fix(auth): wiring Auth/Sessions, нормализация email, GetUserByID для /me, 409 на дубль, timing-guard логина

This commit is contained in:
2026-07-03 20:29:05 +07:00
parent aa0ef1c6a9
commit 35ffe73ae3
8 changed files with 265 additions and 10 deletions
+36
View File
@@ -1,6 +1,7 @@
package store
import (
"errors"
"testing"
"time"
@@ -57,6 +58,41 @@ func TestGetUserByEmail_FindsRegisteredUser(t *testing.T) {
}
}
// TestRegisterUser_DuplicateEmailReturnsErrEmailTaken verifies the fix for
// the duplicate-registration gap: a second RegisterUser call for an
// already-taken email must fail with the ErrEmailTaken sentinel (mapped from
// the UNIQUE constraint violation on users.email), not a generic pgx error.
func TestRegisterUser_DuplicateEmailReturnsErrEmailTaken(t *testing.T) {
s, ctx := newStore(t)
if _, _, err := s.RegisterUser(ctx, "dup@example.com", "argon2-hash"); err != nil {
t.Fatal(err)
}
if _, _, err := s.RegisterUser(ctx, "dup@example.com", "argon2-hash"); !errors.Is(err, ErrEmailTaken) {
t.Fatalf("expected ErrEmailTaken, got %v", err)
}
}
// TestGetUserByID_ReturnsUser verifies the fix for the /me gap: GetUserByID
// returns the same user created by RegisterUser, including their real email.
func TestGetUserByID_ReturnsUser(t *testing.T) {
s, ctx := newStore(t)
u, _, err := s.RegisterUser(ctx, "gina@example.com", "argon2-hash")
if err != nil {
t.Fatal(err)
}
got, err := s.GetUserByID(ctx, u.ID)
if err != nil {
t.Fatal(err)
}
if got.ID != u.ID || got.Email != "gina@example.com" {
t.Fatalf("unexpected user: %+v", got)
}
}
// TestSessionLifecycle_CreateGetDelete verifies CreateSession + GetSessionUser
// round-trips to the owning user ID, an expired session is excluded from
// GetSessionUser, and DeleteSession removes the session.