Refactor password reset flow

2026-01-27 11:16:44 +09:00
parent 739da39a61
commit 72a36701da
9 changed files with 606 additions and 149 deletions
--- a/backend/internal/handler/auth_handler_test.go
+++ b/backend/internal/handler/auth_handler_test.go
@@ -0,0 +1,108 @@
+package handler
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+// helper to build a Fiber app with the handler route mounted.
+func newTestApp(h *AuthHandler) *fiber.App {
+	app := fiber.New()
+	app.Post("/api/v1/auth/password/reset/complete", h.CompletePasswordReset)
+	return app
+}
+
+func TestCompletePasswordReset_MissingLoginID(t *testing.T) {
+	h := &AuthHandler{}
+	app := newTestApp(h)
+
+	body, _ := json.Marshal(map[string]string{
+		"newPassword": "Password1!",
+	})
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/password/reset/complete", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusBadRequest {
+		t.Fatalf("expected 400 for missing loginId, got %d", resp.StatusCode)
+	}
+
+	var got map[string]string
+	if err := json.NewDecoder(resp.Body).Decode(&got); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if got["error"] != "Login ID and new password are required" {
+		t.Fatalf("unexpected error message: %v", got["error"])
+	}
+}
+
+func TestCompletePasswordReset_InvalidPasswordPolicy(t *testing.T) {
+	h := &AuthHandler{}
+	app := newTestApp(h)
+
+	body, _ := json.Marshal(map[string]string{
+		"newPassword": "short", // too short + missing complexity
+	})
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/password/reset/complete?loginId=user@example.com", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusBadRequest {
+		t.Fatalf("expected 400 for weak password, got %d", resp.StatusCode)
+	}
+
+	var got map[string]string
+	if err := json.NewDecoder(resp.Body).Decode(&got); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if got["error"] != "Password must be at least 8 characters long" {
+		t.Fatalf("unexpected error message: %v", got["error"])
+	}
+}
+
+func TestCompletePasswordReset_NilDescopeClient(t *testing.T) {
+	h := &AuthHandler{} // DescopeClient intentionally nil to hit the configuration error branch
+	app := newTestApp(h)
+
+	body, _ := json.Marshal(map[string]string{
+		"newPassword": "StrongPass1!",
+	})
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/password/reset/complete?loginId=user@example.com", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusInternalServerError {
+		t.Fatalf("expected 500 when Descope client is nil, got %d", resp.StatusCode)
+	}
+
+	var got map[string]string
+	if err := json.NewDecoder(resp.Body).Decode(&got); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if got["error"] != "Authentication service not configured" {
+		t.Fatalf("unexpected error message: %v", got["error"])
+	}
+}