Harden API security: input validation, safe auth extraction, new tests, and deploy config
Comprehensive security hardening from audit findings: - Add validation tags to all DTO request structs (max lengths, ranges, enums) - Replace unsafe type assertions with MustGetAuthUser helper across all handlers - Remove query-param token auth from admin middleware (prevents URL token leakage) - Add request validation calls in handlers that were missing c.Validate() - Remove goroutines in handlers (timezone update now synchronous) - Add sanitize middleware and path traversal protection (path_utils) - Stop resetting admin passwords on migration restart - Warn on well-known default SECRET_KEY - Add ~30 new test files covering security regressions, auth safety, repos, and services - Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Trey t
43
internal/handlers/upload_handler_test.go
Normal file
43
internal/handlers/upload_handler_test.go
Normal file
@@ -0,0 +1,43 @@
|
||||
package handlers
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
"github.com/treytartt/casera-api/internal/i18n"
|
||||
"github.com/treytartt/casera-api/internal/testutil"
|
||||
)
|
||||
|
||||
func init() {
|
||||
// Initialize i18n so the custom error handler can localize error messages.
|
||||
// Other handler tests get this from testutil.SetupTestDB, but these tests
|
||||
// don't need a database.
|
||||
i18n.Init()
|
||||
}
|
||||
|
||||
func TestDeleteFile_MissingURL_Returns400(t *testing.T) {
|
||||
// Use a test storage service — DeleteFile won't reach storage since validation fails first
|
||||
storageSvc := newTestStorageService("/var/uploads")
|
||||
handler := NewUploadHandler(storageSvc)
|
||||
|
||||
e := testutil.SetupTestRouter()
|
||||
|
||||
// Register route
|
||||
e.DELETE("/api/uploads/", handler.DeleteFile)
|
||||
|
||||
// Send request with empty JSON body (url field missing)
|
||||
w := testutil.MakeRequest(e, http.MethodDelete, "/api/uploads/", map[string]string{}, "test-token")
|
||||
testutil.AssertStatusCode(t, w, http.StatusBadRequest)
|
||||
}
|
||||
|
||||
func TestDeleteFile_EmptyURL_Returns400(t *testing.T) {
|
||||
storageSvc := newTestStorageService("/var/uploads")
|
||||
handler := NewUploadHandler(storageSvc)
|
||||
|
||||
e := testutil.SetupTestRouter()
|
||||
e.DELETE("/api/uploads/", handler.DeleteFile)
|
||||
|
||||
// Send request with empty url field
|
||||
w := testutil.MakeRequest(e, http.MethodDelete, "/api/uploads/", map[string]string{"url": ""}, "test-token")
|
||||
testutil.AssertStatusCode(t, w, http.StatusBadRequest)
|
||||
}
|
||||
Reference in New Issue
Block a user