@@ -2,6 +2,8 @@ package auth
22
33import (
44 "context"
5+ "net/http"
6+ "net/http/httptest"
57 "strings"
68 "testing"
79 "time"
@@ -196,6 +198,63 @@ func TestRequestEmailRegistrationRequiresTurnstileWhenEnabled(t *testing.T) {
196198 }
197199}
198200
201+ func TestVerifyRegistrationTurnstileSkipsWhenSiteKeyEmpty (t * testing.T ) {
202+ service := NewService (config.Config {}, nil , nil )
203+
204+ err := service .verifyRegistrationTurnstile (context .Background (), config.Config {
205+ TurnstileRegistrationEnabled : true ,
206+ TurnstileSecretKey : "secret-key" ,
207+ }, "" , "" )
208+ if err != nil {
209+ t .Fatalf ("expected empty site key to skip turnstile, got %v" , err )
210+ }
211+ }
212+
213+ func TestVerifyRegistrationTurnstileRequiresSecretWhenSiteKeyPresent (t * testing.T ) {
214+ service := NewService (config.Config {}, nil , nil )
215+
216+ err := service .verifyRegistrationTurnstile (context .Background (), config.Config {
217+ TurnstileRegistrationEnabled : true ,
218+ TurnstileSiteKey : "site-key" ,
219+ }, "token" , "" )
220+ if err == nil || err .Error () != "turnstile is not configured" {
221+ t .Fatalf ("expected missing secret error, got %v" , err )
222+ }
223+ }
224+
225+ func TestVerifyRegistrationTurnstileUsesConfiguredEndpoint (t * testing.T ) {
226+ var gotRemoteIP string
227+ server := httptest .NewServer (http .HandlerFunc (func (w http.ResponseWriter , r * http.Request ) {
228+ if r .Method != http .MethodPost {
229+ t .Fatalf ("expected POST, got %s" , r .Method )
230+ }
231+ if err := r .ParseForm (); err != nil {
232+ t .Fatalf ("parse turnstile form: %v" , err )
233+ }
234+ if r .Form .Get ("secret" ) != "secret-key" || r .Form .Get ("response" ) != "token" {
235+ t .Fatalf ("unexpected form: %#v" , r .Form )
236+ }
237+ gotRemoteIP = r .Form .Get ("remoteip" )
238+ w .Header ().Set ("Content-Type" , "application/json" )
239+ _ , _ = w .Write ([]byte (`{"success":true}` ))
240+ }))
241+ defer server .Close ()
242+
243+ service := NewService (config.Config {}, nil , nil )
244+ err := service .verifyRegistrationTurnstile (context .Background (), config.Config {
245+ TurnstileRegistrationEnabled : true ,
246+ TurnstileSiteKey : "site-key" ,
247+ TurnstileSecretKey : "secret-key" ,
248+ TurnstileSiteverifyURL : server .URL ,
249+ }, "token" , "203.0.113.7" )
250+ if err != nil {
251+ t .Fatalf ("expected configured endpoint verification to pass, got %v" , err )
252+ }
253+ if gotRemoteIP != "203.0.113.7" {
254+ t .Fatalf ("expected remote ip to be forwarded, got %q" , gotRemoteIP )
255+ }
256+ }
257+
199258func TestRegisterWithEmailRequiresTurnstileWhenEmailVerificationDisabled (t * testing.T ) {
200259 service := NewService (config.Config {
201260 EmailLoginEnabled : true ,
@@ -212,6 +271,22 @@ func TestRegisterWithEmailRequiresTurnstileWhenEmailVerificationDisabled(t *test
212271 }
213272}
214273
274+ func TestRegisterWithEmailDoesNotRequireTurnstileWhenEmailVerificationEnabled (t * testing.T ) {
275+ service := NewService (config.Config {
276+ EmailLoginEnabled : true ,
277+ EmailRegistrationEnabled : true ,
278+ EmailVerificationEnabled : true ,
279+ TurnstileRegistrationEnabled : true ,
280+ TurnstileSiteKey : "site-key" ,
281+ TurnstileSecretKey : "secret-key" ,
282+ }, & emailRegistrationRepo {}, nil )
283+
284+ _ , err := service .RegisterWithEmail (context .Background (), "user@example.com" , "securepass1" , "" , "" , "127.0.0.1" , "" , requestmeta.SessionAuditContext {})
285+ if err == nil || err .Error () != "verification code is invalid or expired" {
286+ t .Fatalf ("expected verification code error instead of turnstile error, got %v" , err )
287+ }
288+ }
289+
215290func TestResolveSecurityVerificationMethod (t * testing.T ) {
216291 now := time .Now ()
217292 cases := []struct {
0 commit comments