http: POST /setup — set password, drop session, audit setup_completed
Replaces the 501 stub with the full handler: validates the token and password, hashes and stores the password, deletes the setup token, mints an 8-hour session cookie, appends a user.setup_completed audit entry, and redirects to /. Adds TestSetupPostHappyPath covering the full round-trip including normal-login verification after setup.
This commit is contained in:
@@ -1,11 +1,14 @@
|
||||
package http
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"io"
|
||||
stdhttp "net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
@@ -88,3 +91,62 @@ func TestSetupGetExpiredToken(t *testing.T) {
|
||||
t.Errorf("status: got %d want 410", res.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSetupPostHappyPath(t *testing.T) {
|
||||
t.Parallel()
|
||||
srv, ts, _ := rawTestServerWithUI(t)
|
||||
urlBase := ts.URL
|
||||
now := time.Now().UTC()
|
||||
|
||||
uid := ulid.Make().String()
|
||||
_ = srv.deps.Store.CreateUser(t.Context(), store.User{
|
||||
ID: uid, Username: "newbie",
|
||||
PasswordHash: "", Role: store.RoleOperator, CreatedAt: now,
|
||||
MustChangePassword: true,
|
||||
})
|
||||
raw := "happy-token"
|
||||
_ = srv.deps.Store.SetSetupToken(t.Context(), store.SetupToken{
|
||||
UserID: uid, TokenHash: sha256Hex(raw),
|
||||
ExpiresAt: now.Add(time.Hour), CreatedAt: now,
|
||||
})
|
||||
|
||||
form := url.Values{}
|
||||
form.Set("token", raw)
|
||||
form.Set("password", "averylongpassword")
|
||||
form.Set("password_confirm", "averylongpassword")
|
||||
req, _ := stdhttp.NewRequest("POST", urlBase+"/setup",
|
||||
strings.NewReader(form.Encode()))
|
||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||
|
||||
c := &stdhttp.Client{CheckRedirect: func(*stdhttp.Request, []*stdhttp.Request) error {
|
||||
return stdhttp.ErrUseLastResponse
|
||||
}}
|
||||
res, err := c.Do(req)
|
||||
if err != nil {
|
||||
t.Fatalf("POST: %v", err)
|
||||
}
|
||||
defer res.Body.Close()
|
||||
if res.StatusCode != stdhttp.StatusSeeOther {
|
||||
t.Errorf("status: got %d want 303", res.StatusCode)
|
||||
}
|
||||
if res.Header.Get("Location") != "/" {
|
||||
t.Errorf("location: got %q want /", res.Header.Get("Location"))
|
||||
}
|
||||
|
||||
// Token is consumed.
|
||||
if _, err := srv.deps.Store.LookupSetupToken(t.Context(), sha256Hex(raw)); err == nil {
|
||||
t.Error("token should be deleted after consumption")
|
||||
}
|
||||
|
||||
// User can now log in via the normal route.
|
||||
logBody, _ := json.Marshal(map[string]string{
|
||||
"username": "newbie", "password": "averylongpassword",
|
||||
})
|
||||
loginRes, _ := stdhttp.Post(urlBase+"/api/auth/login",
|
||||
"application/json", bytes.NewReader(logBody))
|
||||
defer loginRes.Body.Close()
|
||||
if loginRes.StatusCode != stdhttp.StatusOK {
|
||||
body, _ := io.ReadAll(loginRes.Body)
|
||||
t.Errorf("login: %d %s", loginRes.StatusCode, body)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user