Tests: comprehensive bcrypt coverage and DRY helpers across suite

rameerez · rameerez · commit cd273e87ee3c · 2025-08-08T01:33:38.000+01:00
- Add model-level bcrypt tests: creation, hash validity/format, masked token
- Add authenticator tests for bcrypt path incl. known-prefix fallback
- Introduce with_hash_strategy helper to DRY config toggling in tests
- Keep sha256 behavior verified as default and explicit config

Motivation: ensure bcrypt configuration is fully exercised end-to-end (Digestor, ApiKey model, and Authenticator), aligned with README guidance. This strengthens production readiness when switching to bcrypt.
diff --git a/test/models/api_key_test.rb b/test/models/api_key_test.rb
@@ -52,13 +52,43 @@ def setup
       end
 
       test "creates with sha256 digest if configured" do
-        original_strategy = ApiKeys.configuration.hash_strategy
-        ApiKeys.configuration.hash_strategy = :sha256
-        api_key = ApiKeys::ApiKey.create!(owner: @user, name: "SHA256 Key")
-        assert_equal "sha256", api_key.digest_algorithm
-        assert ApiKeys::Services::Digestor.match?(token: api_key.instance_variable_get(:@token), stored_digest: api_key.token_digest, strategy: :sha256)
-      ensure
-        ApiKeys.configuration.hash_strategy = original_strategy
+        with_hash_strategy(:sha256) do
+          api_key = ApiKeys::ApiKey.create!(owner: @user, name: "SHA256 Key")
+          assert_equal "sha256", api_key.digest_algorithm
+          assert ApiKeys::Services::Digestor.match?(token: api_key.instance_variable_get(:@token), stored_digest: api_key.token_digest, strategy: :sha256)
+        end
+      end
+
+      # === Bcrypt strategy ===
+      test "creates with bcrypt digest if configured" do
+        with_hash_strategy(:bcrypt) do
+          api_key = ApiKeys::ApiKey.create!(owner: @user, name: "BCrypt Key")
+          assert_equal "bcrypt", api_key.digest_algorithm
+          assert BCrypt::Password.valid_hash?(api_key.token_digest)
+          assert BCrypt::Password.new(api_key.token_digest) == api_key.instance_variable_get(:@token)
+        end
+      end
+
+      test "bcrypt digest format and length look valid" do
+        with_hash_strategy(:bcrypt) do
+          api_key = ApiKeys::ApiKey.create!(owner: @user, name: "BCrypt Format Key")
+          digest = api_key.token_digest
+          # Typical bcrypt hashes look like: $2a$12$... or $2b$...
+          assert_match(/^\$2[aby]\$\d{2}\$/ , digest)
+          assert_operator digest.length, :>=, 55 # common bcrypt length ~60
+        end
+      end
+
+      test "masked_token and last4 correct under bcrypt" do
+        with_hash_strategy(:bcrypt) do
+          api_key = ApiKeys::ApiKey.create!(owner: @user, name: "BCrypt Masked")
+          token = api_key.instance_variable_get(:@token)
+          random_part = token.delete_prefix(api_key.prefix)
+          expected_last4 = random_part.last(4)
+
+          assert_equal expected_last4, api_key.last4
+          assert_equal "#{api_key.prefix}••••#{api_key.last4}", api_key.masked_token
+        end
       end
 
       test ".active scope works" do
diff --git a/test/services/authenticator_test.rb b/test/services/authenticator_test.rb
@@ -60,6 +60,45 @@ def mock_cache(read_map = {})
         assert_nil result.error_code
       end
 
+      test "authenticates successfully with bcrypt strategy" do
+        with_hash_strategy(:bcrypt) do
+          key = ApiKeys::ApiKey.create!(owner: @user, name: "BCrypt Auth Key")
+          token = key.token
+          key = ApiKeys::ApiKey.find(key.id)
+
+          request = mock_request(headers: { "Authorization" => "Bearer #{token}" })
+          mock_cache
+
+          result = ApiKeys::Services::Authenticator.call(request)
+          assert result.success?
+          assert_equal key, result.api_key
+        end
+      end
+
+      test "authenticates with bcrypt when configured prefix mismatch triggers known prefixes scan" do
+        with_hash_strategy(:bcrypt) do
+          original_prefix = ApiKeys.configuration.token_prefix
+          begin
+            ApiKeys.configuration.token_prefix = -> { "pfx1_" }
+            key = ApiKeys::ApiKey.create!(owner: @user, name: "BCrypt Prefix Key")
+            token = key.token
+            key = ApiKeys::ApiKey.find(key.id)
+
+            # Change configured prefix to force known-prefix path
+            ApiKeys.configuration.token_prefix = -> { "otherpfx_" }
+
+            request = mock_request(headers: { "Authorization" => "Bearer #{token}" })
+            mock_cache
+
+            result = ApiKeys::Services::Authenticator.call(request)
+            assert result.success?
+            assert_equal key, result.api_key
+          ensure
+            ApiKeys.configuration.token_prefix = original_prefix
+          end
+        end
+      end
+
       test "authenticates successfully with valid token in custom header" do
         ApiKeys.configure { |config| config.header = "X-Api-Key" }
         request = mock_request(headers: { "X-Api-Key" => @token })
diff --git a/test/test_helper.rb b/test/test_helper.rb
@@ -97,6 +97,16 @@ def teardown
     ApiKeys::ApiKey.delete_all
     User.delete_all
   end
+
+  # Temporarily set the configured hash strategy for the duration of the block
+  # Ensures the original strategy is restored afterwards
+  def with_hash_strategy(strategy)
+    original = ApiKeys.configuration.hash_strategy
+    ApiKeys.configuration.hash_strategy = strategy
+    yield
+  ensure
+    ApiKeys.configuration.hash_strategy = original
+  end
 end
 
 puts "Test helper setup complete."
