Commit Graph

15 Commits

Author SHA1 Message Date
kolaente 33b9aa6292 test(api/v2): isolate project tests per-handler, not via shared harness
The project test port had added db.LoadFixtures() into the shared
webHandlerTestV2.serve(), reloading fixtures before every request. That
wiped runtime-created rows between requests within a test, breaking the
create-then-read-back contract every v2 resource relies on (e.g.
TestHumaTeam/Create/Public read its freshly-created team back and got 403).

Revert that shared-harness change and isolate the project/archived tests
the way the team and label tests do: each subtest builds its own handler
via handlerFor, so it runs against freshly loaded fixtures (setupTestEnv
reloads once per handler), while a create-then-read-back sequence reuses
one handler within the subtest.
2026-06-05 07:40:07 +00:00
kolaente 25665f887f test(api/v2): port full v1 project coverage (permission matrix, archived)
Bring the v2 project webtest to 1:1 parity with v1's TestProject and
TestArchived so the v2 routes independently prove everything v1 proved:

- Full sharing matrix on ReadOne/Update/Delete across team, user,
  parent-team and parent-user shares x read/write/admin, asserting
  allow/deny and (for ReadOne) the granted max_permission level via
  expand=permissions (v2's replacement for v1's x-max-permission header).
- Create permission matrix via parent_project_id (forbidden parent,
  parent-team/user write+admin allowed, read-only denied), nonexistent
  parent (404), and title-too-long (422) on both Create and Update.
- Create response assertions (owner echo, description, tasks not embedded).
- ReadAll search (q=) with exact cardinality and archived propagation to
  child project 21.
- New TestHumaArchived ports the HTTP-observable archived behaviours:
  no edit/unarchive under an archived parent, self-archived edit denied
  but unarchive allowed, and archiving a project (412 / ErrCodeProjectIsArchived).

Make webHandlerTestV2.serve reload fixtures per request, mirroring v1's
per-request fixture reload, so mutating subtests don't leak state across
the shared Echo instance.
2026-06-05 07:40:07 +00:00
kolaente c0392e42ac test(api/v2): port full v1 team coverage (permission matrix, public discovery, exact cardinality, DB persistence) 2026-06-03 18:56:12 +00:00
kolaente 21194e61b0 test(api/v2): Label round-trip, ETag, PATCH, error shapes
Seven integration tests covering the Label pilot:

- Create_Read_Update_Delete — full round-trip through POST/GET/PUT/
  DELETE, asserts body + status at each step.
- List_ReturnsItems — GET /labels, asserts items[] is non-empty and
  contains a known fixture; this is the regression catcher for the
  generic-any silent-empty trap the spike hit.
- ForbiddenErrorShape — user1 reading user13's private label returns
  403 problem+json with the RFC 9457 type/title/status/detail shape.
- ValidationErrorShape — POST with empty title fails Huma's
  minLength:1 check with 422 problem+json + structured per-field
  errors locating `title`.
- ETagReturns304 — first GET captures ETag, second GET with
  If-None-Match returns 304.
- PATCHMergePatch — AutoPatch-synthesised PATCH with partial
  application/merge-patch+json body updates one field and leaves
  the others untouched; a follow-up GET confirms preservation.
- OpenAPISpecDescribesAllFive — the unauthenticated
  /api/v2/openapi.json surfaces GET+POST on /labels and GET+PUT+
  DELETE on /labels/{id}.
2026-05-31 12:56:57 +00:00
kolaente 76790348f7 test: verify background removal preserves project title
Regression test for #2552. Deletes the background of project 35 (owned by
testuser6) and then fetches the project to confirm the title is still
'Test35 with background'.
2026-04-08 09:07:15 +00:00
kolaente 83bac15841
feat: rename ServiceJWTSecret to ServiceSecret with deprecation (#2502) 2026-03-30 12:07:01 +02:00
kolaente 3a730165bc test: add tests for external team user discoverability bypass 2026-03-04 20:32:11 +01:00
kolaente d1e1cb3b4f test(api): add tests for password validation in reset and update flows
- Add httpCodeGetter interface to handle ValidationHTTPError in test helper
- Add test case for password too short in password reset
- Add test case for password too short in password update
- Fix existing test data to use valid 8+ char passwords
2026-02-25 13:44:56 +01:00
kolaente 8ee069a2a3 feat: add session-based auth with refresh token rotation
- Login creates a server-side session and sets an HttpOnly refresh
  token cookie alongside the short-lived JWT
- POST /user/token/refresh exchanges the cookie for a new JWT and
  rotates the refresh token atomically
- POST /user/logout destroys the session and clears the cookie
- POST /user/token restricted to link share tokens only
- Session list (GET) and delete (DELETE) routes for /user/sessions
- All user sessions invalidated on password change and reset
- CORS configured to allow credentials for cross-origin cookies
- JWT 401 responses use structured error code 11 for client detection
- Refresh token cookie name constants annotated for gosec G101
2026-02-25 10:30:25 +01:00
John Starich 591a646f84 refactor: remove environment variable requirements for go test 2026-02-17 18:01:05 +01:00
renovate[bot] 9a61453e86
fix(deps): update module github.com/labstack/echo/v4 to v5 (#2131)
Closes https://github.com/go-vikunja/vikunja/pull/2133

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kolaente <k@knt.li>
2026-01-24 20:38:32 +01:00
kolaente 39b4568bc5
refactor: centralize HTTP error handling (#2062)
This changes the error handling to a centralized HTTP error handler in `pkg/routes/error_handler.go` that converts all error types to proper HTTP responses. This simplifies the overall error handling because http handler now only need to return the error instead of calling HandleHTTPError as previously.
It also removes the duplication between handling errors with and without Sentry.

🐰 Hop along, dear errors, no more wrapping today!
We've centralized handlers in a shiny new way,
From scattered to unified, the code flows so clean,
ValidationHTTPError marshals JSON supreme!
Direct propagation hops forward with glee,
A refactor so grand—what a sight to see! 🎉
2026-01-08 10:02:59 +00:00
kolaente 1b5a9dbdea refactor: use helper function to check user local 2025-09-04 18:09:21 +02:00
kolaente ca83ad1f98 feat: move to slog for logging 2025-07-21 18:15:39 +02:00
kolaente 6671ce38a8
chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
Renamed from pkg/integrations/integrations.go (Browse further)