d3c06f5564
- start.sh: Add options 8 (Seed LITE - skip cities) and 9 (Run All Tests) - seeder: Add seed:lite, seed:fast scripts and --skip-locations flag - seeder: Remove superadmin creation (now via backend migration) - backend: Update 010_seed_super_admin.sql with hardcoded hash (Admin@2025! + pepper) - backend: Expand jwt_service_test.go with 5 new tests (+10% coverage) - frontend: Fix api.test.ts URL duplication bug, add error handling tests - seeder: Add SQL data files to .gitignore
85 lines
2.4 KiB
Go
85 lines
2.4 KiB
Go
package tests
|
|
|
|
import (
|
|
"database/sql"
|
|
"fmt"
|
|
"testing"
|
|
|
|
_ "github.com/lib/pq"
|
|
"golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
func TestVerifyLogin(t *testing.T) {
|
|
// 1. Config
|
|
dbURL := "postgres://yuki:xl1zfmr6e9bb@db-60059.dc-sp-1.absamcloud.com:26868/gohorsejobs_dev?sslmode=require"
|
|
pepper := "gohorse-pepper" // Using the simple pepper user agreed to
|
|
// Alternative: try the old one if needed, but let's stick to the latest instruction.
|
|
// If the user hasn't updated the seeder to 'gohorse-pepper' yet, this might fail unless I check what they actually used.
|
|
// The user claimed "variables are equal".
|
|
password := "Admin@2025!"
|
|
|
|
// 2. Connect DB
|
|
db, err := sql.Open("postgres", dbURL)
|
|
if err != nil {
|
|
t.Fatalf("Failed to connect: %v", err)
|
|
}
|
|
defer db.Close()
|
|
|
|
if err := db.Ping(); err != nil {
|
|
t.Fatalf("Failed to ping: %v", err)
|
|
}
|
|
|
|
// 3. Fetch User
|
|
var hash string
|
|
err = db.QueryRow("SELECT password_hash FROM users WHERE identifier = 'superadmin'").Scan(&hash)
|
|
if err != nil {
|
|
t.Fatalf("Failed to find user: %v", err)
|
|
}
|
|
|
|
fmt.Printf("found hash in DB: %s\n", hash)
|
|
|
|
// 4. Verify
|
|
passWithPepper := password + pepper
|
|
err = bcrypt.CompareHashAndPassword([]byte(hash), []byte(passWithPepper))
|
|
if err != nil {
|
|
t.Errorf("FAILED to verify with pepper '%s': %v", pepper, err)
|
|
|
|
// Try with the "old" random string pepper just in case
|
|
oldPepper := "some-random-string-for-password-hashing"
|
|
passWithOld := password + oldPepper
|
|
err2 := bcrypt.CompareHashAndPassword([]byte(hash), []byte(passWithOld))
|
|
if err2 == nil {
|
|
t.Logf("SUCCESS with OLD pepper: '%s'", oldPepper)
|
|
} else {
|
|
t.Logf("Failed with old pepper as well.")
|
|
}
|
|
|
|
} else {
|
|
t.Logf("SUCCESS! Password verifies with pepper '%s'", pepper)
|
|
}
|
|
}
|
|
|
|
func TestVerifyLoginNoPepper(t *testing.T) {
|
|
dbURL := "postgres://yuki:xl1zfmr6e9bb@db-60059.dc-sp-1.absamcloud.com:26868/gohorsejobs_dev?sslmode=require"
|
|
password := "Admin@2025!"
|
|
|
|
db, err := sql.Open("postgres", dbURL)
|
|
if err != nil {
|
|
t.Fatalf("Failed to connect: %v", err)
|
|
}
|
|
defer db.Close()
|
|
|
|
var hash string
|
|
err = db.QueryRow("SELECT password_hash FROM users WHERE identifier = 'superadmin'").Scan(&hash)
|
|
if err != nil {
|
|
t.Fatalf("Failed to find user: %v", err)
|
|
}
|
|
|
|
// Try WITHOUT pepper
|
|
err = bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
|
|
if err == nil {
|
|
t.Log("✅ MATCH: Hash was created WITHOUT pepper")
|
|
} else {
|
|
t.Errorf("❌ No match without pepper either: %v", err)
|
|
}
|
|
}
|