From 6b095e54f85a71fe6746715d7b0467ef7c4d9cfb Mon Sep 17 00:00:00 2001
From: Jason Hilder
Date: Fri, 1 May 2026 07:49:22 +0200
Subject: [PATCH] Cleaned up hurl test files.
---
test_requests/access.hurl | 20 ------------
test_requests/login.hurl | 13 --------
test_requests/register.hurl | 15 ---------
tests/hurl/auth_lifecycle.hurl | 56 ++++++++++++++++++++++++++++++++++
tests/hurl/bad_token.hurl | 7 +++++
tests/hurl/login_logout.hurl | 28 +++++++++++++++++
6 files changed, 91 insertions(+), 48 deletions(-)
delete mode 100644 test_requests/access.hurl
delete mode 100644 test_requests/login.hurl
delete mode 100644 test_requests/register.hurl
create mode 100644 tests/hurl/auth_lifecycle.hurl
create mode 100644 tests/hurl/bad_token.hurl
create mode 100644 tests/hurl/login_logout.hurl
diff --git a/test_requests/access.hurl b/test_requests/access.hurl
deleted file mode 100644
index a8e7b3d..0000000
--- a/test_requests/access.hurl
+++ /dev/null
@@ -1,20 +0,0 @@
-# Step 1: Login
-POST http://localhost:3333/login
-[FormParams]
-email: jason@debian.org
-password: supersecretpassword
-
-HTTP 200
-[Captures]
-# Capture the token into a variable named 'token'
-token: jsonpath "$.access_token"
-
-# Step 2: Use the token to access a protected route
-# Hurl automatically handles the variable injection with {{token}}
-GET http://localhost:3333/api/protected-route
-Authorization: Bearer {{token}}
-
-HTTP 200
-[Asserts]
-# Check for something that only an auth'd user sees
-jsonpath "$.status" == "success"
diff --git a/test_requests/login.hurl b/test_requests/login.hurl
deleted file mode 100644
index 3d62432..0000000
--- a/test_requests/login.hurl
+++ /dev/null
@@ -1,13 +0,0 @@
-POST http://localhost:3333/login
-[FormParams]
-email: jason@debian.org
-password: supersecretpassword
-
-HTTP 200
-[Asserts]
-jsonpath "$.access_token" exists
-jsonpath "$.refresh_token" exists
-
-[Captures]
-# We capture this so we can manually use it in curl/xh if we want
-last_token: jsonpath "$.access_token"
diff --git a/test_requests/register.hurl b/test_requests/register.hurl
deleted file mode 100644
index 0199ecb..0000000
--- a/test_requests/register.hurl
+++ /dev/null
@@ -1,15 +0,0 @@
-# POST to the register endpoint
-POST http://localhost:3333/register
-[FormParams]
-email: jason@debian.org
-password: supersecretpassword
-
-# We expect a 200 OK and JSON containing tokens
-HTTP 200
-[Asserts]
-header "Content-Type" contains "application/json"
-jsonpath "$.access_token" exists
-jsonpath "$.refresh_token" exists
-
-# Useful for debugging in tmux:
-# hurl --verbose test_register.hurl
diff --git a/tests/hurl/auth_lifecycle.hurl b/tests/hurl/auth_lifecycle.hurl
new file mode 100644
index 0000000..7c2b6ff
--- /dev/null
+++ b/tests/hurl/auth_lifecycle.hurl
@@ -0,0 +1,56 @@
+# 1. Register a new unique user
+POST http://localhost:3333/register
+[FormParams]
+email: test_user@debian.org
+password: supersecretpassword
+
+HTTP 200
+[Captures]
+access_token: jsonpath "$.access_token"
+refresh_token: jsonpath "$.refresh_token"
+
+
+# 2. Access a protected route with the first token
+GET http://localhost:3333/home
+Authorization: Bearer {{access_token}}
+
+HTTP 200
+[Asserts]
+jsonpath "$.status" == "authenticated"
+
+
+# 3. Refresh the tokens
+POST http://localhost:3333/refresh
+Content-Type: application/json
+{
+ "refresh_token": "{{refresh_token}}"
+}
+
+HTTP 200
+[Captures]
+# Overwrite with the fresh tokens
+next_access_token: jsonpath "$.access_token"
+next_refresh_token: jsonpath "$.refresh_token"
+
+[Asserts]
+# Now compare the two distinct variable names
+variable "next_refresh_token" != "{{refresh_token}}"
+
+# 4. Access the protected route again with the NEW access token
+GET http://localhost:3333/home
+Authorization: Bearer {{next_access_token}}
+
+HTTP 200
+[Asserts]
+jsonpath "$.status" == "authenticated"
+
+# Log out user to clean table of tokens etc
+POST http://localhost:3333/logout
+Content-Type: application/json
+{
+ "refresh_token": "{{next_refresh_token}}"
+}
+
+HTTP 200
+[Asserts]
+jsonpath "$.message" == "logout success"
diff --git a/tests/hurl/bad_token.hurl b/tests/hurl/bad_token.hurl
new file mode 100644
index 0000000..b00eafd
--- /dev/null
+++ b/tests/hurl/bad_token.hurl
@@ -0,0 +1,7 @@
+# Check accessing protected route with an invalid token gives a 401
+GET http://localhost:3333/home
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30
+
+HTTP 401
+[Asserts]
+jsonpath "$.error" == "unauthorized"
diff --git a/tests/hurl/login_logout.hurl b/tests/hurl/login_logout.hurl
new file mode 100644
index 0000000..d2d32d9
--- /dev/null
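Review bot: Nothing in auth_lifecycle.hurl checks that a refresh token ever stops working: step 3 only asserts that `next_refresh_token` differs from `refresh_token`, and the final logout step only asserts the `logout success` message. A server that rotates without invalidating the old token, or that answers logout without revoking anything, would still pass; tests/hurl/login_logout.hurl has the same gap after its logout. I would append two `/refresh` requests after the logout, one per token, each expecting a rejection; they belong at the end so that a server with reuse detection does not revoke the new tokens before step 4 uses them. The 401 below is assumed from bad_token.hurl and should be set to whatever `/refresh` actually returns for a revoked token. Separately, the comment `# Overwrite with the fresh tokens` no longer matches the distinct `next_*` capture names.

```hurl
# … unchanged: steps 1–4 and the logout request …

# 5. The token presented at logout must no longer refresh
POST http://localhost:3333/refresh
Content-Type: application/json
{
  "refresh_token": "{{next_refresh_token}}"
}

HTTP 401

# 6. The token rotated out in step 3 must no longer refresh
POST http://localhost:3333/refresh
Content-Type: application/json
{
  "refresh_token": "{{refresh_token}}"
}

HTTP 401
```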
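Review bot: The hard-coded bearer value in bad_token.hurl has no comment saying where it comes from, so a reader or a secret scanner cannot tell it apart from a leaked credential; it decodes to a sample payload (`"name":"John Doe"`, `"admin":true`) with no `exp` claim. I would add `# Sample JWT, not issued by this service; it must fail signature verification` above the `Authorization` line. The file also exercises only this one rejection path: a request with no `Authorization` header, and one carrying an expired token issued by the service itself, would each deserve their own entry, presumably expecting the same 401.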
+++ b/tests/hurl/login_logout.hurl
@@ -0,0 +1,28 @@
+POST http://localhost:3333/login
+[FormParams]
+email: test_user@debian.org
+password: supersecretpassword
+
+HTTP 200
+[Captures]
+access_token: jsonpath "$.access_token"
+refresh_token: jsonpath "$.refresh_token"
+
+# Check the logged in use can access the protected route
+GET http://localhost:3333/home
+Authorization: Bearer {{access_token}}
+
+HTTP 200
+[Asserts]
+jsonpath "$.status" == "authenticated"
+
+# Log out user to clean table of tokens etc
+POST http://localhost:3333/logout
+Content-Type: application/json
+{
+ "refresh_token": "{{refresh_token}}"
+}
+
+HTTP 200
+[Asserts]
+jsonpath "$.message" == "logout success"
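Review bot: login_logout.hurl logs in as `test_user@debian.org` but never registers that account, so it passes only if tests/hurl/auth_lifecycle.hurl has already run against the same database. Conversely, auth_lifecycle.hurl registers that fixed address under the comment `# 1. Register a new unique user`, so a second run will presumably hit a duplicate unless the server or the harness resets users between runs. A header comment such as `# Requires the user created by auth_lifecycle.hurl; run that file first` would document the ordering, or the address could be supplied per run with `email: {{email}}` and Hurl's `--variable` option. The comment `# Check the logged in use can access the protected route` should read `user`.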