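package auth_test

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"gitea.d-ma.be/mathias/gitea-mcp/internal/auth"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// okHandler returns a handler that answers 200 and, when called is non-nil,
// records that the request reached it. The recorded flag lets tests verify
// that the middleware short-circuits rejected requests rather than only
// setting a status after the protected handler has already run.
func okHandler(called *bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		if called != nil {
			*called = true
		}
		w.WriteHeader(http.StatusOK)
	})
}

// newServer starts a test server serving okHandler behind auth.BearerMiddleware
// configured with staticToken and a nil first argument (no JWT verifier,
// judging by the test names; confirm against the middleware signature).
// It returns the server and the flag reporting whether the protected handler
// was reached. The server is closed when the test ends.
func newServer(t *testing.T, staticToken string) (*httptest.Server, *bool) {
	t.Helper()
	called := false
	srv := httptest.NewServer(auth.BearerMiddleware(nil, staticToken, okHandler(&called)))
	t.Cleanup(srv.Close)
	return srv, &called
}

// post sends a JSON POST to /mcp on srv. A non-empty authorization value is
// sent verbatim as the Authorization header; an empty value sends no header.
// Request construction and transport errors fail the test; the response body
// is closed when the test ends.
func post(t *testing.T, srv *httptest.Server, authorization string) *http.Response {
	t.Helper()
	req, err := http.NewRequest(http.MethodPost, srv.URL+"/mcp", nil)
	require.NoError(t, err)
	req.Header.Set("Content-Type", "application/json")
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	resp, err := http.DefaultClient.Do(req)
	require.NoError(t, err)
	t.Cleanup(func() { _ = resp.Body.Close() })
	return resp
}

// assertRejected checks that the middleware answered 401 and that the
// protected handler was never invoked.
func assertRejected(t *testing.T, resp *http.Response, called *bool) {
	t.Helper()
	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
	assert.False(t, *called, "protected handler must not run for a rejected request")
}

func TestBearerMiddleware_NoAuthHeader(t *testing.T) {
	srv, called := newServer(t, "")
	assertRejected(t, post(t, srv, ""), called)
}

func TestBearerMiddleware_NoAuthHeader_RejectsEvenWhenStaticConfigured(t *testing.T) {
	// A configured staticToken must not allow unauthenticated callers through.
	srv, called := newServer(t, "any-static")
	assertRejected(t, post(t, srv, ""), called)
}

func TestBearerMiddleware_EmptyBearer(t *testing.T) {
	// "Bearer " with no credential must not be treated as a valid (empty) token.
	srv, called := newServer(t, "static")
	assertRejected(t, post(t, srv, "Bearer "), called)
}

func TestBearerMiddleware_StaticToken_Valid(t *testing.T) {
	const staticToken = "my-static-token"
	srv, called := newServer(t, staticToken)
	resp := post(t, srv, "Bearer "+staticToken)
	assert.Equal(t, http.StatusOK, resp.StatusCode)
	assert.True(t, *called, "protected handler must run for a valid static token")
}

func TestBearerMiddleware_StaticToken_Invalid(t *testing.T) {
	srv, called := newServer(t, "correct-token")
	assertRejected(t, post(t, srv, "Bearer wrong-token"), called)
}

func TestBearerMiddleware_UnknownBearer_NoStatic_NoJWT(t *testing.T) {
	// With neither a static token nor a JWT verifier configured, every bearer
	// token is unknown and must be rejected.
	srv, called := newServer(t, "")
	assertRejected(t, post(t, srv, "Bearer random-unknown-token"), called)
}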