Drift audit 2026-06-02 — 26 findings shipped #75
+17
-7
@@ -1,7 +1,6 @@
|
|||||||
package api
|
package api
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
|
||||||
"errors"
|
"errors"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
@@ -9,6 +8,22 @@ import (
|
|||||||
"git.fabledsword.com/bvandeusen/minstrel/internal/auth"
|
"git.fabledsword.com/bvandeusen/minstrel/internal/auth"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// handleGetMe returns the authenticated user's profile shape — id,
|
||||||
|
// username, display_name, email, is_admin. Mirrors the response shape
|
||||||
|
// of PUT /api/me/profile so the Android Settings → Profile screen
|
||||||
|
// (and Flutter's equivalent) can read its starting state from a GET
|
||||||
|
// before the user has done a first save.
|
||||||
|
//
|
||||||
|
// Drift #578 fix: this previously emitted the narrower UserView
|
||||||
|
// (id, username, is_admin only). Android's MeApi.getProfile() deser-
|
||||||
|
// ialised into MyProfileWire and saw display_name=null, email=null
|
||||||
|
// on every read — wiping the form fields on every Settings open.
|
||||||
|
// Saving from that blank state then submitted empty strings, which
|
||||||
|
// handleUpdateMyProfile treats as "clear to NULL" — DESTROYING the
|
||||||
|
// user's stored display_name + email. Returning the full profile
|
||||||
|
// shape here closes the loop. Web (User type narrower than this
|
||||||
|
// response) keeps working via TypeScript structural typing — the
|
||||||
|
// extra fields are ignored.
|
||||||
func (h *handlers) handleGetMe(w http.ResponseWriter, r *http.Request) {
|
func (h *handlers) handleGetMe(w http.ResponseWriter, r *http.Request) {
|
||||||
user, ok := auth.UserFromContext(r.Context())
|
user, ok := auth.UserFromContext(r.Context())
|
||||||
if !ok {
|
if !ok {
|
||||||
@@ -18,10 +33,5 @@ func (h *handlers) handleGetMe(w http.ResponseWriter, r *http.Request) {
|
|||||||
writeErr(w, apierror.InternalMsg("missing auth context", errors.New("missing auth context")))
|
writeErr(w, apierror.InternalMsg("missing auth context", errors.New("missing auth context")))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
w.Header().Set("Content-Type", "application/json")
|
writeJSON(w, http.StatusOK, profileViewFromUser(user))
|
||||||
_ = json.NewEncoder(w).Encode(UserView{
|
|
||||||
ID: user.ID,
|
|
||||||
Username: user.Username,
|
|
||||||
IsAdmin: user.IsAdmin,
|
|
||||||
})
|
|
||||||
}
|
}
|
||||||
|
|||||||
+50
-1
@@ -1,6 +1,7 @@
|
|||||||
package api
|
package api
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
@@ -21,13 +22,61 @@ func TestHandleGetMe_ReturnsAuthenticatedUser(t *testing.T) {
|
|||||||
if w.Code != http.StatusOK {
|
if w.Code != http.StatusOK {
|
||||||
t.Fatalf("status = %d body = %s", w.Code, w.Body.String())
|
t.Fatalf("status = %d body = %s", w.Code, w.Body.String())
|
||||||
}
|
}
|
||||||
var got UserView
|
var got meProfileResp
|
||||||
if err := json.Unmarshal(w.Body.Bytes(), &got); err != nil {
|
if err := json.Unmarshal(w.Body.Bytes(), &got); err != nil {
|
||||||
t.Fatalf("decode: %v", err)
|
t.Fatalf("decode: %v", err)
|
||||||
}
|
}
|
||||||
if got.Username != "test-alice" || !got.IsAdmin {
|
if got.Username != "test-alice" || !got.IsAdmin {
|
||||||
t.Errorf("user = %+v, want test-alice/admin", got)
|
t.Errorf("user = %+v, want test-alice/admin", got)
|
||||||
}
|
}
|
||||||
|
if got.DisplayName != nil {
|
||||||
|
t.Errorf("DisplayName = %v, want nil for a user with no profile set", *got.DisplayName)
|
||||||
|
}
|
||||||
|
if got.Email != nil {
|
||||||
|
t.Errorf("Email = %v, want nil for a user with no profile set", *got.Email)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Drift #578 regression guard: a user whose profile fields ARE set
|
||||||
|
// must see them in the /api/me response. Previously this handler
|
||||||
|
// emitted the narrower UserView so Android Settings → Profile saw
|
||||||
|
// display_name=null and email=null on every read, wiped the form
|
||||||
|
// fields, and submitting from that blank state destroyed the user's
|
||||||
|
// stored values via the "empty string clears to NULL" semantics of
|
||||||
|
// PUT /api/me/profile.
|
||||||
|
func TestHandleGetMe_IncludesDisplayNameAndEmail(t *testing.T) {
|
||||||
|
h, pool := testHandlers(t)
|
||||||
|
user := seedUser(t, pool, "alice", "hunter2", false)
|
||||||
|
|
||||||
|
displayName := "Alice Liddell"
|
||||||
|
email := "alice@example.com"
|
||||||
|
updated, err := dbq.New(pool).UpdateUserProfile(context.Background(), dbq.UpdateUserProfileParams{
|
||||||
|
ID: user.ID,
|
||||||
|
DisplayName: &displayName,
|
||||||
|
Email: &email,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("UpdateUserProfile: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
|
||||||
|
req = withUser(req, updated)
|
||||||
|
w := httptest.NewRecorder()
|
||||||
|
h.handleGetMe(w, req)
|
||||||
|
|
||||||
|
if w.Code != http.StatusOK {
|
||||||
|
t.Fatalf("status = %d body = %s", w.Code, w.Body.String())
|
||||||
|
}
|
||||||
|
var got meProfileResp
|
||||||
|
if err := json.Unmarshal(w.Body.Bytes(), &got); err != nil {
|
||||||
|
t.Fatalf("decode: %v", err)
|
||||||
|
}
|
||||||
|
if got.DisplayName == nil || *got.DisplayName != displayName {
|
||||||
|
t.Errorf("DisplayName = %v, want %q", got.DisplayName, displayName)
|
||||||
|
}
|
||||||
|
if got.Email == nil || *got.Email != email {
|
||||||
|
t.Errorf("Email = %v, want %q", got.Email, email)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestHandleGetMe_MissingContextReturns500(t *testing.T) {
|
func TestHandleGetMe_MissingContextReturns500(t *testing.T) {
|
||||||
|
|||||||
Reference in New Issue
Block a user