Added tests for auth middleware.

middleware/auth.go

@@ -11,17 +11,18 @@ import (
 	"github.com/labstack/echo/v4"
 )
 
+// LoadAuthenticatedUser loads the authenticated user, if one, and stores in context
 func LoadAuthenticatedUser(authClient *services.AuthClient) echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
 			u, err := authClient.GetAuthenticatedUser(c)
 			switch err.(type) {
 			case *ent.NotFoundError:
-				c.Logger().Debug("auth user not found")
+				c.Logger().Warn("auth user not found")
 			case services.NotAuthenticatedError:
 			case nil:
 				c.Set(context.AuthenticatedUserKey, u)
-				c.Logger().Info("auth user loaded in to context: %d", u.ID)
+				c.Logger().Infof("auth user loaded in to context: %d", u.ID)
 			default:
 				c.Logger().Errorf("error querying for authenticated user: %v", err)
 			}
@@ -31,41 +32,42 @@ func LoadAuthenticatedUser(authClient *services.AuthClient) echo.MiddlewareFunc
 	}
 }
 
+// LoadValidPasswordToken loads a valid password token entity that matches the user and token
+// provided in path parameters
+// If the token is invalid, the user will be redirected to the forgot password route
+// This requires that the user owning the token is loaded in to context
 func LoadValidPasswordToken(authClient *services.AuthClient) echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
-			var usr *ent.User
-
+			// Extract the user parameter
 			if c.Get(context.UserKey) == nil {
-				return echo.NewHTTPError(http.StatusInternalServerError, "Internal server error")
+				return echo.NewHTTPError(http.StatusInternalServerError)
 			}
-			usr = c.Get(context.UserKey).(*ent.User)
+			usr := c.Get(context.UserKey).(*ent.User)
 
-			tokenParam := c.Param("password_token")
-			token, err := authClient.GetValidPasswordToken(c, tokenParam, usr.ID)
+			token, err := authClient.GetValidPasswordToken(c, c.Param("password_token"), usr.ID)
 
 			switch err.(type) {
 			case nil:
+				c.Set(context.PasswordTokenKey, token)
+				return next(c)
 			case services.InvalidPasswordTokenError:
 				msg.Warning(c, "The link is either invalid or has expired. Please request a new one.")
 				return c.Redirect(http.StatusFound, c.Echo().Reverse("forgot_password"))
 			default:
 				c.Logger().Error(err)
-				return echo.NewHTTPError(http.StatusInternalServerError, "Internal server error")
+				return echo.NewHTTPError(http.StatusInternalServerError)
 			}
-
-			c.Set(context.PasswordTokenKey, token)
-
-			return next(c)
 		}
 	}
 }
 
+// RequireAuthentication requires that the user be authenticated in order to proceed
 func RequireAuthentication() echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
 			if u := c.Get(context.AuthenticatedUserKey); u == nil {
-				return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+				return echo.NewHTTPError(http.StatusUnauthorized)
 			}
 
 			return next(c)
@@ -73,11 +75,12 @@ func RequireAuthentication() echo.MiddlewareFunc {
 	}
 }
 
+// RequireNoAuthentication requires that the user not be authenticated in order to proceed
 func RequireNoAuthentication() echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
 			if u := c.Get(context.AuthenticatedUserKey); u != nil {
-				return echo.NewHTTPError(http.StatusForbidden, "Forbidden")
+				return echo.NewHTTPError(http.StatusForbidden)
 			}
 
 			return next(c)

middleware/auth_test.go

@@ -1,6 +1,7 @@
 package middleware
 
 import (
+	"fmt"
 	"net/http"
 	"testing"
 
@@ -8,8 +9,6 @@ import (
 	"goweb/ent"
 	"goweb/tests"
 
-	"github.com/labstack/echo/v4"
-
 	"github.com/stretchr/testify/require"
 
 	"github.com/stretchr/testify/assert"
@@ -42,9 +41,7 @@ func TestRequireAuthentication(t *testing.T) {
 
 	// Not logged in
 	err := tests.ExecuteMiddleware(ctx, RequireAuthentication())
-	httpError, ok := err.(*echo.HTTPError)
-	require.True(t, ok)
-	assert.Equal(t, http.StatusUnauthorized, httpError.Code)
+	tests.AssertHTTPErrorCode(t, err, http.StatusUnauthorized)
 
 	// Login
 	err = c.Auth.Login(ctx, usr.ID)
@@ -53,9 +50,7 @@ func TestRequireAuthentication(t *testing.T) {
 
 	// Logged in
 	err = tests.ExecuteMiddleware(ctx, RequireAuthentication())
-	httpError, ok = err.(*echo.HTTPError)
-	require.True(t, ok)
-	assert.NotEqual(t, http.StatusUnauthorized, httpError.Code)
+	tests.AssertHTTPErrorCodeNot(t, err, http.StatusUnauthorized)
 }
 
 func TestRequireNoAuthentication(t *testing.T) {
@@ -64,9 +59,7 @@ func TestRequireNoAuthentication(t *testing.T) {
 
 	// Not logged in
 	err := tests.ExecuteMiddleware(ctx, RequireNoAuthentication())
-	httpError, ok := err.(*echo.HTTPError)
-	require.True(t, ok)
-	assert.NotEqual(t, http.StatusForbidden, httpError.Code)
+	tests.AssertHTTPErrorCodeNot(t, err, http.StatusForbidden)
 
 	// Login
 	err = c.Auth.Login(ctx, usr.ID)
@@ -75,11 +68,44 @@ func TestRequireNoAuthentication(t *testing.T) {
 
 	// Logged in
 	err = tests.ExecuteMiddleware(ctx, RequireNoAuthentication())
-	httpError, ok = err.(*echo.HTTPError)
-	require.True(t, ok)
-	assert.Equal(t, http.StatusForbidden, httpError.Code)
+	tests.AssertHTTPErrorCode(t, err, http.StatusForbidden)
 }
 
 func TestLoadValidPasswordToken(t *testing.T) {
+	ctx, _ := tests.NewContext(c.Web, "/")
+	tests.InitSession(ctx)
 
+	// Missing user context
+	err := tests.ExecuteMiddleware(ctx, LoadValidPasswordToken(c.Auth))
+	tests.AssertHTTPErrorCode(t, err, http.StatusInternalServerError)
+
+	// Add user context but no password token and expect a redirect
+	ctx.SetParamNames("user")
+	ctx.SetParamValues(fmt.Sprintf("%d", usr.ID))
+	_ = tests.ExecuteMiddleware(ctx, LoadUser(c.ORM))
+	err = tests.ExecuteMiddleware(ctx, LoadValidPasswordToken(c.Auth))
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusFound, ctx.Response().Status)
+
+	// Add user context and invalid password token and expect a redirect
+	ctx.SetParamNames("user", "password_token")
+	ctx.SetParamValues(fmt.Sprintf("%d", usr.ID), "faketoken")
+	_ = tests.ExecuteMiddleware(ctx, LoadUser(c.ORM))
+	err = tests.ExecuteMiddleware(ctx, LoadValidPasswordToken(c.Auth))
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusFound, ctx.Response().Status)
+
+	// Create a valid token
+	token, pt, err := c.Auth.GeneratePasswordResetToken(ctx, usr.ID)
+	require.NoError(t, err)
+
+	// Add user and valid password token
+	ctx.SetParamNames("user", "password_token")
+	ctx.SetParamValues(fmt.Sprintf("%d", usr.ID), token)
+	_ = tests.ExecuteMiddleware(ctx, LoadUser(c.ORM))
+	err = tests.ExecuteMiddleware(ctx, LoadValidPasswordToken(c.Auth))
+	tests.AssertHTTPErrorCode(t, err, http.StatusNotFound)
+	ctxPt, ok := ctx.Get(context.PasswordTokenKey).(*ent.PasswordToken)
+	require.True(t, ok)
+	assert.Equal(t, pt.ID, ctxPt.ID)
 }