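#!/bin/bash
# E2E Test: Authentication Flow
# Tests Nostr authentication, session management, and protected endpoints.
#
# Environment:
#   BASE_URL      API base URL (default: http://localhost:9876)
#   CURL_TIMEOUT  per-request timeout in seconds (default: 10)
#
# Each step prints a ✅ line on success or a ❌ line and exits 1 on failure.
# Only NEGATIVE paths are exercised: this script has no Nostr key, so a
# valid signed login event, a real session, and the authenticated-but-not-
# admin (expected 403) case for /api/admin/* are NOT covered here.
set -euo pipefail

BASE_URL="${BASE_URL:-http://localhost:9876}"
# Bound every request so a hung server fails the job instead of stalling CI.
CURL_TIMEOUT="${CURL_TIMEOUT:-10}"

# Print a failure line and abort the whole run.
fail() {
  echo "❌ $*"
  exit 1
}

# http_status METHOD PATH [extra curl args...]
# Prints only the HTTP status code ("000" when the connection itself fails);
# the body is discarded. Using -o /dev/null avoids the fragile
# "strip the last three characters of the body" parsing.
http_status() {
  local method="$1" path="$2"
  shift 2
  curl -s --max-time "$CURL_TIMEOUT" -o /dev/null -w '%{http_code}' \
    -X "$method" "$@" "$BASE_URL$path"
}

echo "=== Authentication Flow E2E Test ==="

# Test 1: Get authentication challenge
echo "Getting authentication challenge..."
CHALLENGE_RESPONSE=$(curl -s --max-time "$CURL_TIMEOUT" "$BASE_URL/api/auth/challenge")
echo "Challenge response: $CHALLENGE_RESPONSE"

# Minimal JSON extraction without jq (not assumed to exist on the CI image).
# Assumes the challenge value is a plain string with no escaped quotes.
# `|| true`: under pipefail a no-match grep would otherwise abort the script
# before the explicit check below can print a useful message.
CHALLENGE=$(printf '%s' "$CHALLENGE_RESPONSE" \
  | grep -o '"challenge":"[^"]*"' | cut -d'"' -f4 || true)

[ -n "$CHALLENGE" ] || fail "Failed to get challenge"
echo "✅ Authentication challenge received: ${CHALLENGE:0:20}..."

# Test 2: Test protected endpoint without auth
echo "Testing protected endpoint without authentication..."
HTTP_CODE=$(http_status GET /api/users/me/files)
[ "$HTTP_CODE" = "401" ] || fail "Expected 401 Unauthorized but got $HTTP_CODE"
echo "✅ Protected endpoint correctly returns 401 without auth"

# Test 3: Test invalid authentication
echo "Testing invalid authentication..."
# Quoted delimiter: the payload is literal, nothing is expanded.
INVALID_AUTH=$(cat <<'EOF'
{
  "auth_type": "nip07",
  "auth_event": "{\"kind\":1,\"content\":\"fake_event\"}"
}
EOF
)

# Capture body and status together: the status code is appended as the
# last three characters and split off below.
INVALID_RAW=$(curl -s --max-time "$CURL_TIMEOUT" -w '%{http_code}' -X POST \
  -H "Content-Type: application/json" \
  -d "$INVALID_AUTH" \
  "$BASE_URL/api/auth/login")
INVALID_CODE="${INVALID_RAW: -3}"
INVALID_RESPONSE="${INVALID_RAW%???}"
echo "Invalid auth response: $INVALID_RESPONSE (HTTP $INVALID_CODE)"

# An unreachable or silent server (empty body) must not count as "rejected" —
# the previous form of this check passed on an empty response.
[ -n "$INVALID_RESPONSE" ] || fail "No response body from login endpoint (HTTP $INVALID_CODE)"
if printf '%s' "$INVALID_RESPONSE" | grep -q '"success":true'; then
  fail "Invalid authentication should not succeed"
fi
# NOTE(review): a 2xx carrying "success":false is still accepted here; tighten
# to require a 4xx once the login API's error contract is confirmed.
echo "✅ Invalid authentication correctly rejected"

# Test 4: Test session validation
echo "Testing session validation with invalid token..."
# Assert on the status code rather than on the word "Unauthorized" in the
# body: the body text is presentation, the 401 is the security contract.
SESSION_CODE=$(http_status GET /api/users/me/files -H "Authorization: Bearer invalid_token")
[ "$SESSION_CODE" = "401" ] || fail "Invalid session token should return 401 Unauthorized, got $SESSION_CODE"
# NOTE(review): only a syntactically junk token is tried; an expired or
# wrongly-signed but well-formed token is not covered by this script.
echo "✅ Invalid session token correctly rejected"

# Test 5: Test logout endpoint
echo "Testing logout endpoint..."
# Called with no session on purpose: the current API reports success for an
# unauthenticated logout, and this step pins that behaviour.
LOGOUT_RESPONSE=$(curl -s --max-time "$CURL_TIMEOUT" -X POST "$BASE_URL/api/auth/logout")
echo "Logout response: $LOGOUT_RESPONSE"
if ! printf '%s' "$LOGOUT_RESPONSE" | grep -q '"success":true'; then
  fail "Logout endpoint should return success"
fi
echo "✅ Logout endpoint working correctly"

# Test 6: Test admin endpoints without auth
echo "Testing admin endpoints without authentication..."
ADMIN_CODE=$(http_status GET /api/admin/stats)
[ "$ADMIN_CODE" = "401" ] || fail "Admin endpoint should return 401 without auth, got $ADMIN_CODE"
# NOTE(review): this proves anonymous access is blocked, not that a logged-in
# non-admin user is refused (expected 403); that needs a valid session.
echo "✅ Admin endpoints properly protected"

# Test 7: Repeated requests to the health endpoint
# This does NOT exercise rate limiting: five requests to /api/health never
# approach any realistic limit, and a limiter's behaviour (429, headers) is
# never asserted. The step only shows the server stays up under a short
# burst; the summary below no longer claims more than that.
echo "Testing basic request handling..."
for i in {1..5}; do
  RESPONSE=$(curl -s --max-time "$CURL_TIMEOUT" "$BASE_URL/api/health")
  if ! printf '%s' "$RESPONSE" | grep -q '"status":"ok"'; then
    fail "Health check $i failed"
  fi
done
echo "✅ Multiple requests handled correctly"

echo ""
echo "🎉 All authentication flow tests passed!"
echo "✅ Challenge generation working"
echo "✅ Protected endpoints secured"
echo "✅ Invalid auth rejected"
echo "✅ Session validation working"
echo "✅ Admin endpoints protected"
echo "✅ Health endpoint handled repeated requests (rate limiting not tested)"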