(ns auto-ap.auth.security-test (:require [auto-ap.integration.util :refer [wrap-setup]] [auto-ap.routes.utils :as routes-utils] [auto-ap.session-version :as session-version] [auto-ap.ssr.auth :as ssr-auth] [buddy.sign.jwt :as jwt] [clj-time.core :as time] [clojure.test :refer [deftest is testing use-fixtures]] [config.core :refer [env]])) (use-fixtures :each wrap-setup) ;; ============================================================================ ;; Security Behaviors (10.1 - 10.2) ;; ============================================================================ (deftest test-tampered-jwt-rejected (testing "Behavior 10.1: It should reject tampered JWTs during impersonation" (let [tampered-jwt (jwt/sign {:user "Target" :user/role "user" :db/id 456 :exp (time/plus (time/now) (time/hours 1))} "wrong-secret" {:alg :hs512})] (with-redefs [com.brunobonacci.mulog.core/log* (fn [& _] nil)] (is (thrown? Exception (ssr-auth/impersonate {:query-params {"jwt" tampered-jwt}}))))))) (deftest test-nil-identity-treated-as-unauthenticated (testing "Behavior 10.2: It should treat sessions with nil identity as unauthenticated" (let [handler (routes-utils/wrap-secure (fn [req] {:status 200 :body "OK"}))] ;; Request with nil identity should redirect to login (let [response (handler {:identity nil :uri "/protected"})] (is (= 302 (:status response))) (is (re-find #"/login" (get-in response [:headers "Location"])))) ;; DISCREPANCY: Empty map is truthy, so buddy.auth/authenticated? treats it as authenticated. ;; Only nil identity is treated as unauthenticated. (let [response (handler {:identity {} :uri "/protected"})] (is (= 200 (:status response)) "Empty map identity is treated as authenticated")) ;; Request with identity containing role should proceed (let [response (handler {:identity {:user/role "user"} :uri "/protected"})] (is (= 200 (:status response)))))))