commit 185f7ae0977cb4e0bc97eb78ec04fa7871fad6e8 · bretton.dev/coves

+20 -19

tests/integration/aggregator_e2e_test.go

···

       3
       3
        
       import (

     

       4
       4
        
       	"Coves/internal/api/handlers/aggregator"

     

       5
       5
        
       	"Coves/internal/api/handlers/post"

     

       6
       6
       -
       	"Coves/internal/api/middleware"

     

       7
       6
        
       	"Coves/internal/atproto/identity"

     

       8
       7
        
       	"Coves/internal/atproto/jetstream"

     

       9
       8
        
       	"Coves/internal/core/aggregators"

     
···

       82
       81
        
       	getAuthorizationsHandler := aggregator.NewGetAuthorizationsHandler(aggregatorService)

     

       83
       82
        
       	listForCommunityHandler := aggregator.NewListForCommunityHandler(aggregatorService)

     

       84
       83
        
       	createPostHandler := post.NewCreateHandler(postService)

     

       85
       85
       -
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true) // Skip JWT verification for testing

     

       86
       86
       -
       	defer authMiddleware.Stop()                                      // Clean up DPoP replay cache goroutine

     

       84
       84
       +
       	e2eAuth := NewE2EOAuthMiddleware()

     

       87
       85
        
       

     

       88
       86
        
       	ctx := context.Background()

     

       89
       87
        
       

     
···

       99
       97
        
       	// Part 1: Service Declaration via Real PDS

     

       100
       98
        
       	// ====================================================================================

     

       101
       99
        
       	// Store DIDs, tokens, and URIs for use across all test parts

     

       102
       102
       -
       	var aggregatorDID, aggregatorToken, aggregatorHandle, communityDID, communityToken, authorizationRkey string

     

       100
       100
       +
       	var aggregatorDID, aggregatorToken, aggregatorAPIToken, aggregatorHandle, communityDID, communityToken, authorizationRkey string

     

       103
       101
        
       

     

       104
       102
        
       	t.Run("1. Service Declaration - PDS Account → Write Record → Jetstream → AppView DB", func(t *testing.T) {

     

       105
       103
        
       		t.Log("\n📝 Part 1: Create aggregator account and publish service declaration to PDS...")

     
···

       118
       116
        
       		require.NotEmpty(t, aggregatorDID, "Should receive DID")

     

       119
       117
        
       

     

       120
       118
        
       		t.Logf("✓ Created aggregator account: %s (%s)", aggregatorHandle, aggregatorDID)

     

       119
       119
       +
       

     

       120
       120
       +
       		// Register aggregator user with OAuth middleware for API requests

     

       121
       121
       +
       		aggregatorAPIToken = e2eAuth.AddUser(aggregatorDID)

     

       121
       122
        
       

     

       122
       123
        
       		// STEP 2: Write service declaration to aggregator's repository on PDS

     

       123
       124
        
       		configSchema := map[string]interface{}{

     
···

       335
       336
        
       

     

       336
       337
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       337
       338
        
       		req.Header.Set("Content-Type", "application/json")

     

       338
       338
       -
       

     

       339
       339
       -
       		// Create JWT for aggregator (not a user)

     

       340
       340
       -
       		aggregatorJWT := createSimpleTestJWT(aggregatorDID)

     

       341
       341
       -
       		req.Header.Set("Authorization", "DPoP "+aggregatorJWT)

     

       339
       339
       +
       		req.Header.Set("Authorization", "Bearer "+aggregatorAPIToken)

     

       342
       340
        
       

     

       343
       341
        
       		// Execute request through auth middleware + handler

     

       344
       342
        
       		rr := httptest.NewRecorder()

     

       345
       345
       -
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       343
       343
       +
       		handler := e2eAuth.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       346
       344
        
       		handler.ServeHTTP(rr, req)

     

       347
       345
        
       

     

       348
       346
        
       		// STEP 2: Verify post creation succeeded

     
···

       425
       423
        
       

     

       426
       424
        
       			req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       427
       425
        
       			req.Header.Set("Content-Type", "application/json")

     

       428
       428
       -
       			req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       426
       426
       +
       			req.Header.Set("Authorization", "Bearer "+aggregatorAPIToken)

     

       429
       427
        
       

     

       430
       428
        
       			rr := httptest.NewRecorder()

     

       431
       431
       -
       			handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       429
       429
       +
       			handler := e2eAuth.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       432
       430
        
       			handler.ServeHTTP(rr, req)

     

       433
       431
        
       

     

       434
       432
        
       			require.Equal(t, http.StatusOK, rr.Code, "Post %d should succeed", i)

     
···

       447
       445
        
       

     

       448
       446
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       449
       447
        
       		req.Header.Set("Content-Type", "application/json")

     

       450
       450
       -
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       448
       448
       +
       		req.Header.Set("Authorization", "Bearer "+aggregatorAPIToken)

     

       451
       449
        
       

     

       452
       450
        
       		rr := httptest.NewRecorder()

     

       453
       453
       -
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       451
       451
       +
       		handler := e2eAuth.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       454
       452
        
       		handler.ServeHTTP(rr, req)

     

       455
       453
        
       

     

       456
       454
        
       		require.Equal(t, http.StatusOK, rr.Code, "10th post should succeed (at limit)")

     
···

       468
       466
        
       

     

       469
       467
        
       		req = httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       470
       468
        
       		req.Header.Set("Content-Type", "application/json")

     

       471
       471
       -
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       469
       469
       +
       		req.Header.Set("Authorization", "Bearer "+aggregatorAPIToken)

     

       472
       470
        
       

     

       473
       471
        
       		rr = httptest.NewRecorder()

     

       474
       474
       -
       		handler = authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       472
       472
       +
       		handler = e2eAuth.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       475
       473
        
       		handler.ServeHTTP(rr, req)

     

       476
       474
        
       

     

       477
       475
        
       		// Should be rate limited

     
···

       649
       647
        
       		err := aggregatorConsumer.HandleEvent(ctx, &unAuthAggEvent)

     

       650
       648
        
       		require.NoError(t, err)

     

       651
       649
        
       

     

       650
       650
       +
       		// Register unauthorized aggregator with OAuth middleware

     

       651
       651
       +
       		unauthorizedAPIToken := e2eAuth.AddUser(unauthorizedAggDID)

     

       652
       652
       +
       

     

       652
       653
        
       		// Try to create post without authorization

     

       653
       654
        
       		reqBody := map[string]interface{}{

     

       654
       655
        
       			"community": communityDID,

     
···

       660
       661
        
       

     

       661
       662
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       662
       663
        
       		req.Header.Set("Content-Type", "application/json")

     

       663
       663
       -
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(unauthorizedAggDID))

     

       664
       664
       +
       		req.Header.Set("Authorization", "Bearer "+unauthorizedAPIToken)

     

       664
       665
        
       

     

       665
       666
        
       		rr := httptest.NewRecorder()

     

       666
       666
       -
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       667
       667
       +
       		handler := e2eAuth.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       667
       668
        
       		handler.ServeHTTP(rr, req)

     

       668
       669
        
       

     

       669
       670
        
       		// Should be forbidden

     
···

       784
       785
        
       

     

       785
       786
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       786
       787
        
       		req.Header.Set("Content-Type", "application/json")

     

       787
       787
       -
       		req.Header.Set("Authorization", "DPoP "+createSimpleTestJWT(aggregatorDID))

     

       788
       788
       +
       		req.Header.Set("Authorization", "Bearer "+aggregatorAPIToken)

     

       788
       789
        
       

     

       789
       790
        
       		rr := httptest.NewRecorder()

     

       790
       790
       -
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       791
       791
       +
       		handler := e2eAuth.RequireAuth(http.HandlerFunc(createPostHandler.HandleCreate))

     

       791
       792
        
       		handler.ServeHTTP(rr, req)

     

       792
       793
        
       

     

       793
       794
        
       		assert.Equal(t, http.StatusForbidden, rr.Code, "Should reject post from disabled aggregator")

+16 -20

tests/integration/community_e2e_test.go

···

       1
       1
        
       package integration

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       -
       	"Coves/internal/api/middleware"

     

       5
       4
        
       	"Coves/internal/api/routes"

     

       6
       5
        
       	"Coves/internal/atproto/identity"

     

       7
       6
        
       	"Coves/internal/atproto/jetstream"

     
···

       108
       107
        
       

     

       109
       108
        
       	t.Logf("✅ Authenticated - Instance DID: %s", instanceDID)

     

       110
       109
        
       

     

       111
       111
       -
       	// Initialize auth middleware with skipVerify=true

     

       112
       112
       -
       	// IMPORTANT: PDS password authentication returns Bearer tokens (not DPoP-bound tokens).

     

       113
       113
       -
       	// E2E tests use these Bearer tokens with the DPoP scheme header, which only works

     

       114
       114
       -
       	// because skipVerify=true bypasses signature and DPoP binding verification.

     

       115
       115
       -
       	// In production, skipVerify=false requires proper DPoP-bound tokens from OAuth flow.

     

       116
       116
       -
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       117
       117
       -
       	defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       110
       110
       +
       	// Initialize OAuth auth middleware for E2E testing

     

       111
       111
       +
       	e2eAuth := NewE2EOAuthMiddleware()

     

       112
       112
       +
       	// Register the instance user for OAuth authentication

     

       113
       113
       +
       	token := e2eAuth.AddUser(instanceDID)

     

       118
       114
        
       

     

       119
       115
        
       	// V2.0: Extract instance domain for community provisioning

     

       120
       116
        
       	var instanceDomain string

     
···

       152
       148
        
       

     

       153
       149
        
       	// Setup HTTP server with XRPC routes

     

       154
       150
        
       	r := chi.NewRouter()

     

       155
       155
       -
       	routes.RegisterCommunityRoutes(r, communityService, authMiddleware, nil) // nil = allow all community creators

     

       151
       151
       +
       	routes.RegisterCommunityRoutes(r, communityService, e2eAuth.OAuthAuthMiddleware, nil) // nil = allow all community creators

     

       156
       152
        
       	httpServer := httptest.NewServer(r)

     

       157
       153
        
       	defer httpServer.Close()

     

       158
       154
        
       

     
···

       387
       383
        
       				t.Fatalf("Failed to create request: %v", err)

     

       388
       384
        
       			}

     

       389
       385
        
       			req.Header.Set("Content-Type", "application/json")

     

       390
       390
       -
       			// Use real PDS access token for E2E authentication

     

       391
       391
       -
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       386
       386
       +
       			// Use OAuth token for Coves API authentication

     

       387
       387
       +
       			req.Header.Set("Authorization", "Bearer "+token)

     

       392
       388
        
       

     

       393
       389
        
       			resp, err := http.DefaultClient.Do(req)

     

       394
       390
        
       			if err != nil {

     
···

       773
       769
        
       				t.Fatalf("Failed to create request: %v", err)

     

       774
       770
        
       			}

     

       775
       771
        
       			req.Header.Set("Content-Type", "application/json")

     

       776
       776
       -
       			// Use real PDS access token for E2E authentication

     

       777
       777
       -
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       772
       772
       +
       			// Use OAuth token for Coves API authentication

     

       773
       773
       +
       			req.Header.Set("Authorization", "Bearer "+token)

     

       778
       774
        
       

     

       779
       775
        
       			resp, err := http.DefaultClient.Do(req)

     

       780
       776
        
       			if err != nil {

     
···

       1008
       1004
        
       				t.Fatalf("Failed to create request: %v", err)

     

       1009
       1005
        
       			}

     

       1010
       1006
        
       			req.Header.Set("Content-Type", "application/json")

     

       1011
       1011
       -
       			// Use real PDS access token for E2E authentication

     

       1012
       1012
       -
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1007
       1007
       +
       			// Use OAuth token for Coves API authentication

     

       1008
       1008
       +
       			req.Header.Set("Authorization", "Bearer "+token)

     

       1013
       1009
        
       

     

       1014
       1010
        
       			resp, err := http.DefaultClient.Do(req)

     

       1015
       1011
        
       			if err != nil {

     
···

       1141
       1137
        
       				t.Fatalf("Failed to create block request: %v", err)

     

       1142
       1138
        
       			}

     

       1143
       1139
        
       			req.Header.Set("Content-Type", "application/json")

     

       1144
       1144
       -
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1140
       1140
       +
       			req.Header.Set("Authorization", "Bearer "+token)

     

       1145
       1141
        
       

     

       1146
       1142
        
       			resp, err := http.DefaultClient.Do(req)

     

       1147
       1143
        
       			if err != nil {

     
···

       1261
       1257
        
       				t.Fatalf("Failed to create block request: %v", err)

     

       1262
       1258
        
       			}

     

       1263
       1259
        
       			blockHttpReq.Header.Set("Content-Type", "application/json")

     

       1264
       1264
       -
       			blockHttpReq.Header.Set("Authorization", "DPoP "+accessToken)

     

       1260
       1260
       +
       			blockHttpReq.Header.Set("Authorization", "Bearer "+token)

     

       1265
       1261
        
       

     

       1266
       1262
        
       			blockResp, err := http.DefaultClient.Do(blockHttpReq)

     

       1267
       1263
        
       			if err != nil {

     
···

       1321
       1317
        
       				t.Fatalf("Failed to create unblock request: %v", err)

     

       1322
       1318
        
       			}

     

       1323
       1319
        
       			req.Header.Set("Content-Type", "application/json")

     

       1324
       1324
       -
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1320
       1320
       +
       			req.Header.Set("Authorization", "Bearer "+token)

     

       1325
       1321
        
       

     

       1326
       1322
        
       			resp, err := http.DefaultClient.Do(req)

     

       1327
       1323
        
       			if err != nil {

     
···

       1477
       1473
        
       				t.Fatalf("Failed to create request: %v", err)

     

       1478
       1474
        
       			}

     

       1479
       1475
        
       			req.Header.Set("Content-Type", "application/json")

     

       1480
       1480
       -
       			// Use real PDS access token for E2E authentication

     

       1481
       1481
       -
       			req.Header.Set("Authorization", "DPoP "+accessToken)

     

       1476
       1476
       +
       			// Use OAuth token for Coves API authentication

     

       1477
       1477
       +
       			req.Header.Set("Authorization", "Bearer "+token)

     

       1482
       1478
        
       

     

       1483
       1479
        
       			resp, err := http.DefaultClient.Do(req)

     

       1484
       1480
        
       			if err != nil {

+136 -37

tests/integration/helpers.go

···

       1
       1
        
       package integration

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       -
       	"Coves/internal/atproto/auth"

     

       4
       4
       +
       	"Coves/internal/api/middleware"

     

       5
       5
       +
       	"Coves/internal/atproto/oauth"

     

       5
       6
        
       	"Coves/internal/core/users"

     

       6
       7
        
       	"bytes"

     

       7
       8
        
       	"context"

     

       8
       9
        
       	"database/sql"

     

       9
       9
       -
       	"encoding/base64"

     

       10
       10
        
       	"encoding/json"

     

       11
       11
        
       	"fmt"

     

       12
       12
        
       	"io"

     
···

       16
       16
        
       	"testing"

     

       17
       17
        
       	"time"

     

       18
       18
        
       

     

       19
       19
       -
       	"github.com/golang-jwt/jwt/v5"

     

       19
       19
       +
       	oauthlib "github.com/bluesky-social/indigo/atproto/auth/oauth"

     

       20
       20
       +
       	"github.com/bluesky-social/indigo/atproto/syntax"

     

       20
       21
        
       )

     

       21
       22
        
       

     

       22
       23
        
       // getTestPDSURL returns the PDS URL for testing from env var or default

     
···

       113
       114
        
       	}

     

       114
       115
        
       

     

       115
       116
        
       	return sessionResp.AccessJwt, sessionResp.DID, nil

     

       116
       116
       -
       }

     

       117
       117
       -
       

     

       118
       118
       -
       // createSimpleTestJWT creates a minimal JWT for testing (Phase 1 - no signature)

     

       119
       119
       -
       // In production, this would be a real OAuth token from PDS with proper signatures

     

       120
       120
       -
       func createSimpleTestJWT(userDID string) string {

     

       121
       121
       -
       	// Create minimal JWT claims using RegisteredClaims

     

       122
       122
       -
       	// Use userDID as issuer since we don't have a proper PDS DID for testing

     

       123
       123
       -
       	claims := auth.Claims{

     

       124
       124
       -
       		RegisteredClaims: jwt.RegisteredClaims{

     

       125
       125
       -
       			Subject:   userDID,

     

       126
       126
       -
       			Issuer:    userDID, // Use DID as issuer for testing (valid per atProto)

     

       127
       127
       -
       			Audience:  jwt.ClaimStrings{getTestInstanceDID()},

     

       128
       128
       -
       			IssuedAt:  jwt.NewNumericDate(time.Now()),

     

       129
       129
       -
       			ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),

     

       130
       130
       -
       		},

     

       131
       131
       -
       		Scope: "com.atproto.access",

     

       132
       132
       -
       	}

     

       133
       133
       -
       

     

       134
       134
       -
       	// For Phase 1 testing, we create an unsigned JWT

     

       135
       135
       -
       	// The middleware is configured with skipVerify=true for testing

     

       136
       136
       -
       	header := map[string]interface{}{

     

       137
       137
       -
       		"alg": "none",

     

       138
       138
       -
       		"typ": "JWT",

     

       139
       139
       -
       	}

     

       140
       140
       -
       

     

       141
       141
       -
       	headerJSON, _ := json.Marshal(header)

     

       142
       142
       -
       	claimsJSON, _ := json.Marshal(claims)

     

       143
       143
       -
       

     

       144
       144
       -
       	// Base64url encode (without padding)

     

       145
       145
       -
       	headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)

     

       146
       146
       -
       	claimsB64 := base64.RawURLEncoding.EncodeToString(claimsJSON)

     

       147
       147
       -
       

     

       148
       148
       -
       	// For "alg: none", signature is empty

     

       149
       149
       -
       	return headerB64 + "." + claimsB64 + "."

     

       150
       117
        
       }

     

       151
       118
        
       

     

       152
       119
        
       // generateTID generates a simple timestamp-based identifier for testing

     
···

       310
       277
        
       

     

       311
       278
        
       	return uri

     

       312
       279
        
       }

     

       280
       280
       +
       

     

       281
       281
       +
       // MockSessionUnsealer is a mock implementation of SessionUnsealer for testing

     

       282
       282
       +
       // It returns predefined sessions based on token value

     

       283
       283
       +
       type MockSessionUnsealer struct {

     

       284
       284
       +
       	sessions map[string]*oauth.SealedSession

     

       285
       285
       +
       }

     

       286
       286
       +
       

     

       287
       287
       +
       // NewMockSessionUnsealer creates a new mock unsealer

     

       288
       288
       +
       func NewMockSessionUnsealer() *MockSessionUnsealer {

     

       289
       289
       +
       	return &MockSessionUnsealer{

     

       290
       290
       +
       		sessions: make(map[string]*oauth.SealedSession),

     

       291
       291
       +
       	}

     

       292
       292
       +
       }

     

       293
       293
       +
       

     

       294
       294
       +
       // AddSession adds a token -> session mapping

     

       295
       295
       +
       func (m *MockSessionUnsealer) AddSession(token, did, sessionID string) {

     

       296
       296
       +
       	m.sessions[token] = &oauth.SealedSession{

     

       297
       297
       +
       		DID:       did,

     

       298
       298
       +
       		SessionID: sessionID,

     

       299
       299
       +
       		ExpiresAt: time.Now().Add(1 * time.Hour).Unix(),

     

       300
       300
       +
       	}

     

       301
       301
       +
       }

     

       302
       302
       +
       

     

       303
       303
       +
       // UnsealSession returns the predefined session for a token

     

       304
       304
       +
       func (m *MockSessionUnsealer) UnsealSession(token string) (*oauth.SealedSession, error) {

     

       305
       305
       +
       	if sess, ok := m.sessions[token]; ok {

     

       306
       306
       +
       		return sess, nil

     

       307
       307
       +
       	}

     

       308
       308
       +
       	return nil, fmt.Errorf("unknown token")

     

       309
       309
       +
       }

     

       310
       310
       +
       

     

       311
       311
       +
       // MockOAuthStore is a mock implementation of ClientAuthStore for testing

     

       312
       312
       +
       type MockOAuthStore struct {

     

       313
       313
       +
       	sessions map[string]*oauthlib.ClientSessionData

     

       314
       314
       +
       }

     

       315
       315
       +
       

     

       316
       316
       +
       // NewMockOAuthStore creates a new mock OAuth store

     

       317
       317
       +
       func NewMockOAuthStore() *MockOAuthStore {

     

       318
       318
       +
       	return &MockOAuthStore{

     

       319
       319
       +
       		sessions: make(map[string]*oauthlib.ClientSessionData),

     

       320
       320
       +
       	}

     

       321
       321
       +
       }

     

       322
       322
       +
       

     

       323
       323
       +
       // AddSession adds a session to the store

     

       324
       324
       +
       func (m *MockOAuthStore) AddSession(did, sessionID, accessToken string) {

     

       325
       325
       +
       	key := did + ":" + sessionID

     

       326
       326
       +
       	parsedDID, _ := syntax.ParseDID(did)

     

       327
       327
       +
       	m.sessions[key] = &oauthlib.ClientSessionData{

     

       328
       328
       +
       		AccountDID:  parsedDID,

     

       329
       329
       +
       		SessionID:   sessionID,

     

       330
       330
       +
       		AccessToken: accessToken,

     

       331
       331
       +
       	}

     

       332
       332
       +
       }

     

       333
       333
       +
       

     

       334
       334
       +
       // GetSession implements ClientAuthStore

     

       335
       335
       +
       func (m *MockOAuthStore) GetSession(ctx context.Context, did syntax.DID, sessionID string) (*oauthlib.ClientSessionData, error) {

     

       336
       336
       +
       	key := did.String() + ":" + sessionID

     

       337
       337
       +
       	if sess, ok := m.sessions[key]; ok {

     

       338
       338
       +
       		return sess, nil

     

       339
       339
       +
       	}

     

       340
       340
       +
       	return nil, fmt.Errorf("session not found")

     

       341
       341
       +
       }

     

       342
       342
       +
       

     

       343
       343
       +
       // SaveSession implements ClientAuthStore

     

       344
       344
       +
       func (m *MockOAuthStore) SaveSession(ctx context.Context, sess oauthlib.ClientSessionData) error {

     

       345
       345
       +
       	key := sess.AccountDID.String() + ":" + sess.SessionID

     

       346
       346
       +
       	m.sessions[key] = &sess

     

       347
       347
       +
       	return nil

     

       348
       348
       +
       }

     

       349
       349
       +
       

     

       350
       350
       +
       // DeleteSession implements ClientAuthStore

     

       351
       351
       +
       func (m *MockOAuthStore) DeleteSession(ctx context.Context, did syntax.DID, sessionID string) error {

     

       352
       352
       +
       	key := did.String() + ":" + sessionID

     

       353
       353
       +
       	delete(m.sessions, key)

     

       354
       354
       +
       	return nil

     

       355
       355
       +
       }

     

       356
       356
       +
       

     

       357
       357
       +
       // GetAuthRequestInfo implements ClientAuthStore

     

       358
       358
       +
       func (m *MockOAuthStore) GetAuthRequestInfo(ctx context.Context, state string) (*oauthlib.AuthRequestData, error) {

     

       359
       359
       +
       	return nil, fmt.Errorf("not implemented in mock")

     

       360
       360
       +
       }

     

       361
       361
       +
       

     

       362
       362
       +
       // SaveAuthRequestInfo implements ClientAuthStore

     

       363
       363
       +
       func (m *MockOAuthStore) SaveAuthRequestInfo(ctx context.Context, info oauthlib.AuthRequestData) error {

     

       364
       364
       +
       	return nil

     

       365
       365
       +
       }

     

       366
       366
       +
       

     

       367
       367
       +
       // DeleteAuthRequestInfo implements ClientAuthStore

     

       368
       368
       +
       func (m *MockOAuthStore) DeleteAuthRequestInfo(ctx context.Context, state string) error {

     

       369
       369
       +
       	return nil

     

       370
       370
       +
       }

     

       371
       371
       +
       

     

       372
       372
       +
       // CreateTestOAuthMiddleware creates an OAuth middleware with mock implementations for testing

     

       373
       373
       +
       // The returned middleware accepts a test token that maps to the specified userDID

     

       374
       374
       +
       func CreateTestOAuthMiddleware(userDID string) (*middleware.OAuthAuthMiddleware, string) {

     

       375
       375
       +
       	unsealer := NewMockSessionUnsealer()

     

       376
       376
       +
       	store := NewMockOAuthStore()

     

       377
       377
       +
       

     

       378
       378
       +
       	testToken := "test-token-" + userDID

     

       379
       379
       +
       	sessionID := "test-session-123"

     

       380
       380
       +
       

     

       381
       381
       +
       	// Add the test session

     

       382
       382
       +
       	unsealer.AddSession(testToken, userDID, sessionID)

     

       383
       383
       +
       	store.AddSession(userDID, sessionID, "test-access-token")

     

       384
       384
       +
       

     

       385
       385
       +
       	authMiddleware := middleware.NewOAuthAuthMiddleware(unsealer, store)

     

       386
       386
       +
       	return authMiddleware, testToken

     

       387
       387
       +
       }

     

       388
       388
       +
       

     

       389
       389
       +
       // E2EOAuthMiddleware wraps OAuth middleware for E2E testing with multiple users

     

       390
       390
       +
       type E2EOAuthMiddleware struct {

     

       391
       391
       +
       	*middleware.OAuthAuthMiddleware

     

       392
       392
       +
       	unsealer *MockSessionUnsealer

     

       393
       393
       +
       	store    *MockOAuthStore

     

       394
       394
       +
       }

     

       395
       395
       +
       

     

       396
       396
       +
       // NewE2EOAuthMiddleware creates an OAuth middleware for E2E testing

     

       397
       397
       +
       func NewE2EOAuthMiddleware() *E2EOAuthMiddleware {

     

       398
       398
       +
       	unsealer := NewMockSessionUnsealer()

     

       399
       399
       +
       	store := NewMockOAuthStore()

     

       400
       400
       +
       	m := middleware.NewOAuthAuthMiddleware(unsealer, store)

     

       401
       401
       +
       	return &E2EOAuthMiddleware{m, unsealer, store}

     

       402
       402
       +
       }

     

       403
       403
       +
       

     

       404
       404
       +
       // AddUser registers a user DID and returns the token to use in Authorization header

     

       405
       405
       +
       func (e *E2EOAuthMiddleware) AddUser(did string) string {

     

       406
       406
       +
       	token := "test-token-" + did

     

       407
       407
       +
       	sessionID := "session-" + did

     

       408
       408
       +
       	e.unsealer.AddSession(token, did, sessionID)

     

       409
       409
       +
       	e.store.AddSession(did, sessionID, "access-token-"+did)

     

       410
       410
       +
       	return token

     

       411
       411
       +
       }

+7 -9

tests/integration/post_e2e_test.go

···

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
        
       	"Coves/internal/api/handlers/post"

     

       5
       5
       -
       	"Coves/internal/api/middleware"

     

       6
       5
        
       	"Coves/internal/atproto/identity"

     

       7
       6
        
       	"Coves/internal/atproto/jetstream"

     

       8
       7
        
       	"Coves/internal/core/communities"

     
···

       405
       404
        
       

     

       406
       405
        
       	postService := posts.NewPostService(postRepo, communityService, nil, nil, nil, pdsURL) // nil aggregatorService, blobService, unfurlService for user-only tests

     

       407
       406
        
       

     

       408
       408
       -
       	// Setup auth middleware (skip JWT verification for testing)

     

       409
       409
       -
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       410
       410
       -
       	defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       407
       407
       +
       	// Setup OAuth auth middleware for E2E testing

     

       408
       408
       +
       	e2eAuth := NewE2EOAuthMiddleware()

     

       411
       409
        
       

     

       412
       410
        
       	// Setup HTTP handler

     

       413
       411
        
       	createHandler := post.NewCreateHandler(postService)

     
···

       476
       474
        
       		req := httptest.NewRequest("POST", "/xrpc/social.coves.community.post.create", bytes.NewReader(reqJSON))

     

       477
       475
        
       		req.Header.Set("Content-Type", "application/json")

     

       478
       476
        
       

     

       479
       479
       -
       		// Create a simple JWT for testing (Phase 1: no signature verification)

     

       480
       480
       -
       		// In production, this would be a real OAuth token from PDS

     

       481
       481
       -
       		testJWT := createSimpleTestJWT(author.DID)

     

       482
       482
       -
       		req.Header.Set("Authorization", "DPoP "+testJWT)

     

       477
       477
       +
       		// Register the author user with OAuth middleware and get test token

     

       478
       478
       +
       		// For Coves API handlers, use Bearer scheme with OAuth middleware

     

       479
       479
       +
       		token := e2eAuth.AddUser(author.DID)

     

       480
       480
       +
       		req.Header.Set("Authorization", "Bearer "+token)

     

       483
       481
        
       

     

       484
       482
        
       		// Execute request through auth middleware + handler

     

       485
       483
        
       		rr := httptest.NewRecorder()

     

       486
       486
       -
       		handler := authMiddleware.RequireAuth(http.HandlerFunc(createHandler.HandleCreate))

     

       484
       484
       +
       		handler := e2eAuth.RequireAuth(http.HandlerFunc(createHandler.HandleCreate))

     

       487
       485
        
       		handler.ServeHTTP(rr, req)

     

       488
       486
        
       

     

       489
       487
        
       		// Check response

+22 -19

tests/integration/user_journey_e2e_test.go

···

       1
       1
        
       package integration

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       -
       	"Coves/internal/api/middleware"

     

       5
       4
        
       	"Coves/internal/api/routes"

     

       6
       5
        
       	"Coves/internal/atproto/identity"

     

       7
       6
        
       	"Coves/internal/atproto/jetstream"

     
···

       22
       21
        
       	"testing"

     

       23
       22
        
       	"time"

     

       24
       23
        
       

     

       25
       25
       -
       	timelineCore "Coves/internal/core/timeline"

     

       26
       26
       -
       

     

       27
       24
        
       	"github.com/go-chi/chi/v5"

     

       28
       25
        
       	"github.com/gorilla/websocket"

     

       29
       26
        
       	_ "github.com/lib/pq"

     

       30
       27
        
       	"github.com/pressly/goose/v3"

     

       31
       28
        
       	"github.com/stretchr/testify/assert"

     

       32
       29
        
       	"github.com/stretchr/testify/require"

     

       30
       30
       +
       

     

       31
       31
       +
       	timelineCore "Coves/internal/core/timeline"

     

       33
       32
        
       )

     

       34
       33
        
       

     

       35
       34
        
       // TestFullUserJourney_E2E tests the complete user experience from signup to interaction:

     
···

       139
       138
        
       	commentConsumer := jetstream.NewCommentEventConsumer(commentRepo, db)

     

       140
       139
        
       	voteConsumer := jetstream.NewVoteEventConsumer(voteRepo, userService, db)

     

       141
       140
        
       

     

       142
       142
       -
       	// Setup HTTP server with all routes

     

       143
       143
       -
       	// IMPORTANT: skipVerify=true because PDS password auth returns Bearer tokens (not DPoP-bound).

     

       144
       144
       -
       	// E2E tests use Bearer tokens with DPoP scheme header, which only works with skipVerify=true.

     

       145
       145
       -
       	// In production, skipVerify=false requires proper DPoP-bound tokens from OAuth flow.

     

       146
       146
       -
       	authMiddleware := middleware.NewAtProtoAuthMiddleware(nil, true)

     

       147
       147
       -
       	defer authMiddleware.Stop() // Clean up DPoP replay cache goroutine

     

       141
       141
       +
       	// Setup HTTP server with all routes using OAuth middleware

     

       142
       142
       +
       	e2eAuth := NewE2EOAuthMiddleware()

     

       148
       143
        
       	r := chi.NewRouter()

     

       149
       149
       -
       	routes.RegisterCommunityRoutes(r, communityService, authMiddleware, nil) // nil = allow all community creators

     

       150
       150
       -
       	routes.RegisterPostRoutes(r, postService, authMiddleware)

     

       151
       151
       -
       	routes.RegisterTimelineRoutes(r, timelineService, authMiddleware)

     

       144
       144
       +
       	routes.RegisterCommunityRoutes(r, communityService, e2eAuth.OAuthAuthMiddleware, nil) // nil = allow all community creators

     

       145
       145
       +
       	routes.RegisterPostRoutes(r, postService, e2eAuth.OAuthAuthMiddleware)

     

       146
       146
       +
       	routes.RegisterTimelineRoutes(r, timelineService, e2eAuth.OAuthAuthMiddleware)

     

       152
       147
        
       	httpServer := httptest.NewServer(r)

     

       153
       148
        
       	defer httpServer.Close()

     

       154
       149
        
       

     
···

       181
       176
        
       	var (

     

       182
       177
        
       		userAHandle     string

     

       183
       178
        
       		userADID        string

     

       184
       184
       -
       		userAToken      string

     

       179
       179
       +
       		userAToken      string // PDS access token for direct PDS requests

     

       180
       180
       +
       		userAAPIToken   string // Coves API token for Coves API requests

     

       185
       181
        
       		userBHandle     string

     

       186
       182
        
       		userBDID        string

     

       187
       187
       -
       		userBToken      string

     

       183
       183
       +
       		userBToken      string // PDS access token for direct PDS requests

     

       184
       184
       +
       		userBAPIToken   string // Coves API token for Coves API requests

     

       188
       185
        
       		communityDID    string

     

       189
       186
        
       		communityHandle string

     

       190
       187
        
       		postURI         string

     
···

       217
       214
        
       		userA := createTestUser(t, db, userAHandle, userADID)

     

       218
       215
        
       		require.NotNil(t, userA)

     

       219
       216
        
       

     

       217
       217
       +
       		// Register user with OAuth middleware for Coves API requests

     

       218
       218
       +
       		userAAPIToken = e2eAuth.AddUser(userADID)

     

       219
       219
       +
       

     

       220
       220
        
       		t.Logf("✅ User A indexed in AppView")

     

       221
       221
        
       	})

     

       222
       222
        
       

     
···

       244
       244
        
       			httpServer.URL+"/xrpc/social.coves.community.create",

     

       245
       245
        
       			bytes.NewBuffer(reqBody))

     

       246
       246
        
       		req.Header.Set("Content-Type", "application/json")

     

       247
       247
       -
       		req.Header.Set("Authorization", "DPoP "+userAToken)

     

       247
       247
       +
       		req.Header.Set("Authorization", "Bearer "+userAAPIToken)

     

       248
       248
        
       

     

       249
       249
        
       		resp, err := http.DefaultClient.Do(req)

     

       250
       250
        
       		require.NoError(t, err)

     
···

       328
       328
        
       			httpServer.URL+"/xrpc/social.coves.community.post.create",

     

       329
       329
        
       			bytes.NewBuffer(reqBody))

     

       330
       330
        
       		req.Header.Set("Content-Type", "application/json")

     

       331
       331
       -
       		req.Header.Set("Authorization", "DPoP "+userAToken)

     

       331
       331
       +
       		req.Header.Set("Authorization", "Bearer "+userAAPIToken)

     

       332
       332
        
       

     

       333
       333
        
       		resp, err := http.DefaultClient.Do(req)

     

       334
       334
        
       		require.NoError(t, err)

     
···

       413
       413
        
       		userB := createTestUser(t, db, userBHandle, userBDID)

     

       414
       414
        
       		require.NotNil(t, userB)

     

       415
       415
        
       

     

       416
       416
       +
       		// Register user with OAuth middleware for Coves API requests

     

       417
       417
       +
       		userBAPIToken = e2eAuth.AddUser(userBDID)

     

       418
       418
       +
       

     

       416
       419
        
       		t.Logf("✅ User B indexed in AppView")

     

       417
       420
        
       	})

     

       418
       421
        
       

     
···

       437
       440
        
       			httpServer.URL+"/xrpc/social.coves.community.subscribe",

     

       438
       441
        
       			bytes.NewBuffer(reqBody))

     

       439
       442
        
       		req.Header.Set("Content-Type", "application/json")

     

       440
       440
       -
       		req.Header.Set("Authorization", "DPoP "+userBToken)

     

       443
       443
       +
       		req.Header.Set("Authorization", "Bearer "+userBAPIToken)

     

       441
       444
        
       

     

       442
       445
        
       		resp, err := http.DefaultClient.Do(req)

     

       443
       446
        
       		require.NoError(t, err)

     
···

       669
       672
        
       	t.Run("9. User B - Verify Timeline Feed Shows Subscribed Community Posts", func(t *testing.T) {

     

       670
       673
        
       		t.Log("\n📰 Part 9: User B checks timeline feed...")

     

       671
       674
        
       

     

       672
       672
       -
       		// Use HTTP client to properly go through auth middleware with DPoP token

     

       675
       675
       +
       		// Use HTTP client to properly go through auth middleware with Bearer token

     

       673
       676
        
       		req, _ := http.NewRequest(http.MethodGet,

     

       674
       677
        
       			httpServer.URL+"/xrpc/social.coves.feed.getTimeline?sort=new&limit=10", nil)

     

       675
       675
       -
       		req.Header.Set("Authorization", "DPoP "+userBToken)

     

       678
       678
       +
       		req.Header.Set("Authorization", "Bearer "+userBAPIToken)

     

       676
       679
        
       

     

       677
       680
        
       		resp, err := http.DefaultClient.Do(req)

     

       678
       681
        
       		require.NoError(t, err)