From 4d55202300f9648bdcf9be14aeb2b8034ca37fc3 Mon Sep 17 00:00:00 2001 From: Adam Mathes Date: Sat, 14 Feb 2026 11:09:39 -0800 Subject: feat: fix authentication to handle no-password scenario\n\n- Updated Authenticated() to return true when no password is configured\n- Updated apiLoginHandler to succeed when no password is set\n- Added comprehensive backend tests for both password/no-password cases\n- Added E2E tests for authentication flows (password tests are skipped by default)\n- All tests pass for both authentication scenarios\n\nFixes issue where app would require login even when no password was configured.\nNow properly supports passwordless mode for local development. --- web/auth_test.go | 174 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ web/web.go | 16 +++++ 2 files changed, 190 insertions(+) create mode 100644 web/auth_test.go (limited to 'web') diff --git a/web/auth_test.go b/web/auth_test.go new file mode 100644 index 0000000..6f319b9 --- /dev/null +++ b/web/auth_test.go @@ -0,0 +1,174 @@ +package web + +import ( + "net/http" + "net/http/httptest" + "strings" + "testing" + + "adammathes.com/neko/config" +) + +// TestAuthenticationNoPassword tests that when no password is configured, +// all routes should be accessible without authentication +func TestAuthenticationNoPassword(t *testing.T) { + // Save original password and restore after test + originalPassword := config.Config.DigestPassword + defer func() { + config.Config.DigestPassword = originalPassword + }() + + // Set empty password (no authentication required) + config.Config.DigestPassword = "" + + // Create a test handler that returns 200 OK + testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + w.Write([]byte("success")) + }) + + // Wrap with AuthWrap + wrappedHandler := AuthWrap(testHandler) + + // Test without any auth cookie - should succeed + req := httptest.NewRequest("GET", "/test", nil) + rr := httptest.NewRecorder() + wrappedHandler.ServeHTTP(rr, req) + + if rr.Code != http.StatusOK { + t.Errorf("Expected 200 OK when no password is set, got %d", rr.Code) + } + + body := rr.Body.String() + if body != "success" { + t.Errorf("Expected 'success' response, got %s", body) + } +} + +// TestAuthenticationWithPassword tests that when a password is configured, +// routes require authentication +func TestAuthenticationWithPassword(t *testing.T) { + // Save original password and restore after test + originalPassword := config.Config.DigestPassword + defer func() { + config.Config.DigestPassword = originalPassword + }() + + // Set a password + config.Config.DigestPassword = "testpassword" + + // Create a test handler + testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + w.Write([]byte("success")) + }) + + // Wrap with AuthWrap + wrappedHandler := AuthWrap(testHandler) + + // Test without auth cookie - should redirect to login + req := httptest.NewRequest("GET", "/test", nil) + rr := httptest.NewRecorder() + wrappedHandler.ServeHTTP(rr, req) + + if rr.Code != http.StatusTemporaryRedirect { + t.Errorf("Expected 307 redirect when not authenticated, got %d", rr.Code) + } + + location := rr.Header().Get("Location") + if location != "/login/" { + t.Errorf("Expected redirect to /login/, got %s", location) + } +} + +// TestAuthenticationWithValidCookie tests that a valid auth cookie allows access +func TestAuthenticationWithValidCookie(t *testing.T) { + // Save original password and restore after test + originalPassword := config.Config.DigestPassword + defer func() { + config.Config.DigestPassword = originalPassword + }() + + password := "testpassword" + config.Config.DigestPassword = password + + // First, login to get a valid cookie + loginReq := httptest.NewRequest("POST", "/login/", strings.NewReader("password="+password)) + loginReq.Header.Set("Content-Type", "application/x-www-form-urlencoded") + loginRR := httptest.NewRecorder() + loginHandler(loginRR, loginReq) + + // Extract the auth cookie + var authCookie *http.Cookie + for _, cookie := range loginRR.Result().Cookies() { + if cookie.Name == "auth" { + authCookie = cookie + break + } + } + + if authCookie == nil { + t.Fatal("Expected auth cookie after successful login") + } + + // Now test with the valid cookie + testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + w.Write([]byte("success")) + }) + + wrappedHandler := AuthWrap(testHandler) + + req := httptest.NewRequest("GET", "/test", nil) + req.AddCookie(authCookie) + rr := httptest.NewRecorder() + wrappedHandler.ServeHTTP(rr, req) + + if rr.Code != http.StatusOK { + t.Errorf("Expected 200 OK with valid auth cookie, got %d", rr.Code) + } +} + +// TestApiLoginNoPassword tests that API login works when no password is set +func TestApiLoginNoPassword(t *testing.T) { + originalPassword := config.Config.DigestPassword + defer func() { + config.Config.DigestPassword = originalPassword + }() + + config.Config.DigestPassword = "" + + req := httptest.NewRequest("POST", "/api/login", strings.NewReader("password=")) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + rr := httptest.NewRecorder() + apiLoginHandler(rr, req) + + // Should succeed with any password (or empty) when no password is configured + if rr.Code != http.StatusOK { + t.Errorf("Expected 200 OK for API login with no password configured, got %d", rr.Code) + } +} + +// TestApiAuthStatusNoPassword tests auth status endpoint when no password is set +func TestApiAuthStatusNoPassword(t *testing.T) { + originalPassword := config.Config.DigestPassword + defer func() { + config.Config.DigestPassword = originalPassword + }() + + config.Config.DigestPassword = "" + + req := httptest.NewRequest("GET", "/api/auth", nil) + rr := httptest.NewRecorder() + apiAuthStatusHandler(rr, req) + + // Should return authenticated:true when no password is set + if rr.Code != http.StatusOK { + t.Errorf("Expected 200 OK for auth status with no password, got %d", rr.Code) + } + + body := rr.Body.String() + if !strings.Contains(body, `"authenticated":true`) { + t.Errorf("Expected authenticated:true in response, got: %s", body) + } +} diff --git a/web/web.go b/web/web.go index 892def3..1a713bd 100644 --- a/web/web.go +++ b/web/web.go @@ -133,6 +133,11 @@ func logoutHandler(w http.ResponseWriter, r *http.Request) { } func Authenticated(r *http.Request) bool { + // If no password is configured, authentication is not required + if config.Config.DigestPassword == "" { + return true + } + pc, err := r.Cookie("auth") if err != nil { return false @@ -179,6 +184,17 @@ func apiLoginHandler(w http.ResponseWriter, r *http.Request) { http.Error(w, "method not allowed", http.StatusMethodNotAllowed) return } + + // If no password is configured, authentication is not required + if config.Config.DigestPassword == "" { + // Still set a dummy auth cookie for consistency + c := http.Cookie{Name: AuthCookie, Value: "noauth", Path: "/", MaxAge: SecondsInAYear, HttpOnly: true} + http.SetCookie(w, &c) + w.Header().Set("Content-Type", "application/json") + fmt.Fprintf(w, `{"status":"ok"}`) + return + } + username := r.FormValue("username") password := r.FormValue("password") -- cgit v1.2.3