7690f07a2b
Comprehensive security hardening from audit findings: - Add validation tags to all DTO request structs (max lengths, ranges, enums) - Replace unsafe type assertions with MustGetAuthUser helper across all handlers - Remove query-param token auth from admin middleware (prevents URL token leakage) - Add request validation calls in handlers that were missing c.Validate() - Remove goroutines in handlers (timezone update now synchronous) - Add sanitize middleware and path traversal protection (path_utils) - Stop resetting admin passwords on migration restart - Warn on well-known default SECRET_KEY - Add ~30 new test files covering security regressions, auth safety, repos, and services - Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
89 lines
2.9 KiB
Go
89 lines
2.9 KiB
Go
package handlers
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"testing"
|
|
|
|
"github.com/labstack/echo/v4"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"gorm.io/gorm"
|
|
|
|
"github.com/treytartt/casera-api/internal/models"
|
|
"github.com/treytartt/casera-api/internal/repositories"
|
|
"github.com/treytartt/casera-api/internal/services"
|
|
"github.com/treytartt/casera-api/internal/testutil"
|
|
)
|
|
|
|
func setupNotificationHandler(t *testing.T) (*NotificationHandler, *echo.Echo, *gorm.DB) {
|
|
db := testutil.SetupTestDB(t)
|
|
notifRepo := repositories.NewNotificationRepository(db)
|
|
notifService := services.NewNotificationService(notifRepo, nil)
|
|
handler := NewNotificationHandler(notifService)
|
|
e := testutil.SetupTestRouter()
|
|
return handler, e, db
|
|
}
|
|
|
|
func createTestNotifications(t *testing.T, db *gorm.DB, userID uint, count int) {
|
|
for i := 0; i < count; i++ {
|
|
notif := &models.Notification{
|
|
UserID: userID,
|
|
NotificationType: models.NotificationTaskDueSoon,
|
|
Title: fmt.Sprintf("Test Notification %d", i+1),
|
|
Body: fmt.Sprintf("Body %d", i+1),
|
|
}
|
|
err := db.Create(notif).Error
|
|
require.NoError(t, err)
|
|
}
|
|
}
|
|
|
|
func TestNotificationHandler_ListNotifications_LimitCappedAt200(t *testing.T) {
|
|
handler, e, db := setupNotificationHandler(t)
|
|
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
|
|
|
|
// Create 210 notifications to exceed the cap
|
|
createTestNotifications(t, db, user.ID, 210)
|
|
|
|
authGroup := e.Group("/api/notifications")
|
|
authGroup.Use(testutil.MockAuthMiddleware(user))
|
|
authGroup.GET("/", handler.ListNotifications)
|
|
|
|
t.Run("limit is capped at 200 when user requests more", func(t *testing.T) {
|
|
w := testutil.MakeRequest(e, "GET", "/api/notifications/?limit=999", nil, "test-token")
|
|
testutil.AssertStatusCode(t, w, http.StatusOK)
|
|
|
|
var response map[string]interface{}
|
|
err := json.Unmarshal(w.Body.Bytes(), &response)
|
|
require.NoError(t, err)
|
|
|
|
count := int(response["count"].(float64))
|
|
assert.Equal(t, 200, count, "response should contain at most 200 notifications when limit exceeds cap")
|
|
})
|
|
|
|
t.Run("limit below cap is respected", func(t *testing.T) {
|
|
w := testutil.MakeRequest(e, "GET", "/api/notifications/?limit=10", nil, "test-token")
|
|
testutil.AssertStatusCode(t, w, http.StatusOK)
|
|
|
|
var response map[string]interface{}
|
|
err := json.Unmarshal(w.Body.Bytes(), &response)
|
|
require.NoError(t, err)
|
|
|
|
count := int(response["count"].(float64))
|
|
assert.Equal(t, 10, count, "response should respect limit when below cap")
|
|
})
|
|
|
|
t.Run("default limit is used when no limit param", func(t *testing.T) {
|
|
w := testutil.MakeRequest(e, "GET", "/api/notifications/", nil, "test-token")
|
|
testutil.AssertStatusCode(t, w, http.StatusOK)
|
|
|
|
var response map[string]interface{}
|
|
err := json.Unmarshal(w.Body.Bytes(), &response)
|
|
require.NoError(t, err)
|
|
|
|
count := int(response["count"].(float64))
|
|
assert.Equal(t, 50, count, "response should use default limit of 50")
|
|
})
|
|
}
|