From 3139543f5250f27f45b49c521d3171cf25247640 Mon Sep 17 00:00:00 2001
From: Tobias Bieniek
Date: Fri, 13 Jun 2025 13:40:33 +0200
Subject: [PATCH 1/2] tests/authentication: Use API endpoint in `token_auth_cannot_find_token()` that actually supports token auth

`GET /api/v1/me/updates` only supports cookie authentication, so this test was a bit misleading before
---
 src/tests/authentication.rs | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/tests/authentication.rs b/src/tests/authentication.rs
index 91b8774af09..ed564ee9c64 100644
--- a/src/tests/authentication.rs
+++ b/src/tests/authentication.rs
@@ -1,6 +1,7 @@
 use crate::tests::TestApp;
-use crate::tests::util::{MockRequestExt, RequestHelper, Response};
+use crate::tests::util::{MockRequestExt, MockTokenUser, RequestHelper, Response};
+use crate::tests::builders::PublishBuilder;
 use crate::tests::util::encode_session_header;
 use http::{Method, StatusCode, header};
 use insta::assert_snapshot;
@@ -18,11 +19,11 @@ async fn anonymous_user_unauthorized() {
 #[tokio::test(flavor = "multi_thread")]
 async fn token_auth_cannot_find_token() {
- let (_, anon) = TestApp::init().empty().await;
- let mut request = anon.request_builder(Method::GET, URL);
- request.header(header::AUTHORIZATION, "cio1tkfake-token");
- let response: Response<()> = anon.run(request).await;
+ let (app, _anon) = TestApp::full().empty().await;
+ let client = MockTokenUser::with_auth_header("cio1tkfake-token".to_string(), app.clone());
+ let pb = PublishBuilder::new("foo", "1.0.0");
+ let response = client.publish_crate(pb).await;
 assert_snapshot!(response.status(), @"403 Forbidden");
 assert_snapshot!(response.text(), @r#"{"errors":[{"detail":"authentication failed"}]}"#);
 }
From c778663c5f10cae527ccc6a51ee2477a9e5d3d61 Mon Sep 17 00:00:00 2001
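Review bot: After this change `token_auth_cannot_find_token()` no longer touches the route behind `URL`, and nothing in the hunk asserts the property the commit message relies on, namely that `GET /api/v1/me/updates` accepts only cookie authentication. The removed request could not show it either, since a fake token is rejected whether or not the route honours tokens, so the gap predates the commit. Unless a test outside this hunk already does so, consider a sibling test that sends a valid API token to `URL` and expects a rejection, introduced by a comment such as `// cookie-only route: a valid API token must not authenticate here`. The same holds for `GET /api/v1/me` in `old_tokens_give_specific_error_message()` in src/tests/token.rs.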
From: Tobias Bieniek
Date: Fri, 13 Jun 2025 15:03:41 +0200
Subject: [PATCH 2/2] tests/token: Use API endpoint in `old_tokens_give_specific_error_message()` that actually supports token auth

`GET /api/v1/me` only supports cookie authentication, so this test was a bit misleading before
---
 src/tests/token.rs | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/tests/token.rs b/src/tests/token.rs
index 5ce01593067..f5aed1bc124 100644
--- a/src/tests/token.rs
+++ b/src/tests/token.rs
@@ -1,9 +1,9 @@
-use crate::tests::util::MockRequestExt;
+use crate::tests::builders::PublishBuilder;
+use crate::tests::util::MockTokenUser;
 use crate::tests::{RequestHelper, TestApp};
 use crate::{models::ApiToken, views::EncodableMe};
 use diesel::prelude::*;
 use diesel_async::RunQueryDsl;
-use http::header;
 use insta::assert_snapshot;
 #[tokio::test(flavor = "multi_thread")]
@@ -35,12 +35,11 @@ async fn using_token_updates_last_used_at() {
 #[tokio::test(flavor = "multi_thread")]
 async fn old_tokens_give_specific_error_message() {
- let url = "/api/v1/me";
- let (_, anon) = TestApp::init().empty().await;
+ let (app, _anon) = TestApp::full().empty().await;
- let mut request = anon.get_request(url);
- request.header(header::AUTHORIZATION, "oldtoken");
- let response = anon.run::<()>(request).await;
+ let client = MockTokenUser::with_auth_header("oldtoken".to_string(), app.clone());
+ let pb = PublishBuilder::new("foo", "1.0.0");
+ let response = client.publish_crate(pb).await;
 assert_snapshot!(response.status(), @"401 Unauthorized");
 assert_snapshot!(response.text(), @r#"{"errors":[{"detail":"The given API token does not match the format used by crates.io. Tokens generated before 2020-07-14 were generated with an insecure random number generator, and have been revoked. You can generate a new token at https://crates.io/me. For more information please see https://blog.rust-lang.org/2020/07/14/crates-io-security-advisory.html. We apologize for any inconvenience."}]}"#);
 }
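Review bot: `old_tokens_give_specific_error_message()` now drives a state-changing endpoint, yet the two snapshots after `client.publish_crate(pb).await` check only the status code and the error body. A publish rejected for a revoked-format token should also leave nothing behind, so I would add an assertion after the snapshots that the test storage is still empty, for example `assert!(app.stored_files().await.is_empty());` if that helper is available on this `TestApp`. That would also give `app.clone()` a purpose, since `app` is otherwise unused after the clone in the visible lines. `token_auth_cannot_find_token()` in src/tests/authentication.rs has the same shape and would benefit from the same assertion.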