chore(allsrv): add tests for unauthorized access

Filling in some tests gaps. With these in place, we can now address concern 2), the duplication of auth everywhere. Take a crack at DRYing up the basic auth integration.
jsteenb2 · Jul 5, 2024 · 79af2cb · 79af2cb
1 parent ec22efa
commit 79af2cb
Showing 1 changed file with 63 additions and 0 deletions.
diff --git a/allsrv/server_test.go b/allsrv/server_test.go
@@ -41,6 +41,21 @@ func TestServer(t *testing.T) {
 				assert.Equal(t, want, got)
 			})
 		})
+
+		t.Run("when provided invalid basic auth should fail", func(t *testing.T) {
+			svr := allsrv.NewServer(new(allsrv.InmemDB), "dodgers@stink.com", "PaSsWoRd")
+
+			req := httptest.NewRequest("POST", "/foo", newJSONBody(t, allsrv.Foo{
+				Name: "first-foo",
+				Note: "some note",
+			}))
+			req.SetBasicAuth("dodgers@rule.com", "wrongO")
+			rec := httptest.NewRecorder()
+
+			svr.ServeHTTP(rec, req)
+
+			assert.Equal(t, http.StatusUnauthorized, rec.Code)
+		})
 	})
 
 	t.Run("foo read", func(t *testing.T) {
@@ -71,6 +86,18 @@ func TestServer(t *testing.T) {
 				assert.Equal(t, want, got)
 			})
 		})
+
+		t.Run("when provided invalid basic auth should fail", func(t *testing.T) {
+			svr := allsrv.NewServer(new(allsrv.InmemDB), "dodgers@stink.com", "PaSsWoRd")
+
+			req := httptest.NewRequest("GET", "/foo?id=reader1", nil)
+			req.SetBasicAuth("dodgers@rule.com", "wrongO")
+			rec := httptest.NewRecorder()
+
+			svr.ServeHTTP(rec, req)
+
+			assert.Equal(t, http.StatusUnauthorized, rec.Code)
+		})
 	})
 
 	t.Run("foo update", func(t *testing.T) {
@@ -98,6 +125,30 @@ func TestServer(t *testing.T) {
 			// note: lame we don't get the updated foo back
 			assert.Equal(t, http.StatusOK, rec.Code)
 		})
+
+		t.Run("when provided invalid basic auth should fail", func(t *testing.T) {
+			db := new(allsrv.InmemDB)
+			err := db.CreateFoo(allsrv.Foo{
+				ID:   "id1",
+				Name: "first_name",
+				Note: "first note",
+			})
+			require.NoError(t, err)
+
+			svr := allsrv.NewServer(db, "dodgers@stink.com", "PaSsWoRd")
+
+			req := httptest.NewRequest("PUT", "/foo", newJSONBody(t, allsrv.Foo{
+				ID:   "id1",
+				Name: "second_name",
+				Note: "second note",
+			}))
+			req.SetBasicAuth("dodgers@rule.com", "wrongO")
+			rec := httptest.NewRecorder()
+
+			svr.ServeHTTP(rec, req)
+
+			assert.Equal(t, http.StatusUnauthorized, rec.Code)
+		})
 	})
 
 	t.Run("foo delete", func(t *testing.T) {
@@ -120,6 +171,18 @@ func TestServer(t *testing.T) {
 
 			assert.Equal(t, http.StatusOK, rec.Code)
 		})
+
+		t.Run("when provided invalid basic auth should fail", func(t *testing.T) {
+			svr := allsrv.NewServer(new(allsrv.InmemDB), "dodgers@stink.com", "PaSsWoRd")
+
+			req := httptest.NewRequest("DELETE", "/foo?id=id1", nil)
+			req.SetBasicAuth("dodgers@rule.com", "wrongO")
+			rec := httptest.NewRecorder()
+
+			svr.ServeHTTP(rec, req)
+
+			assert.Equal(t, http.StatusUnauthorized, rec.Code)
+		})
 	})
 }