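#!/bin/bash
# Automated API test script - simulates Grok workflow
# Usage: ./test-api.sh [session_token]
#
# Runs six end-to-end checks against the API and exits non-zero on the first
# failure. Needs curl and python3; when no session token is given on the
# command line it also needs sqlite3 and the project's decrypt helper.
set -euo pipefail

API="https://inou.com/api/v1"
SESSION_TOKEN="${1:-}"
# Per-request timeout (seconds) so an unresponsive endpoint fails the suite
# instead of hanging it.
CURL_TIMEOUT=30

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# printf instead of echo -e: the message is passed as an argument, so a
# backslash or a leading '-' in it is printed verbatim. Failures go to stderr.
pass() { printf "${GREEN}PASS${NC}: %s\n" "$1"; }
fail() { printf "${RED}FAIL${NC}: %s\n" "$1" >&2; exit 1; }
info() { printf "${YELLOW}INFO${NC}: %s\n" "$1"; }

#######################################
# Issue one API request and split curl's output into body and status code.
# Arguments: curl arguments (URL, -X, -H ...)
# Globals:   HTTP_CODE (written) - three-digit status from curl
#            BODY      (written) - response body
# Exits via fail() when curl itself cannot complete the request, so a
# transport error is reported instead of a bare set -e exit.
#######################################
request() {
  local response
  # The status code is appended on its own line so it can be split off with
  # parameter expansion instead of a head/tail pair.
  response=$(curl -s --max-time "$CURL_TIMEOUT" -w "\n%{http_code}" "$@") \
    || fail "curl could not complete the request (exit $?)"
  HTTP_CODE=${response##*$'\n'}
  BODY=${response%$'\n'*}
}

#######################################
# Evaluate a Python expression against a JSON document read from stdin.
# Arguments: $1 - Python expression; the parsed document is bound to `d`.
#                 Only script-constant literals are passed here; response
#                 data must never be routed through this parameter.
# Outputs:   the expression's value on stdout
# Returns:   non-zero when stdin is not JSON or the expression fails
#######################################
json() {
  python3 -c "import sys,json; d=json.load(sys.stdin); print($1)" 2>/dev/null
}

for tool in curl python3; do
  command -v "$tool" >/dev/null || fail "required tool not found: $tool"
done

echo "=== Inou API Test Suite ==="
echo ""

# Get session token if not provided
if [ -z "$SESSION_TOKEN" ]; then
  info "No token provided, fetching from database..."
  # The stored value is passed through the project's decrypt helper. Any
  # failure in the pipeline leaves the token empty so the explicit fail()
  # below fires rather than a silent set -e exit.
  SESSION_TOKEN=$(sqlite3 /tank/inou/data/inou.db \
    "SELECT session_token FROM dossiers WHERE length(session_token) > 10 LIMIT 1" \
    | /tank/inou/bin/decrypt 2>/dev/null) || SESSION_TOKEN=""
  if [ -z "$SESSION_TOKEN" ]; then
    fail "No session token found in database"
  fi
fi
# Only the length is logged: even a prefix of the secret would end up in CI
# output and terminal scrollback.
echo "Session token: loaded (${#SESSION_TOKEN} chars)"
echo ""

# Test 1: Exchange session token for access token
info "Test 1: Token refresh (session -> access token)"
request -X POST "$API/token" -H "Authorization: Bearer $SESSION_TOKEN"
if [ "$HTTP_CODE" = "200" ]; then
  ACCESS_TOKEN=$(json "d['token']" <<<"$BODY") \
    || fail "Token response is not JSON or has no 'token' field"
  EXPIRES_IN=$(json "d['expires_in']" <<<"$BODY") \
    || fail "Token response has no 'expires_in' field"
  [ -n "$ACCESS_TOKEN" ] || fail "Token response returned an empty token"
  pass "Got access token (expires in ${EXPIRES_IN}s)"
else
  fail "Token refresh failed: HTTP $HTTP_CODE"
fi

# Test 2: List dossiers with access token (Bearer header)
info "Test 2: List dossiers (Bearer header auth)"
request "$API/dossiers" -H "Authorization: Bearer $ACCESS_TOKEN"
if [ "$HTTP_CODE" = "200" ]; then
  COUNT=$(json "len(d)" <<<"$BODY") || fail "Dossier list is not a JSON array"
  pass "Listed $COUNT dossiers"
else
  fail "List dossiers failed: HTTP $HTTP_CODE"
fi

# Test 3: List dossiers with access token (query param - Grok style)
# The token travels in the URL here, which is the path the Grok client uses.
# Unlike the header form, a URL-borne token is visible to proxies, access
# logs and Referer headers, so the server side that accepts it deserves the
# same review as the header path.
info "Test 3: List dossiers (query param auth - Grok style)"
request "$API/dossiers?token=$ACCESS_TOKEN"
if [ "$HTTP_CODE" = "200" ]; then
  FIRST_DOSSIER=$(json "f\"{d[0]['name']} ({d[0]['id'][:8]}...)\"" <<<"$BODY") \
    || fail "Dossier list is empty or lacks name/id"
  # Kept for Test 5: later requests overwrite BODY.
  DOSSIERS_JSON=$BODY
  pass "Query param auth works: $FIRST_DOSSIER"
else
  fail "Query param auth failed: HTTP $HTTP_CODE"
fi

# Test 4: Access with invalid token
info "Test 4: Reject invalid token"
request "$API/dossiers?token=invalid_token_12345"
if [ "$HTTP_CODE" = "401" ]; then
  pass "Invalid token rejected with 401"
else
  fail "Invalid token should return 401, got $HTTP_CODE"
fi

# Test 5: Get dossier details
info "Test 5: Get dossier entries"
# The id comes from the list saved in Test 3, not from whatever the previous
# request happened to leave in BODY.
DOSSIER_ID=$(json "d[0]['id']" <<<"$DOSSIERS_JSON") \
  || fail "Could not read a dossier id from the list"
[ -n "$DOSSIER_ID" ] || fail "Dossier id is empty"
request "$API/dossiers/$DOSSIER_ID/entries?token=$ACCESS_TOKEN&category=imaging"
if [ "$HTTP_CODE" = "200" ]; then
  pass "Got dossier entries"
else
  fail "Get entries failed: HTTP $HTTP_CODE"
fi

# Test 6: Check token structure
# Only the length is checked: this confirms the token is not a short or empty
# value, it does not verify how the token is encoded or protected.
info "Test 6: Check token structure"
if [ -n "$ACCESS_TOKEN" ] && [ "${#ACCESS_TOKEN}" -gt 50 ]; then
  pass "Access token is encrypted (${#ACCESS_TOKEN} chars)"
else
  fail "Access token looks invalid"
fi

echo ""
echo "=== All tests passed ==="
echo ""
echo "Summary:"
echo "- Session token -> access token exchange: OK"
echo "- Bearer header auth: OK"
echo "- Query param auth (Grok): OK"
echo "- Invalid token rejection: OK"
echo "- Dossier access: OK"
echo "- Token encryption: OK"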