Trey t
c77ff07ce9
Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps), tracked in deploy-k3s/SECURITY.md, plus fixes from two independent post-remediation reviews. Auth & sessions: - SHA-256 hashed auth-token storage (C1); prior-token cache eviction on re-login (MEDIUM-1) - local Google JWKS verification, iss/aud/exp checks (C2/C3) - constant-time login + generic errors (L1/LIVE-L11/LIVE-L13) - per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3) - verified-email gating, login rate limiting (LIVE-L19, H1-H3) IAP & webhooks: - Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6) - migrations 000003-000006 (token hashing, IAP replay, audit_log + webhook_event_log table creation, append-only audit log) Authorization & races: - file-ownership owner-OR-member fix (C7), atomic share-code join (C9/H9), device-token reassignment (C8/LOW-3) Secrets & deploy: - secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis password out of the ConfigMap (HIGH-1); B2 keys reconciled - digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban + unattended-upgrades at provision; secret-rotation runbook Build, vet, and the full test suite (incl. -race) pass; the goose migration chain is verified against PostgreSQL 16. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
274 lines
9.6 KiB
Go
274 lines
9.6 KiB
Go
package repositories
|
|
|
|
import (
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"gorm.io/gorm"
|
|
|
|
"github.com/treytartt/honeydue-api/internal/models"
|
|
"github.com/treytartt/honeydue-api/internal/testutil"
|
|
)
|
|
|
|
func TestGetOrCreate_New_CreatesFreeTier(t *testing.T) {
|
|
db := testutil.SetupTestDB(t)
|
|
repo := NewSubscriptionRepository(db)
|
|
|
|
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
|
|
|
sub, err := repo.GetOrCreate(user.ID)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, sub)
|
|
|
|
assert.Equal(t, user.ID, sub.UserID)
|
|
assert.Equal(t, models.TierFree, sub.Tier)
|
|
assert.True(t, sub.AutoRenew)
|
|
|
|
// Verify persisted
|
|
var count int64
|
|
db.Model(&models.UserSubscription{}).Where("user_id = ?", user.ID).Count(&count)
|
|
assert.Equal(t, int64(1), count, "should have exactly one subscription record")
|
|
}
|
|
|
|
func TestGetOrCreate_AlreadyExists_Returns(t *testing.T) {
|
|
db := testutil.SetupTestDB(t)
|
|
repo := NewSubscriptionRepository(db)
|
|
|
|
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
|
|
|
// Create a pro subscription manually
|
|
existing := &models.UserSubscription{
|
|
UserID: user.ID,
|
|
Tier: models.TierPro,
|
|
AutoRenew: true,
|
|
}
|
|
err := db.Create(existing).Error
|
|
require.NoError(t, err)
|
|
|
|
// GetOrCreate should return existing, not overwrite with free defaults
|
|
sub, err := repo.GetOrCreate(user.ID)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, sub)
|
|
|
|
assert.Equal(t, existing.ID, sub.ID, "should return the existing record by ID")
|
|
assert.Equal(t, models.TierPro, sub.Tier, "should preserve existing pro tier, not overwrite with free")
|
|
|
|
// Verify still only one record
|
|
var count int64
|
|
db.Model(&models.UserSubscription{}).Where("user_id = ?", user.ID).Count(&count)
|
|
assert.Equal(t, int64(1), count, "should still have exactly one subscription record")
|
|
}
|
|
|
|
func TestGetOrCreate_Idempotent(t *testing.T) {
|
|
db := testutil.SetupTestDB(t)
|
|
repo := NewSubscriptionRepository(db)
|
|
|
|
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
|
|
|
sub1, err := repo.GetOrCreate(user.ID)
|
|
require.NoError(t, err)
|
|
|
|
sub2, err := repo.GetOrCreate(user.ID)
|
|
require.NoError(t, err)
|
|
|
|
assert.Equal(t, sub1.ID, sub2.ID)
|
|
|
|
var count int64
|
|
db.Model(&models.UserSubscription{}).Where("user_id = ?", user.ID).Count(&count)
|
|
assert.Equal(t, int64(1), count, "should have exactly one subscription record after two calls")
|
|
}
|
|
|
|
func TestFindByStripeCustomerID(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
customerID string
|
|
seedID string
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "finds existing subscription by stripe customer ID",
|
|
customerID: "cus_test123",
|
|
seedID: "cus_test123",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "returns error for unknown stripe customer ID",
|
|
customerID: "cus_unknown999",
|
|
seedID: "cus_test456",
|
|
wantErr: true,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
db := testutil.SetupTestDB(t)
|
|
repo := NewSubscriptionRepository(db)
|
|
|
|
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
|
sub := &models.UserSubscription{
|
|
UserID: user.ID,
|
|
Tier: models.TierFree,
|
|
StripeCustomerID: &tt.seedID,
|
|
}
|
|
err := db.Create(sub).Error
|
|
require.NoError(t, err)
|
|
|
|
found, err := repo.FindByStripeCustomerID(tt.customerID)
|
|
if tt.wantErr {
|
|
assert.Error(t, err)
|
|
assert.ErrorIs(t, err, gorm.ErrRecordNotFound)
|
|
} else {
|
|
require.NoError(t, err)
|
|
require.NotNil(t, found)
|
|
assert.Equal(t, user.ID, found.UserID)
|
|
assert.Equal(t, tt.seedID, *found.StripeCustomerID)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestUpdateStripeData(t *testing.T) {
|
|
db := testutil.SetupTestDB(t)
|
|
repo := NewSubscriptionRepository(db)
|
|
|
|
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
|
sub := &models.UserSubscription{
|
|
UserID: user.ID,
|
|
Tier: models.TierFree,
|
|
}
|
|
err := db.Create(sub).Error
|
|
require.NoError(t, err)
|
|
|
|
// Update all three Stripe fields
|
|
customerID := "cus_abc123"
|
|
subscriptionID := "sub_xyz789"
|
|
priceID := "price_monthly"
|
|
|
|
err = repo.UpdateStripeData(user.ID, customerID, subscriptionID, priceID)
|
|
require.NoError(t, err)
|
|
|
|
// Verify all three fields are set
|
|
var updated models.UserSubscription
|
|
err = db.Where("user_id = ?", user.ID).First(&updated).Error
|
|
require.NoError(t, err)
|
|
require.NotNil(t, updated.StripeCustomerID)
|
|
require.NotNil(t, updated.StripeSubscriptionID)
|
|
require.NotNil(t, updated.StripePriceID)
|
|
assert.Equal(t, customerID, *updated.StripeCustomerID)
|
|
assert.Equal(t, subscriptionID, *updated.StripeSubscriptionID)
|
|
assert.Equal(t, priceID, *updated.StripePriceID)
|
|
|
|
// Now call ClearStripeData
|
|
err = repo.ClearStripeData(user.ID)
|
|
require.NoError(t, err)
|
|
|
|
// Verify subscription_id and price_id are cleared, customer_id preserved
|
|
var cleared models.UserSubscription
|
|
err = db.Where("user_id = ?", user.ID).First(&cleared).Error
|
|
require.NoError(t, err)
|
|
require.NotNil(t, cleared.StripeCustomerID, "customer_id should be preserved after ClearStripeData")
|
|
assert.Equal(t, customerID, *cleared.StripeCustomerID)
|
|
assert.Nil(t, cleared.StripeSubscriptionID, "subscription_id should be nil after ClearStripeData")
|
|
assert.Nil(t, cleared.StripePriceID, "price_id should be nil after ClearStripeData")
|
|
}
|
|
|
|
func TestSetTrialDates(t *testing.T) {
|
|
db := testutil.SetupTestDB(t)
|
|
repo := NewSubscriptionRepository(db)
|
|
|
|
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
|
sub := &models.UserSubscription{
|
|
UserID: user.ID,
|
|
Tier: models.TierFree,
|
|
TrialUsed: false,
|
|
}
|
|
err := db.Create(sub).Error
|
|
require.NoError(t, err)
|
|
|
|
trialStart := time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC)
|
|
trialEnd := time.Date(2026, 3, 15, 0, 0, 0, 0, time.UTC)
|
|
|
|
err = repo.SetTrialDates(user.ID, trialStart, trialEnd)
|
|
require.NoError(t, err)
|
|
|
|
var updated models.UserSubscription
|
|
err = db.Where("user_id = ?", user.ID).First(&updated).Error
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, updated.TrialStart)
|
|
require.NotNil(t, updated.TrialEnd)
|
|
assert.True(t, updated.TrialUsed, "trial_used should be set to true")
|
|
assert.WithinDuration(t, trialStart, *updated.TrialStart, time.Second, "trial_start should match")
|
|
assert.WithinDuration(t, trialEnd, *updated.TrialEnd, time.Second, "trial_end should match")
|
|
}
|
|
|
|
func TestUpdateExpiresAt(t *testing.T) {
|
|
db := testutil.SetupTestDB(t)
|
|
repo := NewSubscriptionRepository(db)
|
|
|
|
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
|
sub := &models.UserSubscription{
|
|
UserID: user.ID,
|
|
Tier: models.TierPro,
|
|
}
|
|
err := db.Create(sub).Error
|
|
require.NoError(t, err)
|
|
|
|
newExpiry := time.Date(2027, 6, 15, 12, 0, 0, 0, time.UTC)
|
|
err = repo.UpdateExpiresAt(user.ID, newExpiry)
|
|
require.NoError(t, err)
|
|
|
|
var updated models.UserSubscription
|
|
err = db.Where("user_id = ?", user.ID).First(&updated).Error
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, updated.ExpiresAt)
|
|
assert.WithinDuration(t, newExpiry, *updated.ExpiresAt, time.Second, "expires_at should be updated")
|
|
}
|
|
|
|
// TestSubscriptionRepo_IAPTransactionReplayRejected is the regression test for
|
|
// audit C5/C6: an in-app-purchase transaction (an Apple original transaction
|
|
// ID or a Google purchase token) may be bound to exactly one account. Without
|
|
// that guarantee a valid receipt could be replayed against a second account
|
|
// to grant Pro for free. The guarantee is the pair of partial unique indexes
|
|
// added by migration 000004; AutoMigrate does not create them, so this test
|
|
// recreates them verbatim to exercise the same DB-level enforcement.
|
|
func TestSubscriptionRepo_IAPTransactionReplayRejected(t *testing.T) {
|
|
db := testutil.SetupTestDB(t)
|
|
require.NoError(t, db.Exec(`CREATE UNIQUE INDEX uq_subscription_apple_original_txn `+
|
|
`ON subscription_usersubscription (apple_original_transaction_id) `+
|
|
`WHERE apple_original_transaction_id IS NOT NULL AND apple_original_transaction_id <> ''`).Error)
|
|
require.NoError(t, db.Exec(`CREATE UNIQUE INDEX uq_subscription_google_purchase_token `+
|
|
`ON subscription_usersubscription (google_purchase_token) `+
|
|
`WHERE google_purchase_token IS NOT NULL AND google_purchase_token <> ''`).Error)
|
|
|
|
repo := NewSubscriptionRepository(db)
|
|
userA := testutil.CreateTestUser(t, db, "iapusera", "iapa@test.com", "password")
|
|
userB := testutil.CreateTestUser(t, db, "iapuserb", "iapb@test.com", "password")
|
|
require.NoError(t, db.Create(&models.UserSubscription{UserID: userA.ID, Tier: models.TierFree}).Error)
|
|
require.NoError(t, db.Create(&models.UserSubscription{UserID: userB.ID, Tier: models.TierFree}).Error)
|
|
|
|
t.Run("apple transaction cannot be claimed by a second account", func(t *testing.T) {
|
|
require.NoError(t, repo.UpdateAppleOriginalTransactionID(userA.ID, "apple-original-txn-1"),
|
|
"the first account binding the transaction must succeed")
|
|
err := repo.UpdateAppleOriginalTransactionID(userB.ID, "apple-original-txn-1")
|
|
require.Error(t, err,
|
|
"replaying account A's Apple transaction onto account B must be rejected (C5)")
|
|
})
|
|
|
|
t.Run("google purchase token cannot be claimed by a second account", func(t *testing.T) {
|
|
require.NoError(t, repo.UpdatePurchaseToken(userA.ID, "google-purchase-token-1"),
|
|
"the first account binding the token must succeed")
|
|
err := repo.UpdatePurchaseToken(userB.ID, "google-purchase-token-1")
|
|
require.Error(t, err,
|
|
"replaying account A's Google purchase token onto account B must be rejected (C6)")
|
|
})
|
|
|
|
t.Run("re-binding the same transaction to the same account is allowed", func(t *testing.T) {
|
|
// A renewal re-submitting the same transaction for its owner must not
|
|
// be rejected — the partial unique index excludes the row's own value.
|
|
require.NoError(t, repo.UpdateAppleOriginalTransactionID(userA.ID, "apple-original-txn-1"))
|
|
})
|
|
}
|