jim800121/visionA
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
visionA/visionA-backend/internal/api/test_helpers_test.go
jim800121chen 22f0837ba8 feat(visionA-backend): Phase 0 → 0.7 雲端後端(雙 binary + OIDC BFF + stage 部署) 
從 edge-ai-platform POC 轉為正式產品的雲端後端,含以下整合階段:

- Phase 0:雛形骨架 — `cmd/api-server` (REST :3721) + `cmd/remote-proxy`
  (tunnel :3800 / internal :3801) 雙 binary 共用 internal/,沿用 POC 的
  WebSocket+yamux tunnel 協定但解耦 relay 與 API
- Phase 0.6:OIDC BFF 接 Innovedus Member Center
  - internal/oidc package(coreos/go-oidc + PKCE S256 + state + nonce)
  - internal/usersession package(HMAC-SHA256 cookie + RotateSessionID
    防 session fixation, OWASP ASVS V3.2.1)
  - 4 個 OIDC handler(/api/auth/login|callback|me|logout)+ AuthMiddleware
  - 完全拔除 StaticAuthProvider,OIDC 是唯一認證路徑
  - 9 個 ADR(含 ADR-010 BFF / ADR-011 取代 static auth /
    ADR-012 pending session shared cookie / ADR-013 PKCE-only public client)
- Phase 0.7:A1 改造 + security audit 修復
  - OIDC ClientSecret 變選填,支援 stage MC 的 public PKCE-only client
    (AuthStyleInParams 強制 token endpoint 不送 client_secret)
  - 預留 ServiceClient* 欄位給未來 client_credentials grant
  - 移除 13+ 處 resolveUserID(uc, StaticUserID) fallback 改 strict mode
    (Audit C1:multi-tenant 隔離破口)
  - Pairing exchange MarkUsed 失敗 abort + revoke session token(Audit M3)
  - 新增 all_endpoints_require_auth_test 整合測試(51 endpoint × 401)

驗證:go test -race -count=3 ./... 17 packages 全綠 / go vet 0 warning

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 11:21:20 +08:00

34 lines
1.2 KiB
Go
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

// test_helpers_test.go — internal/api 套件 unit test 共用 helper。
//
// OB5 起 AuthMiddleware 強制走 OIDCcookie + SessionManager
// 但很多既有 unit test 並不關心 auth 細節 — 它們關心的是「假設 user 已登入,
// 那該 handler 行為對不對」。為了讓這類測試不被 auth 細節拖累,
// 提供一個「跳過 AuthMiddleware、直接塞 UserContext」的 middleware shim。
//
// 完整的 OIDC 認證流程測試見:
// - oidc_auth_test.gounit test含 AuthMiddleware 行為)
// - cmd/api-server/oidc_e2e_test.goend-to-end
package api
import (
"github.com/gin-gonic/gin"
"visiona-backend/internal/auth"
)
// injectStaticUserContext 是 unit test 用的 fake AuthMiddleware
// 直接把指定的 userID / email 塞進 gin.Context跳過 cookie / session 邏輯。
//
// 用途:測試 handler 在「假設 user 已登入」前提下的行為list / create 等業務邏輯)。
// 不可用於:驗證 AuthMiddleware 自身行為 — 那要走真 OIDC flow。
func injectStaticUserContext(userID, email string) gin.HandlerFunc {
return func(c *gin.Context) {
c.Set(ctxKeyUserContext, &auth.UserContext{
UserID: userID,
Email: email,
})
c.Next()
}
}
Reference in New Issue View Git Blame Copy Permalink