test: add integration tests for CalDAV API token auth

2026-05-07 20:38:46 -05:00 · 2026-03-26 11:31:51 +01:00
parent 6207705928
commit 194bec8b9f
2 changed files with 58 additions and 0 deletions
--- a/pkg/db/fixtures/api_tokens.yml
+++ b/pkg/db/fixtures/api_tokens.yml
@@ -48,3 +48,23 @@
  owner_id: 18
  created: 2023-09-01 07:00:00
  # token in plaintext is tk_locked_user_test_token_0000000012345678
+- id: 6
+  title: 'caldav access token for user 15'
+  token_salt: cDvTk9sR2m
+  token_hash: 41f673b144dd743df03de7fb3770766d09f0ac11619cbcca1849310bf71093b872258d5f3b5fc0308ac23910c5570e602b25
+  token_last_eight: aabbccdd
+  permissions: '{"caldav":["access"]}'
+  expires_at: 2099-01-01 00:00:00
+  owner_id: 15
+  created: 2024-01-01 00:00:00
+  # token in plaintext is tk_caldav_api_token_test_00000000aabbccdd
+- id: 7
+  title: 'non-caldav token for user 15'
+  token_salt: xY7mNp3qRs
+  token_hash: 844f04afac4479a690b303dbc96795f83526aba0dce11f917e918699542e7ae53f869a9d6e03e147e12350bdf1a710e09cc9
+  token_last_eight: 5678efab
+  permissions: '{"tasks":["read_all"]}'
+  expires_at: 2099-01-01 00:00:00
+  owner_id: 15
+  created: 2024-01-01 00:00:00
+  # token in plaintext is tk_nocaldav_token_test_000000005678efab
--- a/pkg/webtests/caldav_test.go
+++ b/pkg/webtests/caldav_test.go
@@ -910,3 +910,41 @@ func TestCaldavDisabledUserRejected(t *testing.T) {
 		assert.False(t, result, "locked user should not be able to authenticate via CalDAV")
 	})
 }
+
+func TestCaldavAPITokenAuth(t *testing.T) {
+	t.Run("API token with caldav permission succeeds", func(t *testing.T) {
+		e, _ := setupTestEnv()
+		c, _ := createRequest(e, http.MethodGet, "", nil, nil)
+
+		// API token fixture id 6: owner_id=15, permissions={"caldav":["access"]}
+		result, err := caldav.BasicAuth(c, testuser15.Username, "tk_caldav_api_token_test_00000000aabbccdd")
+		require.NoError(t, err)
+		assert.True(t, result, "API token with caldav permission should authenticate")
+	})
+	t.Run("API token without caldav permission rejected", func(t *testing.T) {
+		e, _ := setupTestEnv()
+		c, _ := createRequest(e, http.MethodGet, "", nil, nil)
+
+		// API token fixture id 7: owner_id=15, permissions={"tasks":["read_all"]}
+		result, err := caldav.BasicAuth(c, testuser15.Username, "tk_nocaldav_token_test_000000005678efab")
+		require.NoError(t, err)
+		assert.False(t, result, "API token without caldav permission should be rejected")
+	})
+	t.Run("API token with wrong username rejected", func(t *testing.T) {
+		e, _ := setupTestEnv()
+		c, _ := createRequest(e, http.MethodGet, "", nil, nil)
+
+		// Token belongs to user15 but we provide user1's username
+		result, err := caldav.BasicAuth(c, testuser1.Username, "tk_caldav_api_token_test_00000000aabbccdd")
+		require.NoError(t, err)
+		assert.False(t, result, "API token with mismatched username should be rejected")
+	})
+	t.Run("invalid API token rejected", func(t *testing.T) {
+		e, _ := setupTestEnv()
+		c, _ := createRequest(e, http.MethodGet, "", nil, nil)
+
+		result, err := caldav.BasicAuth(c, testuser15.Username, "tk_this_is_totally_not_a_valid_token_at_all")
+		require.NoError(t, err)
+		assert.False(t, result, "invalid API token should be rejected")
+	})
+}