feat(auth): replace hand-rolled auth with Ory Kratos — phase 2 backend

Delegates all credential management (login, register, password reset, email verification, social sign-in) to Ory Kratos. The Go API now acts as a resource server: the new KratosAuth middleware validates sessions against the Kratos whoami endpoint, writes the local User mirror into Echo context, and all existing domain handlers continue working unchanged. Hand-rolled token auth, AuthToken model, apple_auth/ google_auth services, and the auth refresh flow are removed. Tests are updated to use the fake-token middleware pattern so existing integration assertions require no rewrite. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 17:55:56 -05:00
parent b66151ddd9
commit 81578f6e27
36 changed files with 927 additions and 7002 deletions
@@ -2,7 +2,6 @@ package repositories

 import (
 	"testing"
-	"time"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -78,99 +77,25 @@ func TestUserRepository_ExistsByEmail_CaseInsensitive(t *testing.T) {
 	assert.True(t, exists)
 }

-func TestUserRepository_GetOrCreateToken(t *testing.T) {
+func TestUserRepository_FindByKratosID(t *testing.T) {
 	db := testutil.SetupTestDB(t)
 	repo := NewUserRepository(db)

-	user := testutil.CreateTestUser(t, db, "testuser", "test@example.com", "Password123")
+	user := testutil.CreateTestUser(t, db, "kratosuser", "kratos@example.com", "")

-	// Create token
-	token1, err := repo.GetOrCreateToken(user.ID)
+	found, err := repo.FindByKratosID(user.KratosID)
 	require.NoError(t, err)
-	assert.NotEmpty(t, token1.Key)
-
-	// Should return same token
-	token2, err := repo.GetOrCreateToken(user.ID)
-	require.NoError(t, err)
-	assert.Equal(t, token1.Key, token2.Key)
+	assert.Equal(t, user.ID, found.ID)
+	assert.Equal(t, user.KratosID, found.KratosID)
 }

-func TestUserRepository_FindTokenByKey(t *testing.T) {
+func TestUserRepository_FindByKratosID_NotFound(t *testing.T) {
 	db := testutil.SetupTestDB(t)
 	repo := NewUserRepository(db)

-	user := testutil.CreateTestUser(t, db, "testuser", "test@example.com", "Password123")
-
-	token, err := repo.GetOrCreateToken(user.ID)
-	require.NoError(t, err)
-
-	found, err := repo.FindTokenByKey(token.Plaintext)
-	require.NoError(t, err)
-	assert.Equal(t, token.Key, found.Key)
-	assert.Equal(t, user.ID, found.UserID)
-}
-
-func TestUserRepository_FindTokenByKey_NotFound(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	_, err := repo.FindTokenByKey("nonexistent-token-key")
+	_, err := repo.FindByKratosID("nonexistent-kratos-id")
 	assert.Error(t, err)
-	assert.ErrorIs(t, err, ErrTokenNotFound)
-}
-
-func TestUserRepository_DeleteToken(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	user := testutil.CreateTestUser(t, db, "testuser", "test@example.com", "Password123")
-
-	token, err := repo.GetOrCreateToken(user.ID)
-	require.NoError(t, err)
-
-	err = repo.DeleteToken(token.Plaintext)
-	require.NoError(t, err)
-
-	_, err = repo.FindTokenByKey(token.Plaintext)
-	assert.ErrorIs(t, err, ErrTokenNotFound)
-}
-
-func TestUserRepository_DeleteToken_NotFound(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	err := repo.DeleteToken("nonexistent-key")
-	assert.ErrorIs(t, err, ErrTokenNotFound)
-}
-
-func TestUserRepository_DeleteTokenByUserID(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	user := testutil.CreateTestUser(t, db, "testuser", "test@example.com", "Password123")
-
-	_, err := repo.GetOrCreateToken(user.ID)
-	require.NoError(t, err)
-
-	err = repo.DeleteTokenByUserID(user.ID)
-	require.NoError(t, err)
-
-	// Token should be gone
-	var count int64
-	db.Model(&models.AuthToken{}).Where("user_id = ?", user.ID).Count(&count)
-	assert.Equal(t, int64(0), count)
-}
-
-func TestUserRepository_CreateToken(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	user := testutil.CreateTestUser(t, db, "testuser", "test@example.com", "Password123")
-
-	token, err := repo.CreateToken(user.ID)
-	require.NoError(t, err)
-	assert.NotEmpty(t, token.Key)
-	assert.Equal(t, user.ID, token.UserID)
+	assert.ErrorIs(t, err, ErrUserNotFound)
 }

 func TestUserRepository_UpdateLastLogin(t *testing.T) {
@@ -255,54 +180,6 @@ func TestUserRepository_FindByIDWithProfile_NotFound(t *testing.T) {
 	assert.ErrorIs(t, err, ErrUserNotFound)
 }

-func TestUserRepository_ConfirmationCode_Lifecycle(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	user := testutil.CreateTestUser(t, db, "testuser", "test@example.com", "Password123")
-
-	// Create confirmation code
-	expiresAt := time.Now().UTC().Add(1 * time.Hour)
-	code, err := repo.CreateConfirmationCode(user.ID, "123456", expiresAt)
-	require.NoError(t, err)
-	assert.NotZero(t, code.ID)
-
-	// Find it
-	found, err := repo.FindConfirmationCode(user.ID, "123456")
-	require.NoError(t, err)
-	assert.Equal(t, code.ID, found.ID)
-
-	// Mark as used
-	err = repo.MarkConfirmationCodeUsed(code.ID)
-	require.NoError(t, err)
-
-	// Should not find used code
-	_, err = repo.FindConfirmationCode(user.ID, "123456")
-	assert.Error(t, err)
-}
-
-func TestUserRepository_ConfirmationCode_InvalidatesExisting(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	user := testutil.CreateTestUser(t, db, "testuser", "test@example.com", "Password123")
-
-	expiresAt := time.Now().UTC().Add(1 * time.Hour)
-
-	// Create first code
-	code1, err := repo.CreateConfirmationCode(user.ID, "111111", expiresAt)
-	require.NoError(t, err)
-
-	// Create second code (should invalidate first)
-	_, err = repo.CreateConfirmationCode(user.ID, "222222", expiresAt)
-	require.NoError(t, err)
-
-	// First code should be used/invalidated
-	var c models.ConfirmationCode
-	db.First(&c, code1.ID)
-	assert.True(t, c.IsUsed)
-}
-
 func TestUserRepository_Transaction(t *testing.T) {
 	db := testutil.SetupTestDB(t)
 	repo := NewUserRepository(db)
@@ -331,105 +208,6 @@ func TestUserRepository_DB(t *testing.T) {
 	assert.NotNil(t, repo.DB())
 }

-func TestUserRepository_FindByAppleID(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	user := testutil.CreateTestUser(t, db, "appleuser", "apple@test.com", "Password123")
-	appleAuth := &models.AppleSocialAuth{
-		UserID:  user.ID,
-		AppleID: "apple_sub_123",
-		Email:   "apple@test.com",
-	}
-	require.NoError(t, db.Create(appleAuth).Error)
-
-	found, err := repo.FindByAppleID("apple_sub_123")
-	require.NoError(t, err)
-	assert.Equal(t, user.ID, found.UserID)
-}
-
-func TestUserRepository_FindByAppleID_NotFound(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	_, err := repo.FindByAppleID("nonexistent_apple_id")
-	assert.ErrorIs(t, err, ErrAppleAuthNotFound)
-}
-
-func TestUserRepository_FindByGoogleID(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	user := testutil.CreateTestUser(t, db, "googleuser", "google@test.com", "Password123")
-	googleAuth := &models.GoogleSocialAuth{
-		UserID:   user.ID,
-		GoogleID: "google_sub_123",
-		Email:    "google@test.com",
-	}
-	require.NoError(t, db.Create(googleAuth).Error)
-
-	found, err := repo.FindByGoogleID("google_sub_123")
-	require.NoError(t, err)
-	assert.Equal(t, user.ID, found.UserID)
-}
-
-func TestUserRepository_FindByGoogleID_NotFound(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	_, err := repo.FindByGoogleID("nonexistent_google_id")
-	assert.ErrorIs(t, err, ErrGoogleAuthNotFound)
-}
-
-func TestUserRepository_CreateAndUpdateAppleSocialAuth(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	user := testutil.CreateTestUser(t, db, "appleuser", "apple@test.com", "Password123")
-
-	auth := &models.AppleSocialAuth{
-		UserID:  user.ID,
-		AppleID: "apple_sub_456",
-		Email:   "apple@test.com",
-	}
-	err := repo.CreateAppleSocialAuth(auth)
-	require.NoError(t, err)
-	assert.NotZero(t, auth.ID)
-
-	auth.Email = "updated@test.com"
-	err = repo.UpdateAppleSocialAuth(auth)
-	require.NoError(t, err)
-
-	found, err := repo.FindByAppleID("apple_sub_456")
-	require.NoError(t, err)
-	assert.Equal(t, "updated@test.com", found.Email)
-}
-
-func TestUserRepository_CreateAndUpdateGoogleSocialAuth(t *testing.T) {
-	db := testutil.SetupTestDB(t)
-	repo := NewUserRepository(db)
-
-	user := testutil.CreateTestUser(t, db, "googleuser", "google@test.com", "Password123")
-
-	auth := &models.GoogleSocialAuth{
-		UserID:   user.ID,
-		GoogleID: "google_sub_456",
-		Email:    "google@test.com",
-		Name:     "Test User",
-	}
-	err := repo.CreateGoogleSocialAuth(auth)
-	require.NoError(t, err)
-	assert.NotZero(t, auth.ID)
-
-	auth.Name = "Updated Name"
-	err = repo.UpdateGoogleSocialAuth(auth)
-	require.NoError(t, err)
-
-	found, err := repo.FindByGoogleID("google_sub_456")
-	require.NoError(t, err)
-	assert.Equal(t, "Updated Name", found.Name)
-}
-
 func TestUserRepository_SearchUsers(t *testing.T) {
 	db := testutil.SetupTestDB(t)
 	repo := NewUserRepository(db)