refactor: switch API from token auth to cookie-based session auth

- Remove API token system entirely (model, migration, middleware) - Add migration 007 to drop api_tokens table - Add POST /api/v1/login endpoint for JSON credential auth - API routes now use session cookies (same as web UI) - Remove /api/v1/tokens endpoint - HandleAPIWhoAmI uses session auth instead of token context - APISessionAuth middleware returns JSON 401 instead of redirect - Update all API tests to use cookie-based authentication Addresses review comment on PR #74.
2026-02-16 00:31:10 -08:00
parent 0536f57ec2
commit 9ac1d25788
7 changed files with 221 additions and 407 deletions
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
@@ -10,34 +10,64 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-
-	"git.eeqj.de/sneak/upaas/internal/models"
 )

-func setupAPITest(t *testing.T) (*testContext, string) {
+// apiRouter builds a chi router with the API routes using session auth middleware.
+func apiRouter(tc *testContext) http.Handler {
+	r := chi.NewRouter()
+
+	r.Route("/api/v1", func(apiR chi.Router) {
+		apiR.Post("/login", tc.handlers.HandleAPILoginPOST())
+
+		apiR.Group(func(apiR chi.Router) {
+			apiR.Use(tc.middleware.APISessionAuth())
+			apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
+			apiR.Get("/apps", tc.handlers.HandleAPIListApps())
+			apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
+			apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
+			apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
+			apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
+			apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
+		})
+	})
+
+	return r
+}
+
+// setupAPITest creates a test context with a user and returns session cookies.
+func setupAPITest(t *testing.T) (*testContext, []*http.Cookie) {
 	t.Helper()

 	tc := setupTestHandlers(t)

-	// Create a user first.
+	// Create a user.
 	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
 	require.NoError(t, err)

-	user, err := models.FindUserByUsername(t.Context(), tc.database, "admin")
-	require.NoError(t, err)
-	require.NotNil(t, user)
+	// Login via the API to get session cookies.
+	r := apiRouter(tc)

-	// Generate an API token.
-	rawToken, _, err := models.GenerateAPIToken(t.Context(), tc.database, user.ID, "test")
-	require.NoError(t, err)
+	loginBody := `{"username":"admin","password":"password123"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(loginBody))
+	req.Header.Set("Content-Type", "application/json")

-	return tc, rawToken
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	require.Equal(t, http.StatusOK, rr.Code)
+
+	cookies := rr.Result().Cookies()
+	require.NotEmpty(t, cookies, "login should return session cookies")
+
+	return tc, cookies
 }

+// apiRequest makes an authenticated API request using session cookies.
 func apiRequest(
 	t *testing.T,
 	tc *testContext,
-	token, method, path string,
+	cookies []*http.Cookie,
+	method, path string,
 	body string,
 ) *httptest.ResponseRecorder {
 	t.Helper()
@@ -50,64 +80,102 @@ func apiRequest(
 		req = httptest.NewRequest(method, path, nil)
 	}

-	req.Header.Set("Authorization", "Bearer "+token)
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}

 	rr := httptest.NewRecorder()

-	// Build a chi router with API routes.
-	r := chi.NewRouter()
-	mw := tc.middleware
-
-	r.Route("/api/v1", func(apiR chi.Router) {
-		apiR.Use(mw.APITokenAuth())
-		apiR.Get("/whoami", tc.handlers.HandleAPIWhoAmI())
-		apiR.Post("/tokens", tc.handlers.HandleAPICreateToken())
-		apiR.Get("/apps", tc.handlers.HandleAPIListApps())
-		apiR.Post("/apps", tc.handlers.HandleAPICreateApp())
-		apiR.Get("/apps/{id}", tc.handlers.HandleAPIGetApp())
-		apiR.Delete("/apps/{id}", tc.handlers.HandleAPIDeleteApp())
-		apiR.Post("/apps/{id}/deploy", tc.handlers.HandleAPITriggerDeploy())
-		apiR.Get("/apps/{id}/deployments", tc.handlers.HandleAPIListDeployments())
-	})
-
+	r := apiRouter(tc)
 	r.ServeHTTP(rr, req)

 	return rr
 }

-func TestAPIAuthRejectsNoToken(t *testing.T) {
+func TestAPILoginSuccess(t *testing.T) {
 	t.Parallel()

 	tc := setupTestHandlers(t)

-	req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
+	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
+	require.NoError(t, err)
+
+	r := apiRouter(tc)
+
+	body := `{"username":"admin","password":"password123"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
 	rr := httptest.NewRecorder()
-
-	r := chi.NewRouter()
-	r.Route("/api/v1", func(apiR chi.Router) {
-		apiR.Use(tc.middleware.APITokenAuth())
-		apiR.Get("/apps", tc.handlers.HandleAPIListApps())
-	})
-
 	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var resp map[string]any
+	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
+	assert.Equal(t, "admin", resp["username"])
+
+	// Should have a Set-Cookie header.
+	assert.NotEmpty(t, rr.Result().Cookies())
+}
+
+func TestAPILoginInvalidCredentials(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	_, err := tc.authSvc.CreateUser(t.Context(), "admin", "password123")
+	require.NoError(t, err)
+
+	r := apiRouter(tc)
+
+	body := `{"username":"admin","password":"wrong"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }

-func TestAPIAuthRejectsInvalidToken(t *testing.T) {
+func TestAPILoginMissingFields(t *testing.T) {
 	t.Parallel()

 	tc := setupTestHandlers(t)

-	rr := apiRequest(t, tc, "invalid-token", http.MethodGet, "/api/v1/apps", "")
+	r := apiRouter(tc)
+
+	body := `{"username":"","password":""}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/login", strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
+func TestAPIRejectsUnauthenticated(t *testing.T) {
+	t.Parallel()
+
+	tc := setupTestHandlers(t)
+
+	r := apiRouter(tc)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/apps", nil)
+	rr := httptest.NewRecorder()
+	r.ServeHTTP(rr, req)
+
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }

 func TestAPIWhoAmI(t *testing.T) {
 	t.Parallel()

-	tc, token := setupAPITest(t)
+	tc, cookies := setupAPITest(t)

-	rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/whoami", "")
+	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/whoami", "")
 	assert.Equal(t, http.StatusOK, rr.Code)

 	var resp map[string]any
@@ -118,9 +186,9 @@ func TestAPIWhoAmI(t *testing.T) {
 func TestAPIListAppsEmpty(t *testing.T) {
 	t.Parallel()

-	tc, token := setupAPITest(t)
+	tc, cookies := setupAPITest(t)

-	rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps", "")
+	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps", "")
 	assert.Equal(t, http.StatusOK, rr.Code)

 	var apps []any
@@ -131,10 +199,10 @@ func TestAPIListAppsEmpty(t *testing.T) {
 func TestAPICreateApp(t *testing.T) {
 	t.Parallel()

-	tc, token := setupAPITest(t)
+	tc, cookies := setupAPITest(t)

 	body := `{"name":"test-app","repoUrl":"https://github.com/example/repo"}`
-	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
 	assert.Equal(t, http.StatusCreated, rr.Code)

 	var app map[string]any
@@ -146,22 +214,20 @@ func TestAPICreateApp(t *testing.T) {
 func TestAPICreateAppValidation(t *testing.T) {
 	t.Parallel()

-	tc, token := setupAPITest(t)
+	tc, cookies := setupAPITest(t)

-	// Missing required fields.
 	body := `{"name":"","repoUrl":""}`
-	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
 }

 func TestAPIGetApp(t *testing.T) {
 	t.Parallel()

-	tc, token := setupAPITest(t)
+	tc, cookies := setupAPITest(t)

-	// Create an app first.
 	body := `{"name":"my-app","repoUrl":"https://github.com/example/repo"}`
-	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
 	require.Equal(t, http.StatusCreated, rr.Code)

 	var created map[string]any
@@ -170,8 +236,7 @@ func TestAPIGetApp(t *testing.T) {
 	appID, ok := created["id"].(string)
 	require.True(t, ok)

-	// Get the app.
-	rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID, "")
+	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusOK, rr.Code)

 	var app map[string]any
@@ -182,20 +247,19 @@ func TestAPIGetApp(t *testing.T) {
 func TestAPIGetAppNotFound(t *testing.T) {
 	t.Parallel()

-	tc, token := setupAPITest(t)
+	tc, cookies := setupAPITest(t)

-	rr := apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/nonexistent", "")
+	rr := apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/nonexistent", "")
 	assert.Equal(t, http.StatusNotFound, rr.Code)
 }

 func TestAPIDeleteApp(t *testing.T) {
 	t.Parallel()

-	tc, token := setupAPITest(t)
+	tc, cookies := setupAPITest(t)

-	// Create an app.
 	body := `{"name":"delete-me","repoUrl":"https://github.com/example/repo"}`
-	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
 	require.Equal(t, http.StatusCreated, rr.Code)

 	var created map[string]any
@@ -204,23 +268,20 @@ func TestAPIDeleteApp(t *testing.T) {
 	appID, ok := created["id"].(string)
 	require.True(t, ok)

-	// Delete it.
-	rr = apiRequest(t, tc, token, http.MethodDelete, "/api/v1/apps/"+appID, "")
+	rr = apiRequest(t, tc, cookies, http.MethodDelete, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusOK, rr.Code)

-	// Verify it's gone.
-	rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID, "")
+	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID, "")
 	assert.Equal(t, http.StatusNotFound, rr.Code)
 }

 func TestAPIListDeployments(t *testing.T) {
 	t.Parallel()

-	tc, token := setupAPITest(t)
+	tc, cookies := setupAPITest(t)

-	// Create an app.
 	body := `{"name":"deploy-app","repoUrl":"https://github.com/example/repo"}`
-	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/apps", body)
+	rr := apiRequest(t, tc, cookies, http.MethodPost, "/api/v1/apps", body)
 	require.Equal(t, http.StatusCreated, rr.Code)

 	var created map[string]any
@@ -229,26 +290,10 @@ func TestAPIListDeployments(t *testing.T) {
 	appID, ok := created["id"].(string)
 	require.True(t, ok)

-	// List deployments (should be empty).
-	rr = apiRequest(t, tc, token, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "")
+	rr = apiRequest(t, tc, cookies, http.MethodGet, "/api/v1/apps/"+appID+"/deployments", "")
 	assert.Equal(t, http.StatusOK, rr.Code)

 	var deployments []any
 	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &deployments))
 	assert.Empty(t, deployments)
 }
-
-func TestAPICreateToken(t *testing.T) {
-	t.Parallel()
-
-	tc, token := setupAPITest(t)
-
-	body := `{"name":"new-token"}`
-	rr := apiRequest(t, tc, token, http.MethodPost, "/api/v1/tokens", body)
-	assert.Equal(t, http.StatusCreated, rr.Code)
-
-	var resp map[string]any
-	require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
-	assert.Equal(t, "new-token", resp["name"])
-	assert.NotEmpty(t, resp["token"])
-}