From 194bec8b9ff12142ca57ef36fa034218e6f8f2b2 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 26 Mar 2026 11:31:51 +0100
Subject: [PATCH] test: add integration tests for CalDAV API token auth
---
 pkg/db/fixtures/api_tokens.yml | 20 ++++++++++++++++++
 pkg/webtests/caldav_test.go | 38 ++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
diff --git a/pkg/db/fixtures/api_tokens.yml b/pkg/db/fixtures/api_tokens.yml
index b7a225616..2ff417bff 100644
--- a/pkg/db/fixtures/api_tokens.yml
+++ b/pkg/db/fixtures/api_tokens.yml
@@ -48,3 +48,23 @@
 owner_id: 18
 created: 2023-09-01 07:00:00
 # token in plaintext is tk_locked_user_test_token_0000000012345678
+- id: 6
+ title: 'caldav access token for user 15'
+ token_salt: cDvTk9sR2m
+ token_hash: 41f673b144dd743df03de7fb3770766d09f0ac11619cbcca1849310bf71093b872258d5f3b5fc0308ac23910c5570e602b25
+ token_last_eight: aabbccdd
+ permissions: '{"caldav":["access"]}'
+ expires_at: 2099-01-01 00:00:00
+ owner_id: 15
+ created: 2024-01-01 00:00:00
+ # token in plaintext is tk_caldav_api_token_test_00000000aabbccdd
+- id: 7
+ title: 'non-caldav token for user 15'
+ token_salt: xY7mNp3qRs
+ token_hash: 844f04afac4479a690b303dbc96795f83526aba0dce11f917e918699542e7ae53f869a9d6e03e147e12350bdf1a710e09cc9
+ token_last_eight: 5678efab
+ permissions: '{"tasks":["read_all"]}'
+ expires_at: 2099-01-01 00:00:00
+ owner_id: 15
+ created: 2024-01-01 00:00:00
+ # token in plaintext is tk_nocaldav_token_test_000000005678efab
diff --git a/pkg/webtests/caldav_test.go b/pkg/webtests/caldav_test.go
index fb4eb89e5..3157539dc 100644
--- a/pkg/webtests/caldav_test.go
+++ b/pkg/webtests/caldav_test.go
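Review bot: Both new fixtures (ids 6 and 7) use `expires_at: 2099-01-01 00:00:00`, so the suite gains no caldav-scoped token whose expiry has already passed, and the expiry check on the CalDAV token path is left unexercised by the companion tests. Consider a third entry that carries `permissions: '{"caldav":["access"]}'` together with a past expiry such as `expires_at: 2020-01-01 00:00:00`, with its plaintext recorded in the trailing comment the way the other entries do. Whether entries 1–5 above already include an expired token is not visible in this hunk.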
@@ -910,3 +910,41 @@ func TestCaldavDisabledUserRejected(t *testing.T) {
 assert.False(t, result, "locked user should not be able to authenticate via CalDAV")
 })
 }
+
+func TestCaldavAPITokenAuth(t *testing.T) {
+ t.Run("API token with caldav permission succeeds", func(t *testing.T) {
+ e, _ := setupTestEnv()
+ c, _ := createRequest(e, http.MethodGet, "", nil, nil)
+
+ // API token fixture id 6: owner_id=15, permissions={"caldav":["access"]}
+ result, err := caldav.BasicAuth(c, testuser15.Username, "tk_caldav_api_token_test_00000000aabbccdd")
+ require.NoError(t, err)
+ assert.True(t, result, "API token with caldav permission should authenticate")
+ })
+ t.Run("API token without caldav permission rejected", func(t *testing.T) {
+ e, _ := setupTestEnv()
+ c, _ := createRequest(e, http.MethodGet, "", nil, nil)
+
+ // API token fixture id 7: owner_id=15, permissions={"tasks":["read_all"]}
+ result, err := caldav.BasicAuth(c, testuser15.Username, "tk_nocaldav_token_test_000000005678efab")
+ require.NoError(t, err)
+ assert.False(t, result, "API token without caldav permission should be rejected")
+ })
+ t.Run("API token with wrong username rejected", func(t *testing.T) {
+ e, _ := setupTestEnv()
+ c, _ := createRequest(e, http.MethodGet, "", nil, nil)
+
+ // Token belongs to user15 but we provide user1's username
+ result, err := caldav.BasicAuth(c, testuser1.Username, "tk_caldav_api_token_test_00000000aabbccdd")
+ require.NoError(t, err)
+ assert.False(t, result, "API token with mismatched username should be rejected")
+ })
+ t.Run("invalid API token rejected", func(t *testing.T) {
+ e, _ := setupTestEnv()
+ c, _ := createRequest(e, http.MethodGet, "", nil, nil)
+
+ result, err := caldav.BasicAuth(c, testuser15.Username, "tk_this_is_totally_not_a_valid_token_at_all")
+ require.NoError(t, err)
+ assert.False(t, result, "invalid API token should be rejected")
+ })
+}
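Review bot: Every subtest discards the setup errors (`e, _ := setupTestEnv()` and `c, _ := createRequest(e, http.MethodGet, "", nil, nil)`), so a failed fixture load or request build would surface only as `result == false`, which the three rejection subtests then pass for the wrong reason. Capture them as `e, err := setupTestEnv(); require.NoError(t, err)` and `c, err := createRequest(...); require.NoError(t, err)`, assuming those helpers return an error in their second value (their signatures are outside the hunk). The new table also has no case for a caldav-scoped token whose owner is locked or disabled, the situation `TestCaldavDisabledUserRejected` just above checks (its body is mostly outside the hunk); a subtest mirroring it with an API token would pin that the token path applies the same account-status check as whatever credential that test uses.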