package gatewayauthsession_test import ( "context" "crypto/ed25519" "encoding/base64" "net/http" "testing" "time" "galaxy/integration/internal/harness" gatewayv1 "galaxy/gateway/proto/galaxy/gateway/v1" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) func TestGatewayAuthSessionSendEmailCodeReachesAuthsessionMailDelivery(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{}) response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{ "email": testEmail, }) require.Equal(t, http.StatusOK, response.StatusCode) var body struct { ChallengeID string `json:"challenge_id"` } require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &body)) require.NotEmpty(t, body.ChallengeID) deliveries := h.mailStub.RecordedDeliveries() require.Len(t, deliveries, 1) require.Equal(t, testEmail, deliveries[0].Email) require.Len(t, deliveries[0].Code, 6) } func TestGatewayAuthSessionConfirmCreatesProjectionAndAllowsSubscribeEvents(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{}) clientPrivateKey := newClientPrivateKey("confirm-projection") challengeID, code := h.sendChallenge(t, testEmail) response := h.confirmCode(t, challengeID, code, clientPrivateKey) require.Equal(t, http.StatusOK, response.StatusCode) var confirmBody struct { DeviceSessionID string `json:"device_session_id"` } require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &confirmBody)) require.NotEmpty(t, confirmBody.DeviceSessionID) record := h.readGatewaySessionRecord(t, confirmBody.DeviceSessionID) require.Equal(t, gatewaySessionRecord{ DeviceSessionID: confirmBody.DeviceSessionID, UserID: "user-1", ClientPublicKey: base64.StdEncoding.EncodeToString(clientPrivateKey.Public().(ed25519.PublicKey)), Status: "active", }, record) ensureCalls := h.userStub.EnsureCalls() require.Len(t, ensureCalls, 1) require.Equal(t, testEmail, ensureCalls[0].Email) require.Equal(t, "en", ensureCalls[0].PreferredLanguage) require.Equal(t, testTimeZone, ensureCalls[0].TimeZone) conn := h.dialGateway(t) client := gatewayv1.NewEdgeGatewayClient(conn) stream, err := client.SubscribeEvents(context.Background(), newSubscribeEventsRequest(confirmBody.DeviceSessionID, "request-bootstrap", clientPrivateKey)) require.NoError(t, err) event, err := stream.Recv() require.NoError(t, err) assertBootstrapEvent(t, event, h.responseSignerPublicKey, "request-bootstrap") } func TestGatewayAuthSessionAcceptLanguageIsForwardedToMailAndUser(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{}) clientPrivateKey := newClientPrivateKey("localized") challengeID, code := h.sendChallengeWithAcceptLanguage(t, testEmail, "fr-FR, en;q=0.8") deliveries := h.mailStub.RecordedDeliveries() require.NotEmpty(t, deliveries) require.Equal(t, "fr-FR", deliveries[len(deliveries)-1].Locale) response := h.confirmCode(t, challengeID, code, clientPrivateKey) require.Equal(t, http.StatusOK, response.StatusCode) ensureCalls := h.userStub.EnsureCalls() require.Len(t, ensureCalls, 1) require.Equal(t, testEmail, ensureCalls[0].Email) require.Equal(t, "fr-FR", ensureCalls[0].PreferredLanguage) require.Equal(t, testTimeZone, ensureCalls[0].TimeZone) } func TestGatewayAuthSessionRepeatedConfirmReturnsSameSessionID(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{}) clientPrivateKey := newClientPrivateKey("repeated-confirm") challengeID, code := h.sendChallenge(t, testEmail) first := h.confirmCode(t, challengeID, code, clientPrivateKey) second := h.confirmCode(t, challengeID, code, clientPrivateKey) require.Equal(t, http.StatusOK, first.StatusCode) require.Equal(t, http.StatusOK, second.StatusCode) var firstBody struct { DeviceSessionID string `json:"device_session_id"` } var secondBody struct { DeviceSessionID string `json:"device_session_id"` } require.NoError(t, decodeStrictJSONPayload([]byte(first.Body), &firstBody)) require.NoError(t, decodeStrictJSONPayload([]byte(second.Body), &secondBody)) require.Equal(t, firstBody.DeviceSessionID, secondBody.DeviceSessionID) } func TestGatewayAuthSessionInvalidClientPublicKeyPassesThroughUnchanged(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{}) challengeID, _ := h.sendChallenge(t, testEmail) response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/confirm-email-code", map[string]string{ "challenge_id": challengeID, "code": "123456", "client_public_key": "invalid", "time_zone": testTimeZone, }) require.Equal(t, http.StatusBadRequest, response.StatusCode) require.JSONEq(t, `{"error":{"code":"invalid_client_public_key","message":"client_public_key is not a valid base64-encoded raw 32-byte Ed25519 public key"}}`, response.Body) } func TestGatewayAuthSessionChallengeNotFoundPassesThroughUnchanged(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{}) response := h.confirmCode(t, "missing-challenge", "123456", newClientPrivateKey("missing-challenge")) require.Equal(t, http.StatusNotFound, response.StatusCode) require.JSONEq(t, `{"error":{"code":"challenge_not_found","message":"challenge not found"}}`, response.Body) } func TestGatewayAuthSessionInvalidCodePassesThroughUnchanged(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{}) clientPrivateKey := newClientPrivateKey("invalid-code") challengeID, code := h.sendChallenge(t, testEmail) invalidCode := "000000" if code == invalidCode { invalidCode = "111111" } response := h.confirmCode(t, challengeID, invalidCode, clientPrivateKey) require.Equal(t, http.StatusBadRequest, response.StatusCode) require.JSONEq(t, `{"error":{"code":"invalid_code","message":"confirmation code is invalid"}}`, response.Body) } func TestGatewayAuthSessionBlockedSendRemainsSuccessShapedWithoutDelivery(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{}) h.userStub.SeedBlockedEmail(testEmail, "policy_blocked") response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{ "email": testEmail, }) require.Equal(t, http.StatusOK, response.StatusCode) var body struct { ChallengeID string `json:"challenge_id"` } require.NoError(t, decodeStrictJSONPayload([]byte(response.Body), &body)) require.NotEmpty(t, body.ChallengeID) require.Empty(t, h.mailStub.RecordedDeliveries()) } func TestGatewayAuthSessionSessionLimitExceededPassesThroughUnchanged(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{}) h.seedSessionLimit(t, 1) firstClientPrivateKey := newClientPrivateKey("session-limit-first") firstChallengeID, firstCode := h.sendChallenge(t, testEmail) firstConfirm := h.confirmCode(t, firstChallengeID, firstCode, firstClientPrivateKey) require.Equal(t, http.StatusOK, firstConfirm.StatusCode) const secondEmail = "pilot-second@example.com" h.userStub.SeedExisting(secondEmail, "user-1") secondClientPrivateKey := newClientPrivateKey("session-limit-second") secondChallengeID, secondCode := h.sendChallenge(t, secondEmail) secondConfirm := h.confirmCode(t, secondChallengeID, secondCode, secondClientPrivateKey) require.Equal(t, http.StatusConflict, secondConfirm.StatusCode) require.JSONEq(t, `{"error":{"code":"session_limit_exceeded","message":"active session limit would be exceeded"}}`, secondConfirm.Body) } func TestGatewayAuthSessionRevokeClosesPushStreamAndRejectsReopen(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{}) clientPrivateKey := newClientPrivateKey("revoke") challengeID, code := h.sendChallenge(t, testEmail) confirm := h.confirmCode(t, challengeID, code, clientPrivateKey) require.Equal(t, http.StatusOK, confirm.StatusCode) var confirmBody struct { DeviceSessionID string `json:"device_session_id"` } require.NoError(t, decodeStrictJSONPayload([]byte(confirm.Body), &confirmBody)) conn := h.dialGateway(t) client := gatewayv1.NewEdgeGatewayClient(conn) stream, err := client.SubscribeEvents(context.Background(), newSubscribeEventsRequest(confirmBody.DeviceSessionID, "request-revoke", clientPrivateKey)) require.NoError(t, err) event, err := stream.Recv() require.NoError(t, err) assertBootstrapEvent(t, event, h.responseSignerPublicKey, "request-revoke") revokeResponse := postJSONValue(t, h.authsessionInternalURL+"/api/v1/internal/sessions/"+confirmBody.DeviceSessionID+"/revoke", map[string]any{ "reason_code": "admin_revoke", "actor": map[string]string{ "type": "system", }, }) require.Equal(t, http.StatusOK, revokeResponse.StatusCode) recvErrCh := make(chan error, 1) go func() { _, recvErr := stream.Recv() recvErrCh <- recvErr }() select { case recvErr := <-recvErrCh: require.Equal(t, codes.FailedPrecondition, status.Code(recvErr)) require.Equal(t, "device session is revoked", status.Convert(recvErr).Message()) case <-time.After(5 * time.Second): t.Fatal("gateway stream did not close after authsession revoke") } reopened, err := client.SubscribeEvents(context.Background(), newSubscribeEventsRequest(confirmBody.DeviceSessionID, "request-reopen", clientPrivateKey)) if err == nil { _, err = reopened.Recv() } require.Equal(t, codes.FailedPrecondition, status.Code(err)) require.Equal(t, "device session is revoked", status.Convert(err).Message()) } func TestGatewayAuthSessionGatewayTimeoutMappingOverridesAuthsessionMessage(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{ gatewayAuthUpstreamTimeout: 50 * time.Millisecond, authsessionPublicHTTPTimeout: time.Second, authsessionMailBehavior: harness.MailBehavior{ Delay: 200 * time.Millisecond, }, }) response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{ "email": testEmail, }) require.Equal(t, http.StatusServiceUnavailable, response.StatusCode) require.JSONEq(t, `{"error":{"code":"service_unavailable","message":"auth service is unavailable"}}`, response.Body) } func TestGatewayAuthSessionAuthsessionServiceUnavailablePassesThroughUnchanged(t *testing.T) { h := newGatewayAuthSessionHarness(t, gatewayAuthSessionOptions{ authsessionMailBehavior: harness.MailBehavior{ StatusCode: http.StatusServiceUnavailable, RawBody: `{"error":"mail backend unavailable"}`, }, }) response := postJSONValue(t, h.gatewayPublicURL+"/api/v1/public/auth/send-email-code", map[string]string{ "email": testEmail, }) require.Equal(t, http.StatusServiceUnavailable, response.StatusCode) require.JSONEq(t, `{"error":{"code":"service_unavailable","message":"service is unavailable"}}`, response.Body) }