feat: add JSON API with token auth (closes #69)

- Add API token model with SHA-256 hashed tokens - Add migration 006_add_api_tokens.sql - Add Bearer token auth middleware - Add API endpoints under /api/v1/: - GET /whoami - POST /tokens (create new API token) - GET /apps (list all apps) - POST /apps (create app) - GET /apps/{id} (get app) - DELETE /apps/{id} (delete app) - POST /apps/{id}/deploy (trigger deployment) - GET /apps/{id}/deployments (list deployments) - Add comprehensive tests for all API endpoints - All tests pass, zero lint issues
2026-02-16 00:20:41 -08:00
parent e31666ab5c
commit 0536f57ec2
7 changed files with 938 additions and 12 deletions
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
@@ -0,0 +1,254 @@
+package handlers_test
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"git.eeqj.de/sneak/upaas/internal/models"
+)
+
+func setupAPITest(t *testing.T) (*testContext, string) {
+	t.Helper()
+
+	tc := setupTestHandlers(t)
+
+	// Create a user first.
+	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
+	require.NoError(t, err)
+
+	user, err := models.FindUserByUsername(t.Context(), tc.database, "admin")
+	require.NoError(t, err)
+	require.NotNil(t, user)
+
+	// Generate an API token.
+	rawToken, _, err := models.GenerateAPIToken(t.Context(), tc.database, user.ID, "test")
+	require.NoError(t, err)
+
+	return tc, rawToken
+}
+
+func apiRequest(
+	t *testing.T,
+	tc *testContext,
+	token, method, path string,
+	body string,
+) *httptest.ResponseRecorder {
+	t.Helper()
+
+	var req *http.Request
+	if body != "" {
+		req = httptest.NewRequest(method, path, strings.NewReader(body))
+		req.Header.Set("Content-Type", "application/json")
+	} else {
+		req = httptest.NewRequest(method, path, nil)
+	}
+
+	req.Header.Set("Authorization", "Bearer "+token)
+
+	rr := httptest.NewRecorder()
+
+	// Build a chi router with API routes.
+	r := chi.NewRouter()
+	mw := tc.middleware
+
+	r.Route("/api/v1", func(apiR chi.Router) {
+		apiR.Use(mw.APITokenAuth())
+		apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
+		apiR.Post("/tokens", tc.handlers.HandleAPICreateToken())
+		apiR.Get("/apps", tc.handlers.HandleAPIListApps())
+		apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
+		apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
+		apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
+		apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
+		apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
+	})
+
+	r.ServeHTTP(rr, req)
+
+	return rr
+}
+
+func TestAPIAuthRejectsNoToken(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
+	rr := httptest.NewRecorder()
+
+	r := chi.NewRouter()
+	r.Route("/api/v1", func(apiR chi.Router) {
+		apiR.Use(tc.middleware.APITokenAuth())
+		apiR.Get("/apps", tc.handlers.HandleAPIListApps())
+	})
+
+	r.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func TestAPIAuthRejectsInvalidToken(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	rr := apiRequest(t, tc, "invalid-token", http.MethodGet, "/api/v1/apps", "")
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func TestAPIWhoAmI(t *testing.T) {
+	t.Parallel()
+
+	tc, token := setupAPITest(t)
+
+	rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/whoami", "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var resp map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
+	assert.Equal(t, "admin", resp["username"])
+}
+
+func TestAPIListAppsEmpty(t *testing.T) {
+	t.Parallel()
+
+	tc, token := setupAPITest(t)
+
+	rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps", "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var apps []any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &apps))
+	assert.Empty(t, apps)
+}
+
+func TestAPICreateApp(t *testing.T) {
+	t.Parallel()
+
+	tc, token := setupAPITest(t)
+
+	body := `{"name":"test-app","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
+	assert.Equal(t, http.StatusCreated, rr.Code)
+
+	var app map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &app))
+	assert.Equal(t, "test-app", app["name"])
+	assert.Equal(t, "pending", app["status"])
+}
+
+func TestAPICreateAppValidation(t *testing.T) {
+	t.Parallel()
+
+	tc, token := setupAPITest(t)
+
+	// Missing required fields.
+	body := `{"name":"","repoUrl":""}`
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
+func TestAPIGetApp(t *testing.T) {
+	t.Parallel()
+
+	tc, token := setupAPITest(t)
+
+	// Create an app first.
+	body := `{"name":"my-app","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	appID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	// Get the app.
+	rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID, "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var app map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &app))
+	assert.Equal(t, "my-app", app["name"])
+}
+
+func TestAPIGetAppNotFound(t *testing.T) {
+	t.Parallel()
+
+	tc, token := setupAPITest(t)
+
+	rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/nonexistent", "")
+	assert.Equal(t, http.StatusNotFound, rr.Code)
+}
+
+func TestAPIDeleteApp(t *testing.T) {
+	t.Parallel()
+
+	tc, token := setupAPITest(t)
+
+	// Create an app.
+	body := `{"name":"delete-me","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	appID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	// Delete it.
+	rr = apiRequest(t, tc, token, http.MethodDelete, "/api/v1/apps/"+appID, "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	// Verify it's gone.
+	rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID, "")
+	assert.Equal(t, http.StatusNotFound, rr.Code)
+}
+
+func TestAPIListDeployments(t *testing.T) {
+	t.Parallel()
+
+	tc, token := setupAPITest(t)
+
+	// Create an app.
+	body := `{"name":"deploy-app","repoUrl":"https://github.com/example/repo"}`
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
+	require.Equal(t, http.StatusCreated, rr.Code)
+
+	var created map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &created))
+
+	appID, ok := created["id"].(string)
+	require.True(t, ok)
+
+	// List deployments (should be empty).
+	rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "")
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var deployments []any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &deployments))
+	assert.Empty(t, deployments)
+}
+
+func TestAPICreateToken(t *testing.T) {
+	t.Parallel()
+
+	tc, token := setupAPITest(t)
+
+	body := `{"name":"new-token"}`
+	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/tokens", body)
+	assert.Equal(t, http.StatusCreated, rr.Code)
+
+	var resp map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
+	assert.Equal(t, "new-token", resp["name"])
+	assert.NotEmpty(t, resp["token"])
+}