authkit initial

2026-04-26 01:36:53 +00:00 · 2026-04-26 01:36:53 +00:00 · 134393fbca
commit 134393fbca
parent 5173b0a43d
43 changed files with 5188 additions and 1 deletions
--- a/tokens_test.go
+++ b/tokens_test.go
@ -0,0 +1,56 @@
+package authkit
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"strings"
+	"testing"
+)
+
+func TestMintSecretRoundtrip(t *testing.T) {
+	plaintext, hash, err := mintSecret(prefixSession, nil)
+	if err != nil {
+		t.Fatalf("mintSecret: %v", err)
+	}
+	if !strings.HasPrefix(plaintext, prefixSession+"_") {
+		t.Fatalf("missing prefix: %q", plaintext)
+	}
+	parsed, ok := parseSecret(prefixSession, plaintext)
+	if !ok {
+		t.Fatalf("parseSecret rejected our own mint")
+	}
+	if !bytes.Equal(hash, parsed) {
+		t.Fatalf("hash mismatch")
+	}
+	want := sha256.Sum256([]byte(plaintext))
+	if !bytes.Equal(hash, want[:]) {
+		t.Fatalf("hashSecret != sha256(plaintext)")
+	}
+}
+
+func TestParseSecretWrongPrefix(t *testing.T) {
+	plaintext, _, err := mintSecret(prefixSession, nil)
+	if err != nil {
+		t.Fatalf("mintSecret: %v", err)
+	}
+	if _, ok := parseSecret(prefixAPIKey, plaintext); ok {
+		t.Fatalf("parseSecret should reject mismatched prefix")
+	}
+	if _, ok := parseSecret(prefixSession, "sessXXXX"); ok {
+		t.Fatalf("parseSecret should require trailing underscore")
+	}
+}
+
+func TestMintSecretUniqueness(t *testing.T) {
+	seen := make(map[string]struct{}, 100)
+	for i := 0; i < 100; i++ {
+		p, _, err := mintSecret(prefixAPIKey, nil)
+		if err != nil {
+			t.Fatalf("mintSecret: %v", err)
+		}
+		if _, dup := seen[p]; dup {
+			t.Fatalf("duplicate mint: %s", p)
+		}
+		seen[p] = struct{}{}
+	}
+}