Description
The authentication middleware (auth/middleware.go) has no tests, despite being critical for security.
Untested Code
// auth/middleware.go

// RequireAuthenticated returns middleware that lets a request through to next
// only when the session holds authenticated SessionClaims and, for paths that
// are not tenant-optional, those claims carry an active tenant. Every other
// request is answered by handleUnauthenticated or handleTenantRequired and
// never reaches next.
//
// NOTE(review): the parameter is named cfg but the body reads conf, so this
// excerpt does not compile as shown — one of the two is a transcription error.
func RequireAuthenticated(sessionManager *session.Manager, cfg MiddlewareConfig) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// Fail closed: a missing session value, a value of any type other
			// than SessionClaims, or claims with Authenticated == false all take
			// the unauthenticated branch below.
			claims, ok := sessionManager.Get(r.Context(), conf.SessionKey).(SessionClaims)
			if !ok || !claims.Authenticated {
				handleUnauthenticated(w, r, conf)
				return
			}
			// The tenant-optional allowlist is consulted only after the
			// authentication check has passed and only when no tenant is
			// selected; it cannot relax the check above. The path is matched as
			// received in r.URL.Path — whether isTenantOptionalPath normalises
			// it first is not visible in this excerpt.
			if claims.ActiveTenantID == nil && !isTenantOptionalPath(r.URL.Path, conf.AllowPathsWithoutTenant) {
				handleTenantRequired(w, r, conf)
				return
			}
			ctx := WithSessionClaims(r.Context(), claims)
			// ... (rest of the handler elided in the issue; presumably
			// next.ServeHTTP(w, r.WithContext(ctx)) follows — confirm against
			// the full file)
		})
	}
}
Tests Needed
// auth/middleware_test.go

// TestRequireAuthenticated_Unauthenticated covers the first guard in
// RequireAuthenticated: the session yields no SessionClaims, a value that is
// not SessionClaims, or claims whose Authenticated flag is false.
func TestRequireAuthenticated_Unauthenticated(t *testing.T) {
	// No session → 401 or redirect to login
	// Three sub-cases are worth separate rows: Get returns nil, Get returns a
	// value of another type (the failed type assertion is treated like no
	// session), and Authenticated == false. For each, assert the response
	// handleUnauthenticated produces for the configured mode (401 in ModeAPI,
	// redirect to login in ModeUI) and that the wrapped next handler was
	// never invoked.
}
// TestRequireAuthenticated_AuthenticatedNoTenant covers the second guard:
// authenticated claims with a nil ActiveTenantID on a path that is not
// tenant-optional.
func TestRequireAuthenticated_AuthenticatedNoTenant(t *testing.T) {
	// Authenticated but no tenant selected → 409 or redirect to picker
	// Use a request path that is NOT in AllowPathsWithoutTenant so the
	// outcome is decided by ActiveTenantID alone. Assert the
	// handleTenantRequired response for the configured mode (409 in ModeAPI,
	// redirect to the picker in ModeUI) and that next was never invoked.
}
// TestRequireAuthenticated_AuthenticatedWithTenant is the happy path: both
// guards pass and the request reaches next.
func TestRequireAuthenticated_AuthenticatedWithTenant(t *testing.T) {
	// Full auth → context has claims and tenant ID
	// Capture r.Context() inside a stub next handler and assert that the
	// claims stored by WithSessionClaims, including their ActiveTenantID,
	// are readable from it. The accessor that reads them back is not shown
	// in the issue — confirm its name in auth/.
}
// TestRequireAuthenticated_TenantOptionalPath exercises the
// isTenantOptionalPath escape hatch in the second guard.
func TestRequireAuthenticated_TenantOptionalPath(t *testing.T) {
	// Path in AllowPathsWithoutTenant → passes without tenant
	// Authenticated claims, ActiveTenantID == nil, request path listed in
	// cfg.AllowPathsWithoutTenant: next must be invoked. Pair it with a
	// sibling path that is NOT listed to show the allowlist, not the nil
	// check, let the request through. Also add the negative case that
	// matters most: an unauthenticated request on a listed path must still
	// be rejected, because the allowlist is only consulted after the
	// authentication guard.
}
// TestRequireAuthenticated_APIMode pins the response shape of both failure
// handlers when the middleware is configured in ModeAPI.
func TestRequireAuthenticated_APIMode(t *testing.T) {
	// ModeAPI → returns JSON errors
	// For the unauthenticated and the tenant-required failures: assert the
	// status code (401 / 409 as in the tests above), a JSON content type,
	// and that no redirect is issued. The body is produced by
	// handleUnauthenticated / handleTenantRequired — decode it and check the
	// fields rather than comparing the raw string.
}
// TestRequireAuthenticated_UIMode pins the redirect behaviour of both failure
// handlers when the middleware is configured in ModeUI.
func TestRequireAuthenticated_UIMode(t *testing.T) {
	// ModeUI → redirects to login/picker
	// Assert a 3xx status and the Location target (login page for the
	// unauthenticated case, tenant picker for the no-tenant case). If the
	// redirect carries the original URL as a return-to parameter, also
	// assert it is a relative path rather than an absolute URL — confirm
	// whether handleUnauthenticated does this; it is not shown in the issue.
}
// TestIsTenantOptionalPath unit-tests the allowlist matcher on its own. Its
// signature, inferred from the call in RequireAuthenticated, takes the request
// path and cfg.AllowPathsWithoutTenant — confirm against auth/middleware.go.
func TestIsTenantOptionalPath(t *testing.T) {
	// Exact match
	// Prefix match with *
	// No match
	// A table-driven test fits here. Beyond the three cases above, pin the
	// boundaries of the `*` rule: whether "/x*" matches "/xy" as well as
	// "/x/y", an empty allowlist, an empty path, and — because the caller
	// passes r.URL.Path unmodified — a path with a trailing slash or "." /
	// ".." segments, so the intended normalisation is documented by a test.
}
Impact
- Effort: Low-Medium
- Benefit: High (verify auth enforcement)
- Priority: Medium