iris/middleware/basicauth/basicauth_test.go

// Package basicauth_tests performs black-box testing of the basicauth middleware.
// Note that, a secondary test is also available at: _examples/auth/basicauth/main_test.go
package basicauth_test

import (
	"fmt"
	"testing"

	"github.com/kataras/iris/v12"
	"github.com/kataras/iris/v12/httptest"
	"github.com/kataras/iris/v12/middleware/basicauth"
)

func TestBasicAuthUseRouter(t *testing.T) {
	app := iris.New()
	users := map[string]string{
		"usr":   "pss",
		"admin": "admin",
	}

	auth := basicauth.New(basicauth.Options{
		Allow:    basicauth.AllowUsers(users),
		Realm:    basicauth.DefaultRealm,
		MaxTries: 1,
	})

	app.UseRouter(auth)

	app.Get("/user_json", func(ctx iris.Context) {
		ctx.JSON(ctx.User())
	})

	app.Get("/user_string", func(ctx iris.Context) {
		user := ctx.User()

		authorization, _ := user.GetAuthorization()
		username, _ := user.GetUsername()
		password, _ := user.GetPassword()
		ctx.Writef("%s\n%s\n%s", authorization, username, password)
	})

	app.Get("/", func(ctx iris.Context) {
		username, _, _ := ctx.Request().BasicAuth()
		ctx.Writef("Hello, %s!", username)
	})

	app.Subdomain("static").Get("/", func(ctx iris.Context) {
		username, _, _ := ctx.Request().BasicAuth()
		ctx.Writef("Static, %s", username)
	})

	resetWithUseRouter := app.Subdomain("reset_with_use_router").ResetRouterFilters()
	resetWithUseRouter.UseRouter(func(ctx iris.Context) {
		ctx.Record()
		ctx.Writef("with use router\n")
		ctx.Next()
	})
	resetWithUseRouter.Get("/", func(ctx iris.Context) {
		username, _, _ := ctx.Request().BasicAuth()
		ctx.Writef("%s", username) // username should be empty.
	})
	// ^ order of these should not matter.
	app.Subdomain("reset").ResetRouterFilters().Get("/", func(ctx iris.Context) {
		username, _, _ := ctx.Request().BasicAuth()
		ctx.Writef("%s", username) // username should be empty.
	})

	e := httptest.New(t, app.Configure(
		iris.WithFireMethodNotAllowed,
		iris.WithResetOnFireErrorCode,
	))

	for username, password := range users {
		// Test pass authentication and route found.
		e.GET("/").WithBasicAuth(username, password).Expect().
			Status(httptest.StatusOK).Body().IsEqual(fmt.Sprintf("Hello, %s!", username))
		e.GET("/user_json").WithBasicAuth(username, password).Expect().
			Status(httptest.StatusOK).JSON().Object().ContainsMap(iris.Map{
			"username": username,
		})
		e.GET("/user_string").WithBasicAuth(username, password).Expect().
			Status(httptest.StatusOK).Body().
			Equal(fmt.Sprintf("%s\n%s\n%s", "Basic Authentication", username, password))

		// Test empty auth.
		e.GET("/").Expect().Status(httptest.StatusUnauthorized).Body().IsEqual("Unauthorized")
		// Test invalid auth.
		e.GET("/").WithBasicAuth(username, "invalid_password").Expect().
			Status(httptest.StatusForbidden)
		e.GET("/").WithBasicAuth("invaid_username", password).Expect().
			Status(httptest.StatusForbidden)

		// Test different method, it should pass the authentication (no stop on 401)
		// but it doesn't fire the GET route, instead it gives 405.
		e.POST("/").WithBasicAuth(username, password).Expect().
			Status(httptest.StatusMethodNotAllowed).Body().IsEqual("Method Not Allowed")

		// Test pass the authentication but route not found.
		e.GET("/notfound").WithBasicAuth(username, password).Expect().
			Status(httptest.StatusNotFound).Body().IsEqual("Not Found")

		// Test empty auth.
		e.GET("/notfound").Expect().Status(httptest.StatusUnauthorized).Body().IsEqual("Unauthorized")
		// Test invalid auth.
		e.GET("/notfound").WithBasicAuth(username, "invalid_password").Expect().
			Status(httptest.StatusForbidden)
		e.GET("/notfound").WithBasicAuth("invaid_username", password).Expect().
			Status(httptest.StatusForbidden)

		// Test subdomain inherited.
		sub := e.Builder(func(req *httptest.Request) {
			req.WithURL("http://static.mydomain.com")
		})

		// Test pass and route found.
		sub.GET("/").WithBasicAuth(username, password).Expect().
			Status(httptest.StatusOK).Body().IsEqual(fmt.Sprintf("Static, %s", username))

		// Test empty auth.
		sub.GET("/").Expect().Status(httptest.StatusUnauthorized)
		// Test invalid auth.
		sub.GET("/").WithBasicAuth(username, "invalid_password").Expect().
			Status(httptest.StatusForbidden)
		sub.GET("/").WithBasicAuth("invaid_username", password).Expect().
			Status(httptest.StatusForbidden)

		// Test pass the authentication but route not found.
		sub.GET("/notfound").WithBasicAuth(username, password).Expect().
			Status(httptest.StatusNotFound).Body().IsEqual("Not Found")

		// Test empty auth.
		sub.GET("/notfound").Expect().Status(httptest.StatusUnauthorized).Body().IsEqual("Unauthorized")
		// Test invalid auth.
		sub.GET("/notfound").WithBasicAuth(username, "invalid_password").Expect().
			Status(httptest.StatusForbidden)
		sub.GET("/notfound").WithBasicAuth("invaid_username", password).Expect().
			Status(httptest.StatusForbidden)

		// Test a reset-ed Party with a single one UseRouter
		// which writes on matched routes and reset and send the error on errors.
		// (all should pass without auth).
		sub = e.Builder(func(req *httptest.Request) {
			req.WithURL("http://reset_with_use_router.mydomain.com")
		})
		sub.GET("/").Expect().Status(httptest.StatusOK).Body().IsEqual("with use router\n")
		sub.POST("/").Expect().Status(httptest.StatusMethodNotAllowed).Body().IsEqual("Method Not Allowed")
		sub.GET("/notfound").Expect().Status(httptest.StatusNotFound).Body().IsEqual("Not Found")

		// Test a reset-ed Party (all should pass without auth).
		sub = e.Builder(func(req *httptest.Request) {
			req.WithURL("http://reset.mydomain.com")
		})
		sub.GET("/").Expect().Status(httptest.StatusOK).Body().IsEmpty()
		sub.POST("/").Expect().Status(httptest.StatusMethodNotAllowed).Body().IsEqual("Method Not Allowed")
		sub.GET("/notfound").Expect().Status(httptest.StatusNotFound).Body().IsEqual("Not Found")
	}
}