lib/server/security_test.go

package server

import (
	"net/http"
	"net/http/httptest"
	"os"
	"testing"
	"time"

	"github.com/gin-gonic/gin"

	"warpbox/lib/boxstore"
	"warpbox/lib/config"
	"warpbox/lib/metastore"
	"warpbox/lib/models"
)

func TestValidateManifestFileUploadRejectsExpiredBox(t *testing.T) {
	restoreUploadRoot := boxstore.UploadRoot()
	defer boxstore.SetUploadRoot(restoreUploadRoot)
	boxstore.SetUploadRoot(t.TempDir())

	boxID := "0123456789abcdef0123456789abcdef"
	if err := os.MkdirAll(boxstore.BoxPath(boxID), 0755); err != nil {
		t.Fatalf("MkdirAll returned error: %v", err)
	}
	manifest := models.BoxManifest{
		Files:     []models.BoxFile{{ID: "0123456789abcdef", Name: "file.txt", Status: models.FileStatusWait}},
		ExpiresAt: time.Now().UTC().Add(-time.Second),
	}
	if err := boxstore.WriteManifest(boxID, manifest); err != nil {
		t.Fatalf("WriteManifest returned error: %v", err)
	}

	app := &App{config: &config.Config{}}
	if err := app.validateManifestFileUpload(boxID, "0123456789abcdef", 1); err == nil {
		t.Fatal("expected expired box upload to be rejected")
	}
	if _, err := os.Stat(boxstore.BoxPath(boxID)); !os.IsNotExist(err) {
		t.Fatalf("expected expired box to be deleted, stat err=%v", err)
	}
}

func TestAdminProtectedPostRequiresCSRF(t *testing.T) {
	gin.SetMode(gin.TestMode)

	store, err := metastore.Open(t.TempDir())
	if err != nil {
		t.Fatalf("Open returned error: %v", err)
	}
	defer store.Close()

	adminTag, err := store.EnsureAdminTag()
	if err != nil {
		t.Fatalf("EnsureAdminTag returned error: %v", err)
	}
	user, err := store.CreateUserWithPassword("admin", "", "secret", []string{adminTag.ID})
	if err != nil {
		t.Fatalf("CreateUserWithPassword returned error: %v", err)
	}
	session, err := store.CreateSession(user.ID, time.Hour)
	if err != nil {
		t.Fatalf("CreateSession returned error: %v", err)
	}

	app := &App{config: &config.Config{}, store: store}
	router := gin.New()
	router.POST("/admin/test", app.requireAdminSession, func(ctx *gin.Context) {
		ctx.Status(http.StatusNoContent)
	})

	request := httptest.NewRequest(http.MethodPost, "/admin/test", nil)
	request.AddCookie(&http.Cookie{Name: adminSessionCookie, Value: session.Token})
	response := httptest.NewRecorder()
	router.ServeHTTP(response, request)
	if response.Code != http.StatusForbidden {
		t.Fatalf("expected missing CSRF token to be forbidden, got %d", response.Code)
	}
}
feat(security): use bcrypt hashes and safe paths for boxes - Replace legacy salted password hashing with bcrypt and store hash alg - Accept existing bcrypt hashes while keeping legacy verification fallback - Validate box IDs and use SafeChildPath for box/file operations to prevent traversal - Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip writefeat(security): use bcrypt hashes and safe paths for boxes - Replace legacy salted password hashing with bcrypt and store hash alg - Accept existing bcrypt hashes while keeping legacy verification fallback - Validate box IDs and use SafeChildPath for box/file operations to prevent traversal - Refactor download flow to share zip writer logic and correctly handle one-time deletes and optional renew-on-download only after a successful zip write 2026-04-28 21:42:36 +03:00			`package server`

			`import (`
			`"net/http"`
			`"net/http/httptest"`
			`"os"`
			`"testing"`
			`"time"`

			`"github.com/gin-gonic/gin"`

			`"warpbox/lib/boxstore"`
			`"warpbox/lib/config"`
			`"warpbox/lib/metastore"`
			`"warpbox/lib/models"`
			`)`

			`func TestValidateManifestFileUploadRejectsExpiredBox(t *testing.T) {`
			`restoreUploadRoot := boxstore.UploadRoot()`
			`defer boxstore.SetUploadRoot(restoreUploadRoot)`
			`boxstore.SetUploadRoot(t.TempDir())`

			`boxID := "0123456789abcdef0123456789abcdef"`
			`if err := os.MkdirAll(boxstore.BoxPath(boxID), 0755); err != nil {`
			`t.Fatalf("MkdirAll returned error: %v", err)`
			`}`
			`manifest := models.BoxManifest{`
			`Files: []models.BoxFile{{ID: "0123456789abcdef", Name: "file.txt", Status: models.FileStatusWait}},`
			`ExpiresAt: time.Now().UTC().Add(-time.Second),`
			`}`
			`if err := boxstore.WriteManifest(boxID, manifest); err != nil {`
			`t.Fatalf("WriteManifest returned error: %v", err)`
			`}`

			`app := &App{config: &config.Config{}}`
			`if err := app.validateManifestFileUpload(boxID, "0123456789abcdef", 1); err == nil {`
			`t.Fatal("expected expired box upload to be rejected")`
			`}`
			`if _, err := os.Stat(boxstore.BoxPath(boxID)); !os.IsNotExist(err) {`
			`t.Fatalf("expected expired box to be deleted, stat err=%v", err)`
			`}`
			`}`

			`func TestAdminProtectedPostRequiresCSRF(t *testing.T) {`
			`gin.SetMode(gin.TestMode)`

			`store, err := metastore.Open(t.TempDir())`
			`if err != nil {`
			`t.Fatalf("Open returned error: %v", err)`
			`}`
			`defer store.Close()`

			`adminTag, err := store.EnsureAdminTag()`
			`if err != nil {`
			`t.Fatalf("EnsureAdminTag returned error: %v", err)`
			`}`
			`user, err := store.CreateUserWithPassword("admin", "", "secret", []string{adminTag.ID})`
			`if err != nil {`
			`t.Fatalf("CreateUserWithPassword returned error: %v", err)`
			`}`
			`session, err := store.CreateSession(user.ID, time.Hour)`
			`if err != nil {`
			`t.Fatalf("CreateSession returned error: %v", err)`
			`}`

			`app := &App{config: &config.Config{}, store: store}`
			`router := gin.New()`
			`router.POST("/admin/test", app.requireAdminSession, func(ctx *gin.Context) {`
			`ctx.Status(http.StatusNoContent)`
			`})`

			`request := httptest.NewRequest(http.MethodPost, "/admin/test", nil)`
			`request.AddCookie(&http.Cookie{Name: adminSessionCookie, Value: session.Token})`
			`response := httptest.NewRecorder()`
			`router.ServeHTTP(response, request)`
			`if response.Code != http.StatusForbidden {`
			`t.Fatalf("expected missing CSRF token to be forbidden, got %d", response.Code)`
			`}`
			`}`