test: add comprehensive unit test suite (~85 new tests)

Add unit tests across all model and server infrastructure layers, increasing test count from 7 to 92. Covers serde round-trips, enum methods, defaults, config parsing, error mapping, PKCE crypto (with RFC 7636 test vector), OAuth store, and SearXNG ranking/dedup logic. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 18:43:27 +01:00
parent e244711644
commit 6890ed9b42
12 changed files with 1123 additions and 13 deletions
--- a/src/infrastructure/auth.rs
+++ b/src/infrastructure/auth.rs
@@ -24,9 +24,9 @@ pub const LOGGED_IN_USER_SESS_KEY: &str = "logged-in-user";
 /// post-login redirect URL and the PKCE code verifier needed for the
 /// token exchange.
 #[derive(Debug, Clone)]
-struct PendingOAuthEntry {
-    redirect_url: Option<String>,
-    code_verifier: String,
+pub(crate) struct PendingOAuthEntry {
+    pub(crate) redirect_url: Option<String>,
+    pub(crate) code_verifier: String,
 }

 /// In-memory store for pending OAuth states. Keyed by the random state
@@ -38,7 +38,7 @@ pub struct PendingOAuthStore(Arc<RwLock<HashMap<String, PendingOAuthEntry>>>);

 impl PendingOAuthStore {
    /// Insert a pending state with an optional redirect URL and PKCE verifier.
-    fn insert(&self, state: String, entry: PendingOAuthEntry) {
+    pub(crate) fn insert(&self, state: String, entry: PendingOAuthEntry) {
        // RwLock::write only panics if the lock is poisoned, which
        // indicates a prior panic -- propagating is acceptable here.
        #[allow(clippy::expect_used)]
@@ -50,7 +50,7 @@ impl PendingOAuthStore {

    /// Remove and return the entry if the state was pending.
    /// Returns `None` if the state was never stored (CSRF failure).
-    fn take(&self, state: &str) -> Option<PendingOAuthEntry> {
+    pub(crate) fn take(&self, state: &str) -> Option<PendingOAuthEntry> {
        #[allow(clippy::expect_used)]
        self.0
            .write()
@@ -60,7 +60,8 @@ impl PendingOAuthStore {
 }

 /// Generate a cryptographically random state string for CSRF protection.
-fn generate_state() -> String {
+#[cfg_attr(test, allow(dead_code))]
+pub(crate) fn generate_state() -> String {
    let bytes: [u8; 32] = rand::rng().random();
    // Encode as hex to produce a URL-safe string without padding.
    bytes.iter().fold(String::with_capacity(64), |mut acc, b| {
@@ -75,7 +76,7 @@ fn generate_state() -> String {
 ///
 /// Uses 32 random bytes encoded as base64url (no padding) to produce
 /// a 43-character verifier per RFC 7636.
-fn generate_code_verifier() -> String {
+pub(crate) fn generate_code_verifier() -> String {
    use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};

    let bytes: [u8; 32] = rand::rng().random();
@@ -85,7 +86,7 @@ fn generate_code_verifier() -> String {
 /// Derive the S256 code challenge from a code verifier per RFC 7636.
 ///
 /// `code_challenge = BASE64URL(SHA256(code_verifier))`
-fn derive_code_challenge(verifier: &str) -> String {
+pub(crate) fn derive_code_challenge(verifier: &str) -> String {
    use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
    use sha2::{Digest, Sha256};

@@ -304,3 +305,117 @@ pub async fn set_login_session(session: Session, data: UserStateInner) -> Result
        .await
        .map_err(|e| Error::StateError(format!("session insert failed: {e}")))
 }
+
+#[cfg(test)]
+mod tests {
+    #![allow(clippy::unwrap_used, clippy::expect_used)]
+
+    use super::*;
+    use pretty_assertions::assert_eq;
+
+    // -----------------------------------------------------------------------
+    // generate_state()
+    // -----------------------------------------------------------------------
+
+    #[test]
+    fn generate_state_length_is_64() {
+        let state = generate_state();
+        assert_eq!(state.len(), 64);
+    }
+
+    #[test]
+    fn generate_state_chars_are_hex() {
+        let state = generate_state();
+        assert!(state.chars().all(|c| c.is_ascii_hexdigit()));
+    }
+
+    #[test]
+    fn generate_state_two_calls_differ() {
+        let a = generate_state();
+        let b = generate_state();
+        assert_ne!(a, b);
+    }
+
+    // -----------------------------------------------------------------------
+    // generate_code_verifier()
+    // -----------------------------------------------------------------------
+
+    #[test]
+    fn code_verifier_length_is_43() {
+        let verifier = generate_code_verifier();
+        assert_eq!(verifier.len(), 43);
+    }
+
+    #[test]
+    fn code_verifier_chars_are_url_safe_base64() {
+        let verifier = generate_code_verifier();
+        // URL-safe base64 without padding uses [A-Za-z0-9_-]
+        assert!(verifier
+            .chars()
+            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_'));
+    }
+
+    // -----------------------------------------------------------------------
+    // derive_code_challenge()
+    // -----------------------------------------------------------------------
+
+    #[test]
+    fn code_challenge_deterministic() {
+        let verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
+        let a = derive_code_challenge(verifier);
+        let b = derive_code_challenge(verifier);
+        assert_eq!(a, b);
+    }
+
+    #[test]
+    fn code_challenge_rfc7636_test_vector() {
+        // RFC 7636 Appendix B test vector:
+        // verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
+        // expected challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
+        let verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
+        let challenge = derive_code_challenge(verifier);
+        assert_eq!(challenge, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM");
+    }
+
+    // -----------------------------------------------------------------------
+    // PendingOAuthStore
+    // -----------------------------------------------------------------------
+
+    #[test]
+    fn pending_store_insert_and_take() {
+        let store = PendingOAuthStore::default();
+        store.insert(
+            "state-1".into(),
+            PendingOAuthEntry {
+                redirect_url: Some("/dashboard".into()),
+                code_verifier: "verifier-1".into(),
+            },
+        );
+        let entry = store.take("state-1");
+        assert!(entry.is_some());
+        let entry = entry.unwrap();
+        assert_eq!(entry.redirect_url, Some("/dashboard".into()));
+        assert_eq!(entry.code_verifier, "verifier-1");
+    }
+
+    #[test]
+    fn pending_store_take_removes_entry() {
+        let store = PendingOAuthStore::default();
+        store.insert(
+            "state-2".into(),
+            PendingOAuthEntry {
+                redirect_url: None,
+                code_verifier: "v2".into(),
+            },
+        );
+        let _ = store.take("state-2");
+        // Second take should return None since the entry was removed.
+        assert!(store.take("state-2").is_none());
+    }
+
+    #[test]
+    fn pending_store_take_unknown_returns_none() {
+        let store = PendingOAuthStore::default();
+        assert!(store.take("nonexistent").is_none());
+    }
+}