claude-code-proxy/proxy/internal/middleware/dashboard_auth_test.go

package middleware

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"testing"
)

func TestDashboardAuthDisabledWhenEmpty(t *testing.T) {
	called := false
	handler := DashboardAuth("")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		called = true
		w.WriteHeader(http.StatusOK)
	}))

	req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)
	rr := httptest.NewRecorder()
	handler.ServeHTTP(rr, req)

	if !called {
		t.Fatal("expected handler to be called when password is empty")
	}
	if rr.Code != http.StatusOK {
		t.Fatalf("expected 200, got %d", rr.Code)
	}
}

func TestDashboardAuthRejectsNoCredentials(t *testing.T) {
	handler := DashboardAuth("secret")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))

	req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)
	rr := httptest.NewRecorder()
	handler.ServeHTTP(rr, req)

	if rr.Code != http.StatusUnauthorized {
		t.Fatalf("expected 401, got %d", rr.Code)
	}

	// Verify JSON response body
	var body map[string]string
	if err := json.NewDecoder(rr.Body).Decode(&body); err != nil {
		t.Fatalf("expected JSON response, got error: %v", err)
	}
	if body["error"] != "unauthorized" {
		t.Fatalf("expected error=unauthorized, got %q", body["error"])
	}
}

func TestDashboardAuthRejectsWrongPassword(t *testing.T) {
	handler := DashboardAuth("secret")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))

	req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)
	req.SetBasicAuth("admin", "wrong")
	rr := httptest.NewRecorder()
	handler.ServeHTTP(rr, req)

	if rr.Code != http.StatusUnauthorized {
		t.Fatalf("expected 401, got %d", rr.Code)
	}
}

func TestDashboardAuthAcceptsValidCredentials(t *testing.T) {
	called := false
	handler := DashboardAuth("secret")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		called = true
		w.WriteHeader(http.StatusOK)
	}))

	req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)
	req.SetBasicAuth("admin", "secret")
	rr := httptest.NewRecorder()
	handler.ServeHTTP(rr, req)

	if !called {
		t.Fatal("expected handler to be called with valid credentials")
	}
	if rr.Code != http.StatusOK {
		t.Fatalf("expected 200, got %d", rr.Code)
	}
}

func TestWriteJSONSetsContentType(t *testing.T) {
	rr := httptest.NewRecorder()
	writeJSON(rr, http.StatusForbidden, map[string]string{"error": "forbidden"})

	if ct := rr.Header().Get("Content-Type"); ct != "application/json" {
		t.Fatalf("expected Content-Type application/json, got %q", ct)
	}
	if rr.Code != http.StatusForbidden {
		t.Fatalf("expected status 403, got %d", rr.Code)
	}

	var body map[string]string
	if err := json.NewDecoder(rr.Body).Decode(&body); err != nil {
		t.Fatalf("expected valid JSON, got error: %v", err)
	}
	if body["error"] != "forbidden" {
		t.Fatalf("expected error=forbidden, got %q", body["error"])
	}
}
Local fork: hardening + ops improvements (timeout knob, demotion, /livez, drain) This commit captures both the prior accumulated work-in-progress (framework migration web/→svelte/, postgres storage, conversation viewer, dashboard auth, OpenAPI spec, integration tests) AND today's operational improvements layered on top. History wasn't checkpointed incrementally; happy to split it via interactive rebase if a reviewer wants smaller commits. Today's changes (in addition to the older WIP): 1. Configurable upstream response-header timeout - ANTHROPIC_RESPONSE_HEADER_TIMEOUT env (default 300s) - Replaces hardcoded 300s in provider/anthropic.go that was firing on opus + 1M-context + extended thinking non-streaming requests - Files: internal/config/config.go, internal/provider/anthropic.go 2. Structured forward-error diagnostic logging - When a forward to Anthropic fails, log a single key=value line with request_id, model, stream, body_bytes, has_thinking, anthropic_beta, query, elapsed, ctx_err — alongside the existing human-readable error line for back-compat - Files: internal/handler/handlers.go (logForwardFailure) 3. Full SSE protocol passthrough + Flusher fix - handler/handlers.go: forward all SSE lines verbatim (event:, id:, retry:, : comments, blank-line terminators), not only data:. Previous code produced malformed SSE for strict parsers. - middleware/logging.go: explicit Flush() method on responseWriter. Embedding http.ResponseWriter (interface) does not auto-promote Flush(), so every w.(http.Flusher) check in the streaming handler was returning ok=false and SSE writes buffered in net/http until the body closed. 4. Non-streaming → streaming demotion (feature-flagged) - ANTHROPIC_DEMOTE_NONSTREAMING env (default false) - When enabled and the routed provider is anthropic, force stream=true upstream for clients that asked for stream=false. Receive SSE, accumulate via accumulateSSEToMessage (handles text, tool_use with partial_json reassembly, thinking, signature, citations_delta, usage merge), and synthesize a single non-streaming JSON response. - Eliminates the ResponseHeaderTimeout class of failure entirely. - Body rewrite uses json.Decoder + UseNumber() to preserve integer precision in unknown nested fields (tool inputs from prior turns). - Files: internal/config/config.go, internal/handler/handlers.go, cmd/proxy/main.go, cmd/proxy/main_test.go 5. Live operational state: /livez gauge + graceful drain - New internal/runtime package: atomic in-flight counter + draining flag - New middleware/inflight.go: increments runtime gauge, applied to /v1/* subrouter so Messages, ChatCompletions, and ProxyPassthrough are all counted - /v1/* moved to a gorilla/mux subrouter so the InFlight middleware applies surgically; /health, /livez, /openapi.* remain on parent router (unauthenticated, uncounted) - Health handler returns 503 draining when runtime.IsDraining() is true, so Traefik stops routing to a slot before drain begins - New /livez handler returns {status, in_flight, draining, timestamp} - SIGTERM handler in main.go: SetDraining(true), poll for in_flight==0 with 32-min ceiling and 1s tick (logs every 10s), then srv.Shutdown - Auth bypass list extended with /livez - Files: internal/runtime/runtime.go (new), internal/middleware/inflight.go (new), internal/middleware/auth.go, internal/handler/handlers.go (Health, Livez, runtime import), cmd/proxy/main.go (subrouter, drain loop) 6. OpenAPI spec updates - Document Health 503 response and new DrainingResponse schema - Add /livez path with LivezResponse schema - Files: internal/handler/openapi.go Verified: go build ./... clean, go test ./... all pass, go vet clean. Three rounds of codex peer review across changes 1-5; all feedback addressed (citations_delta, json.Number precision, drain-loop logging via lastLog timestamp, PathPrefix tightened to "/v1/"). 2026-05-02 15:15:58 -06:00			`package middleware`

			`import (`
			`"encoding/json"`
			`"net/http"`
			`"net/http/httptest"`
			`"testing"`
			`)`

			`func TestDashboardAuthDisabledWhenEmpty(t *testing.T) {`
			`called := false`
			`handler := DashboardAuth("")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`called = true`
			`w.WriteHeader(http.StatusOK)`
			`}))`

			`req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)`
			`rr := httptest.NewRecorder()`
			`handler.ServeHTTP(rr, req)`

			`if !called {`
			`t.Fatal("expected handler to be called when password is empty")`
			`}`
			`if rr.Code != http.StatusOK {`
			`t.Fatalf("expected 200, got %d", rr.Code)`
			`}`
			`}`

			`func TestDashboardAuthRejectsNoCredentials(t *testing.T) {`
			`handler := DashboardAuth("secret")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`w.WriteHeader(http.StatusOK)`
			`}))`

			`req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)`
			`rr := httptest.NewRecorder()`
			`handler.ServeHTTP(rr, req)`

			`if rr.Code != http.StatusUnauthorized {`
			`t.Fatalf("expected 401, got %d", rr.Code)`
			`}`

			`// Verify JSON response body`
			`var body map[string]string`
			`if err := json.NewDecoder(rr.Body).Decode(&body); err != nil {`
			`t.Fatalf("expected JSON response, got error: %v", err)`
			`}`
			`if body["error"] != "unauthorized" {`
			`t.Fatalf("expected error=unauthorized, got %q", body["error"])`
			`}`
			`}`

			`func TestDashboardAuthRejectsWrongPassword(t *testing.T) {`
			`handler := DashboardAuth("secret")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`w.WriteHeader(http.StatusOK)`
			`}))`

			`req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)`
			`req.SetBasicAuth("admin", "wrong")`
			`rr := httptest.NewRecorder()`
			`handler.ServeHTTP(rr, req)`

			`if rr.Code != http.StatusUnauthorized {`
			`t.Fatalf("expected 401, got %d", rr.Code)`
			`}`
			`}`

			`func TestDashboardAuthAcceptsValidCredentials(t *testing.T) {`
			`called := false`
			`handler := DashboardAuth("secret")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`called = true`
			`w.WriteHeader(http.StatusOK)`
			`}))`

			`req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)`
			`req.SetBasicAuth("admin", "secret")`
			`rr := httptest.NewRecorder()`
			`handler.ServeHTTP(rr, req)`

			`if !called {`
			`t.Fatal("expected handler to be called with valid credentials")`
			`}`
			`if rr.Code != http.StatusOK {`
			`t.Fatalf("expected 200, got %d", rr.Code)`
			`}`
			`}`

			`func TestWriteJSONSetsContentType(t *testing.T) {`
			`rr := httptest.NewRecorder()`
			`writeJSON(rr, http.StatusForbidden, map[string]string{"error": "forbidden"})`

			`if ct := rr.Header().Get("Content-Type"); ct != "application/json" {`
			`t.Fatalf("expected Content-Type application/json, got %q", ct)`
			`}`
			`if rr.Code != http.StatusForbidden {`
			`t.Fatalf("expected status 403, got %d", rr.Code)`
			`}`

			`var body map[string]string`
			`if err := json.NewDecoder(rr.Body).Decode(&body); err != nil {`
			`t.Fatalf("expected valid JSON, got error: %v", err)`
			`}`
			`if body["error"] != "forbidden" {`
			`t.Fatalf("expected error=forbidden, got %q", body["error"])`
			`}`
			`}`