Testing
Status: Complete
Chatalot includes a test suite covering cryptographic operations, security utilities, and input validation. This page describes how to run tests, what is tested, and testing conventions.
Running Tests
# Run all tests
cargo test
# Run tests for a specific crate
cargo test -p chatalot-crypto
# Run a specific test by name
cargo test test_basic_exchange
# Run with output visible
cargo test -- --nocapture
Test Suite Overview
Crypto Tests (chatalot-crypto) -- 23 tests
The crypto crate has the most comprehensive test coverage, validating all cryptographic primitives and protocols.
AEAD (ChaCha20-Poly1305) -- 3 tests
| Test | Description |
|---|---|
| test_encrypt_decrypt_roundtrip | Encrypts and decrypts data, verifies plaintext matches |
| test_wrong_key_fails | Decryption with wrong key returns error |
| test_tampered_ciphertext_fails | Modified ciphertext is rejected (integrity check) |
X3DH Key Agreement -- 4 tests
| Test | Description |
|---|---|
| test_x3dh_initiator_responder | Full handshake: both sides derive the same shared secret |
| test_x3dh_without_one_time_prekey | Handshake succeeds with only 3 DH operations (no OTP) |
| test_x3dh_invalid_signature | Rejects prekey bundle with forged signature |
| test_x3dh_associated_data | Verifies both sides compute identical associated data |
Double Ratchet -- 7 tests
| Test | Description |
|---|---|
| test_basic_exchange | Alice encrypts, Bob decrypts successfully |
| test_tampered_ciphertext | Modified ciphertext is rejected |
| test_out_of_order | Messages delivered out of order are decrypted correctly |
| test_multiple_messages | Multiple sequential messages in one direction |
| test_session_serialization | Session serializes to JSON and deserializes correctly |
| test_ping_pong | Alternating send/receive triggers DH ratchet steps |
| test_large_message | Large payload (10 KB) encrypts and decrypts correctly |
Sender Keys (Group Encryption) -- 5 tests
| Test | Description |
|---|---|
| test_basic_sender_key | Sender encrypts, receiver decrypts |
| test_multiple_recipients | One sender key works for multiple receivers |
| test_sender_key_serialization | State serializes and deserializes correctly |
| test_tampered_sender_key | Modified ciphertext is rejected |
| test_out_of_order_sender_key | Out-of-order messages handled with key caching |
Identity -- 2 tests
| Test | Description |
|---|---|
| test_fingerprint_deterministic | Same key always produces the same fingerprint |
| test_safety_number_commutative | safety_number(A, B) == safety_number(B, A) |
Server Tests
CSS Sanitizer -- Tests in crates/chatalot-server/src/services/css_sanitizer.rs
- Validates CSS sanitization for custom themes (blocks dangerous properties, allows safe ones)
File Security -- Tests in crates/chatalot-server/src/services/file_security.rs
- Validates file type detection, content type verification, and security checks
Linting and Type Checking
# Rust linting (should pass with 3 acceptable too_many_arguments warnings)
cargo clippy -- -W clippy::all
# Svelte/TypeScript type checking
cd clients/web && npm run check
# Web client build (should produce 0 warnings)
cd clients/web && npm run build
Known Acceptable Warnings
The following clippy warnings are expected and acceptable:
- 3 too_many_arguments warnings on database repository functions (these functions naturally take many parameters)
Testing Conventions
- Unit tests are embedded in source files using #[cfg(test)] modules
- Test names use test_ prefix with snake_case descriptions
- Crypto tests verify both happy path and failure cases (wrong keys, tampered data, invalid signatures)
- Assertions use standard assert!, assert_eq!, and pattern matching on Result types
- No external test framework beyond Rust's built-in #[test]
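A test module laid out according to these conventions, as an added example that is not Chatalot's own code. The function under test, `verify_content_type`, the `FileError` enum and the `MAGIC` table are hypothetical stand-ins for the kind of content-type verification the File Security tests are described as covering.

```rust
// Hypothetical check (not Chatalot's file_security.rs): sniff the type from
// magic bytes and reject uploads whose declared Content-Type disagrees.
#[derive(Debug, PartialEq)]
pub enum FileError {
    UnknownType,
    Mismatch { declared: String, detected: &'static str },
}

// Constructed signature table; a real one would cover more formats.
const MAGIC: &[(&[u8], &str)] = &[
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xFF\xD8\xFF", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
];

pub fn verify_content_type(data: &[u8], declared: &str) -> Result<&'static str, FileError> {
    let detected = MAGIC.iter().find(|(sig, _)| data.starts_with(sig))
        .map(|(_, mime)| *mime).ok_or(FileError::UnknownType)?;
    // Drop parameters such as "; charset=utf-8"; compare case-insensitively.
    let base = declared.split(';').next().unwrap_or("").trim();
    if base.eq_ignore_ascii_case(detected) {
        Ok(detected)
    } else {
        Err(FileError::Mismatch { declared: base.to_string(), detected })
    }
}

fn main() {
    println!("{:?}", verify_content_type(b"%PDF-1.7\n", "application/pdf"));
}

#[cfg(test)]
mod tests {
    use super::*; // all inputs below are constructed samples

    #[test]
    fn test_matching_type_accepted() {
        assert_eq!(verify_content_type(b"%PDF-1.7\n", "Application/PDF"), Ok("application/pdf"));
    }
    #[test]
    fn test_spoofed_type_rejected() {
        let result = verify_content_type(b"\x89PNG\r\n\x1a\n\0\0", "image/jpeg");
        assert!(matches!(result, Err(FileError::Mismatch { detected: "image/png", .. })));
    }
    #[test]
    fn test_unknown_bytes_rejected() {
        assert_eq!(verify_content_type(b"MZ\x90\x00", "image/png"), Err(FileError::UnknownType));
    }
}
```

The failure-case tests match on the specific error variant rather than only checking `is_err()`, so a regression that rejects a file for the wrong reason still fails the test.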
What Is Not Tested
The following areas rely on manual testing:
- WebSocket message handling (integration-level)
- REST API endpoints (integration-level)
- Database repository functions (require live PostgreSQL)
- Web client UI components
- Voice/video WebRTC flows
Roadmap: Integration tests with a test database and API client are planned for a future release.
Manual Testing Checklist
When making changes, verify these core flows manually:
- Registration -- Create account, receive recovery code
- Login/Logout -- Login, token refresh, logout
- Messaging -- Send, edit, delete, reply, react
- Threads -- Create thread, reply in thread
- Voice -- Join/leave voice channel, mute/unmute
- File upload -- Upload file, view preview, download
- Admin panel -- User management, audit log
- Mobile -- Responsive layout on small screens
Related Pages
- Building from Source -- Build prerequisites and commands
- Contributing -- Contribution guidelines
- Crypto Implementation -- What the crypto tests verify