molecule-cli/internal/cmd/http_test.go

package cmd

import (
	"net/http"
	"net/http/httptest"
	"testing"
)

// TestRunHTTP_SetsAuthHeader is the regression test for the auth bug: before
// the fix, runHTTP sent NO Authorization header and management calls 401'd a
// hardened tenant. It must now send `Authorization: Bearer $MOLECULE_API_KEY`
// and `X-Molecule-Org-Id: $MOLECULE_ORG_ID`.
func TestRunHTTP_SetsAuthHeader(t *testing.T) {
	t.Setenv("MOLECULE_API_KEY", "test-key-123")
	t.Setenv("MOLECULE_ORG_ID", "org_abc")

	var gotAuth, gotOrg, gotCT string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		gotAuth = r.Header.Get("Authorization")
		gotOrg = r.Header.Get("X-Molecule-Org-Id")
		gotCT = r.Header.Get("Content-Type")
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte(`{"ok":true}`))
	}))
	defer srv.Close()

	if _, err := runHTTP("POST", srv.URL+"/x", []byte(`{"a":1}`)); err != nil {
		t.Fatalf("runHTTP: %v", err)
	}
	if want := "Bearer test-key-123"; gotAuth != want {
		t.Errorf("Authorization header = %q, want %q", gotAuth, want)
	}
	if want := "org_abc"; gotOrg != want {
		t.Errorf("X-Molecule-Org-Id header = %q, want %q", gotOrg, want)
	}
	if want := "application/json"; gotCT != want {
		t.Errorf("Content-Type = %q, want %q", gotCT, want)
	}
}

// TestRunHTTP_NoOrgIDWhenUnset confirms the org header is omitted when
// MOLECULE_ORG_ID is unset (so single-tenant/dev hosts that don't gate on it
// keep working) — but the bearer is still set.
func TestRunHTTP_NoOrgIDWhenUnset(t *testing.T) {
	t.Setenv("MOLECULE_API_KEY", "k")
	t.Setenv("MOLECULE_ORG_ID", "")

	var hadOrg bool
	var gotAuth string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, hadOrg = r.Header["X-Molecule-Org-Id"]
		gotAuth = r.Header.Get("Authorization")
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	if _, err := runHTTP("GET", srv.URL+"/x", nil); err != nil {
		t.Fatalf("runHTTP: %v", err)
	}
	if hadOrg {
		t.Errorf("X-Molecule-Org-Id should be absent when MOLECULE_ORG_ID is unset")
	}
	if gotAuth != "Bearer k" {
		t.Errorf("Authorization = %q, want %q", gotAuth, "Bearer k")
	}
}

// TestRunHTTP_NoAuthHeaderWhenKeyUnset confirms no empty bearer is sent when
// MOLECULE_API_KEY is unset (preserves the dev/self-host fail-open path).
func TestRunHTTP_NoAuthHeaderWhenKeyUnset(t *testing.T) {
	t.Setenv("MOLECULE_API_KEY", "")
	t.Setenv("MOLECULE_ORG_ID", "")

	var hadAuth bool
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, hadAuth = r.Header["Authorization"]
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	if _, err := runHTTP("GET", srv.URL+"/x", nil); err != nil {
		t.Fatalf("runHTTP: %v", err)
	}
	if hadAuth {
		t.Errorf("Authorization header should be absent when MOLECULE_API_KEY is unset")
	}
}