refactor: modernize using min()

cmd/goyco/commands/migrate.go

@@ -5,9 +5,10 @@ import (
 	"fmt"
 	"os"
 
-	"gorm.io/gorm"
 	"goyco/internal/config"
 	"goyco/internal/database"
+
+	"gorm.io/gorm"
 )
 
 func HandleMigrateCommand(cfg *config.Config, name string, args []string) error {
@@ -37,7 +38,7 @@ func runMigrateCommand(db *gorm.DB) error {
 		return fmt.Errorf("run migrations: %w", err)
 	}
 	if IsJSONOutput() {
-		outputJSON(map[string]interface{}{
+		outputJSON(map[string]any{
 			"action": "migrations_applied",
 			"status": "success",
 		})

internal/server/router_test.go

@@ -3,6 +3,7 @@ package server
 import (
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 
 	"goyco/internal/config"
@@ -105,9 +106,9 @@ func defaultRateLimitConfig() config.RateLimitConfig {
 	return testutils.AppTestConfig.RateLimit
 }
 
-func TestAPIRootRouting(t *testing.T) {
+func createDefaultRouterConfig() RouterConfig {
 	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-	router := NewRouter(RouterConfig{
+	return RouterConfig{
 		APIHandler:      apiHandler,
 		AuthHandler:     authHandler,
 		PostHandler:     postHandler,
@@ -115,7 +116,15 @@ func TestAPIRootRouting(t *testing.T) {
 		UserHandler:     userHandler,
 		AuthService:     authService,
 		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	}
+}
+
+func createTestRouter(cfg RouterConfig) http.Handler {
+	return NewRouter(cfg)
+}
+
+func TestAPIRootRouting(t *testing.T) {
+	router := createTestRouter(createDefaultRouterConfig())
 
 	testCases := []struct {
 		name       string
@@ -141,23 +150,23 @@ func TestAPIRootRouting(t *testing.T) {
 }
 
 func TestProtectedRoutesRequireAuth(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-	router := NewRouter(RouterConfig{
-		APIHandler:      apiHandler,
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	router := createTestRouter(createDefaultRouterConfig())
 
 	protectedRoutes := []struct {
 		method string
 		path   string
 	}{
 		{http.MethodGet, "/api/auth/me"},
+		{http.MethodPost, "/api/auth/logout"},
+		{http.MethodPost, "/api/auth/revoke"},
+		{http.MethodPost, "/api/auth/revoke-all"},
+		{http.MethodPut, "/api/auth/email"},
+		{http.MethodPut, "/api/auth/username"},
+		{http.MethodPut, "/api/auth/password"},
+		{http.MethodDelete, "/api/auth/account"},
 		{http.MethodPost, "/api/posts"},
+		{http.MethodPut, "/api/posts/1"},
+		{http.MethodDelete, "/api/posts/1"},
 		{http.MethodPost, "/api/posts/1/vote"},
 		{http.MethodDelete, "/api/posts/1/vote"},
 		{http.MethodGet, "/api/posts/1/vote"},
@@ -183,17 +192,9 @@ func TestProtectedRoutesRequireAuth(t *testing.T) {
 }
 
 func TestRouterWithDebugMode(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-	router := NewRouter(RouterConfig{
-		Debug:           true,
-		APIHandler:      apiHandler,
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	cfg := createDefaultRouterConfig()
+	cfg.Debug = true
+	router := createTestRouter(cfg)
 
 	request := httptest.NewRequest(http.MethodGet, "/api", nil)
 	recorder := httptest.NewRecorder()
@@ -206,16 +207,9 @@ func TestRouterWithDebugMode(t *testing.T) {
 }
 
 func TestRouterWithCacheDisabled(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-	router := NewRouter(RouterConfig{
-		DisableCache: true,
-		APIHandler:   apiHandler,
-		AuthHandler:  authHandler,
-		PostHandler:  postHandler,
-		VoteHandler:  voteHandler,
-		UserHandler:  userHandler,
-		AuthService:  authService,
-	})
+	cfg := createDefaultRouterConfig()
+	cfg.DisableCache = true
+	router := createTestRouter(cfg)
 
 	request := httptest.NewRequest(http.MethodGet, "/api", nil)
 	recorder := httptest.NewRecorder()
@@ -228,17 +222,9 @@ func TestRouterWithCacheDisabled(t *testing.T) {
 }
 
 func TestRouterWithCompressionDisabled(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-	router := NewRouter(RouterConfig{
-		DisableCompression: true,
-		APIHandler:         apiHandler,
-		AuthHandler:        authHandler,
-		PostHandler:        postHandler,
-		VoteHandler:        voteHandler,
-		UserHandler:        userHandler,
-		AuthService:        authService,
-		RateLimitConfig:    defaultRateLimitConfig(),
-	})
+	cfg := createDefaultRouterConfig()
+	cfg.DisableCompression = true
+	router := createTestRouter(cfg)
 
 	request := httptest.NewRequest(http.MethodGet, "/api", nil)
 	recorder := httptest.NewRecorder()
@@ -251,19 +237,9 @@ func TestRouterWithCompressionDisabled(t *testing.T) {
 }
 
 func TestRouterWithCustomDBMonitor(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-	customDBMonitor := middleware.NewInMemoryDBMonitor()
-
-	router := NewRouter(RouterConfig{
-		DBMonitor:       customDBMonitor,
-		APIHandler:      apiHandler,
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	cfg := createDefaultRouterConfig()
+	cfg.DBMonitor = middleware.NewInMemoryDBMonitor()
+	router := createTestRouter(cfg)
 
 	request := httptest.NewRequest(http.MethodGet, "/api", nil)
 	recorder := httptest.NewRecorder()
@@ -296,18 +272,9 @@ func TestRouterWithPageHandler(t *testing.T) {
 }
 
 func TestRouterWithStaticDir(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-
-	router := NewRouter(RouterConfig{
-		StaticDir:       "/custom/static/path",
-		APIHandler:      apiHandler,
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	cfg := createDefaultRouterConfig()
+	cfg.StaticDir = "/custom/static/path"
+	router := createTestRouter(cfg)
 
 	request := httptest.NewRequest(http.MethodGet, "/api", nil)
 	recorder := httptest.NewRecorder()
@@ -320,18 +287,9 @@ func TestRouterWithStaticDir(t *testing.T) {
 }
 
 func TestRouterWithEmptyStaticDir(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-
-	router := NewRouter(RouterConfig{
-		StaticDir:       "",
-		APIHandler:      apiHandler,
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	cfg := createDefaultRouterConfig()
+	cfg.StaticDir = ""
+	router := createTestRouter(cfg)
 
 	request := httptest.NewRequest(http.MethodGet, "/api", nil)
 	recorder := httptest.NewRecorder()
@@ -344,20 +302,11 @@ func TestRouterWithEmptyStaticDir(t *testing.T) {
 }
 
 func TestRouterWithAllFeaturesDisabled(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-
-	router := NewRouter(RouterConfig{
-		Debug:              true,
-		DisableCache:       true,
-		DisableCompression: true,
-		APIHandler:         apiHandler,
-		AuthHandler:        authHandler,
-		PostHandler:        postHandler,
-		VoteHandler:        voteHandler,
-		UserHandler:        userHandler,
-		AuthService:        authService,
-		RateLimitConfig:    defaultRateLimitConfig(),
-	})
+	cfg := createDefaultRouterConfig()
+	cfg.Debug = true
+	cfg.DisableCache = true
+	cfg.DisableCompression = true
+	router := createTestRouter(cfg)
 
 	request := httptest.NewRequest(http.MethodGet, "/api", nil)
 	recorder := httptest.NewRecorder()
@@ -370,15 +319,9 @@ func TestRouterWithAllFeaturesDisabled(t *testing.T) {
 }
 
 func TestRouterWithoutAPIHandler(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, _, authService := setupTestHandlers()
-	router := NewRouter(RouterConfig{
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	cfg := createDefaultRouterConfig()
+	cfg.APIHandler = nil
+	router := createTestRouter(cfg)
 
 	request := httptest.NewRequest(http.MethodGet, "/api", nil)
 	recorder := httptest.NewRecorder()
@@ -391,17 +334,7 @@ func TestRouterWithoutAPIHandler(t *testing.T) {
 }
 
 func TestRouterWithoutPageHandler(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-
-	router := NewRouter(RouterConfig{
-		APIHandler:      apiHandler,
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	router := createTestRouter(createDefaultRouterConfig())
 
 	request := httptest.NewRequest(http.MethodGet, "/", nil)
 	recorder := httptest.NewRecorder()
@@ -414,17 +347,7 @@ func TestRouterWithoutPageHandler(t *testing.T) {
 }
 
 func TestSwaggerRoute(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-
-	router := NewRouter(RouterConfig{
-		APIHandler:      apiHandler,
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	router := createTestRouter(createDefaultRouterConfig())
 
 	request := httptest.NewRequest(http.MethodGet, "/swagger/", nil)
 	recorder := httptest.NewRecorder()
@@ -437,18 +360,9 @@ func TestSwaggerRoute(t *testing.T) {
 }
 
 func TestStaticFileRoute(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-
-	router := NewRouter(RouterConfig{
-		StaticDir:       "../../internal/static/",
-		APIHandler:      apiHandler,
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	cfg := createDefaultRouterConfig()
+	cfg.StaticDir = "../../internal/static/"
+	router := createTestRouter(cfg)
 
 	request := httptest.NewRequest(http.MethodGet, "/static/css/main.css", nil)
 	recorder := httptest.NewRecorder()
@@ -461,17 +375,7 @@ func TestStaticFileRoute(t *testing.T) {
 }
 
 func TestRouterConfiguration(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
-
-	router := NewRouter(RouterConfig{
-		APIHandler:      apiHandler,
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
+	router := createTestRouter(createDefaultRouterConfig())
 
 	if router == nil {
 		t.Error("Router should not be nil")
@@ -487,29 +391,484 @@ func TestRouterConfiguration(t *testing.T) {
 	}
 }
 
-func TestRouterMiddlewareIntegration(t *testing.T) {
-	authHandler, postHandler, voteHandler, userHandler, apiHandler, authService := setupTestHandlers()
+func TestAllRoutesExist(t *testing.T) {
+	router := createTestRouter(createDefaultRouterConfig())
 
-	router := NewRouter(RouterConfig{
-		APIHandler:      apiHandler,
-		AuthHandler:     authHandler,
-		PostHandler:     postHandler,
-		VoteHandler:     voteHandler,
-		UserHandler:     userHandler,
-		AuthService:     authService,
-		RateLimitConfig: defaultRateLimitConfig(),
-	})
-
-	if router == nil {
-		t.Error("Router should not be nil")
+	publicRoutes := []struct {
+		method      string
+		path        string
+		description string
+	}{
+		{http.MethodGet, "/api", "API info"},
+		{http.MethodGet, "/health", "Health check"},
+		{http.MethodGet, "/metrics", "Metrics"},
+		{http.MethodGet, "/robots.txt", "Robots.txt"},
+		{http.MethodGet, "/api/posts", "Get posts"},
+		{http.MethodGet, "/api/posts/search", "Search posts"},
+		{http.MethodGet, "/api/posts/title", "Fetch title from URL"},
+		{http.MethodGet, "/api/posts/1", "Get post by ID"},
+		{http.MethodPost, "/api/auth/register", "Register"},
+		{http.MethodPost, "/api/auth/login", "Login"},
+		{http.MethodPost, "/api/auth/refresh", "Refresh token"},
+		{http.MethodGet, "/api/auth/confirm", "Confirm email"},
+		{http.MethodPost, "/api/auth/resend-verification", "Resend verification"},
+		{http.MethodPost, "/api/auth/forgot-password", "Forgot password"},
+		{http.MethodPost, "/api/auth/reset-password", "Reset password"},
+		{http.MethodPost, "/api/auth/account/confirm", "Confirm account deletion"},
 	}
 
-	request := httptest.NewRequest(http.MethodGet, "/api", nil)
+	protectedRoutes := []struct {
+		method      string
+		path        string
+		description string
+	}{
+		{http.MethodGet, "/api/auth/me", "Get current user"},
+		{http.MethodPost, "/api/auth/logout", "Logout"},
+		{http.MethodPost, "/api/auth/revoke", "Revoke token"},
+		{http.MethodPost, "/api/auth/revoke-all", "Revoke all tokens"},
+		{http.MethodPut, "/api/auth/email", "Update email"},
+		{http.MethodPut, "/api/auth/username", "Update username"},
+		{http.MethodPut, "/api/auth/password", "Update password"},
+		{http.MethodDelete, "/api/auth/account", "Delete account"},
+		{http.MethodPost, "/api/posts", "Create post"},
+		{http.MethodPut, "/api/posts/1", "Update post"},
+		{http.MethodDelete, "/api/posts/1", "Delete post"},
+		{http.MethodPost, "/api/posts/1/vote", "Cast vote"},
+		{http.MethodDelete, "/api/posts/1/vote", "Remove vote"},
+		{http.MethodGet, "/api/posts/1/vote", "Get user vote"},
+		{http.MethodGet, "/api/posts/1/votes", "Get post votes"},
+		{http.MethodGet, "/api/users", "Get users"},
+		{http.MethodPost, "/api/users", "Create user"},
+		{http.MethodGet, "/api/users/1", "Get user by ID"},
+		{http.MethodGet, "/api/users/1/posts", "Get user posts"},
+	}
+
+	for _, route := range publicRoutes {
+		t.Run(route.description+" "+route.method+" "+route.path, func(t *testing.T) {
+			invalidMethod := http.MethodPatch
+			switch route.method {
+			case http.MethodGet:
+				invalidMethod = http.MethodDelete
+			case http.MethodPost:
+				invalidMethod = http.MethodGet
+			}
+			request := httptest.NewRequest(invalidMethod, route.path, nil)
 			recorder := httptest.NewRecorder()
 
 			router.ServeHTTP(recorder, request)
 
-	if recorder.Code == 0 {
-		t.Error("Router should return a status code")
+			routeExists := recorder.Code == http.StatusMethodNotAllowed
+
+			if !routeExists {
+				request = httptest.NewRequest(route.method, route.path, nil)
+				recorder = httptest.NewRecorder()
+				router.ServeHTTP(recorder, request)
+
+				if recorder.Code == http.StatusNotFound && route.path != "/api/posts/1" && route.path != "/robots.txt" {
+					t.Errorf("Route %s %s should exist, got 404", route.method, route.path)
+				}
+			}
+		})
+	}
+
+	for _, route := range protectedRoutes {
+		t.Run(route.description+" "+route.method+" "+route.path, func(t *testing.T) {
+			request := httptest.NewRequest(route.method, route.path, nil)
+			recorder := httptest.NewRecorder()
+
+			router.ServeHTTP(recorder, request)
+
+			if recorder.Code == http.StatusNotFound {
+				t.Errorf("Route %s %s should exist, got 404", route.method, route.path)
+			}
+			if recorder.Code != http.StatusUnauthorized {
+				t.Errorf("Protected route %s %s should return 401 without auth, got %d", route.method, route.path, recorder.Code)
+			}
+		})
+	}
+}
+
+func TestRouteParameters(t *testing.T) {
+	router := createTestRouter(createDefaultRouterConfig())
+
+	testCases := []struct {
+		name        string
+		method      string
+		pathPattern string
+		testIDs     []string
+		isProtected bool
+	}{
+		{
+			name:        "Get post by ID",
+			method:      http.MethodGet,
+			pathPattern: "/api/posts/{id}",
+			testIDs:     []string{"1", "42", "999", "12345"},
+			isProtected: false,
+		},
+		{
+			name:        "Update post by ID",
+			method:      http.MethodPut,
+			pathPattern: "/api/posts/{id}",
+			testIDs:     []string{"1", "42", "999"},
+			isProtected: true,
+		},
+		{
+			name:        "Delete post by ID",
+			method:      http.MethodDelete,
+			pathPattern: "/api/posts/{id}",
+			testIDs:     []string{"1", "42", "999"},
+			isProtected: true,
+		},
+		{
+			name:        "Get user by ID",
+			method:      http.MethodGet,
+			pathPattern: "/api/users/{id}",
+			testIDs:     []string{"1", "42", "999", "12345"},
+			isProtected: true,
+		},
+		{
+			name:        "Get user posts by user ID",
+			method:      http.MethodGet,
+			pathPattern: "/api/users/{id}/posts",
+			testIDs:     []string{"1", "42", "999", "12345"},
+			isProtected: true,
+		},
+		{
+			name:        "Cast vote for post ID",
+			method:      http.MethodPost,
+			pathPattern: "/api/posts/{id}/vote",
+			testIDs:     []string{"1", "42", "999"},
+			isProtected: true,
+		},
+		{
+			name:        "Remove vote for post ID",
+			method:      http.MethodDelete,
+			pathPattern: "/api/posts/{id}/vote",
+			testIDs:     []string{"1", "42", "999"},
+			isProtected: true,
+		},
+		{
+			name:        "Get user vote for post ID",
+			method:      http.MethodGet,
+			pathPattern: "/api/posts/{id}/vote",
+			testIDs:     []string{"1", "42", "999", "12345"},
+			isProtected: true,
+		},
+		{
+			name:        "Get post votes by post ID",
+			method:      http.MethodGet,
+			pathPattern: "/api/posts/{id}/votes",
+			testIDs:     []string{"1", "42", "999", "12345"},
+			isProtected: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			for _, id := range tc.testIDs {
+				path := replaceID(tc.pathPattern, id)
+				t.Run("ID_"+id, func(t *testing.T) {
+					request := httptest.NewRequest(http.MethodPatch, path, nil)
+					recorder := httptest.NewRecorder()
+					router.ServeHTTP(recorder, request)
+
+					routeExists := recorder.Code == http.StatusMethodNotAllowed
+
+					request = httptest.NewRequest(tc.method, path, nil)
+					recorder = httptest.NewRecorder()
+					router.ServeHTTP(recorder, request)
+
+					if !routeExists {
+						if recorder.Code == http.StatusNotFound {
+							t.Errorf("Route %s %s should exist with ID %s, got 404", tc.method, path, id)
+							return
+						}
+					}
+
+					if tc.isProtected {
+						if recorder.Code != http.StatusUnauthorized {
+							t.Errorf("Protected route %s %s should return 401 without auth, got %d", tc.method, path, recorder.Code)
+						}
+					}
+				})
+			}
+		})
+	}
+}
+
+func replaceID(pattern, id string) string {
+	return strings.Replace(pattern, "{id}", id, 1)
+}
+
+func TestInvalidRouteParameters(t *testing.T) {
+	router := createTestRouter(createDefaultRouterConfig())
+
+	testCases := []struct {
+		name        string
+		method      string
+		path        string
+		expectedMin int
+		expectedMax int
+		isProtected bool
+		allow401    bool
+	}{
+		{
+			name:        "Non-numeric post ID",
+			method:      http.MethodGet,
+			path:        "/api/posts/abc",
+			expectedMin: http.StatusBadRequest,
+			expectedMax: http.StatusBadRequest,
+			isProtected: false,
+		},
+		{
+			name:        "Negative post ID",
+			method:      http.MethodGet,
+			path:        "/api/posts/-1",
+			expectedMin: http.StatusBadRequest,
+			expectedMax: http.StatusBadRequest,
+			isProtected: false,
+		},
+		{
+			name:        "Zero post ID",
+			method:      http.MethodGet,
+			path:        "/api/posts/0",
+			expectedMin: http.StatusBadRequest,
+			expectedMax: http.StatusNotFound,
+			isProtected: false,
+		},
+		{
+			name:        "Post ID with special characters",
+			method:      http.MethodGet,
+			path:        "/api/posts/123@456",
+			expectedMin: http.StatusBadRequest,
+			expectedMax: http.StatusBadRequest,
+			isProtected: false,
+		},
+		{
+			name:        "Post ID with encoded spaces",
+			method:      http.MethodGet,
+			path:        "/api/posts/12%2034",
+			expectedMin: http.StatusBadRequest,
+			expectedMax: http.StatusBadRequest,
+			isProtected: false,
+		},
+		{
+			name:        "Non-numeric user ID",
+			method:      http.MethodGet,
+			path:        "/api/users/xyz",
+			expectedMin: http.StatusBadRequest,
+			expectedMax: http.StatusUnauthorized,
+			isProtected: true,
+			allow401:    true,
+		},
+		{
+			name:        "Negative user ID",
+			method:      http.MethodGet,
+			path:        "/api/users/-5",
+			expectedMin: http.StatusBadRequest,
+			expectedMax: http.StatusUnauthorized,
+			isProtected: true,
+			allow401:    true,
+		},
+		{
+			name:        "Non-numeric post ID in vote route",
+			method:      http.MethodGet,
+			path:        "/api/posts/invalid/vote",
+			expectedMin: http.StatusBadRequest,
+			expectedMax: http.StatusUnauthorized,
+			isProtected: true,
+			allow401:    true,
+		},
+		{
+			name:        "Very large post ID",
+			method:      http.MethodGet,
+			path:        "/api/posts/999999999999",
+			expectedMin: http.StatusBadRequest,
+			expectedMax: http.StatusNotFound,
+			isProtected: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			request := httptest.NewRequest(tc.method, tc.path, nil)
+			recorder := httptest.NewRecorder()
+
+			router.ServeHTTP(recorder, request)
+
+			if tc.isProtected && tc.allow401 {
+				if recorder.Code != http.StatusUnauthorized && (recorder.Code < tc.expectedMin || recorder.Code > tc.expectedMax) {
+					t.Errorf("Protected route %s %s with invalid parameter should return 401 or status between %d and %d, got %d", tc.method, tc.path, tc.expectedMin, tc.expectedMax, recorder.Code)
+				}
+			} else {
+				if recorder.Code < tc.expectedMin || recorder.Code > tc.expectedMax {
+					t.Errorf("Route %s %s should return status between %d and %d, got %d", tc.method, tc.path, tc.expectedMin, tc.expectedMax, recorder.Code)
+				}
+
+				if recorder.Code != http.StatusNotFound && recorder.Code < 400 {
+					t.Errorf("Route %s %s with invalid parameter should return error status (4xx), got %d", tc.method, tc.path, recorder.Code)
+				}
+			}
+		})
+	}
+}
+
+func TestQueryParameters(t *testing.T) {
+	router := createTestRouter(createDefaultRouterConfig())
+
+	testCases := []struct {
+		name        string
+		method      string
+		path        string
+		queryParams string
+		expectRoute bool
+	}{
+		{
+			name:        "Get posts with limit and offset",
+			method:      http.MethodGet,
+			path:        "/api/posts",
+			queryParams: "limit=10&offset=5",
+			expectRoute: true,
+		},
+		{
+			name:        "Get posts with only limit",
+			method:      http.MethodGet,
+			path:        "/api/posts",
+			queryParams: "limit=20",
+			expectRoute: true,
+		},
+		{
+			name:        "Get posts with only offset",
+			method:      http.MethodGet,
+			path:        "/api/posts",
+			queryParams: "offset=10",
+			expectRoute: true,
+		},
+		{
+			name:        "Search posts with query parameter",
+			method:      http.MethodGet,
+			path:        "/api/posts/search",
+			queryParams: "q=test",
+			expectRoute: true,
+		},
+		{
+			name:        "Search posts with query, limit, and offset",
+			method:      http.MethodGet,
+			path:        "/api/posts/search",
+			queryParams: "q=test&limit=15&offset=3",
+			expectRoute: true,
+		},
+		{
+			name:        "Fetch title with URL parameter",
+			method:      http.MethodGet,
+			path:        "/api/posts/title",
+			queryParams: "url=https://example.com",
+			expectRoute: true,
+		},
+		{
+			name:        "Confirm email with token parameter",
+			method:      http.MethodGet,
+			path:        "/api/auth/confirm",
+			queryParams: "token=abc123",
+			expectRoute: true,
+		},
+		{
+			name:        "Get posts with invalid limit",
+			method:      http.MethodGet,
+			path:        "/api/posts",
+			queryParams: "limit=abc",
+			expectRoute: true,
+		},
+		{
+			name:        "Get posts with negative limit",
+			method:      http.MethodGet,
+			path:        "/api/posts",
+			queryParams: "limit=-5",
+			expectRoute: true,
+		},
+		{
+			name:        "Get posts with negative offset",
+			method:      http.MethodGet,
+			path:        "/api/posts",
+			queryParams: "offset=-10",
+			expectRoute: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			fullPath := tc.path
+			if tc.queryParams != "" {
+				fullPath += "?" + tc.queryParams
+			}
+
+			request := httptest.NewRequest(tc.method, fullPath, nil)
+			recorder := httptest.NewRecorder()
+
+			router.ServeHTTP(recorder, request)
+
+			if tc.expectRoute {
+				if recorder.Code == http.StatusNotFound {
+					t.Errorf("Route %s %s should exist with query parameters, got 404", tc.method, fullPath)
+				}
+			}
+		})
+	}
+}
+
+func TestRouteConflicts(t *testing.T) {
+	router := createTestRouter(createDefaultRouterConfig())
+
+	testCases := []struct {
+		name        string
+		method      string
+		path        string
+		description string
+	}{
+		{
+			name:        "posts/search should not match posts/{id}",
+			method:      http.MethodGet,
+			path:        "/api/posts/search",
+			description: "search route should be matched, not treated as ID",
+		},
+		{
+			name:        "posts/title should not match posts/{id}",
+			method:      http.MethodGet,
+			path:        "/api/posts/title",
+			description: "title route should be matched, not treated as ID",
+		},
+		{
+			name:        "posts/{id} should work with numeric ID",
+			method:      http.MethodGet,
+			path:        "/api/posts/123",
+			description: "numeric ID should match {id} route",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			request := httptest.NewRequest(tc.method, tc.path, nil)
+			recorder := httptest.NewRecorder()
+
+			router.ServeHTTP(recorder, request)
+
+			switch tc.path {
+			case "/api/posts/search":
+				if recorder.Code == http.StatusNotFound {
+					t.Errorf("%s: Route %s %s should exist (not 404), got %d", tc.description, tc.method, tc.path, recorder.Code)
+				}
+			case "/api/posts/title":
+				if recorder.Code == http.StatusNotFound {
+					t.Errorf("%s: Route %s %s should exist (not 404), got %d", tc.description, tc.method, tc.path, recorder.Code)
+				}
+			case "/api/posts/123":
+				if recorder.Code == http.StatusNotFound {
+					return
+				}
+				if recorder.Code < 400 {
+					t.Errorf("%s: Route %s %s should return 4xx or 5xx, got %d", tc.description, tc.method, tc.path, recorder.Code)
+				}
+			}
+		})
 	}
 }

internal/services/auth_service.go

@@ -1,12 +1,93 @@
 package services
 
 import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
 	"fmt"
+	"net/mail"
+	"strings"
 
 	"goyco/internal/config"
 	"goyco/internal/database"
 )
 
+const (
+	defaultTokenExpirationHours  = 24
+	verificationTokenBytes       = 32
+	deletionTokenExpirationHours = 24
+)
+
+var (
+	ErrInvalidCredentials       = errors.New("invalid credentials")
+	ErrInvalidToken             = errors.New("invalid or expired token")
+	ErrUsernameTaken            = errors.New("username already exists")
+	ErrEmailTaken               = errors.New("email already exists")
+	ErrInvalidEmail             = errors.New("invalid email address")
+	ErrPasswordTooShort         = errors.New("password too short")
+	ErrEmailNotVerified         = errors.New("email not verified")
+	ErrAccountLocked            = errors.New("account is locked")
+	ErrInvalidVerificationToken = errors.New("invalid verification token")
+	ErrEmailSenderUnavailable   = errors.New("email sender not configured")
+	ErrDeletionEmailFailed      = errors.New("account deletion email failed")
+	ErrInvalidDeletionToken     = errors.New("invalid account deletion token")
+	ErrUserNotFound             = errors.New("user not found")
+	ErrDeletionRequestNotFound  = errors.New("deletion request not found")
+)
+
+type AuthResult struct {
+	AccessToken  string         `json:"access_token" example:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."`
+	RefreshToken string         `json:"refresh_token" example:"a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"`
+	User         *database.User `json:"user"`
+}
+
+type RegistrationResult struct {
+	User             *database.User `json:"user"`
+	VerificationSent bool           `json:"verification_sent"`
+}
+
+func normalizeEmail(email string) (string, error) {
+	trimmed := strings.TrimSpace(email)
+	if trimmed == "" {
+		return "", fmt.Errorf("email is required")
+	}
+
+	parsed, err := mail.ParseAddress(trimmed)
+	if err != nil {
+		return "", ErrInvalidEmail
+	}
+
+	return strings.ToLower(parsed.Address), nil
+}
+
+func generateVerificationToken() (string, string, error) {
+	buf := make([]byte, verificationTokenBytes)
+	if _, err := rand.Read(buf); err != nil {
+		return "", "", fmt.Errorf("generate verification token: %w", err)
+	}
+
+	token := hex.EncodeToString(buf)
+	hashed := HashVerificationToken(token)
+	return token, hashed, nil
+}
+
+func HashVerificationToken(token string) string {
+	sum := sha256.Sum256([]byte(token))
+	return hex.EncodeToString(sum[:])
+}
+
+func sanitizeUser(user *database.User) *database.User {
+	if user == nil {
+		return nil
+	}
+
+	copy := *user
+	copy.Password = ""
+	copy.EmailVerificationToken = ""
+	return &copy
+}
+
 type AuthFacade struct {
 	registrationService   *RegistrationService
 	passwordResetService  *PasswordResetService

internal/services/auth_types.go

@@ -1,35 +0,0 @@
-package services
-
-import (
-	"errors"
-
-	"goyco/internal/database"
-)
-
-var (
-	ErrInvalidCredentials       = errors.New("invalid credentials")
-	ErrInvalidToken             = errors.New("invalid or expired token")
-	ErrUsernameTaken            = errors.New("username already exists")
-	ErrEmailTaken               = errors.New("email already exists")
-	ErrInvalidEmail             = errors.New("invalid email address")
-	ErrPasswordTooShort         = errors.New("password too short")
-	ErrEmailNotVerified         = errors.New("email not verified")
-	ErrAccountLocked            = errors.New("account is locked")
-	ErrInvalidVerificationToken = errors.New("invalid verification token")
-	ErrEmailSenderUnavailable   = errors.New("email sender not configured")
-	ErrDeletionEmailFailed      = errors.New("account deletion email failed")
-	ErrInvalidDeletionToken     = errors.New("invalid account deletion token")
-	ErrUserNotFound             = errors.New("user not found")
-	ErrDeletionRequestNotFound  = errors.New("deletion request not found")
-)
-
-type AuthResult struct {
-	AccessToken  string         `json:"access_token" example:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."`
-	RefreshToken string         `json:"refresh_token" example:"a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"`
-	User         *database.User `json:"user"`
-}
-
-type RegistrationResult struct {
-	User             *database.User `json:"user"`
-	VerificationSent bool           `json:"verification_sent"`
-}

internal/services/auth_utils.go

@@ -1,59 +0,0 @@
-package services
-
-import (
-	"crypto/rand"
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"net/mail"
-	"strings"
-
-	"goyco/internal/database"
-)
-
-const (
-	defaultTokenExpirationHours  = 24
-	verificationTokenBytes       = 32
-	deletionTokenExpirationHours = 24
-)
-
-func normalizeEmail(email string) (string, error) {
-	trimmed := strings.TrimSpace(email)
-	if trimmed == "" {
-		return "", fmt.Errorf("email is required")
-	}
-
-	parsed, err := mail.ParseAddress(trimmed)
-	if err != nil {
-		return "", ErrInvalidEmail
-	}
-
-	return strings.ToLower(parsed.Address), nil
-}
-
-func generateVerificationToken() (string, string, error) {
-	buf := make([]byte, verificationTokenBytes)
-	if _, err := rand.Read(buf); err != nil {
-		return "", "", fmt.Errorf("generate verification token: %w", err)
-	}
-
-	token := hex.EncodeToString(buf)
-	hashed := HashVerificationToken(token)
-	return token, hashed, nil
-}
-
-func HashVerificationToken(token string) string {
-	sum := sha256.Sum256([]byte(token))
-	return hex.EncodeToString(sum[:])
-}
-
-func sanitizeUser(user *database.User) *database.User {
-	if user == nil {
-		return nil
-	}
-
-	copy := *user
-	copy.Password = ""
-	copy.EmailVerificationToken = ""
-	return &copy
-}

internal/templates/template_test.go

@@ -32,10 +32,7 @@ func templateFuncMap() template.FuncMap {
 			if start >= len(s) {
 				return ""
 			}
-			end := start + length
-			if end > len(s) {
-				end = len(s)
-			}
+			end := min(start+length, len(s))
 			return s[start:end]
 		},
 		"upper": strings.ToUpper,

scripts/setup-postgres.sh

@@ -44,5 +44,3 @@ GRANT ALL PRIVILEGES ON DATABASE goyco TO goyco;
 EOF
 
 echo "PostgreSQL 18 installed, database 'goyco' and user 'goyco' set up."
-
-