nethesis
diff --git a/‎service/authclient.go‎
Lines changed: 107 additions & 50 deletions b/‎service/authclient.go‎
Lines changed: 107 additions & 50 deletions
diff --git a/‎service/authclient_test.go‎
Lines changed: 125 additions & 10 deletions b/‎service/authclient_test.go‎
Lines changed: 125 additions & 10 deletions
@@ -24,9 +24,9 @@ type AuthResponse struct {
 }
 
 // AuthClient abstracts the external authentication call so it can be mocked in tests.
-// Validate now returns a MappingRequest built from the auth response.
+// Validate returns all MappingRequests built from the auth response array.
 type AuthClient interface {
-	Validate(ctx context.Context, extension, secret, homeserverHost string) (*models.MappingRequest, int, error)
+	Validate(ctx context.Context, extension, secret, homeserverHost string) ([]*models.MappingRequest, bool, error)
 }
 
 // HTTPAuthClient is the default AuthClient implementation that calls the external HTTP endpoint.
@@ -51,15 +51,13 @@ func NewHTTPAuthClient(url string, timeout time.Duration, cacheTTL time.Duration
 }
 
 type cachedAuth struct {
-	mapping *models.MappingRequest
-	expiry  time.Time
-	status  int
+	expiry time.Time
 }
 
 // Validate calls the configured external auth endpoint and converts its result
-// into a models.MappingRequest. homeserverHost is used to build full Matrix IDs
-// when the returned user_name is a localpart.
-func (h *HTTPAuthClient) Validate(ctx context.Context, extension, secret, homeserverHost string) (*models.MappingRequest, int, error) {
+// into an array of models.MappingRequest. It caches authentication success/failure.
+// homeserverHost is used to build full Matrix IDs when the returned user_name is a localpart.
+func (h *HTTPAuthClient) Validate(ctx context.Context, extension, secret, homeserverHost string) ([]*models.MappingRequest, bool, error) {
 	// check cache
 	key := extension + "|" + secret + "|" + homeserverHost
 	logger.Debug().Str("key", key).Msg("authclient: validate called")
@@ -69,7 +67,8 @@ func (h *HTTPAuthClient) Validate(ctx context.Context, extension, secret, homese
 			if time.Now().Before(c.expiry) {
 				h.mu.RUnlock()
 				logger.Debug().Str("key", key).Time("expiry", c.expiry).Msg("authclient: cache hit")
-				return c.mapping, c.status, nil
+				// Return empty array on cache hit for authenticated requests
+				return []*models.MappingRequest{}, true, nil
 			}
 		}
 		h.mu.RUnlock()
@@ -80,80 +79,138 @@ func (h *HTTPAuthClient) Validate(ctx context.Context, extension, secret, homese
 	body, _ := json.Marshal(payload)
 	req, err := http.NewRequestWithContext(ctx, "POST", h.url, bytes.NewReader(body))
 	if err != nil {
-		return nil, 0, err
+		return []*models.MappingRequest{}, false, err
 	}
 	req.Header.Set("Content-Type", "application/json")
 
 	logger.Debug().Str("url", h.url).Str("extension", extension).Msg("authclient: sending auth request")
 
 	resp, err := h.client.Do(req)
 	if err != nil {
-		return nil, 0, err
+		return []*models.MappingRequest{}, false, err
 	}
 	defer resp.Body.Close()
 
 	logger.Debug().Int("status", resp.StatusCode).Msg("authclient: received response")
 	if resp.StatusCode != http.StatusOK {
 		b, _ := io.ReadAll(resp.Body)
 		logger.Debug().Int("status", resp.StatusCode).Bytes("body", b).Msg("authclient: non-200 response")
-		return nil, resp.StatusCode, fmt.Errorf("status %d: %s", resp.StatusCode, string(b))
+		return []*models.MappingRequest{}, false, fmt.Errorf("status %d: %s", resp.StatusCode, string(b))
 	}
 
-	var ar AuthResponse
-	if err := json.NewDecoder(resp.Body).Decode(&ar); err != nil {
+	var responses []AuthResponse
+	if err := json.NewDecoder(resp.Body).Decode(&responses); err != nil {
 		logger.Debug().Err(err).Msg("authclient: failed to decode response")
-		return nil, resp.StatusCode, err
+		return []*models.MappingRequest{}, false, err
 	}
 
-	logger.Debug().Str("main_extension", ar.MainExtension).Strs("sub_extensions", ar.SubExtensions).Str("user_name", ar.UserName).Msg("authclient: parsed auth response")
+	logger.Debug().Int("response_count", len(responses)).Msg("authclient: parsed auth response array")
 
-	// Parse main_extension
+	// Find the matching response based on main_extension matching the extension parameter
+	var ar *AuthResponse
+	for i := range responses {
+		if strings.TrimSpace(responses[i].MainExtension) == extension {
+			ar = &responses[i]
+			break
+		}
+	}
+
+	if ar == nil {
+		logger.Debug().Str("extension", extension).Msg("authclient: no matching extension in response array")
+		return []*models.MappingRequest{}, false, fmt.Errorf("extension %s not found in auth response", extension)
+	}
+
+	logger.Debug().Str("main_extension", ar.MainExtension).Strs("sub_extensions", ar.SubExtensions).Str("user_name", ar.UserName).Msg("authclient: found matching auth response")
+
+	// Validate that the matched extension can be parsed as a number
 	mainExt := strings.TrimSpace(ar.MainExtension)
 	if mainExt == "" {
-		return nil, resp.StatusCode, fmt.Errorf("external auth response missing main_extension")
+		logger.Warn().Msg("authclient: matched extension is empty")
+		return []*models.MappingRequest{}, false, fmt.Errorf("matched extension is empty")
 	}
-	mainNum, err := strconv.Atoi(mainExt)
-	if err != nil {
-		return nil, resp.StatusCode, fmt.Errorf("invalid main_extension from auth: %w", err)
+	if _, err := strconv.Atoi(mainExt); err != nil {
+		logger.Warn().Str("main_extension", mainExt).Err(err).Msg("authclient: matched extension cannot be parsed as integer")
+		return []*models.MappingRequest{}, false, fmt.Errorf("matched extension %s is not a valid number: %w", mainExt, err)
+	}
+
+	// Cache successful authentication (without mapping data)
+	if h.cacheTTL > 0 {
+		h.mu.Lock()
+		h.cache[key] = cachedAuth{expiry: time.Now().Add(h.cacheTTL)}
+		h.mu.Unlock()
+		logger.Debug().Str("key", key).Time("expiry", time.Now().Add(h.cacheTTL)).Msg("authclient: cached successful authentication")
 	}
 
-	// Parse sub extensions
-	subNums := make([]int, 0, len(ar.SubExtensions))
-	for _, ssub := range ar.SubExtensions {
-		ssub = strings.TrimSpace(ssub)
-		if ssub == "" {
+	// Convert all responses to MappingRequest array
+	mappings := make([]*models.MappingRequest, 0, len(responses))
+	var matchedUserMapping *models.MappingRequest
+
+	for i := range responses {
+		authResp := &responses[i]
+
+		// Parse main_extension
+		mainExt := strings.TrimSpace(authResp.MainExtension)
+		if mainExt == "" {
+			logger.Warn().Msg("authclient: skipping response with missing main_extension")
 			continue
 		}
-		if v, err := strconv.Atoi(ssub); err == nil {
-			subNums = append(subNums, v)
+		mainNum, err := strconv.Atoi(mainExt)
+		if err != nil {
+			logger.Warn().Str("main_extension", mainExt).Err(err).Msg("authclient: invalid main_extension, skipping")
+			continue
 		}
-	}
 
-	// Build matrix id
-	matrixID := strings.TrimSpace(ar.UserName)
-	if matrixID == "" {
-		matrixID = extension
-	}
-	if !strings.HasPrefix(matrixID, "@") {
-		if homeserverHost == "" {
-			return nil, resp.StatusCode, fmt.Errorf("cannot build matrix id: homeserver host not configured")
+		// Parse sub extensions
+		subNums := make([]int, 0, len(authResp.SubExtensions))
+		for _, ssub := range authResp.SubExtensions {
+			ssub = strings.TrimSpace(ssub)
+			if ssub == "" {
+				continue
+			}
+			if v, err := strconv.Atoi(ssub); err == nil {
+				subNums = append(subNums, v)
+			}
+		}
+
+		// Build matrix id
+		matrixID := strings.TrimSpace(authResp.UserName)
+		if matrixID == "" {
+			matrixID = extension
+		}
+		if !strings.HasPrefix(matrixID, "@") {
+			if homeserverHost == "" {
+				// If this is the matched user, we need homeserver host to build their Matrix ID
+				if authResp == ar {
+					logger.Warn().Str("user_name", authResp.UserName).Msg("authclient: cannot build matrix id for authenticated user without homeserver host")
+					return []*models.MappingRequest{}, false, fmt.Errorf("cannot build matrix id for authenticated user: homeserver host not configured")
+				}
+				logger.Warn().Str("user_name", authResp.UserName).Msg("authclient: cannot build matrix id without homeserver host, skipping")
+				continue
+			}
+			local := strings.ToLower(strings.TrimSpace(matrixID))
+			matrixID = fmt.Sprintf("@%s:%s", local, homeserverHost)
 		}
-		local := strings.ToLower(strings.TrimSpace(matrixID))
-		matrixID = fmt.Sprintf("@%s:%s", local, homeserverHost)
-	}
 
-	mapping := &models.MappingRequest{
-		Number:     mainNum,
-		MatrixID:   matrixID,
-		SubNumbers: subNums,
+		mapping := &models.MappingRequest{
+			Number:     mainNum,
+			MatrixID:   matrixID,
+			SubNumbers: subNums,
+		}
+		mappings = append(mappings, mapping)
+
+		// Track the authenticated user's mapping
+		if authResp == ar {
+			matchedUserMapping = mapping
+		}
+
+		logger.Debug().Int("number", mainNum).Str("matrix_id", matrixID).Ints("sub_numbers", subNums).Msg("authclient: added mapping to response")
 	}
 
-	if h.cacheTTL > 0 {
-		h.mu.Lock()
-		h.cache[key] = cachedAuth{mapping: mapping, expiry: time.Now().Add(h.cacheTTL), status: resp.StatusCode}
-		h.mu.Unlock()
-		logger.Debug().Str("key", key).Time("expiry", time.Now().Add(h.cacheTTL)).Msg("authclient: stored mapping in cache")
+	// Ensure the authenticated user's mapping was successfully created
+	if matchedUserMapping == nil {
+		logger.Warn().Msg("authclient: authenticated user's mapping was not created")
+		return []*models.MappingRequest{}, false, fmt.Errorf("failed to create mapping for authenticated user")
 	}
 
-	return mapping, resp.StatusCode, nil
+	return mappings, true, nil
 }
@@ -7,6 +7,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/nethesis/matrix2acrobits/models"
 	"github.com/stretchr/testify/require"
 )
 
@@ -18,37 +19,151 @@ func TestHTTPAuthClient_Non200Response(t *testing.T) {
 	defer ts.Close()
 
 	c := NewHTTPAuthClient(ts.URL, 2*time.Second, 0)
-	_, status, err := c.Validate(context.TODO(), "123", "secret", "example.com")
+	_, ok, err := c.Validate(context.TODO(), "123", "secret", "example.com")
 	require.Error(t, err)
-	require.Equal(t, http.StatusInternalServerError, status)
+	require.False(t, ok)
 }
 
 func TestHTTPAuthClient_InvalidMainExtension(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte(`{"main_extension":"not-a-number","sub_extensions":[],"user_name":"alice"}`))
+		// Return an array with one valid and one invalid entry
+		_, _ = w.Write([]byte(`[
+			{"main_extension":"201","sub_extensions":[],"user_name":"giacomo"},
+			{"main_extension":"not-a-number","sub_extensions":[],"user_name":"alice"}
+		]`))
 	}))
 	defer ts.Close()
 
 	c := NewHTTPAuthClient(ts.URL, 2*time.Second, 0)
-	mapping, status, err := c.Validate(context.TODO(), "123", "secret", "example.com")
+	// Request the invalid extension - should not find it in the array
+	mappings, ok, err := c.Validate(context.TODO(), "not-a-number", "secret", "example.com")
 	require.Error(t, err)
-	require.Nil(t, mapping)
-	require.Equal(t, http.StatusOK, status)
+	require.False(t, ok)
+	require.Empty(t, mappings)
 }
 
 func TestHTTPAuthClient_MissingHomeserverHost(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte(`{"main_extension":"1","sub_extensions":[],"user_name":"alice"}`))
+		// The server returns entries with localpart user_name (no @domain)
+		// When we have no homeserverHost, we should skip these
+		_, _ = w.Write([]byte(`[{"main_extension":"1","sub_extensions":[],"user_name":"alice"}]`))
 	}))
 	defer ts.Close()
 
 	c := NewHTTPAuthClient(ts.URL, 2*time.Second, 0)
-	mapping, status, err := c.Validate(context.TODO(), "123", "secret", "")
+	// Request extension 1 with no homeserver host configured
+	// This should result in the entry being skipped, returning empty array and an error
+	mappings, ok, err := c.Validate(context.TODO(), "1", "secret", "")
 	require.Error(t, err)
-	require.Nil(t, mapping)
-	require.Equal(t, http.StatusOK, status)
+	require.False(t, ok)
+	require.Empty(t, mappings)
+}
+
+func TestHTTPAuthClient_MatchingExtensionFromArray(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`[
+			{"main_extension":"201","sub_extensions":["91201","92201"],"user_name":"giacomo"},
+			{"main_extension":"202","sub_extensions":["91202"],"user_name":"mario"}
+		]`))
+	}))
+	defer ts.Close()
+
+	c := NewHTTPAuthClient(ts.URL, 2*time.Second, 0)
+	mappings, ok, err := c.Validate(context.TODO(), "202", "secret", "example.com")
+	require.NoError(t, err)
+	require.True(t, ok)
+	require.Len(t, mappings, 2)
+
+	// Find the mario entry (202)
+	var marioMapping *models.MappingRequest
+	for _, m := range mappings {
+		if m.Number == 202 {
+			marioMapping = m
+			break
+		}
+	}
+	require.NotNil(t, marioMapping)
+	require.Equal(t, 202, marioMapping.Number)
+	require.Equal(t, "@mario:example.com", marioMapping.MatrixID)
+	require.Equal(t, []int{91202}, marioMapping.SubNumbers)
+}
+
+func TestHTTPAuthClient_ExtensionNotFound(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`[
+			{"main_extension":"201","sub_extensions":["91201","92201"],"user_name":"giacomo"},
+			{"main_extension":"202","sub_extensions":["91202"],"user_name":"mario"}
+		]`))
+	}))
+	defer ts.Close()
+
+	c := NewHTTPAuthClient(ts.URL, 2*time.Second, 0)
+	mappings, ok, err := c.Validate(context.TODO(), "999", "secret", "example.com")
+	require.Error(t, err)
+	require.False(t, ok)
+	require.Empty(t, mappings)
+}
+
+func TestHTTPAuthClient_CacheHitReturnsEmptyMappings(t *testing.T) {
+	callCount := 0
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		callCount++
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`[
+			{"main_extension":"201","sub_extensions":["91201"],"user_name":"giacomo"},
+			{"main_extension":"202","sub_extensions":["91202"],"user_name":"mario"}
+		]`))
+	}))
+	defer ts.Close()
+
+	c := NewHTTPAuthClient(ts.URL, 2*time.Second, 100*time.Millisecond)
+
+	// First call should make request and return all mappings
+	mappings1, ok1, err1 := c.Validate(context.TODO(), "202", "secret", "example.com")
+	require.NoError(t, err1)
+	require.True(t, ok1)
+	require.Len(t, mappings1, 2)
+	require.Equal(t, 1, callCount)
+
+	// Second call should use cache and return empty mappings
+	mappings2, ok2, err2 := c.Validate(context.TODO(), "202", "secret", "example.com")
+	require.NoError(t, err2)
+	require.True(t, ok2)
+	require.Len(t, mappings2, 0)   // Cache returns empty array
+	require.Equal(t, 1, callCount) // No additional call
+}
+
+func TestHTTPAuthClient_CacheFailedAuth(t *testing.T) {
+	callCount := 0
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		callCount++
+		w.WriteHeader(http.StatusUnauthorized)
+		_, _ = w.Write([]byte("unauthorized"))
+	}))
+	defer ts.Close()
+
+	c := NewHTTPAuthClient(ts.URL, 2*time.Second, 100*time.Millisecond)
+
+	// First call should make request and fail
+	mappings1, ok1, err1 := c.Validate(context.TODO(), "999", "wrongsecret", "example.com")
+	require.Error(t, err1)
+	require.False(t, ok1)
+	require.Empty(t, mappings1)
+	require.Equal(t, 1, callCount)
+
+	// Second call should NOT use cache (failed auth not cached) and make new request
+	mappings2, ok2, err2 := c.Validate(context.TODO(), "999", "wrongsecret", "example.com")
+	require.Error(t, err2)
+	require.False(t, ok2)
+	require.Empty(t, mappings2)
+	require.Equal(t, 2, callCount) // Additional call made
 }