
package httpapi_test
import (
"context"
"net/http"
"net/http/httptest"
"testing"
"git.az-it.net/az/morz-infoboard/server/backend/internal/httpapi"
"git.az-it.net/az/morz-infoboard/server/backend/internal/reqcontext"
"git.az-it.net/az/morz-infoboard/server/backend/internal/store"
)
// userCtx builds a background context carrying a store.User whose only
// populated field is Role. That is the minimal identity the middleware under
// test needs to make its allow/deny decision; every other field is left zero.
func userCtx(role string) context.Context {
	u := &store.User{Role: role}
	return reqcontext.WithUser(context.Background(), u)
}
// TestRequireNotRestricted_blocks_restricted checks the deny path: a request
// whose context carries a user with role "restricted" must be answered with
// 403 and the wrapped handler must never run. Reaching the handler is itself
// a failure (t.Fatal is safe here because ServeHTTP runs synchronously on the
// test goroutine).
func TestRequireNotRestricted_blocks_restricted(t *testing.T) {
	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		t.Fatal("should not be called")
	})
	req := httptest.NewRequest(http.MethodPost, "/", nil).WithContext(userCtx("restricted"))
	rec := httptest.NewRecorder()

	httpapi.RequireNotRestricted(next).ServeHTTP(rec, req)

	if got := rec.Code; got != http.StatusForbidden {
		t.Fatalf("expected 403, got %d", got)
	}
}
// TestRequireNotRestricted_allows_screen_user checks that a user with role
// "screen_user" passes through the middleware: the wrapped handler must be
// invoked. Only the pass-through is asserted; the response itself is not
// inspected because the stub handler writes nothing.
func TestRequireNotRestricted_allows_screen_user(t *testing.T) {
	var reached bool
	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		reached = true
	})
	req := httptest.NewRequest(http.MethodPost, "/", nil).WithContext(userCtx("screen_user"))

	httpapi.RequireNotRestricted(next).ServeHTTP(httptest.NewRecorder(), req)

	if !reached {
		t.Fatal("expected next to be called")
	}
}
// TestRequireNotRestricted_allows_admin checks that a user with role "admin"
// passes through the middleware and the wrapped handler is invoked. As with
// the screen_user case, only reachability of the next handler is asserted.
func TestRequireNotRestricted_allows_admin(t *testing.T) {
	var reached bool
	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		reached = true
	})
	req := httptest.NewRequest(http.MethodPost, "/", nil).WithContext(userCtx("admin"))

	httpapi.RequireNotRestricted(next).ServeHTTP(httptest.NewRecorder(), req)

	if !reached {
		t.Fatal("expected next to be called")
	}
}
// TestRequireNotRestricted_allows_no_user pins the contract that a request
// with NO user in its context is passed through untouched.
//
// Security note for reviewers: this means RequireNotRestricted is not an
// authentication check on its own. It only narrows an already-authenticated
// identity, and the assertion message below records that rejecting anonymous
// requests is RequireAuth's job. Any route that mounts RequireNotRestricted
// without RequireAuth in front of it would therefore let unauthenticated
// callers reach the handler; the middleware ordering at the router is what
// must be verified, not this test alone.
func TestRequireNotRestricted_allows_no_user(t *testing.T) {
	var reached bool
	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {
		reached = true
	})
	// Deliberately no WithContext(userCtx(...)): the context carries no user.
	req := httptest.NewRequest(http.MethodPost, "/", nil)

	httpapi.RequireNotRestricted(next).ServeHTTP(httptest.NewRecorder(), req)

	if !reached {
		t.Fatal("no user in context — RequireAuth handles that, this middleware passes through")
	}
}