Mrixs/MrixsCraft-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add Docker infrastructure, migrations, CI/CD client, session cleanup, tests

Browse Source 
Docker & Deployment:
- Add Dockerfile (multi-stage, alpine, non-root)
- Add docker-compose.yml (caddy, backend, postgres, watchtower)
- Add Caddyfile (TLS, file_server, reverse proxy)
- Add .env.example

Database:
- Add migrations/001_init.sql (all tables + indexes)

CI/CD:
- Add cmd/ci-release/main.go (launcher binary upload tool)

Session management:
- Add internal/session/cleanup.go (background expired session cleanup)
- Integrate cleanup worker into main.go

Bug fixes:
- Fix launcherLatest download URL to include version segment
- Fix serveLauncherAsset path to match route pattern
- Add Content-Type detection from file extension in CAS serveFile
- Add empty-field validation in webLogin
- Format string fix in ci-release (%d → %s for resp.Status)

Tests:
- Add internal/auth/auth_test.go (8 tests)
- Add internal/cas/cas_test.go (7 tests)
- Add internal/session/cleanup_test.go (1 test)
- Add internal/api/api_test.go (5 tests)
- All tests passing, go vet clean

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Vladimir Zagainov
2026-05-29 20:09:00 +03:00
parent 81c42e1a9a
commit 5fba2e78d5
14 changed files with 986 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
internal/api/api.go
View File

@@ -64,7 +64,7 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
mux.HandleFunc("GET /api/web/profile/{uuid}", h.getProfile)
// Skin serving.
mux.HandleFunc("GET /skins/{hash}.png", h.serveSkin)
mux.HandleFunc("GET /skins/{hash}", h.serveSkin)
}
// ── Request / Response types ──────────────────────────────────
@@ -211,6 +211,11 @@ func (h *Handler) webLogin(w http.ResponseWriter, r *http.Request) {
return
}
if req.Username == "" || req.Password == "" {
writeError(w, http.StatusBadRequest, "Username and password are required")
return
}
var user database.User
err = h.db.Pool().QueryRow(r.Context(),
`SELECT id, username, password_hash, uuid FROM users
@@ -442,8 +447,8 @@ func (h *Handler) launcherLatest(w http.ResponseWriter, r *http.Request) {
return
}
downloadURL := fmt.Sprintf("%s/files/launcher/%s/%s/%s",
h.cfg.BaseURL, osParam, archParam, filepath.Base(release.FilePath))
downloadURL := fmt.Sprintf("%s/files/launcher/%s/%s/%s/%s",
h.cfg.BaseURL, release.Version, osParam, archParam, filepath.Base(release.FilePath))
writeJSON(w, http.StatusOK, launcherLatestResponse{
Version: release.Version,

216
internal/api/api_test.go Normal file
View File

@@ -0,0 +1,216 @@
package api
import (
"bytes"
"encoding/json"
"net/http"
"net/http/httptest"
"strings"
"testing"
"gitea.mrixs.me/Mrixs/MrixsCraft-server/internal/config"
"gitea.mrixs.me/Mrixs/MrixsCraft-server/internal/database"
)
// newTestHandler creates an API handler with a nil DB for testing validation
// and routing only. Handers that touch the database will panic with nil DB —
// integration tests with a real database cover those paths.
func newTestHandler(t *testing.T) *Handler {
t.Helper()
dir := t.TempDir()
cfg := &config.Config{
Port: 8080,
CASDir: dir,
SkinsDir: dir,
BaseURL: "https://test.example.com",
JWTSecret: "test-secret",
}
return &Handler{db: &database.DB{}, cfg: cfg}
}
// TestRegisterValidation tests input validation in the register handler
// without requiring a database connection.
func TestRegisterValidation(t *testing.T) {
h := newTestHandler(t)
mux := http.NewServeMux()
h.RegisterRoutes(mux)
tests := []struct {
name string
body string
wantStatus int
wantErr string
}{
{
name: "empty body",
body: "{}",
wantStatus: http.StatusBadRequest,
wantErr: "Username, email and password are required",
},
{
name: "invalid email",
body: `{"username":"test","email":"notanemail","password":"pass"}`,
wantStatus: http.StatusBadRequest,
wantErr: "Invalid email address",
},
{
name: "invalid json",
body: "not json",
wantStatus: http.StatusBadRequest,
wantErr: "Invalid JSON",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := httptest.NewRequest("POST", "/api/web/register",
bytes.NewReader([]byte(tt.body)))
req.Header.Set("Content-Type", "application/json")
w := httptest.NewRecorder()
mux.ServeHTTP(w, req)
if w.Code != tt.wantStatus {
t.Errorf("status = %d, want %d", w.Code, tt.wantStatus)
}
var resp map[string]string
json.Unmarshal(w.Body.Bytes(), &resp)
if got := resp["error"]; got != tt.wantErr {
t.Errorf("error = %q, want %q", got, tt.wantErr)
}
})
}
}
// TestWebLoginValidation tests input validation in the web login handler.
func TestWebLoginValidation(t *testing.T) {
h := newTestHandler(t)
mux := http.NewServeMux()
h.RegisterRoutes(mux)
tests := []struct {
name string
body string
wantStatus int
}{
{
name: "empty credentials",
body: `{"username":"","password":""}`,
wantStatus: http.StatusBadRequest,
},
{
name: "missing username",
body: `{"password":"secret"}`,
wantStatus: http.StatusBadRequest,
},
{
name: "missing password",
body: `{"username":"test"}`,
wantStatus: http.StatusBadRequest,
},
{
name: "invalid json",
body: "not json",
wantStatus: http.StatusBadRequest,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := httptest.NewRequest("POST", "/api/web/login",
bytes.NewReader([]byte(tt.body)))
req.Header.Set("Content-Type", "application/json")
w := httptest.NewRecorder()
mux.ServeHTTP(w, req)
if w.Code != tt.wantStatus {
t.Errorf("status = %d, want %d", w.Code, tt.wantStatus)
}
})
}
}
// TestLauncherLatest_MissingParams tests that missing query parameters
// return 400 without hitting the database.
func TestLauncherLatest_MissingParams(t *testing.T) {
h := newTestHandler(t)
mux := http.NewServeMux()
h.RegisterRoutes(mux)
queries := []string{
"/api/launcher/latest",
"/api/launcher/latest?os=windows",
"/api/launcher/latest?arch=amd64",
}
for _, q := range queries {
req := httptest.NewRequest("GET", q, nil)
w := httptest.NewRecorder()
mux.ServeHTTP(w, req)
if w.Code != http.StatusBadRequest {
t.Errorf("%s: expected 400, got %d", q, w.Code)
}
}
}
// TestAuthMiddleware_NoToken tests that protected endpoints reject
// requests without a Bearer token.
func TestAuthMiddleware_NoToken(t *testing.T) {
h := newTestHandler(t)
mux := http.NewServeMux()
h.RegisterRoutes(mux)
protected := []struct {
method string
path string
}{
{"POST", "/api/web/profile/skin"},
{"POST", "/api/web/profile/cape"},
{"DELETE", "/api/web/profile/skin"},
{"DELETE", "/api/web/profile/cape"},
}
for _, ep := range protected {
t.Run(ep.method+" "+ep.path, func(t *testing.T) {
req := httptest.NewRequest(ep.method, ep.path, nil)
w := httptest.NewRecorder()
mux.ServeHTTP(w, req)
if w.Code != http.StatusUnauthorized {
t.Errorf("%s %s: expected 401, got %d", ep.method, ep.path, w.Code)
}
var resp map[string]string
json.Unmarshal(w.Body.Bytes(), &resp)
if !strings.Contains(resp["error"], "Missing authorization") {
t.Errorf("unexpected error: %s", resp["error"])
}
})
}
}
// TestRoutesRegistered verifies all expected API routes are mounted
// and return proper HTTP status codes (not 404 for known paths).
func TestRoutesRegistered(t *testing.T) {
h := newTestHandler(t)
mux := http.NewServeMux()
h.RegisterRoutes(mux)
// Public routes that should respond without a database.
// Only routes with early validation (before DB access) are listed.
knownRoutes := []struct {
method string
path string
}{
{"POST", "/api/web/register"},
{"POST", "/api/web/login"},
{"GET", "/api/launcher/latest"},
}
for _, r := range knownRoutes {
t.Run(r.method+" "+r.path, func(t *testing.T) {
req := httptest.NewRequest(r.method, r.path, nil)
w := httptest.NewRecorder()
mux.ServeHTTP(w, req)
// Should not be 404 (route exists).
if w.Code == http.StatusNotFound {
t.Errorf("%s %s: route not found (404)", r.method, r.path)
}
})
}
}