package app import ( "crypto/rand" "crypto/rsa" "crypto/sha256" "crypto/x509" "encoding/base64" "encoding/pem" "testing" "github.com/geo-platform/tenant-api/internal/shared/auth" "github.com/geo-platform/tenant-api/internal/shared/response" "github.com/stretchr/testify/require" ) func TestAuthServiceLoginPasswordDecryptsEncryptedPassword(t *testing.T) { t.Parallel() key, err := rsa.GenerateKey(rand.Reader, 2048) require.NoError(t, err) privatePEM := string(pem.EncodeToMemory(&pem.Block{ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key), })) cipher, err := auth.NewPasswordCipher(privatePEM, "tenant-test-key") require.NoError(t, err) encrypted, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, []byte("Test@123"), nil) require.NoError(t, err) svc := (&AuthService{}).WithPasswordCipher(cipher) got, err := svc.loginPassword(LoginRequest{ EncryptedPassword: base64.StdEncoding.EncodeToString(encrypted), PasswordKeyID: "tenant-test-key", }) require.NoError(t, err) require.Equal(t, "Test@123", got) } func TestAuthServiceLoginPasswordAllowsPlainPasswordCompatibility(t *testing.T) { t.Parallel() got, err := (&AuthService{}).loginPassword(LoginRequest{Password: "Test@123"}) require.NoError(t, err) require.Equal(t, "Test@123", got) } func TestAuthServiceLoginPasswordRejectsEncryptedWhenCipherMissing(t *testing.T) { t.Parallel() _, err := (&AuthService{}).loginPassword(LoginRequest{EncryptedPassword: "abc"}) require.Error(t, err) appErr, ok := err.(*response.AppError) require.True(t, ok) require.Equal(t, "password_cipher_unavailable", appErr.Message) }