Перенести все админские эндпоинты на порт 8445 и добавить отдельную авторизацию для админов. Часть 2. Final #3

2026-04-28 12:42:10 +03:00
parent 4ed6a961ab
commit 7ea4efd7d9
38 changed files with 1252 additions and 1124 deletions


@@ -27,21 +27,21 @@ generate_user_token_test_() ->
{setup, fun setup/0, fun cleanup/1, [
{"Generate user token returns a binary",
fun() ->
Token = auth:generate_user_token(<<"user123">>, <<"user">>),
Token = eventhub_auth:generate_user_token(<<"user123">>, <<"user">>),
?assert(is_binary(Token)),
?assert(size(Token) > 0)
end},
{"Generated user token can be verified",
fun() ->
Token = auth:generate_user_token(<<"user123">>, <<"user">>),
{ok, UserId, Role} = auth:verify_user_token(Token),
Token = eventhub_auth:generate_user_token(<<"user123">>, <<"user">>),
{ok, UserId, Role} = eventhub_auth:verify_user_token(Token),
?assertEqual(<<"user123">>, UserId),
?assertEqual(<<"user">>, Role)
end},
{"Generate admin token with superadmin role",
fun() ->
Token = auth:generate_admin_token(<<"admin1">>, <<"superadmin">>),
{ok, UserId, Role} = auth:verify_admin_token(Token),
Token = eventhub_auth:generate_admin_token(<<"admin1">>, <<"superadmin">>),
{ok, UserId, Role} = eventhub_auth:verify_admin_token(Token),
?assertEqual(<<"admin1">>, UserId),
?assertEqual(<<"superadmin">>, Role)
end}
@@ -55,19 +55,19 @@ verify_token_errors_test_() ->
{"Invalid token signature returns error",
fun() ->
FakeToken = <<"not.a.valid.token">>,
?assertEqual({error, invalid_token}, auth:verify_user_token(FakeToken)),
?assertEqual({error, invalid_token}, auth:verify_admin_token(FakeToken))
?assertEqual({error, invalid_token}, eventhub_auth:verify_user_token(FakeToken)),
?assertEqual({error, invalid_token}, eventhub_auth:verify_admin_token(FakeToken))
end},
{"User token rejected by admin verifier (different secret)",
fun() ->
Token = auth:generate_user_token(<<"x">>, <<"user">>),
Token = eventhub_auth:generate_user_token(<<"x">>, <<"user">>),
% Разные секреты → подпись недействительна для admin JWK
?assertEqual({error, invalid_signature}, auth:verify_admin_token(Token))
?assertEqual({error, invalid_signature}, eventhub_auth:verify_admin_token(Token))
end},
{"Admin token rejected by user verifier (different secret)",
fun() ->
Token = auth:generate_admin_token(<<"x">>, <<"admin">>),
?assertEqual({error, invalid_signature}, auth:verify_user_token(Token))
Token = eventhub_auth:generate_admin_token(<<"x">>, <<"admin">>),
?assertEqual({error, invalid_signature}, eventhub_auth:verify_user_token(Token))
end}
]}.
@@ -81,10 +81,10 @@ authenticate_user_request_test_() ->
UserMap = #{id => <<"user1">>, email => <<"u@test.com">>, role => <<"user">>},
ok = meck:expect(logic_auth, authenticate_user, fun(_Email, _Password) -> {ok, UserMap} end),
Req = undefined,
{ok, Token, ReturnedUser} = auth:authenticate_user_request(Req, <<"u@test.com">>, <<"pass">>),
{ok, Token, ReturnedUser} = eventhub_auth:authenticate_user_request(Req, <<"u@test.com">>, <<"pass">>),
?assert(is_binary(Token)),
?assertEqual(UserMap, ReturnedUser),
{ok, UserId, Role} = auth:verify_user_token(Token),
{ok, UserId, Role} = eventhub_auth:verify_user_token(Token),
?assertEqual(<<"user1">>, UserId),
?assertEqual(<<"user">>, Role)
end},
@@ -92,7 +92,7 @@ authenticate_user_request_test_() ->
fun() ->
ok = meck:expect(logic_auth, authenticate_user, fun(_Email, _Password) -> {error, bad_credentials} end),
Req = undefined,
?assertEqual({error, bad_credentials}, auth:authenticate_user_request(Req, <<"bad">>, <<"pwd">>))
?assertEqual({error, bad_credentials}, eventhub_auth:authenticate_user_request(Req, <<"bad">>, <<"pwd">>))
end}
]}.
@@ -106,10 +106,10 @@ authenticate_admin_request_test_() ->
AdminMap = #{id => <<"adm1">>, email => <<"admin@test.com">>, role => <<"superadmin">>},
ok = meck:expect(logic_auth, authenticate_user, fun(_Email, _Password) -> {ok, AdminMap} end),
Req = undefined,
{ok, Token, ReturnedUser} = auth:authenticate_admin_request(Req, <<"admin@test.com">>, <<"pass">>),
{ok, Token, ReturnedUser} = eventhub_auth:authenticate_admin_request(Req, <<"admin@test.com">>, <<"pass">>),
?assert(is_binary(Token)),
?assertEqual(AdminMap, ReturnedUser),
{ok, UserId, Role} = auth:verify_admin_token(Token),
{ok, UserId, Role} = eventhub_auth:verify_admin_token(Token),
?assertEqual(<<"adm1">>, UserId),
?assertEqual(<<"superadmin">>, Role)
end},
@@ -119,15 +119,15 @@ authenticate_admin_request_test_() ->
ok = meck:expect(logic_auth, authenticate_user, fun(_Email, _Password) -> {ok, UserMap} end),
Req = undefined,
?assertEqual({error, insufficient_permissions},
auth:authenticate_admin_request(Req, <<"u@test.com">>, <<"pwd">>))
eventhub_auth:authenticate_admin_request(Req, <<"u@test.com">>, <<"pwd">>))
end},
{"Moderator role is accepted as admin",
fun() ->
ModMap = #{id => <<"moder1">>, email => <<"mod@test.com">>, role => <<"moderator">>},
ok = meck:expect(logic_auth, authenticate_user, fun(_Email, _Password) -> {ok, ModMap} end),
Req = undefined,
{ok, Token, _} = auth:authenticate_admin_request(Req, <<"mod@test.com">>, <<"pwd">>),
{ok, _, Role} = auth:verify_admin_token(Token),
{ok, Token, _} = eventhub_auth:authenticate_admin_request(Req, <<"mod@test.com">>, <<"pwd">>),
{ok, _, Role} = eventhub_auth:verify_admin_token(Token),
?assertEqual(<<"moderator">>, Role)
end}
]}.
@@ -136,4 +136,4 @@ authenticate_admin_request_test_() ->
%% Тест generate_refresh_token/1
%% ------------------------------------------------------------------
generate_refresh_token_test() ->
{_, _} = auth:generate_refresh_token(<<"anyuser">>).
{_, _} = eventhub_auth:generate_refresh_token(<<"anyuser">>).