@@ -251,6 +251,64 @@ func TestExtractToken(t *testing.T) {
251251 t .Fatalf ("expected user email %s, got %s" , tokenInfo .UserEmail , user .UserEmail )
252252 }
253253 })
254+
255+ t .Run ("revoked token should be treated like no token" , func (t * testing.T ) {
256+ storage := & memoryTokenStorage {
257+ storage : map [string ]auth.TokenInfo {},
258+ }
259+
260+ // Create a valid token first
261+ tokenInfo := auth.TokenInfo {
262+ UserID : 1 ,
263+ 264+ Machine : "test" ,
265+ Scopes : []string {"*" },
266+ }
267+
268+ token , err := storage .Create (context .Background (), tokenInfo )
269+ if err != nil {
270+ t .Fatalf ("expected no error, got %v" , err )
271+ }
272+
273+ // Verify token exists and works
274+ r := http.Request {
275+ Header : http.Header {"Authorization" : {"Bearer " + token }},
276+ }
277+ ctx , err := auth .ExtractToken (& r , storage )
278+ if err != nil {
279+ t .Fatalf ("expected no error for valid token, got %v" , err )
280+ }
281+
282+ user , ok := auth .GetUser (ctx )
283+ if ! ok {
284+ t .Fatalf ("expected user for valid token, got none" )
285+ }
286+ if user .UserID != tokenInfo .UserID {
287+ t .Fatalf ("expected user %d, got %d" , tokenInfo .UserID , user .UserID )
288+ }
289+
290+ // Now revoke/delete the token
291+ err = storage .Delete (context .Background (), token )
292+ if err != nil {
293+ t .Fatalf ("expected no error deleting token, got %v" , err )
294+ }
295+
296+ // Test that the revoked token is treated like no token
297+ ctx , err = auth .ExtractToken (& r , storage )
298+ if err != nil {
299+ t .Fatalf ("expected no error for revoked token, got %v" , err )
300+ }
301+
302+ // Should not have user context (same as no token)
303+ if ctx != r .Context () {
304+ t .Fatalf ("expected context to be the same as original, got different context" )
305+ }
306+
307+ _ , ok = auth .GetUser (ctx )
308+ if ok {
309+ t .Fatalf ("expected no user for revoked token, got one" )
310+ }
311+ })
254312}
255313
256314func TestMiddleware (t * testing.T ) {
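Review bot: The subtest pins two behaviours at once on lines 297–305 — `ExtractToken` returns a nil error for a revoked bearer token and hands back the untouched `r.Context()` — so a revoked credential silently degrades to an anonymous request rather than being rejected at the extraction layer, and nothing in the test records that this is the intended contract. A short comment above the second `ExtractToken` call would make a later change to return an error recognisable as deliberate, e.g. `// Contract: a revoked or unknown token is indistinguishable from no token; downstream handlers must still enforce authentication themselves.` The rendered page also appears to have collapsed gutter lines 263 and 264 into one (`263+ 264+ Machine : "test"`), so one field of the `auth.TokenInfo` literal is not visible here and the revoked-token case may carry fewer fields than the earlier subtests compare against; worth confirming in the raw diff. The enclosing `TestExtractToken` function starts before this hunk.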