Fix CI test failures from RBAC/multiuser changes

- Fix %%v typo in main.go log.Printf (was printing literal %%v)
- Add users and audit_logs to testutil CleanupCollections so auth tests
  get a clean slate between runs
- Update apiauth_test.go callbacks to match new (interface{}, error)
  return type for APIKeyValidateFunc and OAuthValidateFunc
- Add email field to oauth handler tests and fix expected error message
  ("Invalid email or password" not "Invalid password")

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jonradoff

cmd/server/main.go

@@ -86,7 +86,7 @@ func main() {
 
 	// Migrate to multi-user system (creates first admin user from legacy password if needed)
 	if err := authManager.MigrateToMultiUser(context.Background()); err != nil {
-		log.Printf("Warning: Failed to migrate to multi-user: %%v", err)
+		log.Printf("Warning: Failed to migrate to multi-user: %v", err)
 	}
 
 	// Initialize snippet service (needed by both handlers and API handler)

internal/middleware/apiauth_test.go

@@ -10,8 +10,8 @@ import (
 )
 
 func TestAPIAuth_MissingAuthorizationHeader(t *testing.T) {
-	m := NewAPIAuth(func(ctx context.Context, rawKey string) error {
-		return nil
+	m := NewAPIAuth(func(ctx context.Context, rawKey string) (interface{}, error) {
+		return nil, nil
 	})
 	handler := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -33,8 +33,8 @@ func TestAPIAuth_MissingAuthorizationHeader(t *testing.T) {
 }
 
 func TestAPIAuth_MalformedAuthorizationHeader(t *testing.T) {
-	m := NewAPIAuth(func(ctx context.Context, rawKey string) error {
-		return nil
+	m := NewAPIAuth(func(ctx context.Context, rawKey string) (interface{}, error) {
+		return nil, nil
 	})
 	handler := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -65,12 +65,12 @@ func TestAPIAuth_MalformedAuthorizationHeader(t *testing.T) {
 
 func TestAPIAuth_ValidAPIKey(t *testing.T) {
 	called := false
-	m := NewAPIAuth(func(ctx context.Context, rawKey string) error {
+	m := NewAPIAuth(func(ctx context.Context, rawKey string) (interface{}, error) {
 		if rawKey != "lc_testkey123" {
-			return fmt.Errorf("invalid key")
+			return nil, fmt.Errorf("invalid key")
 		}
 		called = true
-		return nil
+		return nil, nil
 	})
 	handler := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -91,8 +91,8 @@ func TestAPIAuth_ValidAPIKey(t *testing.T) {
 }
 
 func TestAPIAuth_InvalidAPIKey(t *testing.T) {
-	m := NewAPIAuth(func(ctx context.Context, rawKey string) error {
-		return fmt.Errorf("invalid key")
+	m := NewAPIAuth(func(ctx context.Context, rawKey string) (interface{}, error) {
+		return nil, fmt.Errorf("invalid key")
 	})
 	handler := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -110,14 +110,14 @@ func TestAPIAuth_InvalidAPIKey(t *testing.T) {
 
 func TestAPIAuth_ValidOAuthToken(t *testing.T) {
 	systemKey := "lc_system_key_12345678901234567890"
-	m := NewAPIAuth(func(ctx context.Context, rawKey string) error {
-		return fmt.Errorf("not an API key")
+	m := NewAPIAuth(func(ctx context.Context, rawKey string) (interface{}, error) {
+		return nil, fmt.Errorf("not an API key")
 	})
-	m.SetOAuth(func(ctx context.Context, rawToken string) error {
+	m.SetOAuth(func(ctx context.Context, rawToken string) (interface{}, error) {
 		if rawToken != "oauth_access_token_123" {
-			return fmt.Errorf("invalid token")
+			return nil, fmt.Errorf("invalid token")
 		}
-		return nil
+		return nil, nil
 	}, systemKey, "https://example.com/.well-known/oauth-protected-resource")
 
 	var capturedAuth string
@@ -143,11 +143,11 @@ func TestAPIAuth_ValidOAuthToken(t *testing.T) {
 }
 
 func TestAPIAuth_InvalidOAuthToken(t *testing.T) {
-	m := NewAPIAuth(func(ctx context.Context, rawKey string) error {
-		return fmt.Errorf("not an API key")
+	m := NewAPIAuth(func(ctx context.Context, rawKey string) (interface{}, error) {
+		return nil, fmt.Errorf("not an API key")
 	})
-	m.SetOAuth(func(ctx context.Context, rawToken string) error {
-		return fmt.Errorf("invalid token")
+	m.SetOAuth(func(ctx context.Context, rawToken string) (interface{}, error) {
+		return nil, fmt.Errorf("invalid token")
 	}, "lc_system", "https://example.com/.well-known/oauth-protected-resource")
 
 	handler := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -165,8 +165,8 @@ func TestAPIAuth_InvalidOAuthToken(t *testing.T) {
 }
 
 func TestAPIAuth_OAuthNotConfigured_NonLCToken(t *testing.T) {
-	m := NewAPIAuth(func(ctx context.Context, rawKey string) error {
-		return fmt.Errorf("invalid key")
+	m := NewAPIAuth(func(ctx context.Context, rawKey string) (interface{}, error) {
+		return nil, fmt.Errorf("invalid key")
 	})
 	// OAuth NOT configured
 
@@ -186,11 +186,11 @@ func TestAPIAuth_OAuthNotConfigured_NonLCToken(t *testing.T) {
 
 func TestAPIAuth_WWWAuthenticateHeader(t *testing.T) {
 	resourceURL := "https://example.com/.well-known/oauth-protected-resource"
-	m := NewAPIAuth(func(ctx context.Context, rawKey string) error {
-		return fmt.Errorf("invalid")
+	m := NewAPIAuth(func(ctx context.Context, rawKey string) (interface{}, error) {
+		return nil, fmt.Errorf("invalid")
 	})
-	m.SetOAuth(func(ctx context.Context, rawToken string) error {
-		return fmt.Errorf("invalid")
+	m.SetOAuth(func(ctx context.Context, rawToken string) (interface{}, error) {
+		return nil, fmt.Errorf("invalid")
 	}, "lc_system", resourceURL)
 
 	handler := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -212,8 +212,8 @@ func TestAPIAuth_WWWAuthenticateHeader(t *testing.T) {
 }
 
 func TestAPIAuth_NoWWWAuthenticateWithoutResourceMetadata(t *testing.T) {
-	m := NewAPIAuth(func(ctx context.Context, rawKey string) error {
-		return fmt.Errorf("invalid")
+	m := NewAPIAuth(func(ctx context.Context, rawKey string) (interface{}, error) {
+		return nil, fmt.Errorf("invalid")
 	})
 	// No OAuth configured, no resource metadata URL
 
@@ -232,8 +232,8 @@ func TestAPIAuth_NoWWWAuthenticateWithoutResourceMetadata(t *testing.T) {
 }
 
 func TestAPIAuth_CaseInsensitiveBearer(t *testing.T) {
-	m := NewAPIAuth(func(ctx context.Context, rawKey string) error {
-		return nil
+	m := NewAPIAuth(func(ctx context.Context, rawKey string) (interface{}, error) {
+		return nil, nil
 	})
 	handler := m.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)

internal/oauth/handler_test.go

@@ -461,6 +461,7 @@ func TestAuthorizeSubmit_LoginSuccess(t *testing.T) {
 		"code_challenge":       {"challenge123"},
 		"code_challenge_method": {"S256"},
 		"action":               {"login"},
+		"email":                {"admin@localhost"},
 		"password":             {"admin123"},
 	}
 
@@ -497,6 +498,7 @@ func TestAuthorizeSubmit_LoginWrongPassword(t *testing.T) {
 		"code_challenge":       {"challenge"},
 		"code_challenge_method": {"S256"},
 		"action":               {"login"},
+		"email":                {"admin@localhost"},
 		"password":             {"wrongpassword"},
 	}
 
@@ -511,8 +513,8 @@ func TestAuthorizeSubmit_LoginWrongPassword(t *testing.T) {
 	}
 
 	body := rr.Body.String()
-	if !strings.Contains(body, "Invalid password") {
-		t.Error("expected 'Invalid password' error in response")
+	if !strings.Contains(body, "Invalid email or password") {
+		t.Error("expected 'Invalid email or password' error in response")
 	}
 }
 

internal/testutil/testutil.go

@@ -98,7 +98,8 @@ func CleanupCollections(t *testing.T, db *database.DB) {
 	collections := []string{
 		"content", "content_versions", "templates", "folders", "collections",
 		"custom_pages", "settings", "theme_versions", "contact_messages",
-		"login_attempts", "assets", "api_keys", "redirects",
+		"login_attempts", "assets", "api_keys", "redirects", "snippets",
+		"users", "audit_logs",
 		"oauth_clients", "oauth_auth_codes", "oauth_access_tokens", "oauth_refresh_tokens",
 	}
 	for _, name := range collections {