abitofhelp
diff --git a/‎auth/jwt/jwt.go‎
Lines changed: 6 additions & 0 deletions b/‎auth/jwt/jwt.go‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎auth/jwt/mock_validator_test.go‎
Lines changed: 61 additions & 0 deletions b/‎auth/jwt/mock_validator_test.go‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎auth/jwt/remote_validation_test.go‎
Lines changed: 142 additions & 0 deletions b/‎auth/jwt/remote_validation_test.go‎
Lines changed: 142 additions & 0 deletions
diff --git a/‎auth/middleware/middleware_constructor_test.go‎
Lines changed: 65 additions & 0 deletions b/‎auth/middleware/middleware_constructor_test.go‎
Lines changed: 65 additions & 0 deletions
@@ -71,6 +71,12 @@ func (s *Service) WithRemoteValidator(config RemoteConfig) *Service {
 	return s
 }
 
+// SetRemoteValidatorForTesting sets the remote validator for testing purposes.
+// This method should only be used in tests.
+func (s *Service) SetRemoteValidatorForTesting(validator TokenValidator) {
+	s.remoteValidator = validator
+}
+
 // Claims represents the JWT claims contained in a token.
 type Claims struct {
 	// UserID is the unique identifier of the user (stored in the 'sub' claim)
 
@@ -0,0 +1,61 @@
+// Copyright (c) 2025 A Bit of Help, Inc.
+
+package jwt_test
+
+import (
+	"context"
+	"errors"
+
+	autherrors "github.com/abitofhelp/servicelib/auth/errors"
+	"github.com/abitofhelp/servicelib/auth/jwt"
+)
+
+// MockValidator is a mock implementation of the TokenValidator interface for testing.
+type MockValidator struct {
+	// ShouldSucceed determines whether the validation should succeed or fail
+	ShouldSucceed bool
+	
+	// ErrorToReturn is the error to return when validation fails
+	ErrorToReturn error
+	
+	// ClaimsToReturn is the claims to return when validation succeeds
+	ClaimsToReturn *jwt.Claims
+	
+	// Called tracks whether ValidateToken was called
+	Called bool
+}
+
+// ValidateToken implements the TokenValidator interface for testing.
+func (m *MockValidator) ValidateToken(ctx context.Context, tokenString string) (*jwt.Claims, error) {
+	m.Called = true
+	
+	if tokenString == "" {
+		return nil, autherrors.ErrMissingToken
+	}
+	
+	if m.ShouldSucceed {
+		return m.ClaimsToReturn, nil
+	}
+	
+	if m.ErrorToReturn != nil {
+		return nil, m.ErrorToReturn
+	}
+	
+	return nil, errors.New("mock validation failed")
+}
+
+// NewSuccessfulMockValidator creates a new MockValidator that succeeds with the given claims.
+func NewSuccessfulMockValidator(claims *jwt.Claims) *MockValidator {
+	return &MockValidator{
+		ShouldSucceed:  true,
+		ClaimsToReturn: claims,
+	}
+}
+
+// NewFailingMockValidator creates a new MockValidator that fails with the given error.
+func NewFailingMockValidator(err error) *MockValidator {
+	return &MockValidator{
+		ShouldSucceed:  false,
+		ErrorToReturn:  err,
+	}
+}
@@ -0,0 +1,142 @@
+// Copyright (c) 2025 A Bit of Help, Inc.
+
+package jwt_test
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	autherrors "github.com/abitofhelp/servicelib/auth/errors"
+	"github.com/abitofhelp/servicelib/auth/jwt"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+)
+
+// TestRemoteValidationSuccess tests the case where remote validation succeeds
+func TestRemoteValidationSuccess(t *testing.T) {
+	logger := zap.NewNop()
+	config := jwt.Config{
+		SecretKey:     "test-secret",
+		TokenDuration: 1 * time.Hour,
+		Issuer:        "test-issuer",
+	}
+	service := jwt.NewService(config, logger)
+	ctx := context.Background()
+
+	// Create expected claims
+	expectedClaims := &jwt.Claims{
+		UserID:    "remote-user-123",
+		Roles:     []string{"admin", "remote-user"},
+		Scopes:    []string{"read", "write"},
+		Resources: []string{"resource1", "resource2"},
+	}
+
+	// Set up a mock validator that succeeds
+	mockValidator := NewSuccessfulMockValidator(expectedClaims)
+
+	// Set the mock validator as the remote validator
+	service.WithRemoteValidator(jwt.RemoteConfig{})
+	// Access the private field using reflection
+	setRemoteValidator(t, service, mockValidator)
+
+	// Test with any token (the mock will ignore the actual token)
+	claims, err := service.ValidateToken(ctx, "any-token")
+
+	// Verify the mock was called
+	assert.True(t, mockValidator.Called)
+
+	// Verify the result
+	assert.NoError(t, err)
+	assert.NotNil(t, claims)
+	assert.Equal(t, expectedClaims.UserID, claims.UserID)
+	assert.Equal(t, expectedClaims.Roles, claims.Roles)
+	assert.Equal(t, expectedClaims.Scopes, claims.Scopes)
+	assert.Equal(t, expectedClaims.Resources, claims.Resources)
+}
+
+// TestRemoteValidationFailure tests the case where remote validation fails with a non-NotImplemented error
+func TestRemoteValidationFailure(t *testing.T) {
+	logger := zap.NewNop()
+	config := jwt.Config{
+		SecretKey:     "test-secret",
+		TokenDuration: 1 * time.Hour,
+		Issuer:        "test-issuer",
+	}
+	service := jwt.NewService(config, logger)
+	ctx := context.Background()
+
+	// Generate a valid token for local validation
+	userID := "user123"
+	roles := []string{"admin", "user"}
+	token, err := service.GenerateToken(ctx, userID, roles, []string{}, []string{})
+	require.NoError(t, err)
+	require.NotEmpty(t, token)
+
+	// Set up a mock validator that fails with a custom error
+	customError := autherrors.WithMessage(autherrors.ErrInvalidToken, "remote validation failed")
+	mockValidator := NewFailingMockValidator(customError)
+
+	// Set the mock validator as the remote validator
+	service.WithRemoteValidator(jwt.RemoteConfig{})
+	// Access the private field using reflection
+	setRemoteValidator(t, service, mockValidator)
+
+	// Test validation - should fall back to local validation and succeed
+	claims, err := service.ValidateToken(ctx, token)
+
+	// Verify the mock was called
+	assert.True(t, mockValidator.Called)
+
+	// Verify the result - should succeed with local validation
+	assert.NoError(t, err)
+	assert.NotNil(t, claims)
+	assert.Equal(t, userID, claims.UserID)
+	assert.Equal(t, roles, claims.Roles)
+}
+
+// TestRemoteValidationNotImplemented tests the case where remote validation returns ErrNotImplemented
+func TestRemoteValidationNotImplemented(t *testing.T) {
+	logger := zap.NewNop()
+	config := jwt.Config{
+		SecretKey:     "test-secret",
+		TokenDuration: 1 * time.Hour,
+		Issuer:        "test-issuer",
+	}
+	service := jwt.NewService(config, logger)
+	ctx := context.Background()
+
+	// Generate a valid token for local validation
+	userID := "user123"
+	roles := []string{"admin", "user"}
+	token, err := service.GenerateToken(ctx, userID, roles, []string{}, []string{})
+	require.NoError(t, err)
+	require.NotEmpty(t, token)
+
+	// Set up a mock validator that fails with ErrNotImplemented
+	mockValidator := NewFailingMockValidator(autherrors.ErrNotImplemented)
+
+	// Set the mock validator as the remote validator
+	service.WithRemoteValidator(jwt.RemoteConfig{})
+	// Access the private field using reflection
+	setRemoteValidator(t, service, mockValidator)
+
+	// Test validation - should fall back to local validation and succeed
+	claims, err := service.ValidateToken(ctx, token)
+
+	// Verify the mock was called
+	assert.True(t, mockValidator.Called)
+
+	// Verify the result - should succeed with local validation
+	assert.NoError(t, err)
+	assert.NotNil(t, claims)
+	assert.Equal(t, userID, claims.UserID)
+	assert.Equal(t, roles, claims.Roles)
+}
+
+// Helper function to set the remote validator for testing
+func setRemoteValidator(t *testing.T, service *jwt.Service, validator jwt.TokenValidator) {
+	// Use the exported method to set the remote validator for testing
+	service.SetRemoteValidatorForTesting(validator)
+}
@@ -0,0 +1,65 @@
+// Copyright (c) 2025 A Bit of Help, Inc.
+
+package middleware
+
+import (
+	"testing"
+
+	"github.com/abitofhelp/servicelib/auth/jwt"
+	"github.com/abitofhelp/servicelib/auth/oidc"
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/zap"
+)
+
+// TestNewMiddleware tests the NewMiddleware function
+func TestNewMiddleware(t *testing.T) {
+	// Create a mock JWT service
+	jwtService := &jwt.Service{}
+	
+	// Create a config
+	config := Config{
+		SkipPaths:   []string{"/health", "/metrics"},
+		RequireAuth: true,
+	}
+	
+	// Test with logger
+	logger := zap.NewNop()
+	middleware := NewMiddleware(jwtService, config, logger)
+	
+	// Verify the middleware was created correctly
+	assert.NotNil(t, middleware)
+	assert.Equal(t, config, middleware.config)
+	assert.Equal(t, jwtService, middleware.jwtService)
+	assert.Nil(t, middleware.oidcService)
+	
+	// Test with nil logger (should use NopLogger)
+	middleware = NewMiddleware(jwtService, config, nil)
+	assert.NotNil(t, middleware)
+}
+
+// TestNewMiddlewareWithOIDC tests the NewMiddlewareWithOIDC function
+func TestNewMiddlewareWithOIDC(t *testing.T) {
+	// Create mock services
+	jwtService := &jwt.Service{}
+	oidcService := &oidc.Service{}
+	
+	// Create a config
+	config := Config{
+		SkipPaths:   []string{"/health", "/metrics"},
+		RequireAuth: true,
+	}
+	
+	// Test with logger
+	logger := zap.NewNop()
+	middleware := NewMiddlewareWithOIDC(jwtService, oidcService, config, logger)
+	
+	// Verify the middleware was created correctly
+	assert.NotNil(t, middleware)
+	assert.Equal(t, config, middleware.config)
+	assert.Equal(t, jwtService, middleware.jwtService)
+	assert.Equal(t, oidcService, middleware.oidcService)
+	
+	// Test with nil logger (should use NopLogger)
+	middleware = NewMiddlewareWithOIDC(jwtService, oidcService, config, nil)
+	assert.NotNil(t, middleware)
+}