConfig{Secret: "secret", Expiration: 1},
App: config.AppConfig{BaseURL: "https://test.example.com"},
}
emailSender := &testutils.MockEmailSender{}
mockRefreshRepo := &mockRefreshTokenRepository{}
authService, err := services.NewAuthFacadeForTest(cfg, repo, nil, nil, mockRefreshRepo, emailSender)
if err != nil {
t.Fatalf("Failed to create auth service: %v", err)
}
handler := NewUserHandler(repo, authService)
requestBody := fmt.Sprintf(`{"username":"testuser","email":"test@example.com","password":"%s"}`, tt.password)
request := httptest.NewRequest(http.MethodPost, "/api/users", bytes.NewBufferString(requestBody))
request.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
handler.CreateUser(recorder, request)
testutils.AssertHTTPStatus(t, recorder, tt.expectedStatus)
})
}
}

293
internal/handlers/vote_handler.go Normal file
View File

@@ -0,0 +1,293 @@
package handlers
import (
"net/http"
"goyco/internal/database"
"goyco/internal/services"
"github.com/go-chi/chi/v5"
)
// @securityDefinitions.apikey BearerAuth
// @in header
// @name Authorization
// @description Type "Bearer" followed by a space and JWT token.
// @tag.name votes
// @tag.description Voting system endpoints. All votes are handled through the same API with identical behavior.
// @tag.name posts
// @tag.description Post management endpoints with integrated vote statistics.
// @tag.name auth
// @tag.description Authentication and user management endpoints.
// @tag.name users
// @tag.description User management endpoints.
// @tag.name api
// @tag.description API information and system metrics.
type VoteHandler struct {
voteService *services.VoteService
}
func NewVoteHandler(voteService *services.VoteService) *VoteHandler {
return &VoteHandler{
voteService: voteService,
}
}
// @Description Vote request with type field. All votes are handled the same way.
type VoteRequest struct {
Type string `json:"type" example:"up" enums:"up,down,none" description:"Vote type: 'up' for upvote, 'down' for downvote, 'none' to remove vote"`
}
type VoteResponse = CommonResponse
// @Summary Cast a vote on a post
// @Description Vote on a post (upvote, downvote, or remove vote). Authentication is required; the vote is performed on behalf of the current user.
// @Description
// @Description **Vote Types:**
// @Description - `up`: Upvote the post
// @Description - `down`: Downvote the post
// @Description - `none`: Remove existing vote
// @Description
// @Description **Response includes:**
// @Description - Updated post vote counts (up_votes, down_votes, score)
// @Description - Success message
// @Tags votes
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param id path int true "Post ID"
// @Param request body VoteRequest true "Vote data (type: 'up', 'down', or 'none' to remove)"
// @Success 200 {object} VoteResponse "Vote cast successfully with updated post statistics"
// @Failure 401 {object} VoteResponse "Authentication required"
// @Failure 400 {object} VoteResponse "Invalid request data or vote type"
// @Failure 404 {object} VoteResponse "Post not found"
// @Failure 500 {object} VoteResponse "Internal server error"
// @Example 200 {"success": true, "message": "Vote cast successfully", "data": {"post_id": 1, "type": "up", "up_votes": 5, "down_votes": 2, "score": 3, "is_anonymous": false}}
// @Example 400 {"success": false, "error": "Invalid vote type. Must be 'up', 'down', or 'none'"}
// @Router /posts/{id}/vote [post]
func (h *VoteHandler) CastVote(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
postID, ok := ParseUintParam(w, r, "id", "Post")
if !ok {
return
}
var req VoteRequest
if !DecodeJSONRequest(w, r, &req) {
return
}
var voteType database.VoteType
switch req.Type {
case "up":
voteType = database.VoteUp
case "down":
voteType = database.VoteDown
case "none":
voteType = database.VoteNone
default:
SendErrorResponse(w, "Invalid vote type. Must be 'up', 'down', or 'none'", http.StatusBadRequest)
return
}
ipAddress := GetClientIP(r)
userAgent := r.UserAgent()
serviceReq := services.VoteRequest{
UserID: userID,
PostID: postID,
Type: voteType,
IPAddress: ipAddress,
UserAgent: userAgent,
}
response, err := h.voteService.CastVote(serviceReq)
if err != nil {
if err.Error() == "post not found" {
SendErrorResponse(w, err.Error(), http.StatusNotFound)
return
}
if err.Error() == "post ID is required" || err.Error() == "invalid vote type" {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
SendErrorResponse(w, "Internal server error", http.StatusInternalServerError)
return
}
SendSuccessResponse(w, "Vote cast successfully", response)
}
// @Summary Remove a vote
// @Description Remove a vote from a post for the authenticated user. This is equivalent to casting a vote with type 'none'.
// @Tags votes
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param id path int true "Post ID"
// @Success 200 {object} VoteResponse "Vote removed successfully with updated post statistics"
// @Failure 401 {object} VoteResponse "Authentication required"
// @Failure 400 {object} VoteResponse "Invalid post ID"
// @Failure 404 {object} VoteResponse "Post not found"
// @Failure 500 {object} VoteResponse "Internal server error"
// @Router /posts/{id}/vote [delete]
func (h *VoteHandler) RemoveVote(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
postID, ok := ParseUintParam(w, r, "id", "Post")
if !ok {
return
}
ipAddress := GetClientIP(r)
userAgent := r.UserAgent()
serviceReq := services.VoteRequest{
UserID: userID,
PostID: postID,
Type: database.VoteNone,
IPAddress: ipAddress,
UserAgent: userAgent,
}
response, err := h.voteService.CastVote(serviceReq)
if err != nil {
if err.Error() == "post not found" {
SendErrorResponse(w, err.Error(), http.StatusNotFound)
return
}
if err.Error() == "post ID is required" {
SendErrorResponse(w, err.Error(), http.StatusBadRequest)
return
}
SendErrorResponse(w, "Internal server error", http.StatusInternalServerError)
return
}
SendSuccessResponse(w, "Vote removed successfully", response)
}
// @Summary Get current user's vote
// @Description Retrieve the current user's vote for a specific post. Requires authentication and returns the vote type if it exists.
// @Description
// @Description **Response:**
// @Description - If vote exists: Returns vote details with contextual metadata (including `is_anonymous`)
// @Description - If no vote: Returns success with null vote data and metadata
// @Tags votes
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param id path int true "Post ID"
// @Success 200 {object} VoteResponse "Vote retrieved successfully"
// @Success 200 {object} VoteResponse "No vote found for this user/post combination"
// @Failure 401 {object} VoteResponse "Authentication required"
// @Failure 400 {object} VoteResponse "Invalid post ID"
// @Failure 500 {object} VoteResponse "Internal server error"
// @Example 200 {"success": true, "message": "Vote retrieved successfully", "data": {"has_vote": true, "vote": {"type": "up", "user_id": 123}, "is_anonymous": false}}
// @Example 200 {"success": true, "message": "No vote found", "data": {"has_vote": false, "vote": null, "is_anonymous": false}}
// @Router /posts/{id}/vote [get]
func (h *VoteHandler) GetUserVote(w http.ResponseWriter, r *http.Request) {
userID, ok := RequireAuth(w, r)
if !ok {
return
}
postID, ok := ParseUintParam(w, r, "id", "Post")
if !ok {
return
}
ipAddress := GetClientIP(r)
userAgent := r.UserAgent()
vote, err := h.voteService.GetUserVote(userID, postID, ipAddress, userAgent)
if err != nil {
if err.Error() == "record not found" {
SendSuccessResponse(w, "No vote found", map[string]any{
"has_vote": false,
"vote": nil,
"is_anonymous": false,
})
return
}
SendErrorResponse(w, "Internal server error", http.StatusInternalServerError)
return
}
SendSuccessResponse(w, "Vote retrieved successfully", map[string]any{
"has_vote": true,
"vote": vote,
"is_anonymous": false,
})
}
// @Summary Get post votes
// @Description Retrieve all votes for a specific post. Returns all votes in a single format.
// @Description
// @Description **Authentication Required:** Yes (Bearer token)
// @Description
// @Description **Response includes:**
// @Description - Array of all votes
// @Description - Total vote count
// @Description - Each vote includes type and unauthenticated status
// @Tags votes
// @Accept json
// @Produce json
// @Security BearerAuth
// @Param id path int true "Post ID"
// @Success 200 {object} VoteResponse "Votes retrieved successfully with count"
// @Failure 400 {object} VoteResponse "Invalid post ID"
// @Failure 401 {object} VoteResponse "Authentication required"
// @Failure 500 {object} VoteResponse "Internal server error"
// @Example 200 {"success": true, "message": "Votes retrieved successfully", "data": {"votes": [{"type": "up", "user_id": 123}, {"type": "down", "vote_hash": "abc123"}], "count": 2}}
// @Router /posts/{id}/votes [get]
func (h *VoteHandler) GetPostVotes(w http.ResponseWriter, r *http.Request) {
postID, ok := ParseUintParam(w, r, "id", "Post")
if !ok {
return
}
votes, err := h.voteService.GetPostVotes(postID)
if err != nil {
SendErrorResponse(w, "Internal server error", http.StatusInternalServerError)
return
}
allVotes := make([]any, 0, len(votes))
for _, vote := range votes {
allVotes = append(allVotes, vote)
}
SendSuccessResponse(w, "Votes retrieved successfully", map[string]any{
"votes": allVotes,
"count": len(allVotes),
})
}
func (h *VoteHandler) MountRoutes(r chi.Router, config RouteModuleConfig) {
protected := r
if config.AuthMiddleware != nil {
protected = r.With(config.AuthMiddleware)
}
if config.GeneralRateLimit != nil {
protected = config.GeneralRateLimit(protected)
}
protected.Post("/posts/{id}/vote", h.CastVote)
protected.Delete("/posts/{id}/vote", h.RemoveVote)
protected.Get("/posts/{id}/vote", h.GetUserVote)
protected.Get("/posts/{id}/votes", h.GetPostVotes)
}

482
internal/handlers/vote_handler_test.go Normal file
View File

@@ -0,0 +1,482 @@
package handlers
import (
"bytes"
"context"
"encoding/json"
"fmt"
"net/http"
"net/http/httptest"
"testing"
"gorm.io/gorm"
"goyco/internal/database"
"goyco/internal/middleware"
"goyco/internal/services"
"goyco/internal/testutils"
)
func newVoteHandlerWithRepos() *VoteHandler {
handler, _, _ := newVoteHandlerWithReposRefs()
return handler
}
func newVoteHandlerWithReposRefs() (*VoteHandler, *testutils.MockVoteRepository, map[uint]*database.Post) {
voteRepo := testutils.NewMockVoteRepository()
posts := map[uint]*database.Post{
1: {ID: 1},
}
postRepo := testutils.NewPostRepositoryStub()
postRepo.GetByIDFn = func(id uint) (*database.Post, error) {
if post, ok := posts[id]; ok {
copy := *post
return &copy, nil
}
return nil, gorm.ErrRecordNotFound
}
postRepo.UpdateFn = func(post *database.Post) error {
copy := *post
posts[post.ID] = &copy
return nil
}
postRepo.DeleteFn = func(id uint) error {
if _, ok := posts[id]; !ok {
return gorm.ErrRecordNotFound
}
delete(posts, id)
return nil
}
postRepo.CreateFn = func(post *database.Post) error {
copy := *post
posts[post.ID] = &copy
return nil
}
service := services.NewVoteService(voteRepo, postRepo, nil)
return NewVoteHandler(service), voteRepo, posts
}
func TestVoteHandlerCastVote(t *testing.T) {
handler := newVoteHandlerWithRepos()
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
handler.CastVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusUnauthorized)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/abc/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "abc"})
ctx := context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusBadRequest)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`invalid`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for invalid json, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"maybe"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for invalid vote type, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"down"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(2))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for successful down vote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"none"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(3))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for successful none vote, got %d", recorder.Result().StatusCode)
}
}
func TestVoteHandlerCastVotePostNotFound(t *testing.T) {
handler, _, posts := newVoteHandlerWithReposRefs()
delete(posts, 1)
request := httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx := context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
recorder := httptest.NewRecorder()
handler.CastVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusNotFound)
}
func TestVoteHandlerRemoveVote(t *testing.T) {
handler := newVoteHandlerWithRepos()
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodDelete, "/api/posts/1/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
handler.RemoveVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusUnauthorized)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodDelete, "/api/posts/abc/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "abc"})
ctx := context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.RemoveVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusBadRequest)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodDelete, "/api/posts/1/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.RemoveVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for removing non-existent vote (idempotent), got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for creating vote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodDelete, "/api/posts/1/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.RemoveVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 when removing vote, got %d", recorder.Result().StatusCode)
}
}
func TestVoteHandlerRemoveVotePostNotFound(t *testing.T) {
handler, _, posts := newVoteHandlerWithReposRefs()
delete(posts, 1)
request := httptest.NewRequest(http.MethodDelete, "/api/posts/1/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx := context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
recorder := httptest.NewRecorder()
handler.RemoveVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusNotFound)
}
func TestVoteHandlerRemoveVoteUnexpectedError(t *testing.T) {
handler, voteRepo, _ := newVoteHandlerWithReposRefs()
request := httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx := context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
recorder := httptest.NewRecorder()
handler.CastVote(recorder, request)
voteRepo.DeleteErr = fmt.Errorf("database unavailable")
request = httptest.NewRequest(http.MethodDelete, "/api/posts/1/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
recorder = httptest.NewRecorder()
handler.RemoveVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusInternalServerError)
}
func TestVoteHandlerGetUserVote(t *testing.T) {
handler := newVoteHandlerWithRepos()
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodGet, "/api/posts/1/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
handler.GetUserVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusUnauthorized)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodGet, "/api/posts/abc/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "abc"})
ctx := context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.GetUserVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusBadRequest)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodGet, "/api/posts/1/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.GetUserVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 when vote missing, got %d", recorder.Result().StatusCode)
}
var resp VoteResponse
_ = json.NewDecoder(recorder.Body).Decode(&resp)
data := resp.Data.(map[string]any)
if data["has_vote"].(bool) {
t.Fatalf("expected has_vote false, got true")
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for creating vote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodGet, "/api/posts/1/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.GetUserVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 when vote exists, got %d", recorder.Result().StatusCode)
}
_ = json.NewDecoder(recorder.Body).Decode(&resp)
data = resp.Data.(map[string]any)
if !data["has_vote"].(bool) {
t.Fatalf("expected has_vote true, got false")
}
}
func TestVoteHandlerGetPostVotes(t *testing.T) {
handler := newVoteHandlerWithRepos()
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodGet, "/api/posts/abc/votes", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "abc"})
handler.GetPostVotes(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusBadRequest)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodGet, "/api/posts/1/votes", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
handler.GetPostVotes(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for empty votes, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx := context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for creating vote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"down"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(2))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for creating vote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodGet, "/api/posts/1/votes", nil)
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
handler.GetPostVotes(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200, got %d", recorder.Result().StatusCode)
}
var resp VoteResponse
_ = json.NewDecoder(recorder.Body).Decode(&resp)
data := resp.Data.(map[string]any)
votes := data["votes"].([]any)
if len(votes) != 2 {
t.Fatalf("expected 2 votes, got %d", len(votes))
}
}
func TestVoteFlowRegression(t *testing.T) {
handler := newVoteHandlerWithRepos()
t.Run("CompleteVoteLifecycle", func(t *testing.T) {
userID := uint(1)
postID := "1"
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": postID})
ctx := context.WithValue(request.Context(), middleware.UserIDKey, userID)
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusOK)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodGet, "/api/posts/1/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": postID})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, userID)
request = request.WithContext(ctx)
handler.GetUserVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for getting vote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"down"}`))
request = testutils.WithURLParams(request, map[string]string{"id": postID})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, userID)
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for changing to downvote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"none"}`))
request = testutils.WithURLParams(request, map[string]string{"id": postID})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, userID)
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for removing vote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodGet, "/api/posts/1/vote", nil)
request = testutils.WithURLParams(request, map[string]string{"id": postID})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, userID)
request = request.WithContext(ctx)
handler.GetUserVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for getting removed vote, got %d", recorder.Result().StatusCode)
}
var resp VoteResponse
_ = json.NewDecoder(recorder.Body).Decode(&resp)
data := resp.Data.(map[string]any)
if data["has_vote"].(bool) {
t.Fatalf("expected has_vote false after removal, got true")
}
})
t.Run("MultipleUsersVoting", func(t *testing.T) {
postID := "1"
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": postID})
ctx := context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for user 1 upvote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"down"}`))
request = testutils.WithURLParams(request, map[string]string{"id": postID})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(2))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for user 2 downvote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"up"}`))
request = testutils.WithURLParams(request, map[string]string{"id": postID})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(3))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for user 3 upvote, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodGet, "/api/posts/1/votes", nil)
request = testutils.WithURLParams(request, map[string]string{"id": postID})
handler.GetPostVotes(recorder, request)
if recorder.Result().StatusCode != http.StatusOK {
t.Fatalf("expected 200 for getting all votes, got %d", recorder.Result().StatusCode)
}
var resp VoteResponse
_ = json.NewDecoder(recorder.Body).Decode(&resp)
data := resp.Data.(map[string]any)
votes := data["votes"].([]any)
if len(votes) != 3 {
t.Fatalf("expected 3 votes, got %d", len(votes))
}
})
t.Run("ErrorHandlingEdgeCases", func(t *testing.T) {
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(``))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx := context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
testutils.AssertHTTPStatus(t, recorder, http.StatusBadRequest)
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for missing type field, got %d", recorder.Result().StatusCode)
}
recorder = httptest.NewRecorder()
request = httptest.NewRequest(http.MethodPost, "/api/posts/1/vote", bytes.NewBufferString(`{"type":"invalid"}`))
request = testutils.WithURLParams(request, map[string]string{"id": "1"})
ctx = context.WithValue(request.Context(), middleware.UserIDKey, uint(1))
request = request.WithContext(ctx)
handler.CastVote(recorder, request)
if recorder.Result().StatusCode != http.StatusBadRequest {
t.Fatalf("expected 400 for invalid vote type, got %d", recorder.Result().StatusCode)
}
})
}

Some files were not shown because too many files have changed in this diff Show More