package httpapi

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"ai-service/internal/config"
)

// TestAPITokenProtectsAPIRoutes checks that, with APIAuthToken configured,
// requests under /api/v1/ get 401 unless they carry the matching bearer token.
//
// The wrong-token request deliberately targets a route that does not exist
// and must still get 401 rather than 404; only the request with the correct
// token is allowed to see the 404. That pins the token check as happening
// before the "no such route" answer for that path.
func TestAPITokenProtectsAPIRoutes(t *testing.T) {
	// NOTE(review): the first NewServer argument is nil; presumably none of the
	// requests below reach a handler that dereferences it. Confirm if routes change.
	srv := NewServer(nil, config.Config{APIAuthToken: "secret"})

	// statusOf issues a GET for path through the server and returns the
	// recorded status code. An empty authorization leaves the header unset.
	statusOf := func(path, authorization string) int {
		req := httptest.NewRequest(http.MethodGet, path, nil)
		if authorization != "" {
			req.Header.Set("Authorization", authorization)
		}
		rec := httptest.NewRecorder()
		srv.ServeHTTP(rec, req)
		return rec.Code
	}

	// No Authorization header at all.
	if got := statusOf("/api/v1/stats", ""); got != http.StatusUnauthorized {
		t.Fatalf("expected unauthorized API request to be 401, got %d", got)
	}

	// Bearer scheme with a token that does not match the configured one.
	if got := statusOf("/api/v1/not-found", "Bearer wrong"); got != http.StatusUnauthorized {
		t.Fatalf("expected wrong token to be 401, got %d", got)
	}

	// Correct token: the request passes authentication and falls through to
	// routing, which reports the unknown path.
	if got := statusOf("/api/v1/not-found", "Bearer secret"); got != http.StatusNotFound {
		t.Fatalf("expected authorized unknown route to be 404, got %d", got)
	}
}

// TestAPITokenDoesNotProtectHealth checks that /healthz answers 200 without an
// Authorization header even when APIAuthToken is configured.
//
// Only the status code is asserted; the response body is not inspected here.
func TestAPITokenDoesNotProtectHealth(t *testing.T) {
	cfg := config.Config{APIAuthToken: "secret"}
	srv := NewServer(nil, cfg)

	rec := httptest.NewRecorder()
	srv.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/healthz", nil))

	if got := rec.Code; got != http.StatusOK {
		t.Fatalf("expected healthz to stay open, got %d", got)
	}
}