package middleware import ( "context" "encoding/json" "net/http" "net/http/httptest" "os" "testing" "time" "github.com/gin-gonic/gin" "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" "go.uber.org/zap" "veza-backend-api/internal/services" ) func setupTestJWTService(t *testing.T) *services.JWTService { // Set a test JWT_SECRET originalSecret := os.Getenv("JWT_SECRET") os.Setenv("JWT_SECRET", "test-secret-key-for-jwt-service-testing-only") t.Cleanup(func() { if originalSecret != "" { os.Setenv("JWT_SECRET", originalSecret) } else { os.Unsetenv("JWT_SECRET") } }) return services.NewJWTService("test-secret-key-for-jwt-service-testing-only") // Pass secret } // generateTestToken crée un token JWT compatible avec AuthMiddleware.validateJWTToken // Le middleware attend claims["user_id"] en string UUID (pas "sub" en int64) // ÉTAPE 3.4: Helper pour créer des tokens compatibles avec le nouveau middleware func generateTestToken(t *testing.T, userID uuid.UUID, expiresIn time.Duration) string { secret := os.Getenv("JWT_SECRET") if secret == "" { secret = "test-secret-key-for-jwt-service-testing-only" } claims := jwt.MapClaims{ "user_id": userID.String(), // Le middleware attend user_id en string UUID "exp": time.Now().Add(expiresIn).Unix(), "iat": time.Now().Unix(), // Use Unix timestamp for iat "iss": "veza-api", } token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) tokenString, err := token.SignedString([]byte(secret)) require.NoError(t, err) return tokenString } // generateExpiredTestToken crée un token JWT expiré pour les tests // ÉTAPE 3.4: Helper pour créer des tokens expirés compatibles avec le middleware func generateExpiredTestToken(t *testing.T, userID uuid.UUID) string { secret := os.Getenv("JWT_SECRET") if secret == "" { secret = "test-secret-key-for-jwt-service-testing-only" } claims := jwt.MapClaims{ "user_id": userID.String(), "exp": time.Now().Add(-1 * time.Hour).Unix(), // Expiré il y a 1 heure "iat": time.Now().Add(-2 * time.Hour).Unix(), "iss": "veza-api", } token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) tokenString, err := token.SignedString([]byte(secret)) require.NoError(t, err) return tokenString } // MockSessionService pour les tests (évite cycle d'import avec testutils) type MockSessionService struct { mock.Mock } func (m *MockSessionService) CreateSession(ctx context.Context, req *services.SessionCreateRequest) (*services.Session, error) { args := m.Called(ctx, req) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).(*services.Session), args.Error(1) } func (m *MockSessionService) ValidateSession(ctx context.Context, token string) (*services.Session, error) { args := m.Called(ctx, token) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).(*services.Session), args.Error(1) } func (m *MockSessionService) RevokeSession(ctx context.Context, token string) error { args := m.Called(ctx, token) return args.Error(0) } func (m *MockSessionService) RevokeAllUserSessions(ctx context.Context, userID uuid.UUID) (int64, error) { args := m.Called(ctx, userID) return args.Get(0).(int64), args.Error(1) } func (m *MockSessionService) GetUserSessions(ctx context.Context, userID uuid.UUID) ([]*services.Session, error) { args := m.Called(ctx, userID) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).([]*services.Session), args.Error(1) } func (m *MockSessionService) CleanupExpiredSessions(ctx context.Context) (int64, error) { args := m.Called(ctx) return args.Get(0).(int64), args.Error(1) } func (m *MockSessionService) RefreshSession(ctx context.Context, token string, newExpiresIn time.Duration) error { args := m.Called(ctx, token, newExpiresIn) return args.Error(0) } func (m *MockSessionService) GetSessionStats(ctx context.Context) (map[string]interface{}, error) { args := m.Called(ctx) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).(map[string]interface{}), args.Error(1) } // MockAuditService pour les tests (évite cycle d'import avec testutils) type MockAuditService struct { mock.Mock } func (m *MockAuditService) LogAction(ctx context.Context, req *services.AuditLogCreateRequest) error { args := m.Called(ctx, req) return args.Error(0) } func (m *MockAuditService) LogLogin(ctx context.Context, userID *uuid.UUID, success bool, ipAddress, userAgent string, metadata map[string]interface{}) error { args := m.Called(ctx, userID, success, ipAddress, userAgent, metadata) return args.Error(0) } func (m *MockAuditService) LogLogout(ctx context.Context, userID uuid.UUID, ipAddress, userAgent string) error { args := m.Called(ctx, userID, ipAddress, userAgent) return args.Error(0) } func (m *MockAuditService) LogUpload(ctx context.Context, userID uuid.UUID, resourceID uuid.UUID, fileName string, fileSize int64, ipAddress, userAgent string) error { args := m.Called(ctx, userID, resourceID, fileName, fileSize, ipAddress, userAgent) return args.Error(0) } func (m *MockAuditService) LogPermissionChange(ctx context.Context, userID uuid.UUID, targetUserID uuid.UUID, oldPermissions, newPermissions []string, ipAddress, userAgent string) error { args := m.Called(ctx, userID, targetUserID, oldPermissions, newPermissions, ipAddress, userAgent) return args.Error(0) } func (m *MockAuditService) LogDeletion(ctx context.Context, userID uuid.UUID, resource string, resourceID uuid.UUID, ipAddress, userAgent string) error { args := m.Called(ctx, userID, resource, resourceID, ipAddress, userAgent) return args.Error(0) } func (m *MockAuditService) SearchLogs(ctx context.Context, req *services.AuditLogSearchRequest) ([]*services.AuditLog, error) { args := m.Called(ctx, req) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).([]*services.AuditLog), args.Error(1) } func (m *MockAuditService) GetStats(ctx context.Context, startDate, endDate time.Time) ([]*services.AuditStats, error) { args := m.Called(ctx, startDate, endDate) if args.Get(0) == nil { return nil, args.Error(1) } return args.Get(0).([]*services.AuditStats), args.Error(1) } // MockPermissionService pour les tests type MockPermissionService struct { mock.Mock } func (m *MockPermissionService) HasRole(ctx context.Context, userID uuid.UUID, roleName string) (bool, error) { args := m.Called(ctx, userID, roleName) return args.Bool(0), args.Error(1) } func (m *MockPermissionService) HasPermission(ctx context.Context, userID uuid.UUID, permissionName string) (bool, error) { args := m.Called(ctx, userID, permissionName) return args.Bool(0), args.Error(1) } // setupTestAuthMiddleware crée un AuthMiddleware configuré pour les tests // ÉTAPE 3.4: Utilise les interfaces pour permettre l'injection directe des mocks func setupTestAuthMiddleware(t *testing.T, jwtService *services.JWTService) (*AuthMiddleware, *MockSessionService, *MockAuditService, *MockPermissionService) { logger, _ := zap.NewDevelopment() mockSessionService := new(MockSessionService) mockAuditService := new(MockAuditService) mockPermissionService := new(MockPermissionService) // Configurer le mock audit pour ne pas faire échouer les tests (tous les appels retournent nil) mockAuditService.On("LogAction", mock.Anything, mock.Anything).Return(nil).Maybe() jwtSecret := os.Getenv("JWT_SECRET") if jwtSecret == "" { jwtSecret = "test-secret-key-for-jwt-service-testing-only" } // ÉTAPE 3.4: Les mocks implémentent maintenant directement les interfaces // Plus besoin de wrappers ou de hacks - injection directe des mocks authMiddleware := NewAuthMiddleware(mockSessionService, mockAuditService, mockPermissionService, logger, jwtSecret) return authMiddleware, mockSessionService, mockAuditService, mockPermissionService } // T0173: Tests pour AuthMiddleware // ÉTAPE 3.4: Test du happy path - token valide, user_id en uuid.UUID dans le contexte // Maintenant fonctionnel grâce aux interfaces func TestAuthMiddleware_ValidToken(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, mockSessionService, _, _ := setupTestAuthMiddleware(t, nil) userUUID := uuid.MustParse("00000000-0000-0000-0000-000000000042") token := generateTestToken(t, userUUID, 15*time.Minute) sessionID := uuid.New() mockSession := &services.Session{ ID: sessionID, UserID: userUUID, CreatedAt: time.Now(), ExpiresAt: time.Now().Add(24 * time.Hour), } mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { userIDInterface, exists := c.Get("user_id") assert.True(t, exists, "user_id should exist in context") userID, ok := userIDInterface.(uuid.UUID) assert.True(t, ok, "user_id should be uuid.UUID") assert.Equal(t, userUUID, userID, "user_id should match expected UUID") sessionIDCtx, exists := c.Get("session_id") assert.True(t, exists, "session_id should exist in context") assert.Equal(t, mockSession.ID, sessionIDCtx, "session_id should match session ID") c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) mockSessionService.AssertExpectations(t) } func TestAuthMiddleware_MissingHeader(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) assert.NoError(t, err) assert.Equal(t, "Authorization header required", response["error"]) } func TestAuthMiddleware_InvalidHeaderFormat(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) testCases := []struct { name string header string expectedError string }{ {"No Bearer prefix", "token123", "Invalid"}, {"Wrong prefix", "Basic token123", "Invalid"}, {"Multiple spaces", "Bearer token123", "Invalid"}, {"Empty token", "Bearer ", "Invalid"}, {"Empty header", "", "Authorization header required"}, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { req, _ := http.NewRequest("GET", "/test", nil) if tc.header != "" { req.Header.Set("Authorization", tc.header) } w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) assert.NoError(t, err) assert.Contains(t, response["error"], tc.expectedError) }) } } func TestAuthMiddleware_InvalidToken(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) testCases := []struct { name string token string }{ {"Invalid token string", "invalid.token.string"}, {"Malformed token", "not.a.valid.token"}, {"Empty token", ""}, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+tc.token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) assert.NoError(t, err) assert.Contains(t, response["error"], "Invalid") }) } } func TestAuthMiddleware_ExpiredToken(t *testing.T) { gin.SetMode(gin.TestMode) jwtService := setupTestJWTService(t) authMiddleware, _, _, _ := setupTestAuthMiddleware(t, jwtService) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) userUUID := uuid.New() expiredToken := generateExpiredTestToken(t, userUUID) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+expiredToken) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) assert.NoError(t, err) assert.Contains(t, response["error"], "Invalid") } func TestAuthMiddleware_ContextValues(t *testing.T) { gin.SetMode(gin.TestMode) jwtService := setupTestJWTService(t) testCases := []struct { name string userUUID uuid.UUID }{ {"Regular user", uuid.MustParse("00000000-0000-0000-0000-000000000001")}, {"Admin user", uuid.MustParse("00000000-0000-0000-0000-000000000002")}, {"Moderator", uuid.MustParse("00000000-0000-0000-0000-000000000003")}, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { authMiddleware, mockSessionService, _, _ := setupTestAuthMiddleware(t, jwtService) token := generateTestToken(t, tc.userUUID, 15*time.Minute) sessionID := uuid.New() mockSession := &services.Session{ ID: sessionID, UserID: tc.userUUID, CreatedAt: time.Now(), ExpiresAt: time.Now().Add(24 * time.Hour), } mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { userIDInterface, exists := c.Get("user_id") assert.True(t, exists, "user_id should exist in context") userID, ok := userIDInterface.(uuid.UUID) assert.True(t, ok, "user_id should be uuid.UUID") assert.Equal(t, tc.userUUID, userID, "user_id should match expected UUID") sessionIDCtx, exists := c.Get("session_id") assert.True(t, exists, "session_id should exist in context") assert.Equal(t, mockSession.ID, sessionIDCtx, "session_id should match session ID") c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) mockSessionService.AssertExpectations(t) }) } } func TestAuthMiddleware_NextCalled(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, mockSessionService, _, _ := setupTestAuthMiddleware(t, nil) userUUID := uuid.New() token := generateTestToken(t, userUUID, 15*time.Minute) sessionID := uuid.New() mockSession := &services.Session{ ID: sessionID, UserID: userUUID, CreatedAt: time.Now(), ExpiresAt: time.Now().Add(24 * time.Hour), } mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil) nextCalled := false router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { nextCalled = true c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.True(t, nextCalled, "Next handler should be called with valid token") assert.Equal(t, http.StatusOK, w.Code) mockSessionService.AssertExpectations(t) } func TestAuthMiddleware_NextNotCalledOnError(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil) nextCalled := false router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { nextCalled = true c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.False(t, nextCalled, "Next handler should not be called when authentication fails") assert.Equal(t, http.StatusUnauthorized, w.Code) } func TestAuthMiddleware_TokenExpired(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil) userUUID := uuid.New() tokenString := generateExpiredTestToken(t, userUUID) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+tokenString) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) assert.NoError(t, err) assert.Contains(t, response["error"], "Invalid") } func TestAuthMiddleware_TokenExpired_NextNotCalled(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, _, _, _ := setupTestAuthMiddleware(t, nil) userUUID := uuid.New() tokenString := generateExpiredTestToken(t, userUUID) nextCalled := false router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { nextCalled = true c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+tokenString) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.False(t, nextCalled, "Next handler should not be called when token is expired") assert.Equal(t, http.StatusUnauthorized, w.Code) } func TestAuthMiddleware_InvalidToken_NoExpiredHeader(t *testing.T) { gin.SetMode(gin.TestMode) jwtService := setupTestJWTService(t) authMiddleware, mockSessionService, _, _ := setupTestAuthMiddleware(t, jwtService) invalidToken := "invalid.token.string" mockSessionService.On("ValidateSession", mock.Anything, invalidToken).Return(nil, assert.AnError).Maybe() router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+invalidToken) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusUnauthorized, w.Code) var response map[string]interface{} err := json.Unmarshal(w.Body.Bytes(), &response) assert.NoError(t, err) assert.Contains(t, response["error"], "Invalid") } func TestAuthMiddleware_ValidToken_NoExpiredHeader(t *testing.T) { gin.SetMode(gin.TestMode) authMiddleware, mockSessionService, _, _ := setupTestAuthMiddleware(t, nil) userUUID := uuid.New() token := generateTestToken(t, userUUID, 15*time.Minute) sessionID := uuid.New() mockSession := &services.Session{ ID: sessionID, UserID: userUUID, CreatedAt: time.Now(), ExpiresAt: time.Now().Add(24 * time.Hour), } mockSessionService.On("ValidateSession", mock.Anything, token).Return(mockSession, nil) router := gin.New() router.Use(authMiddleware.RequireAuth()) router.GET("/test", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "success"}) }) req, _ := http.NewRequest("GET", "/test", nil) req.Header.Set("Authorization", "Bearer "+token) w := httptest.NewRecorder() router.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) mockSessionService.AssertExpectations(t) }