package api import ( "bytes" "context" "errors" "net/http" "net/http/httptest" "os" "testing" "git.fabledsword.com/bvandeusen/minstrel/internal/mailer" ) func TestForgotPassword_KnownEmail_SendsMail(t *testing.T) { if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" { t.Skip("MINSTREL_TEST_DATABASE_URL not set") } h, pool := testHandlers(t) fake := &mailer.FakeSender{} h.mailer = fake user := seedUser(t, pool, "forgotuser", "pw", false) if _, err := pool.Exec(context.Background(), "UPDATE users SET email = 'forgot@example.com' WHERE id = $1", user.ID); err != nil { t.Fatalf("seed email: %v", err) } body := `{"email":"forgot@example.com"}` req := httptest.NewRequest(http.MethodPost, "/api/auth/forgot-password", bytes.NewReader([]byte(body))) req.Host = "minstrel.example.com" rec := httptest.NewRecorder() h.handleForgotPassword(rec, req) if rec.Code != http.StatusOK { t.Errorf("status = %d, want 200", rec.Code) } if len(fake.Sent) != 1 { t.Fatalf("Sent len = %d, want 1", len(fake.Sent)) } got := fake.LastSent() if got.To != "forgot@example.com" { t.Errorf("To = %q, want forgot@example.com", got.To) } // Token row was inserted. var tokenCount int if err := pool.QueryRow(context.Background(), "SELECT count(*) FROM password_resets WHERE user_id = $1", user.ID).Scan(&tokenCount); err != nil { t.Fatalf("verify token: %v", err) } if tokenCount == 0 { t.Errorf("no password_resets row inserted") } } func TestForgotPassword_UnknownEmail_Returns200_NoSend(t *testing.T) { if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" { t.Skip("MINSTREL_TEST_DATABASE_URL not set") } h, _ := testHandlers(t) fake := &mailer.FakeSender{} h.mailer = fake body := `{"email":"nonexistent@example.com"}` req := httptest.NewRequest(http.MethodPost, "/api/auth/forgot-password", bytes.NewReader([]byte(body))) rec := httptest.NewRecorder() h.handleForgotPassword(rec, req) if rec.Code != http.StatusOK { t.Errorf("status = %d, want 200 (always; no enumeration)", rec.Code) } if len(fake.Sent) != 0 { t.Errorf("Sent len = %d, want 0 for unknown email", len(fake.Sent)) } } func TestForgotPassword_MailerFailure_StillReturns200(t *testing.T) { if os.Getenv("MINSTREL_TEST_DATABASE_URL") == "" { t.Skip("MINSTREL_TEST_DATABASE_URL not set") } h, pool := testHandlers(t) fake := &mailer.FakeSender{FailNext: errors.New("simulated SMTP failure")} h.mailer = fake user := seedUser(t, pool, "mailfail", "pw", false) if _, err := pool.Exec(context.Background(), "UPDATE users SET email = 'mailfail@example.com' WHERE id = $1", user.ID); err != nil { t.Fatalf("seed: %v", err) } body := `{"email":"mailfail@example.com"}` req := httptest.NewRequest(http.MethodPost, "/api/auth/forgot-password", bytes.NewReader([]byte(body))) rec := httptest.NewRecorder() h.handleForgotPassword(rec, req) if rec.Code != http.StatusOK { t.Errorf("status = %d, want 200 (mailer failures don't propagate)", rec.Code) } }