web/session/session_test.go

package session

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/mhsanaei/3x-ui/v3/database/model"

	"github.com/gin-contrib/sessions"
	"github.com/gin-contrib/sessions/cookie"
	"github.com/gin-gonic/gin"
)

func TestSetLoginUserStoresOnlyUserID(t *testing.T) {
	gin.SetMode(gin.TestMode)
	router := gin.New()
	router.Use(sessions.Sessions(sessionCookieName, cookie.NewStore([]byte("01234567890123456789012345678901"))))
	router.GET("/", func(c *gin.Context) {
		if err := SetLoginUser(c, &model.User{Id: 7, Username: "admin", Password: "hash"}); err != nil {
			t.Fatal(err)
		}
		got := sessions.Default(c).Get(loginUserKey)
		if got != 7 {
			t.Fatalf("stored session payload = %#v, want user id only", got)
		}
		c.Status(http.StatusNoContent)
	})

	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	router.ServeHTTP(rec, req)
	if rec.Code != http.StatusNoContent {
		t.Fatalf("status = %d, want %d", rec.Code, http.StatusNoContent)
	}
}

func TestSessionUserIDSupportsLegacyUserPayload(t *testing.T) {
	id, ok := sessionUserID(model.User{Id: 11, Username: "admin", Password: "hash"})
	if !ok || id != 11 {
		t.Fatalf("legacy session payload resolved to (%d, %v), want (11, true)", id, ok)
	}
	id, ok = sessionUserID(&model.User{Id: 12, Username: "admin", Password: "hash"})
	if !ok || id != 12 {
		t.Fatalf("legacy pointer session payload resolved to (%d, %v), want (12, true)", id, ok)
	}
}
Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275 ) 2026-05-13 12:52:52 +02:00			`package session`

			`import (`
			`"net/http"`
			`"net/http/httptest"`
			`"testing"`

			`"github.com/mhsanaei/3x-ui/v3/database/model"`

			`"github.com/gin-contrib/sessions"`
			`"github.com/gin-contrib/sessions/cookie"`
			`"github.com/gin-gonic/gin"`
			`)`

			`func TestSetLoginUserStoresOnlyUserID(t *testing.T) {`
			`gin.SetMode(gin.TestMode)`
			`router := gin.New()`
			`router.Use(sessions.Sessions(sessionCookieName, cookie.NewStore([]byte("01234567890123456789012345678901"))))`
			`router.GET("/", func(c *gin.Context) {`
			`if err := SetLoginUser(c, &model.User{Id: 7, Username: "admin", Password: "hash"}); err != nil {`
			`t.Fatal(err)`
			`}`
			`got := sessions.Default(c).Get(loginUserKey)`
			`if got != 7 {`
			`t.Fatalf("stored session payload = %#v, want user id only", got)`
			`}`
			`c.Status(http.StatusNoContent)`
			`})`

			`rec := httptest.NewRecorder()`
			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
			`router.ServeHTTP(rec, req)`
			`if rec.Code != http.StatusNoContent {`
			`t.Fatalf("status = %d, want %d", rec.Code, http.StatusNoContent)`
			`}`
			`}`

			`func TestSessionUserIDSupportsLegacyUserPayload(t *testing.T) {`
			`id, ok := sessionUserID(model.User{Id: 11, Username: "admin", Password: "hash"})`
			`if !ok \|\| id != 11 {`
			`t.Fatalf("legacy session payload resolved to (%d, %v), want (11, true)", id, ok)`
			`}`
			`id, ok = sessionUserID(&model.User{Id: 12, Username: "admin", Password: "hash"})`
			`if !ok \|\| id != 12 {`
			`t.Fatalf("legacy pointer session payload resolved to (%d, %v), want (12, true)", id, ok)`
			`}`
			`}`