Harden API security: input validation, safe auth extraction, new tests, and deploy config
Comprehensive security hardening from audit findings: - Add validation tags to all DTO request structs (max lengths, ranges, enums) - Replace unsafe type assertions with MustGetAuthUser helper across all handlers - Remove query-param token auth from admin middleware (prevents URL token leakage) - Add request validation calls in handlers that were missing c.Validate() - Remove goroutines in handlers (timezone update now synchronous) - Add sanitize middleware and path traversal protection (path_utils) - Stop resetting admin passwords on migration restart - Warn on well-known default SECRET_KEY - Add ~30 new test files covering security regressions, auth safety, repos, and services - Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Trey t
96
internal/repositories/notification_repo_test.go
Normal file
96
internal/repositories/notification_repo_test.go
Normal file
@@ -0,0 +1,96 @@
|
||||
package repositories
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/treytartt/casera-api/internal/models"
|
||||
"github.com/treytartt/casera-api/internal/testutil"
|
||||
)
|
||||
|
||||
func TestGetOrCreatePreferences_New_Creates(t *testing.T) {
|
||||
db := testutil.SetupTestDB(t)
|
||||
repo := NewNotificationRepository(db)
|
||||
|
||||
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
||||
|
||||
// No preferences exist yet for this user
|
||||
prefs, err := repo.GetOrCreatePreferences(user.ID)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, prefs)
|
||||
|
||||
// Verify defaults were set
|
||||
assert.Equal(t, user.ID, prefs.UserID)
|
||||
assert.True(t, prefs.TaskDueSoon)
|
||||
assert.True(t, prefs.TaskOverdue)
|
||||
assert.True(t, prefs.TaskCompleted)
|
||||
assert.True(t, prefs.TaskAssigned)
|
||||
assert.True(t, prefs.ResidenceShared)
|
||||
assert.True(t, prefs.WarrantyExpiring)
|
||||
assert.True(t, prefs.EmailTaskCompleted)
|
||||
|
||||
// Verify it was actually persisted
|
||||
var count int64
|
||||
db.Model(&models.NotificationPreference{}).Where("user_id = ?", user.ID).Count(&count)
|
||||
assert.Equal(t, int64(1), count, "should have exactly one preferences record")
|
||||
}
|
||||
|
||||
func TestGetOrCreatePreferences_AlreadyExists_Returns(t *testing.T) {
|
||||
db := testutil.SetupTestDB(t)
|
||||
repo := NewNotificationRepository(db)
|
||||
|
||||
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
||||
|
||||
// Create preferences manually first
|
||||
existingPrefs := &models.NotificationPreference{
|
||||
UserID: user.ID,
|
||||
TaskDueSoon: true,
|
||||
TaskOverdue: true,
|
||||
TaskCompleted: true,
|
||||
TaskAssigned: true,
|
||||
ResidenceShared: true,
|
||||
WarrantyExpiring: true,
|
||||
EmailTaskCompleted: true,
|
||||
}
|
||||
err := db.Create(existingPrefs).Error
|
||||
require.NoError(t, err)
|
||||
require.NotZero(t, existingPrefs.ID)
|
||||
|
||||
// GetOrCreatePreferences should return the existing record, not create a new one
|
||||
prefs, err := repo.GetOrCreatePreferences(user.ID)
|
||||
require.NoError(t, err)
|
||||
require.NotNil(t, prefs)
|
||||
|
||||
// The returned record should have the same ID as the existing one
|
||||
assert.Equal(t, existingPrefs.ID, prefs.ID, "should return the existing record by ID")
|
||||
assert.Equal(t, user.ID, prefs.UserID, "should have correct user_id")
|
||||
|
||||
// Verify still only one record exists (no duplicate created)
|
||||
var count int64
|
||||
db.Model(&models.NotificationPreference{}).Where("user_id = ?", user.ID).Count(&count)
|
||||
assert.Equal(t, int64(1), count, "should still have exactly one preferences record")
|
||||
}
|
||||
|
||||
func TestGetOrCreatePreferences_Idempotent(t *testing.T) {
|
||||
db := testutil.SetupTestDB(t)
|
||||
repo := NewNotificationRepository(db)
|
||||
|
||||
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
||||
|
||||
// Call twice in succession
|
||||
prefs1, err := repo.GetOrCreatePreferences(user.ID)
|
||||
require.NoError(t, err)
|
||||
|
||||
prefs2, err := repo.GetOrCreatePreferences(user.ID)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Both should return the same record
|
||||
assert.Equal(t, prefs1.ID, prefs2.ID)
|
||||
|
||||
// Should only have one record
|
||||
var count int64
|
||||
db.Model(&models.NotificationPreference{}).Where("user_id = ?", user.ID).Count(&count)
|
||||
assert.Equal(t, int64(1), count, "should have exactly one preferences record after two calls")
|
||||
}
|
||||
Reference in New Issue
Block a user