fix(classroom): add leave confirmation and upgrade tests

salmonumbrella · claude · salmonumbrella · commit 5483ee2656ef · 2026-01-14T05:43:51.000-08:00
- Add confirmDestructive() to leave command for consistency with other
  destructive operations
- Add SYNC comments to shared CSS in HTML templates
- Add tests for /auth/upgrade endpoint (success, missing email, creds error)

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/internal/cmd/classroom_courses.go b/internal/cmd/classroom_courses.go
@@ -466,6 +466,11 @@ func (c *ClassroomCoursesLeaveCmd) Run(ctx context.Context, flags *RootFlags) er
 		return usage("empty user")
 	}
 
+	err = confirmDestructive(ctx, flags, fmt.Sprintf("remove %s %s from course %s", role, userID, courseID))
+	if err != nil {
+		return err
+	}
+
 	svc, err := newClassroomService(ctx, account)
 	if err != nil {
 		return wrapClassroomError(err)
diff --git a/internal/googleauth/accounts_server_test.go b/internal/googleauth/accounts_server_test.go
@@ -859,3 +859,98 @@ func TestStartManageServer_Timeout(t *testing.T) {
 		t.Fatalf("expected browser URL, got %q", opened)
 	}
 }
+
+func TestManageServer_HandleAuthUpgrade(t *testing.T) {
+	origRead := readClientCredentials
+	origState := randomStateFn
+	origEndpoint := oauthEndpoint
+
+	t.Cleanup(func() {
+		readClientCredentials = origRead
+		randomStateFn = origState
+		oauthEndpoint = origEndpoint
+	})
+
+	readClientCredentials = func() (config.ClientCredentials, error) {
+		return config.ClientCredentials{ClientID: "id", ClientSecret: "secret"}, nil
+	}
+	randomStateFn = func() (string, error) { return "state456", nil }
+	oauthEndpoint = oauth2.Endpoint{AuthURL: "http://example.com/auth", TokenURL: "http://example.com/token"}
+
+	ln, err := (&net.ListenConfig{}).Listen(context.Background(), "tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listen: %v", err)
+	}
+
+	t.Cleanup(func() { _ = ln.Close() })
+
+	ms := &ManageServer{listener: ln}
+	rr := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/auth/upgrade?email=test@example.com", nil)
+	ms.handleAuthUpgrade(rr, req)
+
+	if rr.Code != http.StatusFound {
+		t.Fatalf("status: %d", rr.Code)
+	}
+
+	loc := rr.Header().Get("Location")
+	var parsed *url.URL
+
+	if p, err := url.Parse(loc); err != nil {
+		t.Fatalf("parse location: %v", err)
+	} else {
+		parsed = p
+	}
+
+	if parsed.Host != "example.com" {
+		t.Fatalf("unexpected host: %q", parsed.Host)
+	}
+
+	if state := parsed.Query().Get("state"); state != "state456" {
+		t.Fatalf("unexpected state: %q", state)
+	}
+
+	if ms.oauthState != "state456" {
+		t.Fatalf("expected oauthState set")
+	}
+
+	// Check for login_hint (pre-selects the email)
+	if loginHint := parsed.Query().Get("login_hint"); loginHint != "test@example.com" {
+		t.Fatalf("expected login_hint=test@example.com, got %q", loginHint)
+	}
+
+	// Check for prompt=consent (forces consent screen)
+	if prompt := parsed.Query().Get("prompt"); prompt != "consent" {
+		t.Fatalf("expected prompt=consent, got %q", prompt)
+	}
+}
+
+func TestManageServer_HandleAuthUpgrade_MissingEmail(t *testing.T) {
+	ms := &ManageServer{}
+	rr := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/auth/upgrade", nil)
+	ms.handleAuthUpgrade(rr, req)
+
+	if rr.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d", rr.Code)
+	}
+}
+
+func TestManageServer_HandleAuthUpgrade_CredentialsError(t *testing.T) {
+	origRead := readClientCredentials
+
+	t.Cleanup(func() { readClientCredentials = origRead })
+
+	readClientCredentials = func() (config.ClientCredentials, error) {
+		return config.ClientCredentials{}, errBoom
+	}
+
+	rr := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/auth/upgrade?email=test@example.com", nil)
+	ms := &ManageServer{}
+	ms.handleAuthUpgrade(rr, req)
+
+	if rr.Code != http.StatusInternalServerError {
+		t.Fatalf("expected 500, got %d", rr.Code)
+	}
+}
diff --git a/internal/googleauth/templates/accounts.html b/internal/googleauth/templates/accounts.html
@@ -242,6 +242,8 @@
             gap: 4px;
         }
 
+        /* SYNC: Service tag styles are shared between accounts.html and success.html
+         * If modifying service icons/colors, update both files */
         .service-tag {
             font-size: 10px;
             font-weight: 500;
diff --git a/internal/googleauth/templates/success.html b/internal/googleauth/templates/success.html
@@ -191,6 +191,8 @@
             margin-bottom: 20px;
         }
 
+        /* SYNC: Service tag styles are shared between accounts.html and success.html
+         * If modifying service icons/colors, update both files */
         .service-tag {
             font-size: 11px;
             font-weight: 500;

Original file line number	Diff line number	Diff line change
`@@ -242,6 +242,8 @@`
`242`	`242`	`gap: 4px;`
`243`	`243`	`}`
`244`	`244`
	`245`	`+ /* SYNC: Service tag styles are shared between accounts.html and success.html`
	`246`	`+ * If modifying service icons/colors, update both files */`
`245`	`247`	`.service-tag {`
`246`	`248`	`font-size: 10px;`
`247`	`249`	`font-weight: 500;`
Original file line number	Diff line number	Diff line change
`@@ -191,6 +191,8 @@`
`191`	`191`	`margin-bottom: 20px;`
`192`	`192`	`}`
`193`	`193`
	`194`	`+ /* SYNC: Service tag styles are shared between accounts.html and success.html`
	`195`	`+ * If modifying service icons/colors, update both files */`
`194`	`196`	`.service-tag {`
`195`	`197`	`font-size: 11px;`
`196`	`198`	`font-weight: 500;`