Harden API security: input validation, safe auth extraction, new tests, and deploy config
Comprehensive security hardening from audit findings: - Add validation tags to all DTO request structs (max lengths, ranges, enums) - Replace unsafe type assertions with MustGetAuthUser helper across all handlers - Remove query-param token auth from admin middleware (prevents URL token leakage) - Add request validation calls in handlers that were missing c.Validate() - Remove goroutines in handlers (timezone update now synchronous) - Add sanitize middleware and path traversal protection (path_utils) - Stop resetting admin passwords on migration restart - Warn on well-known default SECRET_KEY - Add ~30 new test files covering security regressions, auth safety, repos, and services - Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Trey t
@@ -506,6 +506,52 @@ func TestTaskHandler_CreateCompletion(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func TestTaskHandler_CreateCompletion_Rating6_Returns400(t *testing.T) {
|
||||
handler, e, db := setupTaskHandler(t)
|
||||
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
||||
residence := testutil.CreateTestResidence(t, db, user.ID, "Test House")
|
||||
task := testutil.CreateTestTask(t, db, residence.ID, user.ID, "Rate Me")
|
||||
|
||||
authGroup := e.Group("/api/task-completions")
|
||||
authGroup.Use(testutil.MockAuthMiddleware(user))
|
||||
authGroup.POST("/", handler.CreateCompletion)
|
||||
|
||||
t.Run("rating out of bounds rejected", func(t *testing.T) {
|
||||
rating := 6
|
||||
req := requests.CreateTaskCompletionRequest{
|
||||
TaskID: task.ID,
|
||||
Rating: &rating,
|
||||
}
|
||||
|
||||
w := testutil.MakeRequest(e, "POST", "/api/task-completions/", req, "test-token")
|
||||
testutil.AssertStatusCode(t, w, http.StatusBadRequest)
|
||||
})
|
||||
|
||||
t.Run("rating zero rejected", func(t *testing.T) {
|
||||
rating := 0
|
||||
req := requests.CreateTaskCompletionRequest{
|
||||
TaskID: task.ID,
|
||||
Rating: &rating,
|
||||
}
|
||||
|
||||
w := testutil.MakeRequest(e, "POST", "/api/task-completions/", req, "test-token")
|
||||
testutil.AssertStatusCode(t, w, http.StatusBadRequest)
|
||||
})
|
||||
|
||||
t.Run("rating 5 accepted", func(t *testing.T) {
|
||||
rating := 5
|
||||
completedAt := time.Now().UTC()
|
||||
req := requests.CreateTaskCompletionRequest{
|
||||
TaskID: task.ID,
|
||||
CompletedAt: &completedAt,
|
||||
Rating: &rating,
|
||||
}
|
||||
|
||||
w := testutil.MakeRequest(e, "POST", "/api/task-completions/", req, "test-token")
|
||||
testutil.AssertStatusCode(t, w, http.StatusCreated)
|
||||
})
|
||||
}
|
||||
|
||||
func TestTaskHandler_ListCompletions(t *testing.T) {
|
||||
handler, e, db := setupTaskHandler(t)
|
||||
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
||||
@@ -603,6 +649,71 @@ func TestTaskHandler_DeleteCompletion(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func TestTaskHandler_CreateTask_EmptyTitle_Returns400(t *testing.T) {
|
||||
handler, e, db := setupTaskHandler(t)
|
||||
testutil.SeedLookupData(t, db)
|
||||
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
||||
residence := testutil.CreateTestResidence(t, db, user.ID, "Test House")
|
||||
|
||||
authGroup := e.Group("/api/tasks")
|
||||
authGroup.Use(testutil.MockAuthMiddleware(user))
|
||||
authGroup.POST("/", handler.CreateTask)
|
||||
|
||||
t.Run("empty body returns 400 with validation errors", func(t *testing.T) {
|
||||
w := testutil.MakeRequest(e, "POST", "/api/tasks/", map[string]interface{}{}, "test-token")
|
||||
|
||||
testutil.AssertStatusCode(t, w, http.StatusBadRequest)
|
||||
|
||||
var response map[string]interface{}
|
||||
err := json.Unmarshal(w.Body.Bytes(), &response)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Should contain structured validation error
|
||||
assert.Contains(t, response, "error")
|
||||
assert.Contains(t, response, "fields")
|
||||
|
||||
fields := response["fields"].(map[string]interface{})
|
||||
assert.Contains(t, fields, "residence_id", "validation error should reference 'residence_id'")
|
||||
assert.Contains(t, fields, "title", "validation error should reference 'title'")
|
||||
})
|
||||
|
||||
t.Run("missing title returns 400", func(t *testing.T) {
|
||||
req := map[string]interface{}{
|
||||
"residence_id": residence.ID,
|
||||
}
|
||||
|
||||
w := testutil.MakeRequest(e, "POST", "/api/tasks/", req, "test-token")
|
||||
|
||||
testutil.AssertStatusCode(t, w, http.StatusBadRequest)
|
||||
|
||||
var response map[string]interface{}
|
||||
err := json.Unmarshal(w.Body.Bytes(), &response)
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.Contains(t, response, "fields")
|
||||
fields := response["fields"].(map[string]interface{})
|
||||
assert.Contains(t, fields, "title", "validation error should reference 'title'")
|
||||
})
|
||||
|
||||
t.Run("missing residence_id returns 400", func(t *testing.T) {
|
||||
req := map[string]interface{}{
|
||||
"title": "Test Task",
|
||||
}
|
||||
|
||||
w := testutil.MakeRequest(e, "POST", "/api/tasks/", req, "test-token")
|
||||
|
||||
testutil.AssertStatusCode(t, w, http.StatusBadRequest)
|
||||
|
||||
var response map[string]interface{}
|
||||
err := json.Unmarshal(w.Body.Bytes(), &response)
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.Contains(t, response, "fields")
|
||||
fields := response["fields"].(map[string]interface{})
|
||||
assert.Contains(t, fields, "residence_id", "validation error should reference 'residence_id'")
|
||||
})
|
||||
}
|
||||
|
||||
func TestTaskHandler_GetLookups(t *testing.T) {
|
||||
handler, e, db := setupTaskHandler(t)
|
||||
testutil.SeedLookupData(t, db)
|
||||
|
||||
Reference in New Issue
Block a user