add auth lib

2026-03-01 03:04:43 +01:00
parent e9bb724708
commit 4b6268535f
11 changed files with 544 additions and 0 deletions
--- a/jwt/jwt_test.go
+++ b/jwt/jwt_test.go
@@ -0,0 +1,96 @@
+package jwt
+
+import (
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func TestJWTManagerGenerateAndParseAuthToken(t *testing.T) {
+	mgr := NewJWTManager("secret", 2*time.Minute, 10*time.Minute)
+
+	token, err := mgr.GenerateAuthToken("user-1", "alice")
+	if err != nil {
+		t.Fatalf("generate auth token: %v", err)
+	}
+
+	claims, err := mgr.ParseAuthToken(token)
+	if err != nil {
+		t.Fatalf("parse auth token: %v", err)
+	}
+	if claims.UserID != "user-1" {
+		t.Fatalf("expected user id user-1, got %q", claims.UserID)
+	}
+	if claims.Username != "alice" {
+		t.Fatalf("expected username alice, got %q", claims.Username)
+	}
+	if claims.TokenType != TokenTypeAuth {
+		t.Fatalf("expected token type %q, got %q", TokenTypeAuth, claims.TokenType)
+	}
+}
+
+func TestJWTManagerRejectsWrongTokenType(t *testing.T) {
+	mgr := NewJWTManager("secret", time.Minute, time.Minute)
+
+	refreshToken, err := mgr.GenerateRefreshToken("user-1", "alice")
+	if err != nil {
+		t.Fatalf("generate refresh token: %v", err)
+	}
+	if _, err := mgr.ParseAuthToken(refreshToken); err == nil {
+		t.Fatal("expected error when parsing refresh token as auth token")
+	}
+
+	authToken, err := mgr.GenerateAuthToken("user-1", "alice")
+	if err != nil {
+		t.Fatalf("generate auth token: %v", err)
+	}
+	if _, err := mgr.ParseRefreshToken(authToken); err == nil {
+		t.Fatal("expected error when parsing auth token as refresh token")
+	}
+}
+
+func TestJWTManagerRejectsInvalidOrTamperedToken(t *testing.T) {
+	mgr := NewJWTManager("secret", time.Minute, time.Minute)
+
+	if _, err := mgr.ParseAuthToken("not-a-token"); err == nil {
+		t.Fatal("expected parse error for malformed token")
+	}
+
+	token, err := mgr.GenerateAuthToken("user-1", "alice")
+	if err != nil {
+		t.Fatalf("generate auth token: %v", err)
+	}
+
+	otherMgr := NewJWTManager("different-secret", time.Minute, time.Minute)
+	if _, err := otherMgr.ParseAuthToken(token); err == nil {
+		t.Fatal("expected signature validation error with different secret")
+	}
+}
+
+func TestJWTManagerRejectsExpiredToken(t *testing.T) {
+	mgr := NewJWTManager("secret", -1*time.Second, time.Minute)
+
+	token, err := mgr.GenerateAuthToken("user-1", "alice")
+	if err != nil {
+		t.Fatalf("generate expired auth token: %v", err)
+	}
+
+	if _, err := mgr.ParseAuthToken(token); err == nil {
+		t.Fatal("expected expired token error")
+	}
+}
+
+func TestJWTManagerRejectsNonHMACAlgorithm(t *testing.T) {
+	mgr := NewJWTManager("secret", time.Minute, time.Minute)
+
+	noneToken := jwt.NewWithClaims(jwt.SigningMethodNone, Claims{UserID: "u", Username: "n", TokenType: TokenTypeAuth})
+	tokenStr, err := noneToken.SignedString(jwt.UnsafeAllowNoneSignatureType)
+	if err != nil {
+		t.Fatalf("sign none token: %v", err)
+	}
+
+	if _, err := mgr.ParseAuthToken(tokenStr); err == nil {
+		t.Fatal("expected error for non-HMAC algorithm")
+	}
+}