mcr/internal/server/admin_auth_test.go

package server

import (
	"encoding/json"
	"testing"

	"github.com/go-chi/chi/v5"

	"git.wntrmute.dev/kyle/mcr/internal/auth"
)

func TestAdminHealthHandler(t *testing.T) {
	database := openAdminTestDB(t)
	router, _ := buildAdminRouter(t, database)

	// Health endpoint does not require auth.
	rr := adminReq(t, router, "GET", "/v1/health", "")
	if rr.Code != 200 {
		t.Fatalf("status: got %d, want 200", rr.Code)
	}

	var resp map[string]string
	if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
		t.Fatalf("decode: %v", err)
	}
	if resp["status"] != "ok" {
		t.Fatalf("status field: got %q, want %q", resp["status"], "ok")
	}
}

func TestAdminLoginSuccess(t *testing.T) {
	database := openAdminTestDB(t)
	router, _ := buildAdminRouter(t, database)

	body := `{"username":"admin","password":"secret"}`
	rr := adminReq(t, router, "POST", "/v1/auth/login", body)
	if rr.Code != 200 {
		t.Fatalf("status: got %d, want 200; body: %s", rr.Code, rr.Body.String())
	}

	var resp adminLoginResponse
	if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
		t.Fatalf("decode: %v", err)
	}
	if resp.Token != "test-token" {
		t.Fatalf("token: got %q, want %q", resp.Token, "test-token")
	}
	if resp.ExpiresAt == "" {
		t.Fatal("expires_at: expected non-empty")
	}
}

func TestAdminLoginInvalidCreds(t *testing.T) {
	database := openAdminTestDB(t)

	validator := &fakeValidator{
		claims: &auth.Claims{Subject: "admin-uuid", AccountType: "human", Roles: []string{"admin"}},
	}
	login := &fakeLoginClient{err: auth.ErrUnauthorized}
	reloader := &fakePolicyReloader{}
	gcState := &GCState{}

	r := chi.NewRouter()
	MountAdminRoutes(r, validator, "mcr-test", AdminDeps{
		DB:      database,
		Login:   login,
		Engine:  reloader,
		AuditFn: nil,
		GCState: gcState,
	})

	body := `{"username":"admin","password":"wrong"}`
	rr := adminReq(t, r, "POST", "/v1/auth/login", body)
	if rr.Code != 401 {
		t.Fatalf("status: got %d, want 401", rr.Code)
	}

	var errResp adminErrorResponse
	if err := json.NewDecoder(rr.Body).Decode(&errResp); err != nil {
		t.Fatalf("decode: %v", err)
	}
	if errResp.Error != "authentication failed" {
		t.Fatalf("error: got %q, want %q", errResp.Error, "authentication failed")
	}
}

func TestAdminLoginMissingFields(t *testing.T) {
	database := openAdminTestDB(t)
	router, _ := buildAdminRouter(t, database)

	body := `{"username":"admin"}`
	rr := adminReq(t, router, "POST", "/v1/auth/login", body)
	if rr.Code != 400 {
		t.Fatalf("status: got %d, want 400", rr.Code)
	}
}

func TestAdminLoginBadJSON(t *testing.T) {
	database := openAdminTestDB(t)
	router, _ := buildAdminRouter(t, database)

	rr := adminReq(t, router, "POST", "/v1/auth/login", "not json")
	if rr.Code != 400 {
		t.Fatalf("status: got %d, want 400", rr.Code)
	}
}

func TestAdminLogout(t *testing.T) {
	database := openAdminTestDB(t)
	router, _ := buildAdminRouter(t, database)

	rr := adminReq(t, router, "POST", "/v1/auth/logout", "")
	if rr.Code != 204 {
		t.Fatalf("status: got %d, want 204", rr.Code)
	}
}