fabi/Mangalord
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test: tighten audit-flagged tests and add missing coverage

Browse Source 
Tightens three tests whose names overstated what they checked:

- `login_succeeds_and_rotates_session` now asserts the login cookie
  differs from the registration cookie, and that the registration
  cookie is still valid after login (the documented contract).
- `storage::local::rejects_path_traversal` exercises three extra
  rejection paths the existing implementation already handled but the
  tests didn't probe: `a/./b`, the single-segment `.`, and the empty
  segment `a//b`.
- `create_and_use_bot_token` asserts that `token_hash` is *absent*
  from the response (`get(...).is_none()`), not just `is_null()`,
  which would have accepted an explicit `"token_hash": null` payload
  too.

Adds four coverage cases that the audit flagged as missing:

- `me_rejects_expired_session` — hand-craft a session row with
  `expires_at = now() - 1h`, hit `/auth/me` with the matching cookie,
  expect 401 + `unauthenticated`. Proves the extractor's
  `expires_at > now()` filter is wired.
- `concurrent_manga_bookmarks_serialised_by_unique_index` — spawn two
  POSTs in parallel for the same `(user, manga, chapter=null)`,
  assert one wins (201) and one collides (409) via the partial unique
  index from migration 0004.
- `bookmark_create_accepts_bearer_token` — mint a bot token and POST
  /bookmarks with `Authorization: Bearer`, asserting `CurrentUser`
  resolves identically to the cookie path on a write endpoint (not
  just `/auth/me`).
- Three new unit tests on `app::cors_layer` covering the allowlist
  (origin reflected, credentials true), a foreign origin (no
  allow-origin header emitted), and the same-origin default (empty
  allowlist emits no CORS headers at all).

`cors_layer` is `pub(crate)` now so the tests in `app::tests` can
reach it; the function itself is unchanged.

No version bump.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
2026-05-16 23:30:19 +02:00
parent 785b9755cf
commit 2df4084c56
5 changed files with 243 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
backend/src/storage/local.rs
View File

@@ -102,9 +102,18 @@ mod tests {
async fn rejects_path_traversal() {
let dir = tempdir().unwrap();
let s = LocalStorage::new(dir.path());
// Parent-dir reference at the start.
assert!(matches!(s.put("../escape", b"x").await, Err(StorageError::BadKey)));
// Parent-dir reference mid-path.
assert!(matches!(s.get("a/../../b").await, Err(StorageError::BadKey)));
// Empty key.
assert!(matches!(s.exists("").await, Err(StorageError::BadKey)));
// Current-dir reference (the implementation rejects `.` segments
// alongside `..`; this exercises that arm).
assert!(matches!(s.get("a/./b").await, Err(StorageError::BadKey)));
assert!(matches!(s.get(".").await, Err(StorageError::BadKey)));
// Empty segment via doubled slash.
assert!(matches!(s.get("a//b").await, Err(StorageError::BadKey)));
}
#[tokio::test]