package config import ( "strings" "testing" ) func TestValidate_DevRequiresDevToken(t *testing.T) { c := &Config{AuthMode: "dev", DevToken: ""} err := c.validate() if err == nil { t.Fatal("dev mode without DevToken must reject; got nil error") } if !strings.Contains(err.Error(), "CDROP_DEV_TOKEN") { t.Errorf("error must mention CDROP_DEV_TOKEN; got %q", err.Error()) } } func TestValidate_DevWithDevTokenOK(t *testing.T) { c := &Config{AuthMode: "dev", DevToken: "x"} if err := c.validate(); err != nil { t.Fatalf("dev with token should pass; got %v", err) } } func TestValidate_ProdOK(t *testing.T) { c := &Config{AuthMode: "prod", OIDCAudience: "cdrop-web,cdrop-desktop"} if err := c.validate(); err != nil { t.Fatalf("prod mode with audience should pass; got %v", err) } } func TestValidate_ProdRequiresAudience(t *testing.T) { // R6: prod with an empty audience leaves RS256 audience checking off, so a // token minted for any sibling app sharing the JWKS would validate. Refuse. c := &Config{AuthMode: "prod", OIDCAudience: ""} err := c.validate() if err == nil { t.Fatal("prod without CDROP_OIDC_AUDIENCE must reject; got nil error") } if !strings.Contains(err.Error(), "CDROP_OIDC_AUDIENCE") { t.Errorf("error must mention CDROP_OIDC_AUDIENCE; got %q", err.Error()) } } func TestValidate_UnknownMode(t *testing.T) { c := &Config{AuthMode: "rogue"} err := c.validate() if err == nil { t.Fatal("unknown auth mode must reject") } } func TestLoad_EnvOverridesDefaults(t *testing.T) { t.Setenv("CDROP_AUTH_MODE", "dev") t.Setenv("CDROP_DEV_TOKEN", "abc") t.Setenv("CDROP_LISTEN", ":9090") t.Setenv("CDROP_DB_PATH", "/tmp/x.db") cfg, err := Load() if err != nil { t.Fatalf("load: %v", err) } if cfg.AuthMode != "dev" { t.Errorf("AuthMode: got %q, want %q", cfg.AuthMode, "dev") } if cfg.DevToken != "abc" { t.Errorf("DevToken: got %q, want %q", cfg.DevToken, "abc") } if cfg.Listen != ":9090" { t.Errorf("Listen: got %q, want %q", cfg.Listen, ":9090") } if cfg.DBPath != "/tmp/x.db" { t.Errorf("DBPath: got %q, want %q", cfg.DBPath, "/tmp/x.db") } }