package auth import ( "context" "net/http" "net/http/httptest" "testing" "time" "github.com/golang-jwt/jwt/v5" ) const testSecret = "my-super-secret-supabase-jwt-key" func generateTestToken(sub string, email string, expiresAt time.Time, secret string) (string, error) { token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{ "sub": sub, "email": email, "exp": expiresAt.Unix(), }) return token.SignedString([]byte(secret)) } func TestValidateJWT(t *testing.T) { // 1. Valid token validToken, err := generateTestToken("driver-uuid-123", "driver@test.com", time.Now().Add(time.Hour), testSecret) if err != nil { t.Fatalf("failed to generate valid token: %v", err) } claims, err := ValidateJWT(validToken, testSecret) if err != nil { t.Errorf("expected no error, got: %v", err) } if claims.DriverID != "driver-uuid-123" || claims.Email != "driver@test.com" { t.Errorf("unexpected claims: %+v", claims) } // 2. Expired token expiredToken, err := generateTestToken("driver-uuid-123", "driver@test.com", time.Now().Add(-time.Hour), testSecret) if err != nil { t.Fatalf("failed to generate expired token: %v", err) } _, err = ValidateJWT(expiredToken, testSecret) if err == nil { t.Error("expected error for expired token, got nil") } // 3. Invalid signature _, err = ValidateJWT(validToken, "wrong-secret-key") if err == nil { t.Error("expected error for wrong signature, got nil") } } func TestAuthMiddleware(t *testing.T) { nextHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { driverID, ok := DriverIDFromContext(r.Context()) if ok { w.Header().Set("X-Driver-ID", driverID) } w.WriteHeader(http.StatusOK) }) // 1. DevMode = true: bypass authentication mwDev := Middleware(testSecret, true)(nextHandler) req := httptest.NewRequest(http.MethodGet, "/api/races", nil) w := httptest.NewRecorder() mwDev.ServeHTTP(w, req) if w.Code != http.StatusOK { t.Errorf("expected 200 OK in DevMode, got %d", w.Code) } // 2. DevMode = false: missing Authorization header mwProd := Middleware(testSecret, false)(nextHandler) w = httptest.NewRecorder() mwProd.ServeHTTP(w, req) if w.Code != http.StatusUnauthorized { t.Errorf("expected 401 Unauthorized for missing auth header, got %d", w.Code) } // 3. DevMode = false: invalid Authorization format reqFormat := httptest.NewRequest(http.MethodGet, "/api/races", nil) reqFormat.Header.Set("Authorization", "InvalidFormat token123") w = httptest.NewRecorder() mwProd.ServeHTTP(w, reqFormat) if w.Code != http.StatusUnauthorized { t.Errorf("expected 401 Unauthorized for invalid format, got %d", w.Code) } // 4. DevMode = false: valid token validToken, err := generateTestToken("driver-uuid-123", "driver@test.com", time.Now().Add(time.Hour), testSecret) if err != nil { t.Fatalf("failed to generate valid token: %v", err) } reqValid := httptest.NewRequest(http.MethodGet, "/api/races", nil) reqValid.Header.Set("Authorization", "Bearer "+validToken) w = httptest.NewRecorder() mwProd.ServeHTTP(w, reqValid) if w.Code != http.StatusOK { t.Errorf("expected 200 OK for valid token, got %d", w.Code) } if w.Header().Get("X-Driver-ID") != "driver-uuid-123" { t.Errorf("expected X-Driver-ID header to be set in context, got %q", w.Header().Get("X-Driver-ID")) } } func TestContextHelpers(t *testing.T) { ctx := context.Background() if _, ok := DriverIDFromContext(ctx); ok { t.Error("expected ok=false for empty context") } ctx = context.WithValue(ctx, driverIDKey, "test-driver") id, ok := DriverIDFromContext(ctx) if !ok || id != "test-driver" { t.Errorf("expected test-driver, got %s (ok=%t)", id, ok) } }