Implement Issue #1: User Accounts & Profiles
- Admin-only account creation (no self-registration); invite-token flow
replaces the public /auth/register endpoint
- New volunteer fields: phone, is_trainee, operational_roles,
notification_preference, admin_notes, last_login, completed_shifts
- Role-scoped profile editing: volunteers update name/phone only;
admins update all fields including notes and trainee flag
- /auth/activate endpoint for invite-token-based account activation
- /api/v1/volunteers/{id}/invite for admin to resend invite links
- last_login recorded on each successful authentication
Tests:
- Go: handler tests (auth rules, create, activate, update scoping) via
Storer/AuthServicer interfaces and fake store; auth unit tests for
HashPassword, IssueToken, and Parse
- Frontend: RTL tests for Activate, Profile, and Volunteers pages
- Fixed CRA 5 + React Router v7 Jest compatibility (moduleNameMapper +
TextEncoder polyfill)
- Replaced stale CRA App.test.tsx placeholder with real tests
CI:
- .gitea/workflows/ci.yml runs go vet, go test, tsc, and npm test on
every push and pull request
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -28,23 +28,25 @@ func NewService(db *sql.DB, secret string) *Service {
|
||||
return &Service{db: db, jwtSecret: []byte(secret)}
|
||||
}
|
||||
|
||||
func (s *Service) Login(ctx context.Context, email, password string) (string, error) {
|
||||
// Login authenticates by email/password and returns the volunteer ID and JWT token.
|
||||
func (s *Service) Login(ctx context.Context, email, password string) (int64, string, error) {
|
||||
var id int64
|
||||
var hash, role string
|
||||
err := s.db.QueryRowContext(ctx,
|
||||
`SELECT id, password, role FROM volunteers WHERE email = ? AND active = 1`,
|
||||
`SELECT id, password, role FROM volunteers WHERE email = ? AND active = 1 AND (password != '' AND password IS NOT NULL)`,
|
||||
email,
|
||||
).Scan(&id, &hash, &role)
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return "", ErrInvalidCredentials
|
||||
return 0, "", ErrInvalidCredentials
|
||||
}
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("query volunteer: %w", err)
|
||||
return 0, "", fmt.Errorf("query volunteer: %w", err)
|
||||
}
|
||||
if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)); err != nil {
|
||||
return "", ErrInvalidCredentials
|
||||
return 0, "", ErrInvalidCredentials
|
||||
}
|
||||
return s.issueToken(id, role)
|
||||
token, err := s.issueToken(id, role)
|
||||
return id, token, err
|
||||
}
|
||||
|
||||
func (s *Service) issueToken(volunteerID int64, role string) (string, error) {
|
||||
@@ -81,3 +83,9 @@ func HashPassword(password string) (string, error) {
|
||||
b, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
||||
return string(b), err
|
||||
}
|
||||
|
||||
// IssueToken mints a JWT for the given volunteer ID and role without querying the DB.
|
||||
// Intended for use in tests and invite-activation flows.
|
||||
func (s *Service) IssueToken(volunteerID int64, role string) (string, error) {
|
||||
return s.issueToken(volunteerID, role)
|
||||
}
|
||||
|
||||
92
internal/auth/auth_test.go
Normal file
92
internal/auth/auth_test.go
Normal file
@@ -0,0 +1,92 @@
|
||||
package auth_test
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"git.unsupervised.ca/walkies/internal/auth"
|
||||
)
|
||||
|
||||
func TestHashPassword_RoundTrip(t *testing.T) {
|
||||
hash, err := auth.HashPassword("mysecret")
|
||||
if err != nil {
|
||||
t.Fatalf("HashPassword: %v", err)
|
||||
}
|
||||
if hash == "mysecret" {
|
||||
t.Error("hash should not equal plaintext")
|
||||
}
|
||||
if len(hash) == 0 {
|
||||
t.Error("hash should not be empty")
|
||||
}
|
||||
}
|
||||
|
||||
func TestHashPassword_DifferentInputs(t *testing.T) {
|
||||
h1, _ := auth.HashPassword("password1")
|
||||
h2, _ := auth.HashPassword("password2")
|
||||
if h1 == h2 {
|
||||
t.Error("different passwords should produce different hashes")
|
||||
}
|
||||
}
|
||||
|
||||
func TestIssueToken_Parse_RoundTrip(t *testing.T) {
|
||||
svc := auth.NewService(nil, "test-secret")
|
||||
|
||||
token, err := svc.IssueToken(42, "admin")
|
||||
if err != nil {
|
||||
t.Fatalf("IssueToken: %v", err)
|
||||
}
|
||||
if token == "" {
|
||||
t.Fatal("expected non-empty token")
|
||||
}
|
||||
|
||||
claims, err := svc.Parse(token)
|
||||
if err != nil {
|
||||
t.Fatalf("Parse: %v", err)
|
||||
}
|
||||
if claims.VolunteerID != 42 {
|
||||
t.Errorf("expected volunteer_id 42, got %d", claims.VolunteerID)
|
||||
}
|
||||
if claims.Role != "admin" {
|
||||
t.Errorf("expected role admin, got %q", claims.Role)
|
||||
}
|
||||
}
|
||||
|
||||
func TestParse_InvalidToken(t *testing.T) {
|
||||
svc := auth.NewService(nil, "test-secret")
|
||||
_, err := svc.Parse("not.a.token")
|
||||
if err == nil {
|
||||
t.Error("expected error parsing invalid token")
|
||||
}
|
||||
}
|
||||
|
||||
func TestParse_WrongSecret(t *testing.T) {
|
||||
svc1 := auth.NewService(nil, "secret-A")
|
||||
svc2 := auth.NewService(nil, "secret-B")
|
||||
|
||||
token, err := svc1.IssueToken(1, "volunteer")
|
||||
if err != nil {
|
||||
t.Fatalf("IssueToken: %v", err)
|
||||
}
|
||||
|
||||
_, err = svc2.Parse(token)
|
||||
if err == nil {
|
||||
t.Error("token signed with secret-A should not parse with secret-B")
|
||||
}
|
||||
}
|
||||
|
||||
func TestIssueToken_Volunteer(t *testing.T) {
|
||||
svc := auth.NewService(nil, "test-secret")
|
||||
token, err := svc.IssueToken(7, "volunteer")
|
||||
if err != nil {
|
||||
t.Fatalf("IssueToken: %v", err)
|
||||
}
|
||||
claims, err := svc.Parse(token)
|
||||
if err != nil {
|
||||
t.Fatalf("Parse: %v", err)
|
||||
}
|
||||
if claims.Role != "volunteer" {
|
||||
t.Errorf("expected role volunteer, got %q", claims.Role)
|
||||
}
|
||||
if claims.VolunteerID != 7 {
|
||||
t.Errorf("expected volunteer_id 7, got %d", claims.VolunteerID)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user