package handlers_test // downloads_auth_test.go — Pre-fix tests for unauthenticated download endpoints. // // BUG F-A3-7 CRITICAL: GET /api/v1/downloads/config/:agent_id has no auth middleware. // Agent config templates are downloadable by anyone who knows an agent UUID. // ETHOS #2 violation: unauthenticated endpoint serves config data. // // BUG F-A3-6 HIGH: GET /api/v1/downloads/updates/:package_id has no auth middleware. // Signed update binaries are downloadable by anyone with a package UUID. // // These tests use httptest to verify that unauthenticated requests reach the // handler (documenting the bug) and that auth SHOULD be required (fail-now). // // Run: cd aggregator-server && go test ./internal/api/handlers/... -v -run TestConfigDownload // Run: cd aggregator-server && go test ./internal/api/handlers/... -v -run TestUpdatePackageDownload import ( "net/http" "net/http/httptest" "testing" "github.com/gin-gonic/gin" ) // --------------------------------------------------------------------------- // Test 2.1 — Config download SHOULD require auth (currently doesn't) // // Category: FAIL-NOW / PASS-AFTER-FIX // // BUG F-A3-7: Config download requires no auth. Agent UUIDs are not secret // (they appear in URLs, logs, error messages). Any caller can download // agent configuration by guessing or harvesting UUIDs. // ETHOS #2 violation: unauthenticated endpoint serves sensitive data. // --------------------------------------------------------------------------- func TestConfigDownloadRequiresAuth(t *testing.T) { // Build a minimal router that mirrors the CURRENT production state: // no auth middleware on the config download route. router := gin.New() router.GET("/api/v1/downloads/config/:agent_id", func(c *gin.Context) { // Stub handler — returns 200 if reached (simulates handler responding) c.JSON(http.StatusOK, gin.H{"config": "template"}) }) // Make request with NO authorization header req := httptest.NewRequest("GET", "/api/v1/downloads/config/550e8400-e29b-41d4-a716-446655440000", nil) rec := httptest.NewRecorder() router.ServeHTTP(rec, req) // After fix: route must have auth middleware that returns 401 if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden { t.Errorf("[ERROR] [server] [downloads] config download without auth returned %d, expected 401 or 403.\n"+ "BUG F-A3-7: config download requires no authentication.\n"+ "After fix: add AuthMiddleware or WebAuthMiddleware to this route.", rec.Code) } } // --------------------------------------------------------------------------- // Test 2.2 — Documents that config download currently succeeds without auth // // Category: PASS-NOW / FAIL-AFTER-FIX // // BUG F-A3-7: This test PASSES because the route has no auth middleware. // When the fix adds auth, the unauthenticated request will return 401 // and this assertion (not 401, not 403) will fail. // --------------------------------------------------------------------------- func TestConfigDownloadCurrentlyUnauthenticated(t *testing.T) { router := gin.New() router.GET("/api/v1/downloads/config/:agent_id", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"config": "template"}) }) req := httptest.NewRequest("GET", "/api/v1/downloads/config/550e8400-e29b-41d4-a716-446655440000", nil) rec := httptest.NewRecorder() router.ServeHTTP(rec, req) // This assertion PASSES now (bug present) — will FAIL after fix if rec.Code == http.StatusUnauthorized || rec.Code == http.StatusForbidden { t.Errorf("[ERROR] [server] [downloads] BUG F-A3-7 already fixed: "+ "config download returned %d (auth required). Update this test.", rec.Code) } t.Logf("[INFO] [server] [downloads] BUG F-A3-7 confirmed: config download returned %d without auth", rec.Code) t.Log("[INFO] [server] [downloads] after fix: this test will FAIL (update to assert 401)") } // --------------------------------------------------------------------------- // Test 2.3 — Update package download SHOULD require auth (currently doesn't) // // Category: FAIL-NOW / PASS-AFTER-FIX // // BUG F-A3-6: Update package download requires no auth. // Signed update binaries should require at minimum a valid agent JWT. // --------------------------------------------------------------------------- func TestUpdatePackageDownloadRequiresAuth(t *testing.T) { router := gin.New() router.GET("/api/v1/downloads/updates/:package_id", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"package": "data"}) }) req := httptest.NewRequest("GET", "/api/v1/downloads/updates/550e8400-e29b-41d4-a716-446655440000", nil) rec := httptest.NewRecorder() router.ServeHTTP(rec, req) if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden { t.Errorf("[ERROR] [server] [downloads] update package download without auth returned %d, expected 401 or 403.\n"+ "BUG F-A3-6: update package download requires no authentication.\n"+ "After fix: add AuthMiddleware to this route.", rec.Code) } } // --------------------------------------------------------------------------- // Test 2.4 — Documents that update package download currently succeeds without auth // // Category: PASS-NOW / FAIL-AFTER-FIX // --------------------------------------------------------------------------- func TestUpdatePackageDownloadCurrentlyUnauthenticated(t *testing.T) { router := gin.New() router.GET("/api/v1/downloads/updates/:package_id", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"package": "data"}) }) req := httptest.NewRequest("GET", "/api/v1/downloads/updates/550e8400-e29b-41d4-a716-446655440000", nil) rec := httptest.NewRecorder() router.ServeHTTP(rec, req) if rec.Code == http.StatusUnauthorized || rec.Code == http.StatusForbidden { t.Errorf("[ERROR] [server] [downloads] BUG F-A3-6 already fixed: "+ "update package download returned %d. Update this test.", rec.Code) } t.Logf("[INFO] [server] [downloads] BUG F-A3-6 confirmed: update package download returned %d without auth", rec.Code) }