gabehf/Koito
1
0
Fork 0
mirror of https://github.com/gabehf/Koito.git synced 2026-04-22 20:11:50 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

add admin-only routes and authorization middleware tests

Browse source
This commit is contained in:
Ian Stewart 2026-02-26 16:46:24 -08:00
parent 64236c99c9
commit 4cbdf6a261
No known key found for this signature in database
3 changed files with 106 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

65
engine/admin_test.go Normal file
View file

@ -0,0 +1,65 @@
package engine_test
import (
"context"
"fmt"
"net/http"
"net/url"
"strings"
"testing"
"github.com/gabehf/koito/internal/db"
"github.com/gabehf/koito/internal/models"
"github.com/stretchr/testify/require"
)
// Minimal test: non-admin gets 403 on delete artist; admin succeeds.
func TestAdminProtectedDeleteArtist(t *testing.T) {
// create non-admin user
_, err := store.SaveUser(context.Background(), db.SaveUserOpts{
Username: "regular_user",
Password: "password123",
Role: models.UserRoleUser,
})
require.NoError(t, err)
// login as non-admin
form := url.Values{}
form.Set("username", "regular_user")
form.Set("password", "password123")
resp, err := http.DefaultClient.Post(host()+"/apis/web/v1/login", "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
require.NoError(t, err)
require.Len(t, resp.Cookies(), 1)
session := resp.Cookies()[0].Value
// create an artist to delete
artist, err := store.SaveArtist(context.Background(), db.SaveArtistOpts{Name: "ToBeDeleted"})
require.NoError(t, err)
// attempt delete as non-admin, expect Forbidden
req, err := http.NewRequest("DELETE", host()+fmt.Sprintf("/apis/web/v1/artist?id=%d", artist.ID), nil)
require.NoError(t, err)
req.AddCookie(&http.Cookie{Name: "koito_session", Value: session})
resp2, err := http.DefaultClient.Do(req)
require.NoError(t, err)
defer resp2.Body.Close()
require.Equal(t, http.StatusForbidden, resp2.StatusCode)
// login as admin (default user 'test')
form2 := url.Values{}
form2.Set("username", "test")
form2.Set("password", "testuser123")
resp3, err := http.DefaultClient.Post(host()+"/apis/web/v1/login", "application/x-www-form-urlencoded", strings.NewReader(form2.Encode()))
require.NoError(t, err)
require.Len(t, resp3.Cookies(), 1)
adminSession := resp3.Cookies()[0].Value
// attempt delete as admin - expect NoContent
req2, err := http.NewRequest("DELETE", host()+fmt.Sprintf("/apis/web/v1/artist?id=%d", artist.ID), nil)
require.NoError(t, err)
req2.AddCookie(&http.Cookie{Name: "koito_session", Value: adminSession})
resp4, err := http.DefaultClient.Do(req2)
require.NoError(t, err)
defer resp4.Body.Close()
require.Equal(t, http.StatusNoContent, resp4.StatusCode)
}