From 313df78cf784e79c547367e6ae16c14f69550eed Mon Sep 17 00:00:00 2001 From: rcourtman Date: Wed, 4 Feb 2026 14:26:38 +0000 Subject: [PATCH] Require auth for admin endpoints with OIDC --- internal/api/oidc_admin_auth_test.go | 41 ++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 internal/api/oidc_admin_auth_test.go diff --git a/internal/api/oidc_admin_auth_test.go b/internal/api/oidc_admin_auth_test.go new file mode 100644 index 000000000..7014c7540 --- /dev/null +++ b/internal/api/oidc_admin_auth_test.go @@ -0,0 +1,41 @@ +package api + +import ( + "net/http" + "net/http/httptest" + "testing" + + "github.com/rcourtman/pulse-go-rewrite/internal/config" +) + +func TestAdminEndpointsRequireAuthWhenOIDCEnabled(t *testing.T) { + t.Setenv("ALLOW_ADMIN_BYPASS", "") + t.Setenv("PULSE_DEV", "") + t.Setenv("NODE_ENV", "") + resetAdminBypassState() + + dataDir := t.TempDir() + cfg := &config.Config{ + DataPath: dataDir, + ConfigPath: dataDir, + OIDC: &config.OIDCConfig{ + Enabled: true, + }, + } + + router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0") + + paths := []string{ + "/api/system/settings", + "/api/diagnostics", + } + + for _, path := range paths { + req := httptest.NewRequest(http.MethodGet, path, nil) + rec := httptest.NewRecorder() + router.Handler().ServeHTTP(rec, req) + if rec.Code != http.StatusUnauthorized { + t.Fatalf("expected 401 without auth for %s, got %d", path, rec.Code) + } + } +}