commit b7c5620de04f7b4efe264fdd18acb413cb16913a · bretton.dev/coves

+107 -105

internal/api/middleware/auth.go

···

       1
       1
        
       package middleware

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       -
       	"Coves/internal/api/handlers/oauth"

     

       4
       4
       +
       	"Coves/internal/atproto/auth"

     

       5
       5
        
       	"context"

     

       6
       6
       -
       	"fmt"

     

       7
       6
        
       	"log"

     

       8
       7
        
       	"net/http"

     

       9
       9
       -
       	"os"

     

       10
       8
        
       	"strings"

     

       11
       11
       -
       

     

       12
       12
       -
       	atprotoOAuth "Coves/internal/atproto/oauth"

     

       13
       13
       -
       	oauthCore "Coves/internal/core/oauth"

     

       14
       9
        
       )

     

       15
       10
        
       

     

       16
       11
        
       // Context keys for storing user information

     
···

       18
       13
        
       

     

       19
       14
        
       const (

     

       20
       15
        
       	UserDIDKey      contextKey = "user_did"

     

       21
       21
       -
       	OAuthSessionKey contextKey = "oauth_session"

     

       16
       16
       +
       	JWTClaimsKey    contextKey = "jwt_claims"

     

       17
       17
       +
       	UserAccessToken contextKey = "user_access_token"

     

       22
       18
        
       )

     

       23
       19
        
       

     

       24
       24
       -
       const (

     

       25
       25
       -
       	sessionName = "coves_session"

     

       26
       26
       -
       	sessionDID  = "did"

     

       27
       27
       -
       )

     

       28
       28
       -
       

     

       29
       29
       -
       // AuthMiddleware enforces OAuth authentication for protected routes

     

       30
       30
       -
       type AuthMiddleware struct {

     

       31
       31
       -
       	authService *oauthCore.AuthService

     

       20
       20
       +
       // AtProtoAuthMiddleware enforces atProto OAuth authentication for protected routes

     

       21
       21
       +
       // Validates JWT Bearer tokens from the Authorization header

     

       22
       22
       +
       type AtProtoAuthMiddleware struct {

     

       23
       23
       +
       	jwksFetcher auth.JWKSFetcher

     

       24
       24
       +
       	skipVerify  bool // For Phase 1 testing only

     

       32
       25
        
       }

     

       33
       26
        
       

     

       34
       34
       -
       // NewAuthMiddleware creates a new auth middleware

     

       35
       35
       -
       func NewAuthMiddleware(sessionStore oauthCore.SessionStore) (*AuthMiddleware, error) {

     

       36
       36
       -
       	privateJWK := os.Getenv("OAUTH_PRIVATE_JWK")

     

       37
       37
       -
       	if privateJWK == "" {

     

       38
       38
       -
       		return nil, fmt.Errorf("OAUTH_PRIVATE_JWK not configured")

     

       39
       39
       -
       	}

     

       40
       40
       -
       

     

       41
       41
       -
       	// Parse OAuth client key

     

       42
       42
       -
       	privateKey, err := atprotoOAuth.ParseJWKFromJSON([]byte(privateJWK))

     

       43
       43
       -
       	if err != nil {

     

       44
       44
       -
       		return nil, fmt.Errorf("failed to parse OAuth private key: %w", err)

     

       45
       45
       -
       	}

     

       46
       46
       -
       

     

       47
       47
       -
       	// Get AppView URL

     

       48
       48
       -
       	appviewURL := os.Getenv("APPVIEW_PUBLIC_URL")

     

       49
       49
       -
       	if appviewURL == "" {

     

       50
       50
       -
       		appviewURL = "http://localhost:8081"

     

       51
       51
       -
       	}

     

       52
       52
       -
       

     

       53
       53
       -
       	// Determine client ID

     

       54
       54
       -
       	var clientID string

     

       55
       55
       -
       	if strings.HasPrefix(appviewURL, "http://localhost") || strings.HasPrefix(appviewURL, "http://127.0.0.1") {

     

       56
       56
       -
       		clientID = "http://localhost?redirect_uri=" + appviewURL + "/oauth/callback&scope=atproto%20transition:generic"

     

       57
       57
       -
       	} else {

     

       58
       58
       -
       		clientID = appviewURL + "/oauth/client-metadata.json"

     

       27
       27
       +
       // NewAtProtoAuthMiddleware creates a new atProto auth middleware

     

       28
       28
       +
       // skipVerify: if true, only parses JWT without signature verification (Phase 1)

     

       29
       29
       +
       //

     

       30
       30
       +
       //	if false, performs full signature verification (Phase 2)

     

       31
       31
       +
       func NewAtProtoAuthMiddleware(jwksFetcher auth.JWKSFetcher, skipVerify bool) *AtProtoAuthMiddleware {

     

       32
       32
       +
       	return &AtProtoAuthMiddleware{

     

       33
       33
       +
       		jwksFetcher: jwksFetcher,

     

       34
       34
       +
       		skipVerify:  skipVerify,

     

       59
       35
        
       	}

     

       60
       60
       -
       

     

       61
       61
       -
       	redirectURI := appviewURL + "/oauth/callback"

     

       62
       62
       -
       

     

       63
       63
       -
       	oauthClient := atprotoOAuth.NewClient(clientID, privateKey, redirectURI)

     

       64
       64
       -
       	authService := oauthCore.NewAuthService(sessionStore, oauthClient)

     

       65
       65
       -
       

     

       66
       66
       -
       	return &AuthMiddleware{

     

       67
       67
       -
       		authService: authService,

     

       68
       68
       -
       	}, nil

     

       69
       36
        
       }

     

       70
       37
        
       

     

       71
       71
       -
       // RequireAuth middleware ensures the user is authenticated

     

       38
       38
       +
       // RequireAuth middleware ensures the user is authenticated with a valid JWT

     

       72
       39
        
       // If not authenticated, returns 401

     

       73
       73
       -
       // If authenticated, injects user DID and OAuth session into context

     

       74
       74
       -
       func (m *AuthMiddleware) RequireAuth(next http.Handler) http.Handler {

     

       40
       40
       +
       // If authenticated, injects user DID and JWT claims into context

     

       41
       41
       +
       func (m *AtProtoAuthMiddleware) RequireAuth(next http.Handler) http.Handler {

     

       75
       42
        
       	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       76
       76
       -
       		// Get HTTP session

     

       77
       77
       -
       		cookieStore := oauth.GetCookieStore()

     

       78
       78
       -
       		httpSession, err := cookieStore.Get(r, sessionName)

     

       79
       79
       -
       		if err != nil || httpSession.IsNew {

     

       80
       80
       -
       			http.Error(w, "Unauthorized", http.StatusUnauthorized)

     

       43
       43
       +
       		// Extract Authorization header

     

       44
       44
       +
       		authHeader := r.Header.Get("Authorization")

     

       45
       45
       +
       		if authHeader == "" {

     

       46
       46
       +
       			writeAuthError(w, "Missing Authorization header")

     

       81
       47
        
       			return

     

       82
       48
        
       		}

     

       83
       49
        
       

     

       84
       84
       -
       		// Get DID from session

     

       85
       85
       -
       		did, ok := httpSession.Values[sessionDID].(string)

     

       86
       86
       -
       		if !ok || did == "" {

     

       87
       87
       -
       			http.Error(w, "Unauthorized", http.StatusUnauthorized)

     

       50
       50
       +
       		// Must be Bearer token

     

       51
       51
       +
       		if !strings.HasPrefix(authHeader, "Bearer ") {

     

       52
       52
       +
       			writeAuthError(w, "Invalid Authorization header format. Expected: Bearer <token>")

     

       88
       53
        
       			return

     

       89
       54
        
       		}

     

       90
       55
        
       

     

       91
       91
       -
       		// Load OAuth session from database

     

       92
       92
       -
       		session, err := m.authService.ValidateSession(r.Context(), did)

     

       93
       93
       -
       		if err != nil {

     

       94
       94
       -
       			log.Printf("Failed to load OAuth session for DID %s: %v", did, err)

     

       95
       95
       -
       			http.Error(w, "Session expired", http.StatusUnauthorized)

     

       96
       96
       -
       			return

     

       56
       56
       +
       		token := strings.TrimPrefix(authHeader, "Bearer ")

     

       57
       57
       +
       		token = strings.TrimSpace(token)

     

       58
       58
       +
       

     

       59
       59
       +
       		var claims *auth.Claims

     

       60
       60
       +
       		var err error

     

       61
       61
       +
       

     

       62
       62
       +
       		if m.skipVerify {

     

       63
       63
       +
       			// Phase 1: Parse only (no signature verification)

     

       64
       64
       +
       			claims, err = auth.ParseJWT(token)

     

       65
       65
       +
       			if err != nil {

     

       66
       66
       +
       				log.Printf("[AUTH_FAILURE] type=parse_error ip=%s method=%s path=%s error=%v",

     

       67
       67
       +
       					r.RemoteAddr, r.Method, r.URL.Path, err)

     

       68
       68
       +
       				writeAuthError(w, "Invalid token")

     

       69
       69
       +
       				return

     

       70
       70
       +
       			}

     

       71
       71
       +
       		} else {

     

       72
       72
       +
       			// Phase 2: Full verification with signature check

     

       73
       73
       +
       			claims, err = auth.VerifyJWT(r.Context(), token, m.jwksFetcher)

     

       74
       74
       +
       			if err != nil {

     

       75
       75
       +
       				// Try to extract issuer for better logging

     

       76
       76
       +
       				issuer := "unknown"

     

       77
       77
       +
       				if parsedClaims, parseErr := auth.ParseJWT(token); parseErr == nil {

     

       78
       78
       +
       					issuer = parsedClaims.Issuer

     

       79
       79
       +
       				}

     

       80
       80
       +
       				log.Printf("[AUTH_FAILURE] type=verification_failed ip=%s method=%s path=%s issuer=%s error=%v",

     

       81
       81
       +
       					r.RemoteAddr, r.Method, r.URL.Path, issuer, err)

     

       82
       82
       +
       				writeAuthError(w, "Invalid or expired token")

     

       83
       83
       +
       				return

     

       84
       84
       +
       			}

     

       97
       85
        
       		}

     

       98
       86
        
       

     

       99
       99
       -
       		// Check if token needs refresh and refresh if necessary

     

       100
       100
       -
       		session, err = m.authService.RefreshTokenIfNeeded(r.Context(), session, oauth.TokenRefreshThreshold)

     

       101
       101
       -
       		if err != nil {

     

       102
       102
       -
       			log.Printf("Failed to refresh token for DID %s: %v", did, err)

     

       103
       103
       -
       			http.Error(w, "Session expired", http.StatusUnauthorized)

     

       87
       87
       +
       		// Extract user DID from 'sub' claim

     

       88
       88
       +
       		userDID := claims.Subject

     

       89
       89
       +
       		if userDID == "" {

     

       90
       90
       +
       			writeAuthError(w, "Missing user DID in token")

     

       104
       91
        
       			return

     

       105
       92
        
       		}

     

       106
       93
        
       

     

       107
       107
       -
       		// Inject user info into context

     

       108
       108
       -
       		ctx := context.WithValue(r.Context(), UserDIDKey, did)

     

       109
       109
       -
       		ctx = context.WithValue(ctx, OAuthSessionKey, session)

     

       94
       94
       +
       		// Inject user info and access token into context

     

       95
       95
       +
       		ctx := context.WithValue(r.Context(), UserDIDKey, userDID)

     

       96
       96
       +
       		ctx = context.WithValue(ctx, JWTClaimsKey, claims)

     

       97
       97
       +
       		ctx = context.WithValue(ctx, UserAccessToken, token)

     

       110
       98
        
       

     

       111
       99
        
       		// Call next handler

     

       112
       100
        
       		next.ServeHTTP(w, r.WithContext(ctx))

     
···

       115
       103
        
       

     

       116
       104
        
       // OptionalAuth middleware loads user info if authenticated, but doesn't require it

     

       117
       105
        
       // Useful for endpoints that work for both authenticated and anonymous users

     

       118
       118
       -
       func (m *AuthMiddleware) OptionalAuth(next http.Handler) http.Handler {

     

       106
       106
       +
       func (m *AtProtoAuthMiddleware) OptionalAuth(next http.Handler) http.Handler {

     

       119
       107
        
       	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       120
       120
       -
       		// Get HTTP session

     

       121
       121
       -
       		cookieStore := oauth.GetCookieStore()

     

       122
       122
       -
       		httpSession, err := cookieStore.Get(r, sessionName)

     

       123
       123
       -
       		if err != nil || httpSession.IsNew {

     

       108
       108
       +
       		// Extract Authorization header

     

       109
       109
       +
       		authHeader := r.Header.Get("Authorization")

     

       110
       110
       +
       		if authHeader == "" || !strings.HasPrefix(authHeader, "Bearer ") {

     

       124
       111
        
       			// Not authenticated - continue without user context

     

       125
       112
        
       			next.ServeHTTP(w, r)

     

       126
       113
        
       			return

     

       127
       114
        
       		}

     

       128
       115
        
       

     

       129
       129
       -
       		// Get DID from session

     

       130
       130
       -
       		did, ok := httpSession.Values[sessionDID].(string)

     

       131
       131
       -
       		if !ok || did == "" {

     

       132
       132
       -
       			// No DID - continue without user context

     

       133
       133
       -
       			next.ServeHTTP(w, r)

     

       134
       134
       -
       			return

     

       116
       116
       +
       		token := strings.TrimPrefix(authHeader, "Bearer ")

     

       117
       117
       +
       		token = strings.TrimSpace(token)

     

       118
       118
       +
       

     

       119
       119
       +
       		var claims *auth.Claims

     

       120
       120
       +
       		var err error

     

       121
       121
       +
       

     

       122
       122
       +
       		if m.skipVerify {

     

       123
       123
       +
       			// Phase 1: Parse only

     

       124
       124
       +
       			claims, err = auth.ParseJWT(token)

     

       125
       125
       +
       		} else {

     

       126
       126
       +
       			// Phase 2: Full verification

     

       127
       127
       +
       			claims, err = auth.VerifyJWT(r.Context(), token, m.jwksFetcher)

     

       135
       128
        
       		}

     

       136
       129
        
       

     

       137
       137
       -
       		// Load OAuth session from database

     

       138
       138
       -
       		session, err := m.authService.ValidateSession(r.Context(), did)

     

       139
       130
        
       		if err != nil {

     

       140
       140
       -
       			// Session expired - continue without user context

     

       131
       131
       +
       			// Invalid token - continue without user context

     

       132
       132
       +
       			log.Printf("Optional auth failed: %v", err)

     

       141
       133
        
       			next.ServeHTTP(w, r)

     

       142
       134
        
       			return

     

       143
       135
        
       		}

     

       144
       136
        
       

     

       145
       145
       -
       		// Try to refresh token if needed (best effort)

     

       146
       146
       -
       		refreshedSession, err := m.authService.RefreshTokenIfNeeded(r.Context(), session, oauth.TokenRefreshThreshold)

     

       147
       147
       -
       		if err != nil {

     

       148
       148
       -
       			// If refresh fails, continue with old session (best effort)

     

       149
       149
       -
       			// Session will still be valid for a few more minutes

     

       150
       150
       -
       		} else {

     

       151
       151
       -
       			session = refreshedSession

     

       152
       152
       -
       		}

     

       153
       153
       -
       

     

       154
       154
       -
       		// Inject user info into context

     

       155
       155
       -
       		ctx := context.WithValue(r.Context(), UserDIDKey, did)

     

       156
       156
       -
       		ctx = context.WithValue(ctx, OAuthSessionKey, session)

     

       137
       137
       +
       		// Inject user info and access token into context

     

       138
       138
       +
       		ctx := context.WithValue(r.Context(), UserDIDKey, claims.Subject)

     

       139
       139
       +
       		ctx = context.WithValue(ctx, JWTClaimsKey, claims)

     

       140
       140
       +
       		ctx = context.WithValue(ctx, UserAccessToken, token)

     

       157
       141
        
       

     

       158
       142
        
       		// Call next handler

     

       159
       143
        
       		next.ServeHTTP(w, r.WithContext(ctx))

     
···

       167
       151
        
       	return did

     

       168
       152
        
       }

     

       169
       153
        
       

     

       170
       170
       -
       // GetOAuthSession extracts the OAuth session from the request context

     

       154
       154
       +
       // GetJWTClaims extracts the JWT claims from the request context

     

       171
       155
        
       // Returns nil if not authenticated

     

       172
       172
       -
       func GetOAuthSession(r *http.Request) *oauthCore.OAuthSession {

     

       173
       173
       -
       	session, _ := r.Context().Value(OAuthSessionKey).(*oauthCore.OAuthSession)

     

       174
       174
       -
       	return session

     

       156
       156
       +
       func GetJWTClaims(r *http.Request) *auth.Claims {

     

       157
       157
       +
       	claims, _ := r.Context().Value(JWTClaimsKey).(*auth.Claims)

     

       158
       158
       +
       	return claims

     

       159
       159
       +
       }

     

       160
       160
       +
       

     

       161
       161
       +
       // GetUserAccessToken extracts the user's access token from the request context

     

       162
       162
       +
       // Returns empty string if not authenticated

     

       163
       163
       +
       func GetUserAccessToken(r *http.Request) string {

     

       164
       164
       +
       	token, _ := r.Context().Value(UserAccessToken).(string)

     

       165
       165
       +
       	return token

     

       166
       166
       +
       }

     

       167
       167
       +
       

     

       168
       168
       +
       // writeAuthError writes a JSON error response for authentication failures

     

       169
       169
       +
       func writeAuthError(w http.ResponseWriter, message string) {

     

       170
       170
       +
       	w.Header().Set("Content-Type", "application/json")

     

       171
       171
       +
       	w.WriteHeader(http.StatusUnauthorized)

     

       172
       172
       +
       	// Simple error response matching XRPC error format

     

       173
       173
       +
       	response := `{"error":"AuthenticationRequired","message":"` + message + `"}`

     

       174
       174
       +
       	if _, err := w.Write([]byte(response)); err != nil {

     

       175
       175
       +
       		log.Printf("Failed to write auth error response: %v", err)

     

       176
       176
       +
       	}

     

       175
       177
        
       }

+328

internal/api/middleware/auth_test.go

···

       1
       1
       +
       package middleware

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"fmt"

     

       6
       6
       +
       	"net/http"

     

       7
       7
       +
       	"net/http/httptest"

     

       8
       8
       +
       	"testing"

     

       9
       9
       +
       	"time"

     

       10
       10
       +
       

     

       11
       11
       +
       	"github.com/golang-jwt/jwt/v5"

     

       12
       12
       +
       )

     

       13
       13
       +
       

     

       14
       14
       +
       // mockJWKSFetcher is a test double for JWKSFetcher

     

       15
       15
       +
       type mockJWKSFetcher struct {

     

       16
       16
       +
       	shouldFail bool

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       19
       19
       +
       func (m *mockJWKSFetcher) FetchPublicKey(ctx context.Context, issuer, token string) (interface{}, error) {

     

       20
       20
       +
       	if m.shouldFail {

     

       21
       21
       +
       		return nil, fmt.Errorf("mock fetch failure")

     

       22
       22
       +
       	}

     

       23
       23
       +
       	// Return nil - we won't actually verify signatures in Phase 1 tests

     

       24
       24
       +
       	return nil, nil

     

       25
       25
       +
       }

     

       26
       26
       +
       

     

       27
       27
       +
       // createTestToken creates a test JWT with the given DID

     

       28
       28
       +
       func createTestToken(did string) string {

     

       29
       29
       +
       	claims := jwt.MapClaims{

     

       30
       30
       +
       		"sub":   did,

     

       31
       31
       +
       		"iss":   "https://test.pds.local",

     

       32
       32
       +
       		"scope": "atproto",

     

       33
       33
       +
       		"exp":   time.Now().Add(1 * time.Hour).Unix(),

     

       34
       34
       +
       		"iat":   time.Now().Unix(),

     

       35
       35
       +
       	}

     

       36
       36
       +
       

     

       37
       37
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       38
       38
       +
       	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       39
       39
       +
       	return tokenString

     

       40
       40
       +
       }

     

       41
       41
       +
       

     

       42
       42
       +
       // TestRequireAuth_ValidToken tests that valid tokens are accepted (Phase 1)

     

       43
       43
       +
       func TestRequireAuth_ValidToken(t *testing.T) {

     

       44
       44
       +
       	fetcher := &mockJWKSFetcher{}

     

       45
       45
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true) // skipVerify=true

     

       46
       46
       +
       

     

       47
       47
       +
       	handlerCalled := false

     

       48
       48
       +
       	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       49
       49
       +
       		handlerCalled = true

     

       50
       50
       +
       

     

       51
       51
       +
       		// Verify DID was extracted and injected into context

     

       52
       52
       +
       		did := GetUserDID(r)

     

       53
       53
       +
       		if did != "did:plc:test123" {

     

       54
       54
       +
       			t.Errorf("expected DID 'did:plc:test123', got %s", did)

     

       55
       55
       +
       		}

     

       56
       56
       +
       

     

       57
       57
       +
       		// Verify claims were injected

     

       58
       58
       +
       		claims := GetJWTClaims(r)

     

       59
       59
       +
       		if claims == nil {

     

       60
       60
       +
       			t.Error("expected claims to be non-nil")

     

       61
       61
       +
       			return

     

       62
       62
       +
       		}

     

       63
       63
       +
       		if claims.Subject != "did:plc:test123" {

     

       64
       64
       +
       			t.Errorf("expected claims.Subject 'did:plc:test123', got %s", claims.Subject)

     

       65
       65
       +
       		}

     

       66
       66
       +
       

     

       67
       67
       +
       		w.WriteHeader(http.StatusOK)

     

       68
       68
       +
       	}))

     

       69
       69
       +
       

     

       70
       70
       +
       	token := createTestToken("did:plc:test123")

     

       71
       71
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       72
       72
       +
       	req.Header.Set("Authorization", "Bearer "+token)

     

       73
       73
       +
       	w := httptest.NewRecorder()

     

       74
       74
       +
       

     

       75
       75
       +
       	handler.ServeHTTP(w, req)

     

       76
       76
       +
       

     

       77
       77
       +
       	if !handlerCalled {

     

       78
       78
       +
       		t.Error("handler was not called")

     

       79
       79
       +
       	}

     

       80
       80
       +
       

     

       81
       81
       +
       	if w.Code != http.StatusOK {

     

       82
       82
       +
       		t.Errorf("expected status 200, got %d: %s", w.Code, w.Body.String())

     

       83
       83
       +
       	}

     

       84
       84
       +
       }

     

       85
       85
       +
       

     

       86
       86
       +
       // TestRequireAuth_MissingAuthHeader tests that missing Authorization header is rejected

     

       87
       87
       +
       func TestRequireAuth_MissingAuthHeader(t *testing.T) {

     

       88
       88
       +
       	fetcher := &mockJWKSFetcher{}

     

       89
       89
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       90
       90
       +
       

     

       91
       91
       +
       	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       92
       92
       +
       		t.Error("handler should not be called")

     

       93
       93
       +
       	}))

     

       94
       94
       +
       

     

       95
       95
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       96
       96
       +
       	// No Authorization header

     

       97
       97
       +
       	w := httptest.NewRecorder()

     

       98
       98
       +
       

     

       99
       99
       +
       	handler.ServeHTTP(w, req)

     

       100
       100
       +
       

     

       101
       101
       +
       	if w.Code != http.StatusUnauthorized {

     

       102
       102
       +
       		t.Errorf("expected status 401, got %d", w.Code)

     

       103
       103
       +
       	}

     

       104
       104
       +
       }

     

       105
       105
       +
       

     

       106
       106
       +
       // TestRequireAuth_InvalidAuthHeaderFormat tests that non-Bearer tokens are rejected

     

       107
       107
       +
       func TestRequireAuth_InvalidAuthHeaderFormat(t *testing.T) {

     

       108
       108
       +
       	fetcher := &mockJWKSFetcher{}

     

       109
       109
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       110
       110
       +
       

     

       111
       111
       +
       	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       112
       112
       +
       		t.Error("handler should not be called")

     

       113
       113
       +
       	}))

     

       114
       114
       +
       

     

       115
       115
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       116
       116
       +
       	req.Header.Set("Authorization", "Basic dGVzdDp0ZXN0") // Wrong format

     

       117
       117
       +
       	w := httptest.NewRecorder()

     

       118
       118
       +
       

     

       119
       119
       +
       	handler.ServeHTTP(w, req)

     

       120
       120
       +
       

     

       121
       121
       +
       	if w.Code != http.StatusUnauthorized {

     

       122
       122
       +
       		t.Errorf("expected status 401, got %d", w.Code)

     

       123
       123
       +
       	}

     

       124
       124
       +
       }

     

       125
       125
       +
       

     

       126
       126
       +
       // TestRequireAuth_MalformedToken tests that malformed JWTs are rejected

     

       127
       127
       +
       func TestRequireAuth_MalformedToken(t *testing.T) {

     

       128
       128
       +
       	fetcher := &mockJWKSFetcher{}

     

       129
       129
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       130
       130
       +
       

     

       131
       131
       +
       	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       132
       132
       +
       		t.Error("handler should not be called")

     

       133
       133
       +
       	}))

     

       134
       134
       +
       

     

       135
       135
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       136
       136
       +
       	req.Header.Set("Authorization", "Bearer not-a-valid-jwt")

     

       137
       137
       +
       	w := httptest.NewRecorder()

     

       138
       138
       +
       

     

       139
       139
       +
       	handler.ServeHTTP(w, req)

     

       140
       140
       +
       

     

       141
       141
       +
       	if w.Code != http.StatusUnauthorized {

     

       142
       142
       +
       		t.Errorf("expected status 401, got %d", w.Code)

     

       143
       143
       +
       	}

     

       144
       144
       +
       }

     

       145
       145
       +
       

     

       146
       146
       +
       // TestRequireAuth_ExpiredToken tests that expired tokens are rejected

     

       147
       147
       +
       func TestRequireAuth_ExpiredToken(t *testing.T) {

     

       148
       148
       +
       	fetcher := &mockJWKSFetcher{}

     

       149
       149
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       150
       150
       +
       

     

       151
       151
       +
       	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       152
       152
       +
       		t.Error("handler should not be called for expired token")

     

       153
       153
       +
       	}))

     

       154
       154
       +
       

     

       155
       155
       +
       	// Create expired token

     

       156
       156
       +
       	claims := jwt.MapClaims{

     

       157
       157
       +
       		"sub":   "did:plc:test123",

     

       158
       158
       +
       		"iss":   "https://test.pds.local",

     

       159
       159
       +
       		"scope": "atproto",

     

       160
       160
       +
       		"exp":   time.Now().Add(-1 * time.Hour).Unix(), // Expired 1 hour ago

     

       161
       161
       +
       		"iat":   time.Now().Add(-2 * time.Hour).Unix(),

     

       162
       162
       +
       	}

     

       163
       163
       +
       

     

       164
       164
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       165
       165
       +
       	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       166
       166
       +
       

     

       167
       167
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       168
       168
       +
       	req.Header.Set("Authorization", "Bearer "+tokenString)

     

       169
       169
       +
       	w := httptest.NewRecorder()

     

       170
       170
       +
       

     

       171
       171
       +
       	handler.ServeHTTP(w, req)

     

       172
       172
       +
       

     

       173
       173
       +
       	if w.Code != http.StatusUnauthorized {

     

       174
       174
       +
       		t.Errorf("expected status 401, got %d", w.Code)

     

       175
       175
       +
       	}

     

       176
       176
       +
       }

     

       177
       177
       +
       

     

       178
       178
       +
       // TestRequireAuth_MissingDID tests that tokens without DID are rejected

     

       179
       179
       +
       func TestRequireAuth_MissingDID(t *testing.T) {

     

       180
       180
       +
       	fetcher := &mockJWKSFetcher{}

     

       181
       181
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       182
       182
       +
       

     

       183
       183
       +
       	handler := middleware.RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       184
       184
       +
       		t.Error("handler should not be called")

     

       185
       185
       +
       	}))

     

       186
       186
       +
       

     

       187
       187
       +
       	// Create token without sub claim

     

       188
       188
       +
       	claims := jwt.MapClaims{

     

       189
       189
       +
       		// "sub" missing

     

       190
       190
       +
       		"iss":   "https://test.pds.local",

     

       191
       191
       +
       		"scope": "atproto",

     

       192
       192
       +
       		"exp":   time.Now().Add(1 * time.Hour).Unix(),

     

       193
       193
       +
       		"iat":   time.Now().Unix(),

     

       194
       194
       +
       	}

     

       195
       195
       +
       

     

       196
       196
       +
       	token := jwt.NewWithClaims(jwt.SigningMethodNone, claims)

     

       197
       197
       +
       	tokenString, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)

     

       198
       198
       +
       

     

       199
       199
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       200
       200
       +
       	req.Header.Set("Authorization", "Bearer "+tokenString)

     

       201
       201
       +
       	w := httptest.NewRecorder()

     

       202
       202
       +
       

     

       203
       203
       +
       	handler.ServeHTTP(w, req)

     

       204
       204
       +
       

     

       205
       205
       +
       	if w.Code != http.StatusUnauthorized {

     

       206
       206
       +
       		t.Errorf("expected status 401, got %d", w.Code)

     

       207
       207
       +
       	}

     

       208
       208
       +
       }

     

       209
       209
       +
       

     

       210
       210
       +
       // TestOptionalAuth_WithToken tests that OptionalAuth accepts valid tokens

     

       211
       211
       +
       func TestOptionalAuth_WithToken(t *testing.T) {

     

       212
       212
       +
       	fetcher := &mockJWKSFetcher{}

     

       213
       213
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       214
       214
       +
       

     

       215
       215
       +
       	handlerCalled := false

     

       216
       216
       +
       	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       217
       217
       +
       		handlerCalled = true

     

       218
       218
       +
       

     

       219
       219
       +
       		// Verify DID was extracted

     

       220
       220
       +
       		did := GetUserDID(r)

     

       221
       221
       +
       		if did != "did:plc:test123" {

     

       222
       222
       +
       			t.Errorf("expected DID 'did:plc:test123', got %s", did)

     

       223
       223
       +
       		}

     

       224
       224
       +
       

     

       225
       225
       +
       		w.WriteHeader(http.StatusOK)

     

       226
       226
       +
       	}))

     

       227
       227
       +
       

     

       228
       228
       +
       	token := createTestToken("did:plc:test123")

     

       229
       229
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       230
       230
       +
       	req.Header.Set("Authorization", "Bearer "+token)

     

       231
       231
       +
       	w := httptest.NewRecorder()

     

       232
       232
       +
       

     

       233
       233
       +
       	handler.ServeHTTP(w, req)

     

       234
       234
       +
       

     

       235
       235
       +
       	if !handlerCalled {

     

       236
       236
       +
       		t.Error("handler was not called")

     

       237
       237
       +
       	}

     

       238
       238
       +
       

     

       239
       239
       +
       	if w.Code != http.StatusOK {

     

       240
       240
       +
       		t.Errorf("expected status 200, got %d", w.Code)

     

       241
       241
       +
       	}

     

       242
       242
       +
       }

     

       243
       243
       +
       

     

       244
       244
       +
       // TestOptionalAuth_WithoutToken tests that OptionalAuth allows requests without tokens

     

       245
       245
       +
       func TestOptionalAuth_WithoutToken(t *testing.T) {

     

       246
       246
       +
       	fetcher := &mockJWKSFetcher{}

     

       247
       247
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       248
       248
       +
       

     

       249
       249
       +
       	handlerCalled := false

     

       250
       250
       +
       	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       251
       251
       +
       		handlerCalled = true

     

       252
       252
       +
       

     

       253
       253
       +
       		// Verify no DID is set

     

       254
       254
       +
       		did := GetUserDID(r)

     

       255
       255
       +
       		if did != "" {

     

       256
       256
       +
       			t.Errorf("expected empty DID, got %s", did)

     

       257
       257
       +
       		}

     

       258
       258
       +
       

     

       259
       259
       +
       		w.WriteHeader(http.StatusOK)

     

       260
       260
       +
       	}))

     

       261
       261
       +
       

     

       262
       262
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       263
       263
       +
       	// No Authorization header

     

       264
       264
       +
       	w := httptest.NewRecorder()

     

       265
       265
       +
       

     

       266
       266
       +
       	handler.ServeHTTP(w, req)

     

       267
       267
       +
       

     

       268
       268
       +
       	if !handlerCalled {

     

       269
       269
       +
       		t.Error("handler was not called")

     

       270
       270
       +
       	}

     

       271
       271
       +
       

     

       272
       272
       +
       	if w.Code != http.StatusOK {

     

       273
       273
       +
       		t.Errorf("expected status 200, got %d", w.Code)

     

       274
       274
       +
       	}

     

       275
       275
       +
       }

     

       276
       276
       +
       

     

       277
       277
       +
       // TestOptionalAuth_InvalidToken tests that OptionalAuth continues without auth on invalid token

     

       278
       278
       +
       func TestOptionalAuth_InvalidToken(t *testing.T) {

     

       279
       279
       +
       	fetcher := &mockJWKSFetcher{}

     

       280
       280
       +
       	middleware := NewAtProtoAuthMiddleware(fetcher, true)

     

       281
       281
       +
       

     

       282
       282
       +
       	handlerCalled := false

     

       283
       283
       +
       	handler := middleware.OptionalAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       284
       284
       +
       		handlerCalled = true

     

       285
       285
       +
       

     

       286
       286
       +
       		// Verify no DID is set (invalid token ignored)

     

       287
       287
       +
       		did := GetUserDID(r)

     

       288
       288
       +
       		if did != "" {

     

       289
       289
       +
       			t.Errorf("expected empty DID for invalid token, got %s", did)

     

       290
       290
       +
       		}

     

       291
       291
       +
       

     

       292
       292
       +
       		w.WriteHeader(http.StatusOK)

     

       293
       293
       +
       	}))

     

       294
       294
       +
       

     

       295
       295
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       296
       296
       +
       	req.Header.Set("Authorization", "Bearer not-a-valid-jwt")

     

       297
       297
       +
       	w := httptest.NewRecorder()

     

       298
       298
       +
       

     

       299
       299
       +
       	handler.ServeHTTP(w, req)

     

       300
       300
       +
       

     

       301
       301
       +
       	if !handlerCalled {

     

       302
       302
       +
       		t.Error("handler was not called")

     

       303
       303
       +
       	}

     

       304
       304
       +
       

     

       305
       305
       +
       	if w.Code != http.StatusOK {

     

       306
       306
       +
       		t.Errorf("expected status 200, got %d", w.Code)

     

       307
       307
       +
       	}

     

       308
       308
       +
       }

     

       309
       309
       +
       

     

       310
       310
       +
       // TestGetUserDID_NotAuthenticated tests that GetUserDID returns empty string when not authenticated

     

       311
       311
       +
       func TestGetUserDID_NotAuthenticated(t *testing.T) {

     

       312
       312
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       313
       313
       +
       	did := GetUserDID(req)

     

       314
       314
       +
       

     

       315
       315
       +
       	if did != "" {

     

       316
       316
       +
       		t.Errorf("expected empty string, got %s", did)

     

       317
       317
       +
       	}

     

       318
       318
       +
       }

     

       319
       319
       +
       

     

       320
       320
       +
       // TestGetJWTClaims_NotAuthenticated tests that GetJWTClaims returns nil when not authenticated

     

       321
       321
       +
       func TestGetJWTClaims_NotAuthenticated(t *testing.T) {

     

       322
       322
       +
       	req := httptest.NewRequest("GET", "/test", nil)

     

       323
       323
       +
       	claims := GetJWTClaims(req)

     

       324
       324
       +
       

     

       325
       325
       +
       	if claims != nil {

     

       326
       326
       +
       		t.Errorf("expected nil claims, got %+v", claims)

     

       327
       327
       +
       	}

     

       328
       328
       +
       }