package services import ( "context" "encoding/json" "net/http" "net/http/httptest" "testing" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "go.uber.org/zap" ) // TestCaptchaService_Disabled verifies that disabled CAPTCHA always passes. func TestCaptchaService_Disabled(t *testing.T) { svc := NewCaptchaService(CaptchaConfig{Enabled: false}, zap.NewNop()) err := svc.Verify(context.Background(), "", "127.0.0.1") assert.NoError(t, err, "disabled CAPTCHA should always pass") } // TestCaptchaService_EmptyToken verifies that enabled CAPTCHA rejects empty token. func TestCaptchaService_EmptyToken(t *testing.T) { svc := NewCaptchaService(CaptchaConfig{Enabled: true, SecretKey: "test"}, zap.NewNop()) err := svc.Verify(context.Background(), "", "127.0.0.1") assert.Error(t, err) assert.Contains(t, err.Error(), "captcha token required") } // TestCaptchaService_VerifySuccess verifies that a valid CAPTCHA token is accepted. func TestCaptchaService_VerifySuccess(t *testing.T) { // Mock Turnstile API server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { resp := map[string]interface{}{"success": true} json.NewEncoder(w).Encode(resp) })) defer server.Close() svc := &CaptchaService{ secretKey: "test-secret", verifyURL: server.URL, enabled: true, httpClient: server.Client(), logger: zap.NewNop(), } err := svc.Verify(context.Background(), "valid-token", "127.0.0.1") assert.NoError(t, err) } // TestCaptchaService_VerifyFailure verifies that an invalid CAPTCHA token is rejected. func TestCaptchaService_VerifyFailure(t *testing.T) { server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { resp := map[string]interface{}{ "success": false, "error-codes": []string{"invalid-input-response"}, } json.NewEncoder(w).Encode(resp) })) defer server.Close() svc := &CaptchaService{ secretKey: "test-secret", verifyURL: server.URL, enabled: true, httpClient: server.Client(), logger: zap.NewNop(), } err := svc.Verify(context.Background(), "bad-token", "127.0.0.1") assert.Error(t, err) assert.Contains(t, err.Error(), "captcha verification failed") } // TestCaptchaService_IsEnabled returns correct state. func TestCaptchaService_IsEnabled(t *testing.T) { disabled := NewCaptchaService(CaptchaConfig{Enabled: false}, zap.NewNop()) assert.False(t, disabled.IsEnabled()) enabled := NewCaptchaService(CaptchaConfig{Enabled: true, SecretKey: "k"}, zap.NewNop()) assert.True(t, enabled.IsEnabled()) } // TestCaptchaService_FailOpen verifies that if the CAPTCHA server is unreachable, we fail open. func TestCaptchaService_FailOpen(t *testing.T) { svc := &CaptchaService{ secretKey: "test-secret", verifyURL: "http://localhost:1", // unreachable enabled: true, httpClient: &http.Client{}, logger: zap.NewNop(), } err := svc.Verify(context.Background(), "some-token", "127.0.0.1") // Should fail open (not block users when CAPTCHA service is down) require.NoError(t, err, "should fail open when CAPTCHA service is unreachable") }