
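#!/bin/bash
# Automated API test script - simulates the Grok workflow against the Inou API.
# Usage: ./test-api.sh [session_token]
#   session_token  optional; when omitted, a stored token is read from the
#                  local database (see below).
# Exits non-zero on the first failing test.
set -eu   # -e: stop on the first unchecked failure; -u: an unset variable is a bug here
readonly API="https://inou.com/api/v1"
SESSION_TOKEN="${1:-}"   # may be empty; resolved from the database further down
# ANSI colours used by pass/fail/info
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m'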
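# pass MESSAGE - report a passing check on stdout.
# printf '%b' expands the colour escapes; the message itself is printed
# verbatim with '%s' (echo -e would also interpret backslashes inside it).
pass() { printf '%bPASS%b: %s\n' "$GREEN" "$NC" "$1"; }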
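# fail MESSAGE - report a failed check on stderr and abort the whole run.
# The message is printed with '%s' so backslashes in it are not interpreted.
fail() { printf '%bFAIL%b: %s\n' "$RED" "$NC" "$1" >&2; exit 1; }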
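# info MESSAGE - print a progress line on stdout.
# '%s' keeps the message verbatim; only the colour codes are expanded.
info() { printf '%bINFO%b: %s\n' "$YELLOW" "$NC" "$1"; }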
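echo "=== Inou API Test Suite ==="
echo ""
# Resolve a session token when none was given on the command line: pull one
# stored (encrypted) token from the local database and run it through the
# decrypt helper. Both paths can be overridden through the environment so the
# script is usable on a host with a different layout.
if [ -z "$SESSION_TOKEN" ]; then
  info "No token provided, fetching from database..."
  # decrypt's stderr is discarded, so a decryption problem surfaces only as an
  # empty token. `|| true` keeps set -e from aborting silently before the
  # explicit diagnostic below.
  SESSION_TOKEN=$(sqlite3 "${INOU_DB:-/tank/inou/data/inou.db}" \
    "SELECT session_token FROM dossiers WHERE length(session_token) > 10 LIMIT 1" \
    | "${INOU_DECRYPT:-/tank/inou/bin/decrypt}" 2>/dev/null) || true
  if [ -z "$SESSION_TOKEN" ]; then
    fail "No session token found in database"
  fi
fi
# Only a prefix is echoed: the full value is a credential and this output
# normally ends up in terminal scrollback or CI logs.
echo "Session token: ${SESSION_TOKEN:0:16}..."
echo ""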
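# Test 1: exchange the session token for a short-lived access token.
info "Test 1: Token refresh (session -> access token)"
# The Authorization header is fed through stdin (-H @-, curl >= 7.55) so the
# token never appears on curl's command line, where `ps` would show it.
RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "$API/token" -H @- <<<"Authorization: Bearer $SESSION_TOKEN")
HTTP_CODE=$(echo "$RESPONSE" | tail -1)     # status code appended by -w
BODY=$(echo "$RESPONSE" | head -n -1)       # everything before the status line
if [ "$HTTP_CODE" = "200" ]; then
  # python's stderr is discarded, so malformed JSON or a missing field only
  # shows up as an empty variable; `|| true` stops set -e from exiting without
  # a message and the check below reports it instead.
  ACCESS_TOKEN=$(echo "$BODY" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])" 2>/dev/null) || true
  EXPIRES_IN=$(echo "$BODY" | python3 -c "import sys,json; print(json.load(sys.stdin)['expires_in'])" 2>/dev/null) || true
  if [ -z "$ACCESS_TOKEN" ]; then
    fail "Token refresh returned 200 but the response has no 'token' field"
  fi
  pass "Got access token (expires in ${EXPIRES_IN}s)"
else
  fail "Token refresh failed: HTTP $HTTP_CODE"
fi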
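# Test 2: list dossiers with the access token in the Authorization header.
info "Test 2: List dossiers (Bearer header auth)"
# Header via stdin (-H @-, curl >= 7.55) keeps the token off the argv.
RESPONSE=$(curl -s -w "\n%{http_code}" "$API/dossiers" -H @- <<<"Authorization: Bearer $ACCESS_TOKEN")
HTTP_CODE=$(echo "$RESPONSE" | tail -1)
BODY=$(echo "$RESPONSE" | head -n -1)
if [ "$HTTP_CODE" = "200" ]; then
  # The body is expected to be a JSON array; COUNT stays empty if it is not,
  # and `|| true` lets that be reported instead of tripping set -e silently.
  COUNT=$(echo "$BODY" | python3 -c "import sys,json; print(len(json.load(sys.stdin)))" 2>/dev/null) || true
  [ -n "$COUNT" ] || fail "List dossiers returned 200 but the body is not a JSON array"
  pass "Listed $COUNT dossiers"
else
  fail "List dossiers failed: HTTP $HTTP_CODE"
fi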
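# Test 3: list dossiers with the token as a query parameter, the way the Grok
# client sends it. The API accepts this by design; note that a token in the
# URL is visible to access logs and intermediaries in a way a header is not.
info "Test 3: List dossiers (query param auth - Grok style)"
RESPONSE=$(curl -s -w "\n%{http_code}" "$API/dossiers?token=$ACCESS_TOKEN")
HTTP_CODE=$(echo "$RESPONSE" | tail -1)
BODY=$(echo "$RESPONSE" | head -n -1)   # NB: Test 5 reads this BODY again to pick a dossier id
if [ "$HTTP_CODE" = "200" ]; then
  # FIRST_DOSSIER stays empty when the array is empty or the JSON is
  # malformed; `|| true` keeps set -e from exiting without a message.
  FIRST_DOSSIER=$(echo "$BODY" | python3 -c "import sys,json; d=json.load(sys.stdin)[0]; print(f\"{d['name']} ({d['id'][:8]}...)\")" 2>/dev/null) || true
  [ -n "$FIRST_DOSSIER" ] || fail "Query param auth returned 200 but no dossier could be parsed from the body"
  pass "Query param auth works: $FIRST_DOSSIER"
else
  fail "Query param auth failed: HTTP $HTTP_CODE"
fi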
# Test 4: a bogus token must be rejected with 401. BODY is deliberately left
# alone here, because Test 5 still reads the listing that Test 3 stored in it.
info "Test 4: Reject invalid token"
RESPONSE=$(curl -s -w "\n%{http_code}" "$API/dossiers?token=invalid_token_12345")
HTTP_CODE=${RESPONSE##*$'\n'}   # the status code is the last line, appended by -w
case "$HTTP_CODE" in
  401) pass "Invalid token rejected with 401" ;;
  *)   fail "Invalid token should return 401, got $HTTP_CODE" ;;
esac
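# Test 5: fetch the entries of one dossier. The id is taken from the listing
# body that Test 3 left in BODY (Test 4 does not overwrite it).
info "Test 5: Get dossier entries"
DOSSIER_ID=$(echo "$BODY" | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['id'])" 2>/dev/null) || true
# Without this guard an empty id would request /dossiers//entries and the
# failure would be blamed on the entries endpoint.
[ -n "$DOSSIER_ID" ] || fail "No dossier id could be read from the listing"
RESPONSE=$(curl -s -w "\n%{http_code}" "$API/dossiers/$DOSSIER_ID/entries?token=$ACCESS_TOKEN&category=imaging")
HTTP_CODE=$(echo "$RESPONSE" | tail -1)
if [ "$HTTP_CODE" = "200" ]; then
  pass "Got dossier entries"
else
  fail "Get entries failed: HTTP $HTTP_CODE"
fi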
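# Test 6: sanity-check the shape of the access token. This is a length check
# only: it does not prove the token is encrypted, nor that expiry is enforced
# server-side (the expiry test the heading hints at is not implemented here).
# The previous base64-decoded TOKEN_PARTS value was never used and is dropped.
info "Test 6: Check token structure"
if [ -n "$ACCESS_TOKEN" ] && [ "${#ACCESS_TOKEN}" -gt 50 ]; then
  pass "Access token is encrypted (${#ACCESS_TOKEN} chars)"
else
  fail "Access token looks invalid"
fi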
# Final report. Only reached when every test above passed, since fail exits.
cat <<'EOF'

=== All tests passed ===

Summary:
- Session token -> access token exchange: OK
- Bearer header auth: OK
- Query param auth (Grok): OK
- Invalid token rejection: OK
- Dossier access: OK
- Token encryption: OK
EOF