pluginsdk/auth/trustedheaders_test.go
Alex Dunmow b6d40ed8ac feat: bootstrap block/pluginsdk — the proto-first plugin SDK (P1)
Bootstrap the plugin-facing SDK module so the fleet migration (P2) becomes a
mechanical block/core/X -> block/pluginsdk/X import rewrite.

- abi/proto/v1: the single source-of-truth ABI proto tree, copied from the cms
  authoring source (cms/backend/abi/proto/v1) with go_package retargeted to
  git.dev.alexdunmow.com/block/pluginsdk/abi/v1;abiv1. Kills the hand-kept
  cms/core proto duplication (audit gap 4).
- abi/v1: generated Go bindings (buf generate); byte-identical to core's abi/v1
  save the embedded go_package path.
- plugin/ (registration + DI surface), plugin/wasmguest/** (transport shim,
  caps stubs, bnwasm db driver, testdata fixtures + golden .pb), and the
  guest-facing type packages: blocks (+builtin/shared/tags), templates
  (+pongo/bn), auth, settings, content, gating, crypto, rbac, video, ai,
  subscriptions, menus, datasources. Internal imports rewritten core ->
  pluginsdk; zero block/core references remain.
- README/AGENTS(+CLAUDE symlink)/Makefile: proto is the contract, Go is one
  binding; no replace directives; templates/bn is a synced copy authored in cms.

Spec: cms docs/superpowers/specs/2026-07-07-proto-first-plugin-sdk-design.md

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 10:51:00 +08:00

83 lines
2.7 KiB
Go

package auth
import (
"context"
"net/http"
"net/http/httptest"
"testing"
"github.com/google/uuid"
)
func TestContextFromTrustedHeaders(t *testing.T) {
adminID := uuid.New()
pubID := uuid.New()
h := http.Header{}
h.Set(HeaderVerifiedUserID, adminID.String())
h.Set(HeaderVerifiedRole, "superadmin")
h.Set(HeaderVerifiedEmail, "admin@example.com")
h.Set(HeaderVerifiedPublicUserID, pubID.String())
h.Set(HeaderVerifiedPublicUsername, "ninja")
h.Set(HeaderVerifiedPublicEmail, "ninja@example.com")
ctx := ContextFromTrustedHeaders(context.Background(), h)
c, ok := GetUserFromContext(ctx)
if !ok {
t.Fatal("admin claims missing")
}
if c.UserID != adminID || c.Role != "superadmin" || c.Email != "admin@example.com" {
t.Fatalf("admin claims mismatch: %+v", c)
}
p, ok := GetPublicUserFromContext(ctx)
if !ok {
t.Fatal("public claims missing")
}
if p.UserID != pubID || p.Username != "ninja" || p.Email != "ninja@example.com" {
t.Fatalf("public claims mismatch: %+v", p)
}
}
// TestContextFromTrustedHeaders_NoneWhenAbsent proves an anonymous request (no
// trusted headers) yields no principals — nothing is fabricated.
func TestContextFromTrustedHeaders_NoneWhenAbsent(t *testing.T) {
ctx := ContextFromTrustedHeaders(context.Background(), http.Header{})
if _, ok := GetUserFromContext(ctx); ok {
t.Fatal("unexpected admin claims for anonymous request")
}
if _, ok := GetPublicUserFromContext(ctx); ok {
t.Fatal("unexpected public claims for anonymous request")
}
}
// TestContextFromTrustedHeaders_BadUUIDIgnored proves a malformed id header is
// ignored rather than trusted (no panic, no principal).
func TestContextFromTrustedHeaders_BadUUIDIgnored(t *testing.T) {
h := http.Header{}
h.Set(HeaderVerifiedUserID, "not-a-uuid")
h.Set(HeaderVerifiedRole, "superadmin")
ctx := ContextFromTrustedHeaders(context.Background(), h)
if _, ok := GetUserFromContext(ctx); ok {
t.Fatal("malformed user-id header must not yield a principal")
}
}
// TestTrustedHeaderMiddleware proves the middleware installs the principal into
// the downstream handler's request context, keyed by the canonical header form.
func TestTrustedHeaderMiddleware(t *testing.T) {
adminID := uuid.New()
var got *Claims
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
got, _ = GetUserFromContext(r.Context())
})
req := httptest.NewRequest(http.MethodGet, "/x", nil)
// lower-case on the way in — net/http canonicalizes, middleware must still see it.
req.Header.Set("x-bn-verified-user-id", adminID.String())
req.Header.Set("x-bn-verified-role", "admin")
TrustedHeaderMiddleware(next).ServeHTTP(httptest.NewRecorder(), req)
if got == nil || got.UserID != adminID || got.Role != "admin" {
t.Fatalf("middleware did not install principal: %+v", got)
}
}