forked from molecule-ai/molecule-core
d438ff357a
The BE's tests (AdminTokenSet_*, FailOpen_*) validated the core AdminAuth contract on /admin/secrets. These table-driven additions pin the same contract on the three routes explicitly named in the #684 security report, each with three scenarios: workspace token rejected, correct ADMIN_TOKEN accepted, no bearer rejected. Routes covered: GET /admin/liveness GET /admin/github-installation-token GET /approvals/pending When ADMIN_TOKEN is set (tier 2), ValidateAnyToken is never called — the env-var comparison short-circuits before any DB lookup. The mock sets only HasAnyLiveTokenGlobal and nothing else; an extra DB expectation would itself be a test bug (calling it proves the middleware regressed to tier 3). All 18 TestAdminAuth_684* tests pass. Full go test ./... is green across all 15 platform packages. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| ratelimit_test.go | ||
| ratelimit.go | ||
| securityheaders_test.go | ||
| securityheaders.go | ||
| tenant_guard_test.go | ||
| tenant_guard.go | ||
| wsauth_middleware_test.go | ||
| wsauth_middleware.go | ||