arthur/xtablo-source
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions 5
xtablo-source/backend/templates/layout_test.go

52 lines
1.6 KiB
Go
Raw Normal View History

test(02-06): add failing tests for logout, protected routes, and layout auth - TestLogout_Success: POST /logout with valid cookie -> 303, cookie cleared, session deleted - TestLogout_UnauthRedirectsToLogin: POST /logout without cookie -> 303 from RequireAuth - TestLogout_HXRedirect: HTMX logout -> 200 + HX-Redirect: /login - TestLogout_AfterLogoutSubsequentRequestUnauth: stale cookie blocked after logout - TestProtected_HomeUnauthRedirects: GET / without session -> 303 /login - TestProtected_HomeUnauthHXRedirect: HTMX GET / without session -> 200 + HX-Redirect - TestProtected_HomeAuthRendersUserEmail: authed GET / -> 200 with user email - TestLayout_LogoutFormVisibleWhenAuthed: Layout with user shows logout form - TestLayout_LogoutFormHiddenWhenUnauthed: Layout with nil user hides logout form
2026-05-14 20:32:33 +00:00
package templates
import (
"bytes"
"context"
"strings"
"testing"
"backend/internal/auth"
)
// TestLayout_LogoutFormVisibleWhenAuthed verifies that the logout form is
// rendered in the header when Layout receives a non-nil user (D-22).
feat(02-07): gorilla/csrf integration — mount middleware, wire all forms, env-driven key - auth.Mount(env, key) wraps csrf.Protect with locked D-14/D-24 options - auth.LoadKeyFromEnv() reads SESSION_SECRET, hex-decodes, validates 32 bytes; fails fast on error - ui.CSRFField(token) templ component renders hidden _csrf input - Layout, LoginPage/Fragment, SignupPage/Fragment, Index all embed @ui.CSRFField(csrfToken) - Handlers thread csrf.Token(r) into every page/fragment render call - NewRouter mounts auth.Mount after ResolveSession, before all route groups (D-24) - main.go calls auth.LoadKeyFromEnv(); logs.Fatalf on missing/invalid SESSION_SECRET - SESSION_SECRET documented in .env.example with openssl rand -hex 32 instruction - go.mod: gorilla/csrf v1.7.3 (direct); prior tests updated with getCSRFToken helper - All Plan 04/05/06 tests updated to acquire and submit valid _csrf tokens
2026-05-14 20:59:06 +00:00
// The _csrf hidden field must also be present (AUTH-06).
test(02-06): add failing tests for logout, protected routes, and layout auth - TestLogout_Success: POST /logout with valid cookie -> 303, cookie cleared, session deleted - TestLogout_UnauthRedirectsToLogin: POST /logout without cookie -> 303 from RequireAuth - TestLogout_HXRedirect: HTMX logout -> 200 + HX-Redirect: /login - TestLogout_AfterLogoutSubsequentRequestUnauth: stale cookie blocked after logout - TestProtected_HomeUnauthRedirects: GET / without session -> 303 /login - TestProtected_HomeUnauthHXRedirect: HTMX GET / without session -> 200 + HX-Redirect - TestProtected_HomeAuthRendersUserEmail: authed GET / -> 200 with user email - TestLayout_LogoutFormVisibleWhenAuthed: Layout with user shows logout form - TestLayout_LogoutFormHiddenWhenUnauthed: Layout with nil user hides logout form
2026-05-14 20:32:33 +00:00
func TestLayout_LogoutFormVisibleWhenAuthed(t *testing.T) {
var buf bytes.Buffer
user := &auth.User{Email: "a@b.c"}
feat(02-07): gorilla/csrf integration — mount middleware, wire all forms, env-driven key - auth.Mount(env, key) wraps csrf.Protect with locked D-14/D-24 options - auth.LoadKeyFromEnv() reads SESSION_SECRET, hex-decodes, validates 32 bytes; fails fast on error - ui.CSRFField(token) templ component renders hidden _csrf input - Layout, LoginPage/Fragment, SignupPage/Fragment, Index all embed @ui.CSRFField(csrfToken) - Handlers thread csrf.Token(r) into every page/fragment render call - NewRouter mounts auth.Mount after ResolveSession, before all route groups (D-24) - main.go calls auth.LoadKeyFromEnv(); logs.Fatalf on missing/invalid SESSION_SECRET - SESSION_SECRET documented in .env.example with openssl rand -hex 32 instruction - go.mod: gorilla/csrf v1.7.3 (direct); prior tests updated with getCSRFToken helper - All Plan 04/05/06 tests updated to acquire and submit valid _csrf tokens
2026-05-14 20:59:06 +00:00
err := Layout("Test", user, "mytesttoken").Render(context.Background(), &buf)
test(02-06): add failing tests for logout, protected routes, and layout auth - TestLogout_Success: POST /logout with valid cookie -> 303, cookie cleared, session deleted - TestLogout_UnauthRedirectsToLogin: POST /logout without cookie -> 303 from RequireAuth - TestLogout_HXRedirect: HTMX logout -> 200 + HX-Redirect: /login - TestLogout_AfterLogoutSubsequentRequestUnauth: stale cookie blocked after logout - TestProtected_HomeUnauthRedirects: GET / without session -> 303 /login - TestProtected_HomeUnauthHXRedirect: HTMX GET / without session -> 200 + HX-Redirect - TestProtected_HomeAuthRendersUserEmail: authed GET / -> 200 with user email - TestLayout_LogoutFormVisibleWhenAuthed: Layout with user shows logout form - TestLayout_LogoutFormHiddenWhenUnauthed: Layout with nil user hides logout form
2026-05-14 20:32:33 +00:00
if err != nil {
t.Fatalf("Layout.Render: %v", err)
}
body := buf.String()
if !strings.Contains(body, `action="/logout"`) {
t.Errorf("Layout body missing action=\"/logout\"; want logout form when authed\nbody: %s", body)
}
if !strings.Contains(body, `method="POST"`) {
t.Errorf("Layout body missing method=\"POST\"; logout must be a POST form (D-22)")
}
feat(02-07): gorilla/csrf integration — mount middleware, wire all forms, env-driven key - auth.Mount(env, key) wraps csrf.Protect with locked D-14/D-24 options - auth.LoadKeyFromEnv() reads SESSION_SECRET, hex-decodes, validates 32 bytes; fails fast on error - ui.CSRFField(token) templ component renders hidden _csrf input - Layout, LoginPage/Fragment, SignupPage/Fragment, Index all embed @ui.CSRFField(csrfToken) - Handlers thread csrf.Token(r) into every page/fragment render call - NewRouter mounts auth.Mount after ResolveSession, before all route groups (D-24) - main.go calls auth.LoadKeyFromEnv(); logs.Fatalf on missing/invalid SESSION_SECRET - SESSION_SECRET documented in .env.example with openssl rand -hex 32 instruction - go.mod: gorilla/csrf v1.7.3 (direct); prior tests updated with getCSRFToken helper - All Plan 04/05/06 tests updated to acquire and submit valid _csrf tokens
2026-05-14 20:59:06 +00:00
if !strings.Contains(body, `name="_csrf"`) {
t.Errorf("Layout body missing name=\"_csrf\"; logout form must embed CSRF field (AUTH-06)")
}
if !strings.Contains(body, `value="mytesttoken"`) {
t.Errorf("Layout body missing value=\"mytesttoken\"; CSRF token not threaded into form")
}
test(02-06): add failing tests for logout, protected routes, and layout auth - TestLogout_Success: POST /logout with valid cookie -> 303, cookie cleared, session deleted - TestLogout_UnauthRedirectsToLogin: POST /logout without cookie -> 303 from RequireAuth - TestLogout_HXRedirect: HTMX logout -> 200 + HX-Redirect: /login - TestLogout_AfterLogoutSubsequentRequestUnauth: stale cookie blocked after logout - TestProtected_HomeUnauthRedirects: GET / without session -> 303 /login - TestProtected_HomeUnauthHXRedirect: HTMX GET / without session -> 200 + HX-Redirect - TestProtected_HomeAuthRendersUserEmail: authed GET / -> 200 with user email - TestLayout_LogoutFormVisibleWhenAuthed: Layout with user shows logout form - TestLayout_LogoutFormHiddenWhenUnauthed: Layout with nil user hides logout form
2026-05-14 20:32:33 +00:00
}
// TestLayout_LogoutFormHiddenWhenUnauthed verifies that no logout form is
// rendered when Layout receives a nil user (unauthenticated request).
func TestLayout_LogoutFormHiddenWhenUnauthed(t *testing.T) {
var buf bytes.Buffer
feat(02-07): gorilla/csrf integration — mount middleware, wire all forms, env-driven key - auth.Mount(env, key) wraps csrf.Protect with locked D-14/D-24 options - auth.LoadKeyFromEnv() reads SESSION_SECRET, hex-decodes, validates 32 bytes; fails fast on error - ui.CSRFField(token) templ component renders hidden _csrf input - Layout, LoginPage/Fragment, SignupPage/Fragment, Index all embed @ui.CSRFField(csrfToken) - Handlers thread csrf.Token(r) into every page/fragment render call - NewRouter mounts auth.Mount after ResolveSession, before all route groups (D-24) - main.go calls auth.LoadKeyFromEnv(); logs.Fatalf on missing/invalid SESSION_SECRET - SESSION_SECRET documented in .env.example with openssl rand -hex 32 instruction - go.mod: gorilla/csrf v1.7.3 (direct); prior tests updated with getCSRFToken helper - All Plan 04/05/06 tests updated to acquire and submit valid _csrf tokens
2026-05-14 20:59:06 +00:00
err := Layout("Test", nil, "").Render(context.Background(), &buf)
test(02-06): add failing tests for logout, protected routes, and layout auth - TestLogout_Success: POST /logout with valid cookie -> 303, cookie cleared, session deleted - TestLogout_UnauthRedirectsToLogin: POST /logout without cookie -> 303 from RequireAuth - TestLogout_HXRedirect: HTMX logout -> 200 + HX-Redirect: /login - TestLogout_AfterLogoutSubsequentRequestUnauth: stale cookie blocked after logout - TestProtected_HomeUnauthRedirects: GET / without session -> 303 /login - TestProtected_HomeUnauthHXRedirect: HTMX GET / without session -> 200 + HX-Redirect - TestProtected_HomeAuthRendersUserEmail: authed GET / -> 200 with user email - TestLayout_LogoutFormVisibleWhenAuthed: Layout with user shows logout form - TestLayout_LogoutFormHiddenWhenUnauthed: Layout with nil user hides logout form
2026-05-14 20:32:33 +00:00
if err != nil {
t.Fatalf("Layout.Render: %v", err)
}
body := buf.String()
if strings.Contains(body, `action="/logout"`) {
t.Errorf("Layout body must NOT contain action=\"/logout\" when user is nil (unauthenticated)")
}
}
Reference in a new issue Copy permalink