From b5d42f6e2eef426a88be37060ed63e5e2e2492d1 Mon Sep 17 00:00:00 2001 From: rcourtman Date: Tue, 2 Dec 2025 00:13:32 +0000 Subject: [PATCH] test: Add edge case for ensureSettingsWriteScope valid scope Tests the code path when an API token has the settings:write scope, which allows the operation to proceed. --- internal/api/security_setup_fix_test.go | 31 +++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/internal/api/security_setup_fix_test.go b/internal/api/security_setup_fix_test.go index f756790..17203bb 100644 --- a/internal/api/security_setup_fix_test.go +++ b/internal/api/security_setup_fix_test.go @@ -418,6 +418,37 @@ func TestResetLockoutRequiresSettingsScope(t *testing.T) { } } +func TestEnsureSettingsWriteScopeWithValidScope(t *testing.T) { + dataDir := t.TempDir() + + rawToken := strings.Repeat("ab", 32) + record, err := config.NewAPITokenRecord(rawToken, "admin-token", []string{config.ScopeSettingsWrite}) + if err != nil { + t.Fatalf("new token record: %v", err) + } + + cfg := &config.Config{ + DataPath: dataDir, + ConfigPath: dataDir, + APITokens: []config.APITokenRecord{*record}, + APITokenEnabled: true, + } + cfg.SortAPITokens() + + req := httptest.NewRequest(http.MethodPost, "/api/security/test", nil) + attachAPITokenRecord(req, record) + + rr := httptest.NewRecorder() + result := ensureSettingsWriteScope(rr, req) + + if !result { + t.Error("ensureSettingsWriteScope should return true when token has settings:write scope") + } + if rr.Code != http.StatusOK { + t.Errorf("expected no error response, got status %d", rr.Code) + } +} + func TestValidateBcryptHash(t *testing.T) { tests := []struct { name string