admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d5bb123cd0a1f2bfa4386c0a7231c63ae4351f2c
honeyDueAPI/internal/repositories/notification_repo_test.go
Trey t 7690f07a2b Harden API security: input validation, safe auth extraction, new tests, and deploy config 
Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 09:48:01 -06:00

97 lines
3.1 KiB
Go
Raw Blame History

package repositories
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/treytartt/casera-api/internal/models"
"github.com/treytartt/casera-api/internal/testutil"
)
func TestGetOrCreatePreferences_New_Creates(t *testing.T) {
db := testutil.SetupTestDB(t)
repo := NewNotificationRepository(db)
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
// No preferences exist yet for this user
prefs, err := repo.GetOrCreatePreferences(user.ID)
require.NoError(t, err)
require.NotNil(t, prefs)
// Verify defaults were set
assert.Equal(t, user.ID, prefs.UserID)
assert.True(t, prefs.TaskDueSoon)
assert.True(t, prefs.TaskOverdue)
assert.True(t, prefs.TaskCompleted)
assert.True(t, prefs.TaskAssigned)
assert.True(t, prefs.ResidenceShared)
assert.True(t, prefs.WarrantyExpiring)
assert.True(t, prefs.EmailTaskCompleted)
// Verify it was actually persisted
var count int64
db.Model(&models.NotificationPreference{}).Where("user_id = ?", user.ID).Count(&count)
assert.Equal(t, int64(1), count, "should have exactly one preferences record")
}
func TestGetOrCreatePreferences_AlreadyExists_Returns(t *testing.T) {
db := testutil.SetupTestDB(t)
repo := NewNotificationRepository(db)
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
// Create preferences manually first
existingPrefs := &models.NotificationPreference{
UserID: user.ID,
TaskDueSoon: true,
TaskOverdue: true,
TaskCompleted: true,
TaskAssigned: true,
ResidenceShared: true,
WarrantyExpiring: true,
EmailTaskCompleted: true,
}
err := db.Create(existingPrefs).Error
require.NoError(t, err)
require.NotZero(t, existingPrefs.ID)
// GetOrCreatePreferences should return the existing record, not create a new one
prefs, err := repo.GetOrCreatePreferences(user.ID)
require.NoError(t, err)
require.NotNil(t, prefs)
// The returned record should have the same ID as the existing one
assert.Equal(t, existingPrefs.ID, prefs.ID, "should return the existing record by ID")
assert.Equal(t, user.ID, prefs.UserID, "should have correct user_id")
// Verify still only one record exists (no duplicate created)
var count int64
db.Model(&models.NotificationPreference{}).Where("user_id = ?", user.ID).Count(&count)
assert.Equal(t, int64(1), count, "should still have exactly one preferences record")
}
func TestGetOrCreatePreferences_Idempotent(t *testing.T) {
db := testutil.SetupTestDB(t)
repo := NewNotificationRepository(db)
user := testutil.CreateTestUser(t, db, "owner", "owner@test.com", "password")
// Call twice in succession
prefs1, err := repo.GetOrCreatePreferences(user.ID)
require.NoError(t, err)
prefs2, err := repo.GetOrCreatePreferences(user.ID)
require.NoError(t, err)
// Both should return the same record
assert.Equal(t, prefs1.ID, prefs2.ID)
// Should only have one record
var count int64
db.Model(&models.NotificationPreference{}).Where("user_id = ?", user.ID).Count(&count)
assert.Equal(t, int64(1), count, "should have exactly one preferences record after two calls")
}
Reference in New Issue View Git Blame Copy Permalink