From a053f67ddfcc415bde2b10d9f166bf95f289f34a Mon Sep 17 00:00:00 2001 From: Molecule AI Core Platform Lead Date: Fri, 24 Apr 2026 13:01:42 +0000 Subject: [PATCH] test(middleware): add last_used_at ExpectExec for WorkspaceAuth org-token tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit orgtoken.Validate() runs a synchronous UPDATE org_api_tokens SET last_used_at after every successful auth scan. Tests were missing the sqlmock ExpectExec for this call — the code discards the error (_, _ = ExecContext) so CI passed, but ExpectationsWereMet() could not detect a regression where the UPDATE was accidentally removed. Adds strict mock expectations for all four WorkspaceAuth+org-token test cases: SetsOrgIDContext, OrgIDNULL_DoesNotSetContext, DBRowScanError_DoesNotPanic, and SetsAllContextKeys. Fixes: GH#1774 Co-Authored-By: Claude Sonnet 4.6 --- .../wsauth_middleware_org_id_test.go | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/workspace-server/internal/middleware/wsauth_middleware_org_id_test.go b/workspace-server/internal/middleware/wsauth_middleware_org_id_test.go index c492444b..5bfd72e1 100644 --- a/workspace-server/internal/middleware/wsauth_middleware_org_id_test.go +++ b/workspace-server/internal/middleware/wsauth_middleware_org_id_test.go @@ -36,6 +36,11 @@ func TestWorkspaceAuth_ValidOrgToken_SetsOrgIDContext(t *testing.T) { WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}). AddRow("tok-org-abc", "tok_test", "00000000-0000-0000-0000-000000000001")) + // Best-effort last_used_at update after Validate succeeds. + mock.ExpectExec("UPDATE org_api_tokens SET last_used_at"). + WithArgs("tok-org-abc"). + WillReturnResult(sqlmock.NewResult(0, 1)) + r := gin.New() r.GET("/workspaces/:id/secrets", WorkspaceAuth(mockDB), func(c *gin.Context) { v, exists := c.Get("org_id") @@ -84,6 +89,11 @@ func TestWorkspaceAuth_ValidOrgToken_OrgIDNULL_DoesNotSetContext(t *testing.T) { WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}). AddRow("tok-old-xyz", "tok_old_", nil)) + // Best-effort last_used_at update after Validate succeeds (even for NULL org_id). + mock.ExpectExec("UPDATE org_api_tokens SET last_used_at"). + WithArgs("tok-old-xyz"). + WillReturnResult(sqlmock.NewResult(0, 1)) + r := gin.New() r.GET("/workspaces/:id/secrets", WorkspaceAuth(mockDB), func(c *gin.Context) { _, exists := c.Get("org_id") @@ -216,6 +226,11 @@ func TestWorkspaceAuth_OrgToken_DBRowScanError_DoesNotPanic(t *testing.T) { WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}). AddRow("tok-ok", "tok_tok_", "00000000-0000-0000-0000-000000000099")) + // Best-effort last_used_at update after Validate succeeds. + mock.ExpectExec("UPDATE org_api_tokens SET last_used_at"). + WithArgs("tok-ok"). + WillReturnResult(sqlmock.NewResult(0, 1)) + r := gin.New() r.GET("/workspaces/:id/secrets", WorkspaceAuth(mockDB), func(c *gin.Context) { // org_id key may or may not be set — either is acceptable here. @@ -255,6 +270,11 @@ func TestWorkspaceAuth_OrgToken_SetsAllContextKeys(t *testing.T) { WillReturnRows(sqlmock.NewRows([]string{"id", "prefix", "org_id"}). AddRow("tok-full", "tok_fu_", expectedOrgID)) + // Best-effort last_used_at update after Validate succeeds. + mock.ExpectExec("UPDATE org_api_tokens SET last_used_at"). + WithArgs("tok-full"). + WillReturnResult(sqlmock.NewResult(0, 1)) + r := gin.New() r.GET("/workspaces/:id/secrets", WorkspaceAuth(mockDB), func(c *gin.Context) { id, ok := c.Get("org_token_id")