walkies/internal/auth/auth_test.go

package auth_test

import (
	"testing"

	"git.unsupervised.ca/walkies/internal/auth"
)

func TestHashPassword_RoundTrip(t *testing.T) {
	hash, err := auth.HashPassword("mysecret")
	if err != nil {
		t.Fatalf("HashPassword: %v", err)
	}
	if hash == "mysecret" {
		t.Error("hash should not equal plaintext")
	}
	if len(hash) == 0 {
		t.Error("hash should not be empty")
	}
}

func TestHashPassword_DifferentInputs(t *testing.T) {
	h1, _ := auth.HashPassword("password1")
	h2, _ := auth.HashPassword("password2")
	if h1 == h2 {
		t.Error("different passwords should produce different hashes")
	}
}

func TestIssueToken_Parse_RoundTrip(t *testing.T) {
	svc := auth.NewService(nil, "test-secret")

	token, err := svc.IssueToken(42, "admin")
	if err != nil {
		t.Fatalf("IssueToken: %v", err)
	}
	if token == "" {
		t.Fatal("expected non-empty token")
	}

	claims, err := svc.Parse(token)
	if err != nil {
		t.Fatalf("Parse: %v", err)
	}
	if claims.VolunteerID != 42 {
		t.Errorf("expected volunteer_id 42, got %d", claims.VolunteerID)
	}
	if claims.Role != "admin" {
		t.Errorf("expected role admin, got %q", claims.Role)
	}
}

func TestParse_InvalidToken(t *testing.T) {
	svc := auth.NewService(nil, "test-secret")
	_, err := svc.Parse("not.a.token")
	if err == nil {
		t.Error("expected error parsing invalid token")
	}
}

func TestParse_WrongSecret(t *testing.T) {
	svc1 := auth.NewService(nil, "secret-A")
	svc2 := auth.NewService(nil, "secret-B")

	token, err := svc1.IssueToken(1, "volunteer")
	if err != nil {
		t.Fatalf("IssueToken: %v", err)
	}

	_, err = svc2.Parse(token)
	if err == nil {
		t.Error("token signed with secret-A should not parse with secret-B")
	}
}

func TestIssueToken_Volunteer(t *testing.T) {
	svc := auth.NewService(nil, "test-secret")
	token, err := svc.IssueToken(7, "volunteer")
	if err != nil {
		t.Fatalf("IssueToken: %v", err)
	}
	claims, err := svc.Parse(token)
	if err != nil {
		t.Fatalf("Parse: %v", err)
	}
	if claims.Role != "volunteer" {
		t.Errorf("expected role volunteer, got %q", claims.Role)
	}
	if claims.VolunteerID != 7 {
		t.Errorf("expected volunteer_id 7, got %d", claims.VolunteerID)
	}
}