Etusivu Tutki Apua
Kirjaudu sisään
weiym
/
perms-system-server
1
0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Puu: c5fab9a9bc
Haarat Tagit
perms-system...
/
internal
/
handler
/
pub
/
refreshTokenHandler_test.go

refreshTokenHandler_test.go 2.3 KB
Historia Raaka

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 
  1. package pub
    2. 

  2. 

  3. import (
    4. 

  4. 	"encoding/json"
    5. 

  5. 	"net/http"
    6. 

  6. 	"net/http/httptest"
    7. 

  7. 	"strings"
    8. 

  8. 	"testing"
    9. 

  9. 

  10. 	"perms-system-server/internal/response"
    11. 

  11. 	"perms-system-server/internal/svc"
    12. 

  12. 	"perms-system-server/internal/testutil"
    13. 

  13. 

  14. 	"github.com/stretchr/testify/assert"
    15. 

  15. 	"github.com/stretchr/testify/require"
    16. 

  16. )
    17. 

  17. 

  18. // TC-0800: handler 薄层契约 —— RefreshTokenHandler 在 Authorization header 缺失时,
    19. 

  19. // 必须把错误透传成 401 "未登录" / 或等价业务错误 (绝不能 200 或 5xx)。
    20. 

  20. // 同时不应把内部实现细节泄露到 Msg 里。
    21. 

  21. func TestRefreshTokenHandler_MissingAuthorizationHeader(t *testing.T) {
    22. 

  22. 	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
    23. 

  23. 	handler := RefreshTokenHandler(svcCtx)
    24. 

  24. 

  25. 	req := httptest.NewRequest(http.MethodPost, "/api/auth/refreshToken", strings.NewReader("{}"))
    26. 

  26. 	req.Header.Set("Content-Type", "application/json")
    27. 

  27. 	rr := httptest.NewRecorder()
    28. 

  28. 	handler.ServeHTTP(rr, req)
    29. 

  29. 

  30. 	var body response.Body
    31. 

  31. 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &body))
    32. 

  32. 	assert.NotEqual(t, 200, body.ErrorCode, "缺 Authorization 必须报错而非 200")
    33. 

  33. 	assert.True(t, body.ErrorCode == 401 || body.ErrorCode == 400,
    34. 

  34. 		"缺 Authorization 必须是 401/400; 实际 code=%d msg=%q", body.ErrorCode, body.ErrorMessage)
    35. 

  35. 	assert.NotContains(t, strings.ToLower(body.ErrorMessage), "sql", "错误文案不得泄露 SQL 实现细节")
    36. 

  36. 	assert.NotContains(t, strings.ToLower(body.ErrorMessage), "redis", "错误文案不得泄露 Redis 实现细节")
    37. 

  37. }
    38. 

  38. 

  39. // TC-0801: handler 薄层契约 —— RefreshTokenHandler 在 Authorization 带非法值时 401, 且不 panic。
    40. 

  40. func TestRefreshTokenHandler_GarbageBearerToken(t *testing.T) {
    41. 

  41. 	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
    42. 

  42. 	handler := RefreshTokenHandler(svcCtx)
    43. 

  43. 

  44. 	req := httptest.NewRequest(http.MethodPost, "/api/auth/refreshToken", strings.NewReader("{}"))
    45. 

  45. 	req.Header.Set("Content-Type", "application/json")
    46. 

  46. 	req.Header.Set("Authorization", "Bearer garbage.token.value")
    47. 

  47. 	rr := httptest.NewRecorder()
    48. 

  48. 	handler.ServeHTTP(rr, req)
    49. 

  49. 

  50. 	var body response.Body
    51. 

  51. 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &body))
    52. 

  52. 	assert.False(t, body.Success)
    53. 

  53. 	assert.Equal(t, 401, body.ErrorCode,
    54. 

  54. 		"非法 refresh token 必须 401, 而不是 500 panic 或 200; 实际 code=%d msg=%q", body.ErrorCode, body.ErrorMessage)
    55. 

  55. }
    56.