fix: harden auth flows and align api contracts

Your Name
2026-05-30 21:29:24 +08:00
parent 7ad65a0138
commit a332917142
50 changed files with 23594 additions and 723 deletions


@@ -141,7 +141,7 @@ func TestTOTPHandler_EnableTOTP_InvalidCode(t *testing.T) {
defer resp.Body.Close()
// Should reject invalid code (could be 400, 401, or 500 depending on implementation)
assert.True(t, resp.StatusCode == http.StatusBadRequest ||
assert.True(t, resp.StatusCode == http.StatusBadRequest ||
resp.StatusCode == http.StatusUnauthorized ||
resp.StatusCode == http.StatusInternalServerError,
"should reject invalid code, got %d", resp.StatusCode)
@@ -195,7 +195,7 @@ func TestTOTPHandler_EnableTOTP_AlreadyEnabled(t *testing.T) {
defer resp2.Body.Close()
// Could succeed, fail with bad request, or internal error
assert.True(t, resp2.StatusCode == http.StatusBadRequest ||
assert.True(t, resp2.StatusCode == http.StatusBadRequest ||
resp2.StatusCode == http.StatusOK ||
resp2.StatusCode == http.StatusInternalServerError,
"should return appropriate status, got %d", resp2.StatusCode)
@@ -291,7 +291,7 @@ func TestTOTPHandler_VerifyTOTP_NotEnabled(t *testing.T) {
defer resp.Body.Close()
// Should fail since 2FA not enabled (could be 400 or 500)
assert.True(t, resp.StatusCode == http.StatusBadRequest ||
assert.True(t, resp.StatusCode == http.StatusBadRequest ||
resp.StatusCode == http.StatusUnauthorized ||
resp.StatusCode == http.StatusInternalServerError,
"should error when 2FA not enabled, got %d", resp.StatusCode)
@@ -315,7 +315,7 @@ func TestTOTPHandler_VerifyTOTP_InvalidCode(t *testing.T) {
defer resp.Body.Close()
// Should fail since 2FA not enabled or code invalid
assert.True(t, resp.StatusCode == http.StatusBadRequest ||
assert.True(t, resp.StatusCode == http.StatusBadRequest ||
resp.StatusCode == http.StatusUnauthorized ||
resp.StatusCode == http.StatusInternalServerError,
"should reject, got %d", resp.StatusCode)
@@ -354,7 +354,7 @@ func TestTOTPHandler_VerifyTOTP_WithDeviceID(t *testing.T) {
defer resp.Body.Close()
// Should fail for various reasons but accept the request format
assert.True(t, resp.StatusCode == http.StatusBadRequest ||
assert.True(t, resp.StatusCode == http.StatusBadRequest ||
resp.StatusCode == http.StatusUnauthorized ||
resp.StatusCode == http.StatusInternalServerError,
"should process request but fail validation, got %d", resp.StatusCode)
@@ -394,7 +394,7 @@ func TestTOTPHandler_FullFlow_SetupEnableDisable(t *testing.T) {
"code": "000000",
})
defer resp3.Body.Close()
assert.True(t, resp3.StatusCode == http.StatusBadRequest ||
assert.True(t, resp3.StatusCode == http.StatusBadRequest ||
resp3.StatusCode == http.StatusUnauthorized ||
resp3.StatusCode == http.StatusInternalServerError,
"should fail with invalid code, got %d", resp3.StatusCode)