fix(httpapi): bind session token to current AuthUser; add negative auth tests
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01MMHQTtnQtQqL8muAXHr9kd
This commit is contained in:
@@ -58,7 +58,8 @@ func (s *Server) requireAuth(next http.Handler) http.Handler {
|
|||||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if _, ok := crypto.VerifySession(s.cfg.SessionSecret, c.Value, time.Now()); !ok {
|
user, ok := crypto.VerifySession(s.cfg.SessionSecret, c.Value, time.Now())
|
||||||
|
if !ok || user != s.cfg.AuthUser {
|
||||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -5,8 +5,10 @@ import (
|
|||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/vasyansk/imap-copier/internal/config"
|
"github.com/vasyansk/imap-copier/internal/config"
|
||||||
|
"github.com/vasyansk/imap-copier/internal/crypto"
|
||||||
)
|
)
|
||||||
|
|
||||||
func testServer() *Server {
|
func testServer() *Server {
|
||||||
@@ -55,3 +57,39 @@ func TestRequireAuthAllowsValidCookie(t *testing.T) {
|
|||||||
t.Fatalf("want 200, got %d", rw.Code)
|
t.Fatalf("want 200, got %d", rw.Code)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestLoginRejectsBadCredentials(t *testing.T) {
|
||||||
|
s := testServer()
|
||||||
|
req := httptest.NewRequest("POST", "/api/login", strings.NewReader(`{"user":"admin","pass":"wrong"}`))
|
||||||
|
rw := httptest.NewRecorder()
|
||||||
|
s.handleLogin(rw, req)
|
||||||
|
if rw.Code != http.StatusUnauthorized {
|
||||||
|
t.Fatalf("want 401, got %d", rw.Code)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestRequireAuthRejectsTamperedCookie(t *testing.T) {
|
||||||
|
s := testServer()
|
||||||
|
h := s.requireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200) }))
|
||||||
|
req := httptest.NewRequest("GET", "/api/tasks", nil)
|
||||||
|
req.AddCookie(&http.Cookie{Name: cookieName, Value: "not.a.validtoken"})
|
||||||
|
rw := httptest.NewRecorder()
|
||||||
|
h.ServeHTTP(rw, req)
|
||||||
|
if rw.Code != http.StatusUnauthorized {
|
||||||
|
t.Fatalf("want 401, got %d", rw.Code)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestRequireAuthRejectsTokenForDifferentUser(t *testing.T) {
|
||||||
|
s := testServer()
|
||||||
|
// token signed for a user that is NOT s.cfg.AuthUser ("admin")
|
||||||
|
tok := crypto.SignSession(s.cfg.SessionSecret, "olduser", time.Now().Add(time.Hour))
|
||||||
|
h := s.requireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200) }))
|
||||||
|
req := httptest.NewRequest("GET", "/api/tasks", nil)
|
||||||
|
req.AddCookie(&http.Cookie{Name: cookieName, Value: tok})
|
||||||
|
rw := httptest.NewRecorder()
|
||||||
|
h.ServeHTTP(rw, req)
|
||||||
|
if rw.Code != http.StatusUnauthorized {
|
||||||
|
t.Fatalf("stale-user token must be rejected, got %d", rw.Code)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user