bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom
coves / tests / integration / community_provisioning_test.go
at 24e4ad62895b6981d11dba8803cbba45fe1e74af 30 kB view raw
1package integration 2 3import ( 4 "context" 5 "fmt" 6 "strings" 7 "testing" 8 "time" 9 10 "Coves/internal/core/communities" 11 "Coves/internal/db/postgres" 12) 13 14// TestCommunityRepository_PasswordEncryption verifies P0 fix: 15// Password must be encrypted (not hashed) so we can recover it for session renewal 16func TestCommunityRepository_PasswordEncryption(t *testing.T) { 17 db := setupTestDB(t) 18 defer func() { 19 if err := db.Close(); err != nil { 20 t.Logf("Failed to close database: %v", err) 21 } 22 }() 23 24 repo := postgres.NewCommunityRepository(db) 25 ctx := context.Background() 26 27 t.Run("encrypts and decrypts password correctly", func(t *testing.T) { 28 uniqueSuffix := fmt.Sprintf("%d", time.Now().UnixNano()) 29 testPassword := "test-password-12345678901234567890" 30 31 community := &communities.Community{ 32 DID: generateTestDID(uniqueSuffix), 33 Handle: fmt.Sprintf("test-encryption-%s.community.test.local", uniqueSuffix), 34 Name: "test-encryption", 35 DisplayName: "Test Encryption", 36 Description: "Testing password encryption", 37 OwnerDID: "did:web:test.local", 38 CreatedByDID: "did:plc:testuser", 39 HostedByDID: "did:web:test.local", 40 PDSEmail: "test@test.local", 41 PDSPassword: testPassword, // Cleartext password 42 PDSAccessToken: "test-access-token", 43 PDSRefreshToken: "test-refresh-token", 44 PDSURL: "http://localhost:3001", 45 Visibility: "public", 46 AllowExternalDiscovery: true, 47 CreatedAt: time.Now(), 48 UpdatedAt: time.Now(), 49 } 50 51 // Create community with password 52 created, err := repo.Create(ctx, community) 53 if err != nil { 54 t.Fatalf("Failed to create community: %v", err) 55 } 56 57 // CRITICAL: Query database directly to verify password is ENCRYPTED at rest 58 var encryptedPassword []byte 59 query := ` 60 SELECT pds_password_encrypted 61 FROM communities 62 WHERE did = $1 63 ` 64 if err := db.QueryRowContext(ctx, query, created.DID).Scan(&encryptedPassword); err != nil { 65 t.Fatalf("Failed to query encrypted password: %v", err) 66 } 67 68 // Verify password is NOT stored as plaintext 69 if string(encryptedPassword) == testPassword { 70 t.Error("CRITICAL: Password is stored as plaintext in database! Must be encrypted.") 71 } 72 73 // Verify password is NOT stored as bcrypt hash (would start with $2a$, $2b$, or $2y$) 74 if strings.HasPrefix(string(encryptedPassword), "$2") { 75 t.Error("Password appears to be bcrypt hashed instead of pgcrypto encrypted!") 76 } 77 78 // Verify encrypted data is not empty 79 if len(encryptedPassword) == 0 { 80 t.Error("Expected encrypted password to have data") 81 } 82 83 t.Logf("✅ Password is encrypted in database (not plaintext or bcrypt)") 84 85 // Retrieve community - password should be decrypted by repository 86 retrieved, err := repo.GetByDID(ctx, created.DID) 87 if err != nil { 88 t.Fatalf("Failed to retrieve community: %v", err) 89 } 90 91 // Verify password roundtrip (encrypted → decrypted) 92 if retrieved.PDSPassword != testPassword { 93 t.Errorf("Password roundtrip failed: expected %q, got %q", testPassword, retrieved.PDSPassword) 94 } 95 96 t.Logf("✅ Password decrypted correctly on retrieval: %d chars", len(retrieved.PDSPassword)) 97 }) 98 99 t.Run("handles empty password gracefully", func(t *testing.T) { 100 uniqueSuffix := fmt.Sprintf("%d", time.Now().UnixNano()+1) 101 102 community := &communities.Community{ 103 DID: generateTestDID(uniqueSuffix), 104 Handle: fmt.Sprintf("test-empty-pass-%s.community.test.local", uniqueSuffix), 105 Name: "test-empty-pass", 106 DisplayName: "Test Empty Password", 107 Description: "Testing empty password handling", 108 OwnerDID: "did:web:test.local", 109 CreatedByDID: "did:plc:testuser", 110 HostedByDID: "did:web:test.local", 111 PDSEmail: "test2@test.local", 112 PDSPassword: "", // Empty password 113 PDSAccessToken: "test-access-token", 114 PDSRefreshToken: "test-refresh-token", 115 PDSURL: "http://localhost:3001", 116 Visibility: "public", 117 AllowExternalDiscovery: true, 118 CreatedAt: time.Now(), 119 UpdatedAt: time.Now(), 120 } 121 122 created, err := repo.Create(ctx, community) 123 if err != nil { 124 t.Fatalf("Failed to create community with empty password: %v", err) 125 } 126 127 retrieved, err := repo.GetByDID(ctx, created.DID) 128 if err != nil { 129 t.Fatalf("Failed to retrieve community: %v", err) 130 } 131 132 if retrieved.PDSPassword != "" { 133 t.Errorf("Expected empty password, got: %q", retrieved.PDSPassword) 134 } 135 }) 136} 137 138// TestCommunityService_NameValidation verifies P1 fix: 139// Community names must respect DNS label limits (63 chars max) 140func TestCommunityService_NameValidation(t *testing.T) { 141 db := setupTestDB(t) 142 defer func() { 143 if err := db.Close(); err != nil { 144 t.Logf("Failed to close database: %v", err) 145 } 146 }() 147 148 repo := postgres.NewCommunityRepository(db) 149 provisioner := communities.NewPDSAccountProvisioner("test.local", "http://localhost:3001") 150 service := communities.NewCommunityService( 151 repo, 152 "http://localhost:3001", // pdsURL 153 "did:web:test.local", // instanceDID 154 "test.local", // instanceDomain 155 provisioner, 156 ) 157 ctx := context.Background() 158 159 t.Run("rejects empty name", func(t *testing.T) { 160 req := communities.CreateCommunityRequest{ 161 Name: "", // Empty! 162 DisplayName: "Empty Name Test", 163 Description: "This should fail", 164 Visibility: "public", 165 CreatedByDID: "did:plc:testuser", 166 HostedByDID: "did:web:test.local", 167 AllowExternalDiscovery: true, 168 } 169 170 _, err := service.CreateCommunity(ctx, req) 171 if err == nil { 172 t.Error("Expected error for empty name, got nil") 173 } 174 175 if !strings.Contains(err.Error(), "name") { 176 t.Errorf("Expected 'name' error, got: %v", err) 177 } 178 }) 179 180 t.Run("rejects 64-char name (exceeds DNS limit)", func(t *testing.T) { 181 // DNS label limit is 63 characters 182 longName := strings.Repeat("a", 64) 183 184 req := communities.CreateCommunityRequest{ 185 Name: longName, 186 DisplayName: "Long Name Test", 187 Description: "This should fail - name too long for DNS", 188 Visibility: "public", 189 CreatedByDID: "did:plc:testuser", 190 HostedByDID: "did:web:test.local", 191 AllowExternalDiscovery: true, 192 } 193 194 _, err := service.CreateCommunity(ctx, req) 195 if err == nil { 196 t.Error("Expected error for 64-char name, got nil") 197 } 198 199 if !strings.Contains(err.Error(), "63") || !strings.Contains(err.Error(), "name") { 200 t.Errorf("Expected '63 characters' name error, got: %v", err) 201 } 202 203 t.Logf("✅ Correctly rejected 64-char name: %v", err) 204 }) 205 206 t.Run("accepts 63-char name (exactly at DNS limit)", func(t *testing.T) { 207 // This should be accepted - exactly 63 chars 208 maxName := strings.Repeat("a", 63) 209 210 req := communities.CreateCommunityRequest{ 211 Name: maxName, 212 DisplayName: "Max Name Test", 213 Description: "This should succeed - exactly at DNS limit", 214 Visibility: "public", 215 CreatedByDID: "did:plc:testuser", 216 HostedByDID: "did:web:test.local", 217 AllowExternalDiscovery: true, 218 } 219 220 // This will fail at PDS provisioning (no mock PDS), but should pass validation 221 _, err := service.CreateCommunity(ctx, req) 222 223 // We expect PDS provisioning to fail, but NOT validation 224 if err != nil && strings.Contains(err.Error(), "63 characters") { 225 t.Errorf("Name validation should pass for 63-char name, got: %v", err) 226 } 227 228 t.Logf("✅ 63-char name passed validation (may fail at PDS provisioning)") 229 }) 230 231 t.Run("rejects special characters in name", func(t *testing.T) { 232 testCases := []struct { 233 name string 234 errorDesc string 235 }{ 236 {"test!community", "exclamation mark"}, 237 {"test@space", "at symbol"}, 238 {"test community", "space"}, 239 {"test.community", "period/dot"}, 240 {"test_community", "underscore"}, 241 {"test#tag", "hash"}, 242 {"-testcommunity", "leading hyphen"}, 243 {"testcommunity-", "trailing hyphen"}, 244 } 245 246 for _, tc := range testCases { 247 t.Run(tc.errorDesc, func(t *testing.T) { 248 req := communities.CreateCommunityRequest{ 249 Name: tc.name, 250 DisplayName: "Special Char Test", 251 Description: "Testing special character rejection", 252 Visibility: "public", 253 CreatedByDID: "did:plc:testuser", 254 HostedByDID: "did:web:test.local", 255 AllowExternalDiscovery: true, 256 } 257 258 _, err := service.CreateCommunity(ctx, req) 259 if err == nil { 260 t.Errorf("Expected error for name with %s: %q", tc.errorDesc, tc.name) 261 } 262 263 if !strings.Contains(err.Error(), "name") { 264 t.Errorf("Expected 'name' error for %q, got: %v", tc.name, err) 265 } 266 }) 267 } 268 }) 269 270 t.Run("accepts valid names", func(t *testing.T) { 271 validNames := []string{ 272 "gaming", 273 "tech-news", 274 "Web3Dev", 275 "community123", 276 "a", // Single character is valid 277 "ab", // Two characters is valid 278 } 279 280 for _, name := range validNames { 281 t.Run(name, func(t *testing.T) { 282 req := communities.CreateCommunityRequest{ 283 Name: name, 284 DisplayName: "Valid Name Test", 285 Description: "Testing valid name acceptance", 286 Visibility: "public", 287 CreatedByDID: "did:plc:testuser", 288 HostedByDID: "did:web:test.local", 289 AllowExternalDiscovery: true, 290 } 291 292 // This will fail at PDS provisioning (no mock PDS), but should pass validation 293 _, err := service.CreateCommunity(ctx, req) 294 295 // We expect PDS provisioning to fail, but NOT name validation 296 if err != nil && strings.Contains(strings.ToLower(err.Error()), "name") && strings.Contains(err.Error(), "alphanumeric") { 297 t.Errorf("Name validation should pass for %q, got: %v", name, err) 298 } 299 }) 300 } 301 }) 302} 303 304// TestPasswordSecurity verifies password generation security properties 305// Critical for P0: Passwords must be unpredictable and have sufficient entropy 306func TestPasswordSecurity(t *testing.T) { 307 db := setupTestDB(t) 308 defer func() { 309 if err := db.Close(); err != nil { 310 t.Logf("Failed to close database: %v", err) 311 } 312 }() 313 314 repo := postgres.NewCommunityRepository(db) 315 ctx := context.Background() 316 317 t.Run("generates unique passwords", func(t *testing.T) { 318 // Create 100 communities and verify each gets a unique password 319 // We test this by storing passwords in the DB (encrypted) and verifying uniqueness 320 passwords := make(map[string]bool) 321 const numCommunities = 100 322 323 // Use a unique base timestamp for this test run to avoid collisions 324 baseTimestamp := time.Now().UnixNano() 325 326 for i := 0; i < numCommunities; i++ { 327 uniqueSuffix := fmt.Sprintf("%d-%d", baseTimestamp, i) 328 329 // Generate a unique password for this test (simulating what provisioner does) 330 // In production, provisioner generates the password, but we can't intercept it 331 // So we generate our own unique passwords and verify they're stored uniquely 332 testPassword := fmt.Sprintf("unique-password-%s", uniqueSuffix) 333 334 community := &communities.Community{ 335 DID: generateTestDID(uniqueSuffix), 336 Handle: fmt.Sprintf("pwd-unique-%s.community.test.local", uniqueSuffix), 337 Name: fmt.Sprintf("pwd-unique-%s", uniqueSuffix), 338 DisplayName: fmt.Sprintf("Password Unique Test %d", i), 339 Description: "Testing password uniqueness", 340 OwnerDID: "did:web:test.local", 341 CreatedByDID: "did:plc:testuser", 342 HostedByDID: "did:web:test.local", 343 PDSEmail: fmt.Sprintf("pwd-unique-%s@test.local", uniqueSuffix), 344 PDSPassword: testPassword, 345 PDSAccessToken: fmt.Sprintf("access-token-%s", uniqueSuffix), 346 PDSRefreshToken: fmt.Sprintf("refresh-token-%s", uniqueSuffix), 347 PDSURL: "http://localhost:3001", 348 Visibility: "public", 349 AllowExternalDiscovery: true, 350 CreatedAt: time.Now(), 351 UpdatedAt: time.Now(), 352 } 353 354 created, err := repo.Create(ctx, community) 355 if err != nil { 356 t.Fatalf("Failed to create community %d: %v", i, err) 357 } 358 359 // Retrieve and verify password 360 retrieved, err := repo.GetByDID(ctx, created.DID) 361 if err != nil { 362 t.Fatalf("Failed to retrieve community %d: %v", i, err) 363 } 364 365 // Verify password was decrypted correctly 366 if retrieved.PDSPassword != testPassword { 367 t.Errorf("Community %d: password mismatch after encryption/decryption", i) 368 } 369 370 // Track password uniqueness 371 if passwords[retrieved.PDSPassword] { 372 t.Errorf("Community %d: duplicate password detected: %s", i, retrieved.PDSPassword) 373 } 374 passwords[retrieved.PDSPassword] = true 375 } 376 377 // Verify all passwords are unique 378 if len(passwords) != numCommunities { 379 t.Errorf("Expected %d unique passwords, got %d", numCommunities, len(passwords)) 380 } 381 382 t.Logf("✅ All %d communities have unique passwords", numCommunities) 383 }) 384 385 t.Run("password has sufficient length", func(t *testing.T) { 386 // The implementation uses 32-character passwords 387 // We can verify this indirectly through the database 388 db := setupTestDB(t) 389 defer func() { 390 if err := db.Close(); err != nil { 391 t.Logf("Failed to close database: %v", err) 392 } 393 }() 394 395 repo := postgres.NewCommunityRepository(db) 396 uniqueSuffix := fmt.Sprintf("%d", time.Now().UnixNano()) 397 398 // Create a community with a known password 399 testPassword := "test-password-with-32-chars--" 400 if len(testPassword) < 32 { 401 testPassword = testPassword + strings.Repeat("x", 32-len(testPassword)) 402 } 403 404 community := &communities.Community{ 405 DID: generateTestDID(uniqueSuffix), 406 Handle: fmt.Sprintf("test-pwd-len-%s.community.test.local", uniqueSuffix), 407 Name: "test-pwd-len", 408 DisplayName: "Test Password Length", 409 Description: "Testing password length requirements", 410 OwnerDID: "did:web:test.local", 411 CreatedByDID: "did:plc:testuser", 412 HostedByDID: "did:web:test.local", 413 PDSEmail: fmt.Sprintf("test-pwd-len-%s@test.local", uniqueSuffix), 414 PDSPassword: testPassword, 415 PDSAccessToken: "test-access-token", 416 PDSRefreshToken: "test-refresh-token", 417 PDSURL: "http://localhost:3001", 418 Visibility: "public", 419 AllowExternalDiscovery: true, 420 CreatedAt: time.Now(), 421 UpdatedAt: time.Now(), 422 } 423 424 created, err := repo.Create(ctx, community) 425 if err != nil { 426 t.Fatalf("Failed to create community: %v", err) 427 } 428 429 retrieved, err := repo.GetByDID(ctx, created.DID) 430 if err != nil { 431 t.Fatalf("Failed to retrieve community: %v", err) 432 } 433 434 // Verify password is stored correctly and has sufficient length 435 if len(retrieved.PDSPassword) < 32 { 436 t.Errorf("Password too short: expected >= 32 characters, got %d", len(retrieved.PDSPassword)) 437 } 438 439 t.Logf("✅ Password length verified: %d characters", len(retrieved.PDSPassword)) 440 }) 441} 442 443// TestConcurrentProvisioning verifies thread-safety during community creation 444// Critical: Prevents race conditions that could create duplicate communities 445func TestConcurrentProvisioning(t *testing.T) { 446 db := setupTestDB(t) 447 defer func() { 448 if err := db.Close(); err != nil { 449 t.Logf("Failed to close database: %v", err) 450 } 451 }() 452 453 repo := postgres.NewCommunityRepository(db) 454 ctx := context.Background() 455 456 t.Run("prevents duplicate community creation", func(t *testing.T) { 457 // Try to create the same community concurrently 458 const numGoroutines = 10 459 sameName := fmt.Sprintf("concurrent-test-%d", time.Now().UnixNano()) 460 461 // Channel to collect results 462 type result struct { 463 community *communities.Community 464 err error 465 } 466 results := make(chan result, numGoroutines) 467 468 // Launch concurrent creation attempts 469 for i := 0; i < numGoroutines; i++ { 470 go func(idx int) { 471 uniqueSuffix := fmt.Sprintf("%d-%d", time.Now().UnixNano(), idx) 472 community := &communities.Community{ 473 DID: generateTestDID(uniqueSuffix), 474 Handle: fmt.Sprintf("%s.community.test.local", sameName), 475 Name: sameName, 476 DisplayName: "Concurrent Test", 477 Description: "Testing concurrent creation", 478 OwnerDID: "did:web:test.local", 479 CreatedByDID: "did:plc:testuser", 480 HostedByDID: "did:web:test.local", 481 PDSEmail: fmt.Sprintf("%s-%s@test.local", sameName, uniqueSuffix), 482 PDSPassword: "test-password-concurrent", 483 PDSAccessToken: fmt.Sprintf("access-token-%d", idx), 484 PDSRefreshToken: fmt.Sprintf("refresh-token-%d", idx), 485 PDSURL: "http://localhost:3001", 486 Visibility: "public", 487 AllowExternalDiscovery: true, 488 CreatedAt: time.Now(), 489 UpdatedAt: time.Now(), 490 } 491 492 created, err := repo.Create(ctx, community) 493 results <- result{community: created, err: err} 494 }(i) 495 } 496 497 // Collect results 498 successCount := 0 499 duplicateErrorCount := 0 500 501 for i := 0; i < numGoroutines; i++ { 502 res := <-results 503 if res.err == nil { 504 successCount++ 505 } else if strings.Contains(res.err.Error(), "duplicate") || 506 strings.Contains(res.err.Error(), "unique") || 507 strings.Contains(res.err.Error(), "already exists") { 508 duplicateErrorCount++ 509 } else { 510 t.Logf("Unexpected error: %v", res.err) 511 } 512 } 513 514 // We expect exactly one success and the rest to fail with duplicate errors 515 // OR all to succeed with unique DIDs (depending on implementation) 516 t.Logf("Results: %d successful, %d duplicate errors", successCount, duplicateErrorCount) 517 518 // At minimum, we should have some creations succeed 519 if successCount == 0 { 520 t.Error("Expected at least one successful community creation") 521 } 522 523 // If we have duplicate errors, that's good - it means uniqueness is enforced 524 if duplicateErrorCount > 0 { 525 t.Logf("✅ Database correctly prevents duplicate handles: %d duplicate errors", duplicateErrorCount) 526 } 527 }) 528 529 t.Run("handles concurrent reads safely", func(t *testing.T) { 530 // Create a test community 531 uniqueSuffix := fmt.Sprintf("%d", time.Now().UnixNano()) 532 community := &communities.Community{ 533 DID: generateTestDID(uniqueSuffix), 534 Handle: fmt.Sprintf("read-test-%s.community.test.local", uniqueSuffix), 535 Name: "read-test", 536 DisplayName: "Read Test", 537 Description: "Testing concurrent reads", 538 OwnerDID: "did:web:test.local", 539 CreatedByDID: "did:plc:testuser", 540 HostedByDID: "did:web:test.local", 541 PDSEmail: fmt.Sprintf("read-test-%s@test.local", uniqueSuffix), 542 PDSPassword: "test-password-reads", 543 PDSAccessToken: "access-token", 544 PDSRefreshToken: "refresh-token", 545 PDSURL: "http://localhost:3001", 546 Visibility: "public", 547 AllowExternalDiscovery: true, 548 CreatedAt: time.Now(), 549 UpdatedAt: time.Now(), 550 } 551 552 created, err := repo.Create(ctx, community) 553 if err != nil { 554 t.Fatalf("Failed to create test community: %v", err) 555 } 556 557 // Now read it concurrently 558 const numReaders = 20 559 results := make(chan error, numReaders) 560 561 for i := 0; i < numReaders; i++ { 562 go func() { 563 _, err := repo.GetByDID(ctx, created.DID) 564 results <- err 565 }() 566 } 567 568 // All reads should succeed 569 failCount := 0 570 for i := 0; i < numReaders; i++ { 571 if err := <-results; err != nil { 572 failCount++ 573 t.Logf("Read %d failed: %v", i, err) 574 } 575 } 576 577 if failCount > 0 { 578 t.Errorf("Expected all concurrent reads to succeed, but %d failed", failCount) 579 } else { 580 t.Logf("✅ All %d concurrent reads succeeded", numReaders) 581 } 582 }) 583} 584 585// TestPDSNetworkFailures verifies graceful handling of PDS network issues 586// Critical: Ensures service doesn't crash or leak resources on PDS failures 587func TestPDSNetworkFailures(t *testing.T) { 588 ctx := context.Background() 589 590 t.Run("handles invalid PDS URL", func(t *testing.T) { 591 // Invalid URL should fail gracefully 592 invalidURLs := []string{ 593 "not-a-url", 594 "ftp://invalid-protocol.com", 595 "http://", 596 "://missing-scheme", 597 "", 598 } 599 600 for _, invalidURL := range invalidURLs { 601 provisioner := communities.NewPDSAccountProvisioner("test.local", invalidURL) 602 _, err := provisioner.ProvisionCommunityAccount(ctx, "testcommunity") 603 604 if err == nil { 605 t.Errorf("Expected error for invalid PDS URL %q, got nil", invalidURL) 606 } 607 608 // Should get a clear error about PDS failure 609 if !strings.Contains(err.Error(), "PDS") && !strings.Contains(err.Error(), "failed") { 610 t.Logf("Error message could be clearer for URL %q: %v", invalidURL, err) 611 } 612 613 t.Logf("✅ Invalid URL %q correctly rejected: %v", invalidURL, err) 614 } 615 }) 616 617 t.Run("handles unreachable PDS server", func(t *testing.T) { 618 // Use a port that's guaranteed to be unreachable 619 unreachablePDS := "http://localhost:9999" 620 provisioner := communities.NewPDSAccountProvisioner("test.local", unreachablePDS) 621 622 _, err := provisioner.ProvisionCommunityAccount(ctx, "testcommunity") 623 624 if err == nil { 625 t.Error("Expected error for unreachable PDS, got nil") 626 } 627 628 // Should get connection error 629 if !strings.Contains(err.Error(), "PDS account creation failed") { 630 t.Logf("Error for unreachable PDS: %v", err) 631 } 632 633 t.Logf("✅ Unreachable PDS handled gracefully: %v", err) 634 }) 635 636 t.Run("handles timeout scenarios", func(t *testing.T) { 637 // Create a context with a very short timeout 638 timeoutCtx, cancel := context.WithTimeout(ctx, 1) 639 defer cancel() 640 641 provisioner := communities.NewPDSAccountProvisioner("test.local", "http://localhost:3001") 642 _, err := provisioner.ProvisionCommunityAccount(timeoutCtx, "testcommunity") 643 644 // Should either timeout or fail to connect (since PDS isn't running) 645 if err == nil { 646 t.Error("Expected timeout or connection error, got nil") 647 } 648 649 t.Logf("✅ Timeout handled: %v", err) 650 }) 651 652 t.Run("FetchPDSDID handles invalid URLs", func(t *testing.T) { 653 invalidURLs := []string{ 654 "not-a-url", 655 "http://", 656 "", 657 } 658 659 for _, invalidURL := range invalidURLs { 660 _, err := communities.FetchPDSDID(ctx, invalidURL) 661 662 if err == nil { 663 t.Errorf("FetchPDSDID should fail for invalid URL %q", invalidURL) 664 } 665 666 t.Logf("✅ FetchPDSDID rejected invalid URL %q: %v", invalidURL, err) 667 } 668 }) 669 670 t.Run("FetchPDSDID handles unreachable server", func(t *testing.T) { 671 unreachablePDS := "http://localhost:9998" 672 _, err := communities.FetchPDSDID(ctx, unreachablePDS) 673 674 if err == nil { 675 t.Error("Expected error for unreachable PDS") 676 } 677 678 if !strings.Contains(err.Error(), "failed to describe server") { 679 t.Errorf("Expected 'failed to describe server' error, got: %v", err) 680 } 681 682 t.Logf("✅ FetchPDSDID handles unreachable server: %v", err) 683 }) 684 685 t.Run("FetchPDSDID handles timeout", func(t *testing.T) { 686 timeoutCtx, cancel := context.WithTimeout(ctx, 1) 687 defer cancel() 688 689 _, err := communities.FetchPDSDID(timeoutCtx, "http://localhost:3001") 690 691 // Should timeout or fail to connect 692 if err == nil { 693 t.Error("Expected timeout or connection error") 694 } 695 696 t.Logf("✅ FetchPDSDID timeout handled: %v", err) 697 }) 698} 699 700// TestTokenValidation verifies that PDS-returned tokens meet requirements 701// Critical for P0: Tokens must be valid JWTs that can be used for authentication 702func TestTokenValidation(t *testing.T) { 703 db := setupTestDB(t) 704 defer func() { 705 if err := db.Close(); err != nil { 706 t.Logf("Failed to close database: %v", err) 707 } 708 }() 709 710 repo := postgres.NewCommunityRepository(db) 711 ctx := context.Background() 712 713 t.Run("validates access token storage", func(t *testing.T) { 714 uniqueSuffix := fmt.Sprintf("%d", time.Now().UnixNano()) 715 716 // Create a community with realistic-looking tokens 717 // Real atProto JWTs are typically 200+ characters 718 accessToken := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkaWQ6cGxjOnRlc3QiLCJpYXQiOjE1MTYyMzkwMjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" 719 refreshToken := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkaWQ6cGxjOnRlc3QiLCJ0eXBlIjoicmVmcmVzaCIsImlhdCI6MTUxNjIzOTAyMn0.different_signature_here" 720 721 community := &communities.Community{ 722 DID: generateTestDID(uniqueSuffix), 723 Handle: fmt.Sprintf("token-test-%s.community.test.local", uniqueSuffix), 724 Name: "token-test", 725 DisplayName: "Token Test", 726 Description: "Testing token storage", 727 OwnerDID: "did:web:test.local", 728 CreatedByDID: "did:plc:testuser", 729 HostedByDID: "did:web:test.local", 730 PDSEmail: fmt.Sprintf("token-test-%s@test.local", uniqueSuffix), 731 PDSPassword: "test-password-tokens", 732 PDSAccessToken: accessToken, 733 PDSRefreshToken: refreshToken, 734 PDSURL: "http://localhost:3001", 735 Visibility: "public", 736 AllowExternalDiscovery: true, 737 CreatedAt: time.Now(), 738 UpdatedAt: time.Now(), 739 } 740 741 created, err := repo.Create(ctx, community) 742 if err != nil { 743 t.Fatalf("Failed to create community: %v", err) 744 } 745 746 // Retrieve and verify tokens 747 retrieved, err := repo.GetByDID(ctx, created.DID) 748 if err != nil { 749 t.Fatalf("Failed to retrieve community: %v", err) 750 } 751 752 // Verify access token stored correctly 753 if retrieved.PDSAccessToken != accessToken { 754 t.Errorf("Access token mismatch: expected %q, got %q", accessToken, retrieved.PDSAccessToken) 755 } 756 757 // Verify refresh token stored correctly 758 if retrieved.PDSRefreshToken != refreshToken { 759 t.Errorf("Refresh token mismatch: expected %q, got %q", refreshToken, retrieved.PDSRefreshToken) 760 } 761 762 // Verify tokens are not empty 763 if retrieved.PDSAccessToken == "" { 764 t.Error("Access token should not be empty") 765 } 766 if retrieved.PDSRefreshToken == "" { 767 t.Error("Refresh token should not be empty") 768 } 769 770 // Verify tokens have reasonable length (JWTs are typically 100+ chars) 771 if len(retrieved.PDSAccessToken) < 50 { 772 t.Errorf("Access token seems too short: %d characters", len(retrieved.PDSAccessToken)) 773 } 774 if len(retrieved.PDSRefreshToken) < 50 { 775 t.Errorf("Refresh token seems too short: %d characters", len(retrieved.PDSRefreshToken)) 776 } 777 778 t.Logf("✅ Tokens stored and retrieved correctly:") 779 t.Logf(" Access token: %d chars", len(retrieved.PDSAccessToken)) 780 t.Logf(" Refresh token: %d chars", len(retrieved.PDSRefreshToken)) 781 }) 782 783 t.Run("handles empty tokens gracefully", func(t *testing.T) { 784 uniqueSuffix := fmt.Sprintf("%d", time.Now().UnixNano()+1) 785 786 community := &communities.Community{ 787 DID: generateTestDID(uniqueSuffix), 788 Handle: fmt.Sprintf("empty-token-%s.community.test.local", uniqueSuffix), 789 Name: "empty-token", 790 DisplayName: "Empty Token Test", 791 Description: "Testing empty token handling", 792 OwnerDID: "did:web:test.local", 793 CreatedByDID: "did:plc:testuser", 794 HostedByDID: "did:web:test.local", 795 PDSEmail: fmt.Sprintf("empty-token-%s@test.local", uniqueSuffix), 796 PDSPassword: "test-password", 797 PDSAccessToken: "", // Empty 798 PDSRefreshToken: "", // Empty 799 PDSURL: "http://localhost:3001", 800 Visibility: "public", 801 AllowExternalDiscovery: true, 802 CreatedAt: time.Now(), 803 UpdatedAt: time.Now(), 804 } 805 806 created, err := repo.Create(ctx, community) 807 if err != nil { 808 t.Fatalf("Failed to create community with empty tokens: %v", err) 809 } 810 811 retrieved, err := repo.GetByDID(ctx, created.DID) 812 if err != nil { 813 t.Fatalf("Failed to retrieve community: %v", err) 814 } 815 816 // Empty tokens should be preserved 817 if retrieved.PDSAccessToken != "" { 818 t.Errorf("Expected empty access token, got: %q", retrieved.PDSAccessToken) 819 } 820 if retrieved.PDSRefreshToken != "" { 821 t.Errorf("Expected empty refresh token, got: %q", retrieved.PDSRefreshToken) 822 } 823 824 t.Logf("✅ Empty tokens handled correctly (NULL/empty string)") 825 }) 826 827 t.Run("validates token encryption in database", func(t *testing.T) { 828 uniqueSuffix := fmt.Sprintf("%d", time.Now().UnixNano()+2) 829 830 // Use distinct tokens so we can verify they're encrypted separately 831 accessToken := "access-token-should-be-encrypted-" + uniqueSuffix 832 refreshToken := "refresh-token-should-be-encrypted-" + uniqueSuffix 833 834 community := &communities.Community{ 835 DID: generateTestDID(uniqueSuffix), 836 Handle: fmt.Sprintf("encrypted-token-%s.community.test.local", uniqueSuffix), 837 Name: "encrypted-token", 838 DisplayName: "Encrypted Token Test", 839 Description: "Testing token encryption", 840 OwnerDID: "did:web:test.local", 841 CreatedByDID: "did:plc:testuser", 842 HostedByDID: "did:web:test.local", 843 PDSEmail: fmt.Sprintf("encrypted-token-%s@test.local", uniqueSuffix), 844 PDSPassword: "test-password", 845 PDSAccessToken: accessToken, 846 PDSRefreshToken: refreshToken, 847 PDSURL: "http://localhost:3001", 848 Visibility: "public", 849 AllowExternalDiscovery: true, 850 CreatedAt: time.Now(), 851 UpdatedAt: time.Now(), 852 } 853 854 created, err := repo.Create(ctx, community) 855 if err != nil { 856 t.Fatalf("Failed to create community: %v", err) 857 } 858 859 retrieved, err := repo.GetByDID(ctx, created.DID) 860 if err != nil { 861 t.Fatalf("Failed to retrieve community: %v", err) 862 } 863 864 // Verify tokens are decrypted correctly 865 if retrieved.PDSAccessToken != accessToken { 866 t.Errorf("Access token decryption failed: expected %q, got %q", accessToken, retrieved.PDSAccessToken) 867 } 868 if retrieved.PDSRefreshToken != refreshToken { 869 t.Errorf("Refresh token decryption failed: expected %q, got %q", refreshToken, retrieved.PDSRefreshToken) 870 } 871 872 t.Logf("✅ Tokens encrypted/decrypted correctly") 873 }) 874}