2020-07-29 18:00:04 +08:00
|
|
|
package handler
|
2020-07-26 17:09:05 +08:00
|
|
|
|
|
|
|
|
import (
|
2021-03-15 20:11:09 +08:00
|
|
|
"bufio"
|
|
|
|
|
"net"
|
2020-07-26 17:09:05 +08:00
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
2026-02-07 09:11:40 +00:00
|
|
|
"strings"
|
2020-07-26 17:09:05 +08:00
|
|
|
"testing"
|
|
|
|
|
"time"
|
|
|
|
|
|
2022-01-14 11:01:02 +08:00
|
|
|
"github.com/golang-jwt/jwt/v4"
|
2020-07-26 17:09:05 +08:00
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestAuthHandlerFailed(t *testing.T) {
|
2022-10-17 06:30:58 +08:00
|
|
|
req := httptest.NewRequest(http.MethodGet, "http://localhost", http.NoBody)
|
2020-07-26 17:09:05 +08:00
|
|
|
handler := Authorize("B63F477D-BBA3-4E52-96D3-C0034C27694A", WithUnauthorizedCallback(
|
|
|
|
|
func(w http.ResponseWriter, r *http.Request, err error) {
|
2021-09-29 13:09:20 +08:00
|
|
|
assert.NotNil(t, err)
|
|
|
|
|
w.Header().Set("X-Test", err.Error())
|
2020-07-26 17:09:05 +08:00
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
|
|
|
_, err = w.Write([]byte("content"))
|
|
|
|
|
assert.Nil(t, err)
|
|
|
|
|
}))(
|
|
|
|
|
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
|
}))
|
|
|
|
|
|
|
|
|
|
resp := httptest.NewRecorder()
|
|
|
|
|
handler.ServeHTTP(resp, req)
|
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, resp.Code)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestAuthHandler(t *testing.T) {
|
|
|
|
|
const key = "B63F477D-BBA3-4E52-96D3-C0034C27694A"
|
2022-10-17 06:30:58 +08:00
|
|
|
req := httptest.NewRequest(http.MethodGet, "http://localhost", http.NoBody)
|
2023-01-24 16:32:02 +08:00
|
|
|
token, err := buildToken(key, map[string]any{
|
2020-07-26 17:09:05 +08:00
|
|
|
"key": "value",
|
|
|
|
|
}, 3600)
|
|
|
|
|
assert.Nil(t, err)
|
|
|
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
|
|
|
handler := Authorize(key)(
|
|
|
|
|
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
w.Header().Set("X-Test", "test")
|
|
|
|
|
_, err := w.Write([]byte("content"))
|
|
|
|
|
assert.Nil(t, err)
|
2020-12-28 21:30:24 +08:00
|
|
|
|
|
|
|
|
flusher, ok := w.(http.Flusher)
|
2020-12-29 10:25:55 +08:00
|
|
|
assert.True(t, ok)
|
2020-12-28 21:30:24 +08:00
|
|
|
flusher.Flush()
|
2020-07-26 17:09:05 +08:00
|
|
|
}))
|
|
|
|
|
|
|
|
|
|
resp := httptest.NewRecorder()
|
|
|
|
|
handler.ServeHTTP(resp, req)
|
|
|
|
|
assert.Equal(t, http.StatusOK, resp.Code)
|
|
|
|
|
assert.Equal(t, "test", resp.Header().Get("X-Test"))
|
|
|
|
|
assert.Equal(t, "content", resp.Body.String())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestAuthHandlerWithPrevSecret(t *testing.T) {
|
|
|
|
|
const (
|
|
|
|
|
key = "14F17379-EB8F-411B-8F12-6929002DCA76"
|
|
|
|
|
prevKey = "B63F477D-BBA3-4E52-96D3-C0034C27694A"
|
|
|
|
|
)
|
2022-10-17 06:30:58 +08:00
|
|
|
req := httptest.NewRequest(http.MethodGet, "http://localhost", http.NoBody)
|
2023-01-24 16:32:02 +08:00
|
|
|
token, err := buildToken(key, map[string]any{
|
2020-07-26 17:09:05 +08:00
|
|
|
"key": "value",
|
|
|
|
|
}, 3600)
|
|
|
|
|
assert.Nil(t, err)
|
|
|
|
|
req.Header.Set("Authorization", "Bearer "+token)
|
|
|
|
|
handler := Authorize(key, WithPrevSecret(prevKey))(
|
|
|
|
|
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
w.Header().Set("X-Test", "test")
|
|
|
|
|
_, err := w.Write([]byte("content"))
|
|
|
|
|
assert.Nil(t, err)
|
|
|
|
|
}))
|
|
|
|
|
|
|
|
|
|
resp := httptest.NewRecorder()
|
|
|
|
|
handler.ServeHTTP(resp, req)
|
|
|
|
|
assert.Equal(t, http.StatusOK, resp.Code)
|
|
|
|
|
assert.Equal(t, "test", resp.Header().Get("X-Test"))
|
|
|
|
|
assert.Equal(t, "content", resp.Body.String())
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-30 16:22:18 +08:00
|
|
|
func TestAuthHandler_NilError(t *testing.T) {
|
2022-10-17 06:30:58 +08:00
|
|
|
req := httptest.NewRequest(http.MethodGet, "http://localhost", http.NoBody)
|
2020-07-30 16:22:18 +08:00
|
|
|
resp := httptest.NewRecorder()
|
|
|
|
|
assert.NotPanics(t, func() {
|
|
|
|
|
unauthorized(resp, req, nil, nil)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-07 09:11:40 +00:00
|
|
|
func TestAuthHandlerWithJSONBody(t *testing.T) {
|
|
|
|
|
const key = "B63F477D-BBA3-4E52-96D3-C0034C27694A"
|
|
|
|
|
|
|
|
|
|
// Create a request with JSON body
|
|
|
|
|
jsonBody := `{"username":"test","password":"secret"}`
|
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "http://localhost/login",
|
|
|
|
|
strings.NewReader(jsonBody))
|
|
|
|
|
req.Header.Set("Content-Type", "application/json")
|
|
|
|
|
// Missing authorization header to trigger the unauthorized path
|
|
|
|
|
|
|
|
|
|
handler := Authorize(key)(
|
|
|
|
|
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
|
}))
|
|
|
|
|
|
|
|
|
|
resp := httptest.NewRecorder()
|
|
|
|
|
handler.ServeHTTP(resp, req)
|
|
|
|
|
|
|
|
|
|
// Should return unauthorized
|
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, resp.Code)
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-07 09:04:34 +00:00
|
|
|
func TestAuthHandlerWithMultipartFormData(t *testing.T) {
|
|
|
|
|
const key = "B63F477D-BBA3-4E52-96D3-C0034C27694A"
|
|
|
|
|
|
|
|
|
|
// Create a multipart form-data request
|
|
|
|
|
// We don't need actual body content since we're testing that
|
|
|
|
|
// the body is NOT read when Content-Type is multipart/form-data
|
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "http://localhost/upload",
|
|
|
|
|
http.NoBody)
|
|
|
|
|
req.Header.Set("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary")
|
|
|
|
|
// Missing authorization header to trigger the unauthorized path
|
|
|
|
|
|
|
|
|
|
handler := Authorize(key)(
|
|
|
|
|
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
|
}))
|
|
|
|
|
|
|
|
|
|
resp := httptest.NewRecorder()
|
|
|
|
|
handler.ServeHTTP(resp, req)
|
|
|
|
|
|
|
|
|
|
// Should return unauthorized
|
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, resp.Code)
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-07 09:06:52 +00:00
|
|
|
func TestAuthHandlerWithMultipartFormDataLargeFile(t *testing.T) {
|
|
|
|
|
const key = "B63F477D-BBA3-4E52-96D3-C0034C27694A"
|
|
|
|
|
|
|
|
|
|
// Create a multipart form-data request with a simulated large file
|
|
|
|
|
// This tests that the body is NOT consumed when Content-Type is multipart/form-data
|
|
|
|
|
largeContent := make([]byte, 1024*1024) // 1MB of data
|
|
|
|
|
for i := range largeContent {
|
|
|
|
|
largeContent[i] = byte(i % 256)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "http://localhost/upload",
|
|
|
|
|
http.NoBody)
|
|
|
|
|
req.Header.Set("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary")
|
|
|
|
|
req.Header.Set("Content-Length", "1048576")
|
|
|
|
|
// Missing authorization header to trigger the unauthorized path
|
|
|
|
|
|
|
|
|
|
handler := Authorize(key)(
|
|
|
|
|
http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
|
}))
|
|
|
|
|
|
|
|
|
|
resp := httptest.NewRecorder()
|
|
|
|
|
|
|
|
|
|
// This should complete quickly without reading the body
|
|
|
|
|
start := time.Now()
|
|
|
|
|
handler.ServeHTTP(resp, req)
|
|
|
|
|
elapsed := time.Since(start)
|
|
|
|
|
|
|
|
|
|
// Should return unauthorized
|
|
|
|
|
assert.Equal(t, http.StatusUnauthorized, resp.Code)
|
|
|
|
|
// Should complete in less than 100ms (without reading 1MB of data)
|
|
|
|
|
assert.Less(t, elapsed, 100*time.Millisecond)
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-07 09:04:34 +00:00
|
|
|
func TestIsMultipartFormData(t *testing.T) {
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
contentType string
|
|
|
|
|
expected bool
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "multipart/form-data",
|
|
|
|
|
contentType: "multipart/form-data",
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "multipart/form-data with boundary",
|
|
|
|
|
contentType: "multipart/form-data; boundary=----WebKitFormBoundary",
|
|
|
|
|
expected: true,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "application/json",
|
|
|
|
|
contentType: "application/json",
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "application/x-www-form-urlencoded",
|
|
|
|
|
contentType: "application/x-www-form-urlencoded",
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "empty content type",
|
|
|
|
|
contentType: "",
|
|
|
|
|
expected: false,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "http://localhost", http.NoBody)
|
|
|
|
|
req.Header.Set("Content-Type", tt.contentType)
|
|
|
|
|
result := isMultipartFormData(req)
|
|
|
|
|
assert.Equal(t, tt.expected, result)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-24 16:32:02 +08:00
|
|
|
func buildToken(secretKey string, payloads map[string]any, seconds int64) (string, error) {
|
2020-07-26 17:09:05 +08:00
|
|
|
now := time.Now().Unix()
|
|
|
|
|
claims := make(jwt.MapClaims)
|
|
|
|
|
claims["exp"] = now + seconds
|
|
|
|
|
claims["iat"] = now
|
|
|
|
|
for k, v := range payloads {
|
|
|
|
|
claims[k] = v
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token := jwt.New(jwt.SigningMethodHS256)
|
|
|
|
|
token.Claims = claims
|
|
|
|
|
|
|
|
|
|
return token.SignedString([]byte(secretKey))
|
|
|
|
|
}
|
2021-03-15 20:11:09 +08:00
|
|
|
|
|
|
|
|
type mockedHijackable struct {
|
|
|
|
|
*httptest.ResponseRecorder
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (m mockedHijackable) Hijack() (net.Conn, *bufio.ReadWriter, error) {
|
|
|
|
|
return nil, nil, nil
|
|
|
|
|
}
|
