service/session_test.go

package service

import (
	"apigo.cc/go/log"
	"net/http"
	"net/http/httptest"
	"testing"
)

func TestSessionLogic(t *testing.T) {
	SetClientKeys("", "", "sessid")
	Config.SessionTimeout = 3600

	// 1. 测试 Session 数据存取
	sess := NewSession("test_id", nil)
	sess.Set("key1", "value1")
	if sess.Get("key1") != "value1" {
		t.Errorf("Expected value1, got %v", sess.Get("key1"))
	}

	if err := sess.Save(); err != nil {
		t.Errorf("Save failed: %v", err)
	}

	sess2 := NewSession("test_id", nil)
	if sess2.Get("key1") != "value1" {
		t.Errorf("Expected value1 in new session instance, got %v", sess2.Get("key1"))
	}

	// 2. 测试 AuthFuncs 逻辑
	sess.Set("funcs", []string{"user.read", "user.write", "system.admin"})
	
	if !sess.AuthFuncs("user.read") {
		t.Error("Expected true for user.read")
	}
	if !sess.AuthFuncs("user.read", "user.write") {
		t.Error("Expected true for user.read and user.write")
	}
	if sess.AuthFuncs("user.delete") {
		t.Error("Expected false for user.delete")
	}

	// 测试必需权限 &
	if sess.AuthFuncs("&user.read", "other") {
		t.Error("Expected false for &user.read when other is missing")
	}
	if !sess.AuthFuncs("&user.read") {
		t.Error("Expected true for &user.read")
	}

	if sess.AuthFuncs("&user.delete", "user.read") {
		t.Error("Expected false for &user.delete even if user.read exists")
	}

	// 测试超级管理员
	sess.Set("funcs", []string{"system.superAdmin.all"})
	if !sess.AuthFuncs("any.thing") {
		t.Error("Expected true for superAdmin")
	}
}

func TestSessionInjection(t *testing.T) {
	SetClientKeys("", "", "sessid")
	
	handler := func(s *Session) string {
		if s == nil {
			return "no session"
		}
		s.Set("name", "star")
		_ = s.Save()
		return "ok"
	}
	Host("*").GET("/test-session", handler)

	rh := &RouteHandler{}
	req := httptest.NewRequest("GET", "/test-session", nil)
	req.Header.Set("sessid", "sess_123")
	w := httptest.NewRecorder()

	rh.ServeHTTP(w, req)

	if w.Code != http.StatusOK {
		t.Errorf("Expected 200, got %d", w.Code)
	}
	if w.Body.String() != "ok" {
		t.Errorf("Expected ok, got %s", w.Body.String())
	}

	// 验证 Session 是否真的保存了
	sess := NewSession("sess_123", nil)
	if sess.Get("name") != "star" {
		t.Errorf("Expected star, got %v", sess.Get("name"))
	}
}

type CustomAuth struct {
	User string
}

func TestCustomAuthInjection(t *testing.T) {
	AddAuthChecker([]int{10}, func(authLevel int, logger *log.Logger, url *string, in map[string]any, request *Request, response *Response, options *WebServiceOptions) (pass bool, object any) {
		return true, &CustomAuth{User: "custom_user"}
	})

	handler := func(auth *CustomAuth) string {
		if auth == nil {
			return "no auth"
		}
		return auth.User
	}
	Host("*").GET("/test-auth", handler).Auth(10)

	rh := &RouteHandler{}
	req := httptest.NewRequest("GET", "/test-auth", nil)
	w := httptest.NewRecorder()

	rh.ServeHTTP(w, req)

	if w.Code != http.StatusOK {
		t.Errorf("Expected 200, got %d", w.Code)
	}
	if w.Body.String() != "custom_user" {
		t.Errorf("Expected custom_user, got %s", w.Body.String())
	}
}

func TestAutomaticAuthLevelCheck(t *testing.T) {
	SetClientKeys("", "", "sessid")
	
	handler := func() string {
		return "ok"
	}
	Host("*").GET("/test-auto-auth", handler).Auth(1)

	rh := &RouteHandler{}
	
	// 1. 无 Session 或 AuthLevel=0 时应失败
	req1 := httptest.NewRequest("GET", "/test-auto-auth", nil)
	req1.Header.Set("sessid", "sess_auto_1")
	w1 := httptest.NewRecorder()
	rh.ServeHTTP(w1, req1)
	if w1.Code != http.StatusForbidden {
		t.Errorf("Expected 403, got %d", w1.Code)
	}

	// 2. 设置 Session AuthLevel=1 后应成功
	sess := NewSession("sess_auto_2", nil)
	sess.SetAuthLevel(1)
	_ = sess.Save()

	req2 := httptest.NewRequest("GET", "/test-auto-auth", nil)
	req2.Header.Set("sessid", "sess_auto_2")
	w2 := httptest.NewRecorder()
	rh.ServeHTTP(w2, req2)
	if w2.Code != http.StatusOK {
		t.Errorf("Expected 200, got %d", w2.Code)
	}
}