package auth_test import ( "testing" "git.unsupervised.ca/walkies/internal/auth" ) func TestHashPassword_RoundTrip(t *testing.T) { hash, err := auth.HashPassword("mysecret") if err != nil { t.Fatalf("HashPassword: %v", err) } if hash == "mysecret" { t.Error("hash should not equal plaintext") } if len(hash) == 0 { t.Error("hash should not be empty") } } func TestHashPassword_DifferentInputs(t *testing.T) { h1, _ := auth.HashPassword("password1") h2, _ := auth.HashPassword("password2") if h1 == h2 { t.Error("different passwords should produce different hashes") } } func TestIssueToken_Parse_RoundTrip(t *testing.T) { svc := auth.NewService(nil, "test-secret") token, err := svc.IssueToken(42, "admin") if err != nil { t.Fatalf("IssueToken: %v", err) } if token == "" { t.Fatal("expected non-empty token") } claims, err := svc.Parse(token) if err != nil { t.Fatalf("Parse: %v", err) } if claims.VolunteerID != 42 { t.Errorf("expected volunteer_id 42, got %d", claims.VolunteerID) } if claims.Role != "admin" { t.Errorf("expected role admin, got %q", claims.Role) } } func TestParse_InvalidToken(t *testing.T) { svc := auth.NewService(nil, "test-secret") _, err := svc.Parse("not.a.token") if err == nil { t.Error("expected error parsing invalid token") } } func TestParse_WrongSecret(t *testing.T) { svc1 := auth.NewService(nil, "secret-A") svc2 := auth.NewService(nil, "secret-B") token, err := svc1.IssueToken(1, "volunteer") if err != nil { t.Fatalf("IssueToken: %v", err) } _, err = svc2.Parse(token) if err == nil { t.Error("token signed with secret-A should not parse with secret-B") } } func TestIssueToken_Volunteer(t *testing.T) { svc := auth.NewService(nil, "test-secret") token, err := svc.IssueToken(7, "volunteer") if err != nil { t.Fatalf("IssueToken: %v", err) } claims, err := svc.Parse(token) if err != nil { t.Fatalf("Parse: %v", err) } if claims.Role != "volunteer" { t.Errorf("expected role volunteer, got %q", claims.Role) } if claims.VolunteerID != 7 { t.Errorf("expected volunteer_id 7, got %d", claims.VolunteerID) } }