3x-ui/util/crypto/crypto_test.go

package crypto

import (
	"strings"
	"testing"
)

func TestHashPasswordAsBcrypt_RoundTrip(t *testing.T) {
	password := "correct horse battery staple"

	hash, err := HashPasswordAsBcrypt(password)
	if err != nil {
		t.Fatalf("HashPasswordAsBcrypt returned error: %v", err)
	}
	if hash == "" {
		t.Fatal("expected non-empty hash")
	}
	if hash == password {
		t.Fatal("hash must not equal the plaintext password")
	}
	if !strings.HasPrefix(hash, "$2") {
		t.Fatalf("expected bcrypt prefix $2..., got %q", hash[:min(4, len(hash))])
	}

	if !CheckPasswordHash(hash, password) {
		t.Fatal("CheckPasswordHash returned false for the matching password")
	}
}

func TestCheckPasswordHash_WrongPassword(t *testing.T) {
	hash, err := HashPasswordAsBcrypt("right-password")
	if err != nil {
		t.Fatalf("HashPasswordAsBcrypt returned error: %v", err)
	}

	if CheckPasswordHash(hash, "wrong-password") {
		t.Fatal("CheckPasswordHash returned true for a wrong password")
	}
	if CheckPasswordHash(hash, "") {
		t.Fatal("CheckPasswordHash returned true for an empty password")
	}
}

func TestCheckPasswordHash_InvalidHash(t *testing.T) {
	if CheckPasswordHash("", "anything") {
		t.Fatal("empty hash must not validate")
	}
	if CheckPasswordHash("not-a-bcrypt-hash", "anything") {
		t.Fatal("malformed hash must not validate")
	}
}

func TestHashPasswordAsBcrypt_DifferentHashesForSamePassword(t *testing.T) {
	password := "same-password"
	h1, err := HashPasswordAsBcrypt(password)
	if err != nil {
		t.Fatalf("first hash failed: %v", err)
	}
	h2, err := HashPasswordAsBcrypt(password)
	if err != nil {
		t.Fatalf("second hash failed: %v", err)
	}
	if h1 == h2 {
		t.Fatal("expected bcrypt to produce different hashes (random salt) for the same password")
	}
	if !CheckPasswordHash(h1, password) || !CheckPasswordHash(h2, password) {
		t.Fatal("both hashes should still validate the original password")
	}
}
test: cover crypto, random, netsafe, sub helpers, xray equals, websocket hub, node service Adds ~110 unit tests across previously untested packages. Focus on pure-logic and concurrency surfaces where regressions would silently affect users: - util/crypto, util/random: password hashing round-trip, ss2022 key generation, alphabet/length invariants. - util/netsafe: IsBlockedIP edge cases, NormalizeHost validation, SSRF guard with AllowPrivate context bypass. - util/common, util/json_util: traffic formatter, Combine nil-skip, RawMessage empty-as-null and copy-on-unmarshal. - sub: splitLinkLines, searchKey/searchHost, kcp share fields, finalmask normalization, buildVmessLink round-trip. - xray: Config.Equals and InboundConfig.Equals field-by-field, getRequiredUserString/getOptionalUserString type checks. - web/websocket: hub registration, throttling, slow-client eviction, nil-receiver safety, concurrent register/unregister. - web/service: NodeService.normalize validation, normalizeBasePath, HeartbeatPatch.ToUI mapping. - web/job: atomicBool concurrent set/takeAndReset semantics. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-18 08:00:09 +00:00			`package crypto`

			`import (`
			`"strings"`
			`"testing"`
			`)`

			`func TestHashPasswordAsBcrypt_RoundTrip(t *testing.T) {`
			`password := "correct horse battery staple"`

			`hash, err := HashPasswordAsBcrypt(password)`
			`if err != nil {`
			`t.Fatalf("HashPasswordAsBcrypt returned error: %v", err)`
			`}`
			`if hash == "" {`
			`t.Fatal("expected non-empty hash")`
			`}`
			`if hash == password {`
			`t.Fatal("hash must not equal the plaintext password")`
			`}`
			`if !strings.HasPrefix(hash, "$2") {`
			`t.Fatalf("expected bcrypt prefix $2..., got %q", hash[:min(4, len(hash))])`
			`}`

			`if !CheckPasswordHash(hash, password) {`
			`t.Fatal("CheckPasswordHash returned false for the matching password")`
			`}`
			`}`

			`func TestCheckPasswordHash_WrongPassword(t *testing.T) {`
			`hash, err := HashPasswordAsBcrypt("right-password")`
			`if err != nil {`
			`t.Fatalf("HashPasswordAsBcrypt returned error: %v", err)`
			`}`

			`if CheckPasswordHash(hash, "wrong-password") {`
			`t.Fatal("CheckPasswordHash returned true for a wrong password")`
			`}`
			`if CheckPasswordHash(hash, "") {`
			`t.Fatal("CheckPasswordHash returned true for an empty password")`
			`}`
			`}`

			`func TestCheckPasswordHash_InvalidHash(t *testing.T) {`
			`if CheckPasswordHash("", "anything") {`
			`t.Fatal("empty hash must not validate")`
			`}`
			`if CheckPasswordHash("not-a-bcrypt-hash", "anything") {`
			`t.Fatal("malformed hash must not validate")`
			`}`
			`}`

			`func TestHashPasswordAsBcrypt_DifferentHashesForSamePassword(t *testing.T) {`
			`password := "same-password"`
			`h1, err := HashPasswordAsBcrypt(password)`
			`if err != nil {`
			`t.Fatalf("first hash failed: %v", err)`
			`}`
			`h2, err := HashPasswordAsBcrypt(password)`
			`if err != nil {`
			`t.Fatalf("second hash failed: %v", err)`
			`}`
			`if h1 == h2 {`
			`t.Fatal("expected bcrypt to produce different hashes (random salt) for the same password")`
			`}`
			`if !CheckPasswordHash(h1, password) \|\| !CheckPasswordHash(h2, password) {`
			`t.Fatal("both hashes should still validate the original password")`
			`}`
			`}`