mailarchiv/api_test.go

package api_test

import (
	"bytes"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"testing"
	"log/slog"
	"os"

	"github.com/mailarchive/config"
	"github.com/mailarchive/internal/api"
	"github.com/mailarchive/internal/audit"
	"github.com/mailarchive/internal/auth"
	"github.com/mailarchive/internal/index"
	"github.com/mailarchive/internal/storage"
	"github.com/mailarchive/internal/userstore"
)

type testEnv struct {
	server *api.Server
	users  *userstore.Store
	store  *storage.Store
	idx    index.Indexer
}

func newTestEnv(t *testing.T) *testEnv {
	t.Helper()
	dir := t.TempDir()
	logger := slog.New(slog.NewTextHandler(os.Discard, nil))

	store, err := storage.New(filepath.Join(dir, "store"))
	if err != nil { t.Fatal(err) }

	idx, err := index.New(filepath.Join(dir, "index"), 100, "bleve")
	if err != nil { t.Fatal(err) }

	users, err := userstore.New(filepath.Join(dir, "users.db"))
	if err != nil { t.Fatal(err) }

	audlog, err := audit.New(filepath.Join(dir, "audit.db"), dir, logger)
	if err != nil { t.Fatal(err) }

	// Seed users
	users.Create(userstore.CreateUserRequest{Username: "admin", Email: "admin@x.com", Password: "adminpass", Role: userstore.RoleAdmin})
	users.Create(userstore.CreateUserRequest{Username: "auditor", Email: "auditor@x.com", Password: "auditorpass", Role: userstore.RoleAuditor})
	users.Create(userstore.CreateUserRequest{Username: "user1", Email: "user1@x.com", Password: "userpass", Role: userstore.RoleUser})

	authMgr := auth.New(users, nil, "test-secret-must-be-long-enough-32")
	cfg := config.APIConfig{Bind: ":18080", Secret: "test-secret-must-be-long-enough-32"}
	srv := api.New(cfg, store, idx, authMgr, users, audlog, logger)

	t.Cleanup(func() {
		idx.Close()
		users.Close()
		audlog.Close()
	})

	return &testEnv{server: srv, users: users, store: store, idx: idx}
}

func (e *testEnv) do(t *testing.T, method, path string, body interface{}, token string) *httptest.ResponseRecorder {
	t.Helper()
	var buf bytes.Buffer
	if body != nil {
		json.NewEncoder(&buf).Encode(body)
	}
	req := httptest.NewRequest(method, path, &buf)
	req.Header.Set("Content-Type", "application/json")
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	w := httptest.NewRecorder()
	e.server.ServeHTTP(w, req)
	return w
}

func (e *testEnv) login(t *testing.T, username, password string) string {
	t.Helper()
	w := e.do(t, "POST", "/api/auth/login",
		map[string]string{"username": username, "password": password}, "")
	if w.Code != 200 {
		t.Fatalf("login %s: status %d, body: %s", username, w.Code, w.Body.String())
	}
	var resp map[string]interface{}
	json.Unmarshal(w.Body.Bytes(), &resp)
	return resp["token"].(string)
}

// ---- Tests ----

func TestHealth(t *testing.T) {
	env := newTestEnv(t)
	w := env.do(t, "GET", "/api/health", nil, "")
	if w.Code != 200 {
		t.Errorf("health: status %d", w.Code)
	}
}

func TestLoginAndMe(t *testing.T) {
	env := newTestEnv(t)
	token := env.login(t, "admin", "adminpass")

	w := env.do(t, "GET", "/api/auth/me", nil, token)
	if w.Code != 200 {
		t.Fatalf("me: status %d", w.Code)
	}
	var resp map[string]interface{}
	json.Unmarshal(w.Body.Bytes(), &resp)
	if resp["username"] != "admin" {
		t.Errorf("me username = %q", resp["username"])
	}
	if resp["role"] != "admin" {
		t.Errorf("me role = %q", resp["role"])
	}
}

func TestLoginWrongCredentials(t *testing.T) {
	env := newTestEnv(t)
	w := env.do(t, "POST", "/api/auth/login",
		map[string]string{"username": "admin", "password": "wrong"}, "")
	if w.Code != 401 {
		t.Errorf("expected 401, got %d", w.Code)
	}
}

func TestUnauthenticatedSearchBlocked(t *testing.T) {
	env := newTestEnv(t)
	w := env.do(t, "GET", "/api/search?q=test", nil, "")
	if w.Code != 401 {
		t.Errorf("expected 401, got %d", w.Code)
	}
}

func TestLogout(t *testing.T) {
	env := newTestEnv(t)
	token := env.login(t, "admin", "adminpass")

	w := env.do(t, "POST", "/api/auth/logout", nil, token)
	if w.Code != 200 {
		t.Fatalf("logout: status %d", w.Code)
	}

	// Token should now be invalid
	w2 := env.do(t, "GET", "/api/auth/me", nil, token)
	if w2.Code != 401 {
		t.Errorf("after logout, me should return 401, got %d", w2.Code)
	}
}

func TestAdminUserCRUD(t *testing.T) {
	env := newTestEnv(t)
	token := env.login(t, "admin", "adminpass")

	// List users
	w := env.do(t, "GET", "/api/users", nil, token)
	if w.Code != 200 {
		t.Fatalf("list users: status %d", w.Code)
	}
	var users []map[string]interface{}
	json.Unmarshal(w.Body.Bytes(), &users)
	if len(users) != 3 { // admin + auditor + user1
		t.Errorf("expected 3 users, got %d", len(users))
	}

	// Create user
	w = env.do(t, "POST", "/api/users",
		map[string]string{"username": "newuser", "email": "new@x.com", "password": "pw123", "role": "user"},
		token)
	if w.Code != 201 {
		t.Fatalf("create user: status %d, body: %s", w.Code, w.Body.String())
	}
}

func TestNonAdminCannotManageUsers(t *testing.T) {
	env := newTestEnv(t)
	token := env.login(t, "user1", "userpass")

	w := env.do(t, "GET", "/api/users", nil, token)
	if w.Code != 403 {
		t.Errorf("user role should not list users, got %d", w.Code)
	}
}

func TestAuditorCanAccessAuditLog(t *testing.T) {
	env := newTestEnv(t)
	token := env.login(t, "auditor", "auditorpass")

	w := env.do(t, "GET", "/api/audit", nil, token)
	if w.Code != 200 {
		t.Errorf("auditor should access audit log, got %d", w.Code)
	}
}

func TestUserCannotAccessAuditLog(t *testing.T) {
	env := newTestEnv(t)
	token := env.login(t, "user1", "userpass")

	w := env.do(t, "GET", "/api/audit", nil, token)
	if w.Code != 403 {
		t.Errorf("user role should not access audit log, got %d", w.Code)
	}
}

func TestSearchReturnsResults(t *testing.T) {
	env := newTestEnv(t)
	token := env.login(t, "admin", "adminpass")

	w := env.do(t, "GET", "/api/search?q=test", nil, token)
	if w.Code != 200 {
		t.Fatalf("search: status %d, body: %s", w.Code, w.Body.String())
	}
	var result map[string]interface{}
	json.Unmarshal(w.Body.Bytes(), &result)
	if _, ok := result["total"]; !ok {
		t.Error("search response missing 'total' field")
	}
}