refactor: restructure package organization and add comprehensive tests (#35)

- Reorganize files to use descriptive names (main.go → package.go)
- Move Provider interface to dedicated interface.go files
- Add mock generation with go:generate directives
- Implement comprehensive unit tests for all packages:
  - auth: OAuth flow, authentication middleware, authorization checks
  - backend: MCP proxy setup, command execution, test server
  - idp: OAuth server metadata, JWKS, client registration and flow
  - proxy: JWT validation, token extraction, proxy handling
- Add testify for assertions and testserver for backend testing
- Update dependencies: add testify and memstore for session testing
- Delete obsolete mock files and consolidate utility functions

Author: hrntknr

go.mod

@@ -11,6 +11,7 @@ require (
 	github.com/mark3labs/mcp-go v0.37.0
 	github.com/ory/fosite v0.49.0
 	github.com/spf13/cobra v1.8.1
+	github.com/stretchr/testify v1.10.0
 	go.etcd.io/bbolt v1.4.2
 	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
@@ -77,14 +78,14 @@ require (
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/quasoft/memstore v0.0.0-20191010062613-2bce066d2b0b // indirect
 	github.com/seatgeek/logrus-gelf-formatter v0.0.0-20210414080842-5b05eb8ff761 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/afero v1.9.5 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/spf13/viper v1.16.0 // indirect
-	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect

go.sum

@@ -406,6 +406,8 @@ github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qR
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/quasoft/memstore v0.0.0-20191010062613-2bce066d2b0b h1:aUNXCGgukb4gtY99imuIeoh8Vr0GSwAlYxPAhqZrpFc=
+github.com/quasoft/memstore v0.0.0-20191010062613-2bce066d2b0b/go.mod h1:wTPjTepVu7uJBYgZ0SdWHQlIas582j6cn2jgk4DDdlg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=

pkg/auth/main.go pkg/auth/auth.gopkg/auth/main.go renamed to pkg/auth/auth.go

@@ -1,7 +1,6 @@
 package auth
 
 import (
-	"context"
 	"embed"
 	"errors"
 	"html/template"
@@ -11,22 +10,11 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/sigbit/mcp-auth-proxy/pkg/utils"
 	"golang.org/x/crypto/bcrypt"
-	"golang.org/x/oauth2"
 )
 
 //go:embed templates/*
 var templateFS embed.FS
 
-type Provider interface {
-	Name() string
-	RedirectURL() string
-	AuthURL() string
-	AuthCodeURL(c *gin.Context, state string) (string, error)
-	Exchange(c *gin.Context, state string) (*oauth2.Token, error)
-	GetUserID(ctx context.Context, token *oauth2.Token) (string, error)
-	Authorization(userid string) (bool, error)
-}
-
 type AuthRouter struct {
 	passwordHash         []string
 	providers            map[string]Provider

pkg/auth/auth_test.go

@@ -0,0 +1,196 @@
+package auth
+
+import (
+	"net/http"
+	"net/http/cookiejar"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-contrib/sessions/memstore"
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+	"golang.org/x/oauth2"
+)
+
+func setupTestRouter(authRouter *AuthRouter) *gin.Engine {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+
+	// Setup session middleware
+	store := memstore.NewStore([]byte("test-secret"))
+	router.Use(sessions.Sessions("session", store))
+
+	// Setup dummy protected route
+	router.GET("/", authRouter.RequireAuth(), func(c *gin.Context) {
+		c.String(http.StatusOK, "authenticated")
+	})
+
+	// Setup authentication routes
+	authRouter.SetupRoutes(router)
+
+	return router
+}
+
+func setupClient() *http.Client {
+	jar, _ := cookiejar.New(nil)
+	return &http.Client{
+		Jar: jar,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+}
+
+func TestAuthenticationFlow(t *testing.T) {
+	t.Run("Unauthenticated access should redirect to login", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		// Create mock provider
+		mockProvider := NewMockProvider(ctrl)
+		mockProvider.EXPECT().Name().Return("test").AnyTimes()
+		mockProvider.EXPECT().AuthURL().Return("/.auth/test").AnyTimes()
+		mockProvider.EXPECT().RedirectURL().Return("/.auth/test/callback").AnyTimes()
+
+		// Create AuthRouter
+		authRouter, err := NewAuthRouter(nil, mockProvider)
+		require.NoError(t, err)
+
+		router := setupTestRouter(authRouter)
+		server := httptest.NewServer(router)
+		defer server.Close()
+
+		client := setupClient()
+
+		resp, err := client.Get(server.URL + "/")
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
+		require.Equal(t, http.StatusFound, resp.StatusCode)
+
+		location := resp.Header.Get("Location")
+		require.Equal(t, LoginEndpoint, location)
+	})
+
+	t.Run("OAuth authentication flow", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		// Create mock provider
+		mockProvider := NewMockProvider(ctrl)
+		mockProvider.EXPECT().Name().Return("test").AnyTimes()
+		mockProvider.EXPECT().AuthURL().Return("/.auth/test").AnyTimes()
+		mockProvider.EXPECT().RedirectURL().Return("/.auth/test/callback").AnyTimes()
+
+		// Create AuthRouter
+		authRouter, err := NewAuthRouter(nil, mockProvider)
+		require.NoError(t, err)
+
+		router := setupTestRouter(authRouter)
+		server := httptest.NewServer(router)
+		defer server.Close()
+
+		client := setupClient()
+
+		// Step 1: Access unauthenticated route first to set redirectURL in session
+		resp, err := client.Get(server.URL + "/")
+		require.NoError(t, err)
+		resp.Body.Close()
+
+		// Verify redirect to login page
+		require.Equal(t, http.StatusFound, resp.StatusCode)
+
+		// Step 2: Start authentication
+		mockProvider.EXPECT().AuthCodeURL(gomock.Any(), gomock.Any()).Return("https://example.com/oauth", nil)
+
+		resp, err = client.Get(server.URL + "/.auth/test")
+		require.NoError(t, err)
+		resp.Body.Close()
+
+		require.Equal(t, http.StatusFound, resp.StatusCode)
+
+		location := resp.Header.Get("Location")
+		require.Equal(t, "https://example.com/oauth", location)
+
+		// Step 3: Handle callback
+		mockToken := &oauth2.Token{AccessToken: "test-token"}
+		mockProvider.EXPECT().Exchange(gomock.Any(), gomock.Any()).Return(mockToken, nil)
+		mockProvider.EXPECT().GetUserID(gomock.Any(), mockToken).Return("test-user", nil)
+
+		resp, err = client.Get(server.URL + "/.auth/test/callback")
+		require.NoError(t, err)
+		resp.Body.Close()
+
+		require.Equal(t, http.StatusFound, resp.StatusCode)
+
+		// Verify redirect to root
+		location = resp.Header.Get("Location")
+		require.Equal(t, "/", location)
+
+		// Step 4: Access after authentication
+		mockProvider.EXPECT().Authorization("test-user").Return(true, nil)
+
+		resp, err = client.Get(server.URL + "/")
+		if err != nil {
+			t.Fatalf("Request failed: %v", err)
+		}
+		defer resp.Body.Close()
+
+		require.Equal(t, http.StatusOK, resp.StatusCode)
+	})
+
+	t.Run("Unauthorized user should be blocked", func(t *testing.T) {
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+
+		// Create mock provider
+		mockProvider := NewMockProvider(ctrl)
+		mockProvider.EXPECT().Name().Return("test").AnyTimes()
+		mockProvider.EXPECT().AuthURL().Return("/.auth/test").AnyTimes()
+		mockProvider.EXPECT().RedirectURL().Return("/.auth/test/callback").AnyTimes()
+
+		// Create AuthRouter
+		authRouter, err := NewAuthRouter(nil, mockProvider)
+		require.NoError(t, err)
+
+		router := setupTestRouter(authRouter)
+		server := httptest.NewServer(router)
+		defer server.Close()
+
+		client := setupClient()
+
+		// Step 1: Access unauthenticated route first
+		resp, err := client.Get(server.URL + "/")
+		require.NoError(t, err)
+		resp.Body.Close()
+
+		// Step 2: Start authentication
+		mockProvider.EXPECT().AuthCodeURL(gomock.Any(), gomock.Any()).Return("https://example.com/oauth", nil)
+
+		resp, err = client.Get(server.URL + "/.auth/test")
+		require.NoError(t, err)
+		resp.Body.Close()
+
+		// Step 3: Complete authentication
+		mockToken := &oauth2.Token{AccessToken: "test-token"}
+		mockProvider.EXPECT().Exchange(gomock.Any(), gomock.Any()).Return(mockToken, nil)
+		mockProvider.EXPECT().GetUserID(gomock.Any(), mockToken).Return("unauthorized-user", nil)
+
+		resp, err = client.Get(server.URL + "/.auth/test/callback")
+		require.NoError(t, err)
+		resp.Body.Close()
+
+		// Step 4: Test access when authorization fails
+		mockProvider.EXPECT().Authorization("unauthorized-user").Return(false, nil)
+
+		resp, err = client.Get(server.URL + "/")
+		if err != nil {
+			t.Fatalf("Request failed: %v", err)
+		}
+		defer resp.Body.Close()
+
+		require.Equal(t, http.StatusForbidden, resp.StatusCode)
+	})
+}

pkg/auth/interface.go

@@ -0,0 +1,19 @@
+//go:generate mockgen -source=interface.go -destination=mock.go -package=auth
+package auth
+
+import (
+	"context"
+
+	"github.com/gin-gonic/gin"
+	"golang.org/x/oauth2"
+)
+
+type Provider interface {
+	Name() string
+	RedirectURL() string
+	AuthURL() string
+	AuthCodeURL(c *gin.Context, state string) (string, error)
+	Exchange(c *gin.Context, state string) (*oauth2.Token, error)
+	GetUserID(ctx context.Context, token *oauth2.Token) (string, error)
+	Authorization(userid string) (bool, error)
+}