Go Backend Testing Strategies: From Unit Tests to Integration Testing
Jay Kye
15 min read
Comprehensive guide to testing Go backend applications. Covering unit testing, mocking patterns, JWT authentication testing, and test architecture best practices with real-world examples.
GoTestingUnit TestingMockingJWTBackendTest Architecture
Building on my Go/Gin project setup, I've been focusing on implementing comprehensive testing strategies. Testing isn't just about catching bugs—it's about building confidence in your code and enabling safe refactoring. Let's explore how to build a robust testing architecture for Go backend applications.
The complete test implementation is available in the my-go-next-todo auth package.
Test Architecture Overview
The Testing Pyramid
^
/ \
/ \
/ E2E \ ← Few, expensive, slow
/_______\
/ \
/Integration\ ← Some, moderate cost
/_____________\
/ \
/ Unit Tests \ ← Many, cheap, fast
/___________________\
Unit Tests (80%): Test individual functions and methods in isolation Integration Tests (15%): Test component interactions End-to-End Tests (5%): Test complete user workflows
Test Directory Structure
internal/auth/
├── jwt.go
├── jwt_test.go # Unit tests alongside source
├── password.go
├── password_test.go
├── validation.go
├── validation_test.go
├── service.go
├── service_test.go # Integration-style tests
├── repository.go
└── repository_test.go
Key Principles:
- Co-location: Test files next to source files (
*_test.go) - Package-level testing: Tests in same package for white-box testing
- Mock separation: Dedicated mocks directory for reusable test doubles
Mock Patterns and Dependency Injection
Interface-Based Design
// repository.go - Define interfaces for testability
type UserRepository interface {
CreateUser(ctx context.Context, user *User) error
GetUserByEmail(ctx context.Context, email string) (*User, error)
GetUserByID(ctx context.Context, id int) (*User, error)
}
// Real implementation
type PostgresUserRepository struct {
db *pgxpool.Pool
}
func (r *PostgresUserRepository) CreateUser(ctx context.Context, user *User) error {
query := `INSERT INTO users (email, password_hash) VALUES ($1, $2) RETURNING id`
return r.db.QueryRow(ctx, query, user.Email, user.PasswordHash).Scan(&user.ID)
}
Mock Database Pattern
// MockDatabase simulates database operations for testing
type MockDatabase struct {
users map[int]*User
usersByEmail map[string]*User
nextID int
shouldFail bool
queryError error
}
// NewMockDatabase creates a new mock database
func NewMockDatabase() *MockDatabase {
return &MockDatabase{
users: make(map[int]*User),
usersByEmail: make(map[string]*User),
nextID: 1,
}
}
// Control methods for testing scenarios
func (m *MockDatabase) SetShouldFail(shouldFail bool) {
m.shouldFail = shouldFail
}
func (m *MockDatabase) SetQueryError(err error) {
m.queryError = err
}
func (m *MockDatabase) Clear() {
m.users = make(map[int]*User)
m.usersByEmail = make(map[string]*User)
m.nextID = 1
m.shouldFail = false
m.queryError = nil
}
func (m *MockDatabase) AddUser(user *User) {
m.users[user.ID] = user
m.usersByEmail[user.Email] = user
if user.ID >= m.nextID {
m.nextID = user.ID + 1
}
}
// MockUserRepository implements UserRepository with mock database
type MockUserRepositoryDB struct {
mockDB *MockDatabase
}
func NewMockUserRepositoryDB() *MockUserRepositoryDB {
return &MockUserRepositoryDB{
mockDB: NewMockDatabase(),
}
}
func (r *MockUserRepositoryDB) CreateUser(ctx context.Context, user *User) error {
if r.mockDB.shouldFail {
return r.mockDB.queryError
}
// Check for duplicate email
if _, exists := r.mockDB.usersByEmail[user.Email]; exists {
return ErrEmailAlreadyExists
}
user.ID = r.mockDB.nextID
r.mockDB.AddUser(user)
return nil
}
func (r *MockUserRepositoryDB) GetUserByEmail(ctx context.Context, email string) (*User, error) {
if r.mockDB.shouldFail {
return nil, r.mockDB.queryError
}
user, exists := r.mockDB.usersByEmail[email]
if !exists {
return nil, ErrUserNotFound
}
return user, nil
}
Mock Design Principles:
- Controllable behavior:
SetShouldFail()for error simulation - State management:
Clear()for test isolation - Realistic simulation: Mimic real database constraints
- Predictable data: Deterministic ID generation
JWT Service Testing
JWT Service Testing with Test Data Pattern
// jwt_test.go
type JWTTestData struct {
secretKey string
expiryHours time.Duration
userID string
email string
}
var (
TestData = JWTTestData{
secretKey: "test-secret-key-32-chars-long",
expiryHours: 1 * time.Hour,
email: "test@user.com",
userID: "123",
}
service = NewJWTService(TestData.secretKey, TestData.expiryHours)
)
// TestNewJWTService tests JWT service creation
func TestNewJWTService(t *testing.T) {
if service == nil {
t.Fatal("JWT service should not be nil")
}
if service.secretKey != TestData.secretKey {
t.Errorf("Expected secret key: %s, got %s", TestData.secretKey, service.secretKey)
}
if service.expiryHours != TestData.expiryHours {
t.Errorf("Expected expiry hours: %s, got %s", TestData.expiryHours, service.expiryHours)
}
}
// TestGenerateToken tests JWT token generation
func TestGenerateToken(t *testing.T) {
token, err := service.GenerateToken(TestData.userID, TestData.email)
if err != nil {
t.Fatalf("Failed to generate token: %v", err)
}
if token == "" {
t.Error("Token should not be empty")
}
// Check if token has proper JWT structure (header.payload.signature)
parts := strings.Split(token, ".")
if len(parts) != 3 {
t.Errorf("JWT token should have 3 parts, got %d", len(parts))
}
}
// TestValidateToken tests JWT token validation
func TestValidateToken(t *testing.T) {
token, err := service.GenerateToken(TestData.userID, TestData.email)
if err != nil {
t.Fatalf("Failed to generate token: %v", err)
}
claims, err := service.ValidateToken(token)
if err != nil {
t.Fatalf("Failed to validate token: %v", err)
}
if claims.UserID != TestData.userID {
t.Errorf("Expected UserID: %s, got %s", TestData.userID, claims.UserID)
}
if claims.Email != TestData.email {
t.Errorf("Expected Email: %s, got %s", TestData.email, claims.Email)
}
if claims.Issuer != "todo-app" {
t.Errorf("Expected Issuer: %s, got %s", "todo-app", claims.Issuer)
}
}
// TestValidateInvalidToken tests validation of invalid tokens
func TestValidateInvalidToken(t *testing.T) {
testCases := []struct {
name string
token string
}{
{"empty token", ""},
{"malformed token", "invalid token"},
{"invalid signature", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTIzIiwiZW1haWwiOiJ0ZXN0QGV4YW1wbGUuY29tIn0.invalid_signature"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
_, err := service.ValidateToken(tc.token)
if err == nil {
t.Errorf("Expected error for %s, but got none", tc.name)
}
})
}
}
// TestValidateExpiredToken tests expired token validation
func TestValidateExpiredToken(t *testing.T) {
shortService := NewJWTService(TestData.secretKey, 1*time.Millisecond)
token, err := shortService.GenerateToken(TestData.userID, TestData.email)
if err != nil {
t.Fatalf("Failed to generate token: %v", err)
}
time.Sleep(10 * time.Millisecond)
_, err = shortService.ValidateToken(token)
if err == nil {
t.Error("Expected error for expired token")
}
// Check if error is specifically about expiration
if !strings.Contains(err.Error(), "expired") {
t.Errorf("Expected expiration error, got: %v", err)
}
}
func TestJWTService_TokenExpiration(t *testing.T) {
// Test with very short expiration for testing
jwtService := &JWTService{
secretKey: "test-secret",
expiration: time.Millisecond * 100, // 100ms expiration
}
token, err := jwtService.GenerateToken(1, "test@example.com")
require.NoError(t, err)
// Token should be valid immediately
user, err := jwtService.ValidateToken(token)
assert.NoError(t, err)
assert.NotNil(t, user)
// Wait for expiration
time.Sleep(time.Millisecond * 200)
// Token should now be expired
user, err = jwtService.ValidateToken(token)
assert.Error(t, err)
assert.Nil(t, user)
assert.Contains(t, err.Error(), "token is expired")
}
Password Service Testing
Password Service Testing with Test Data Pattern
// password_test.go
type PasswordTestData struct {
service *PasswordService
validPassword string
invalidPassword string
}
var (
passwordTestData = PasswordTestData{
service: NewPasswordService(),
validPassword: "validpassword123",
invalidPassword: "short",
}
)
// TestNewPasswordService tests password service creation
func TestNewPasswordService(t *testing.T) {
if passwordTestData.service == nil {
t.Fatal("Password service should not be nil")
}
if passwordTestData.service.cost != DefaultCost {
t.Errorf("Expected cost: %d, got %d", DefaultCost, passwordTestData.service.cost)
}
}
// TestHashPassword tests password hashing functionality
func TestHashPassword(t *testing.T) {
hashedPassword, err := passwordTestData.service.HashPassword(passwordTestData.validPassword)
if err != nil {
t.Fatalf("Failed to hash password: %v", err)
}
if hashedPassword == "" {
t.Error("Hashed password should not be empty")
}
if hashedPassword == passwordTestData.validPassword {
t.Error("Hashed password should not equal original password")
}
if !strings.HasPrefix(hashedPassword, "$2a$") && !strings.HasPrefix(hashedPassword, "$2b$") {
t.Error("Hashed password should have bcrypt format")
}
}
// TestHashPasswordConsistency tests that same password produces different hashes
func TestHashPasswordConsistency(t *testing.T) {
hash1, err := passwordTestData.service.HashPassword(passwordTestData.validPassword)
if err != nil {
t.Fatalf("Failed to hash password: %v", err)
}
hash2, err := passwordTestData.service.HashPassword(passwordTestData.validPassword)
if err != nil {
t.Fatalf("Failed to hash password: %v", err)
}
// Bcrypt should produce different hashes for same password (due to salt)
if hash1 == hash2 {
t.Error("Same password should produce different hash due to salt")
}
}
// TestVerifyPassword tests password verification with correct password
func TestVerifyPassword(t *testing.T) {
hashedPassword, err := passwordTestData.service.HashPassword(passwordTestData.validPassword)
if err != nil {
t.Fatalf("Failed to hash password: %v", err)
}
err = passwordTestData.service.VerifyPassword(hashedPassword, passwordTestData.validPassword)
if err != nil {
t.Errorf("Should verify password, but got %v", err)
}
}
// TestVerifyPasswordWithWrongPassword tests verify password with incorrect password
func TestVerifyPasswordWithWrongPassword(t *testing.T) {
hashedPassword, err := passwordTestData.service.HashPassword(passwordTestData.validPassword)
if err != nil {
t.Fatalf("Failed to hash password: %v", err)
}
// Test wrong password verification
err = passwordTestData.service.VerifyPassword(hashedPassword, passwordTestData.invalidPassword)
if err == nil {
t.Error("Should not verify wrong password")
}
// Check if error is specifically about mismatch
if err != bcrypt.ErrMismatchedHashAndPassword {
t.Errorf("Expected bcrypt.ErrMismatchedHashAndPassword, got %v", err)
}
}
// TestPasswordServiceCost tests that the service uses correct bcrypt cost
func TestPasswordServiceCost(t *testing.T) {
hashedPassword, err := passwordTestData.service.HashPassword(passwordTestData.validPassword)
if err != nil {
t.Fatalf("Failed to hash password: %v", err)
}
cost, err := bcrypt.Cost([]byte(hashedPassword))
if err != nil {
t.Fatalf("Failed to extract cost from hash: %v", err)
}
if cost != DefaultCost {
t.Errorf("Expected cost %d, got %d", DefaultCost, cost)
}
}
func TestPasswordService_CostFactor(t *testing.T) {
passwordService := NewPasswordService()
password := "TestPassword123!"
hash, err := passwordService.HashPassword(password)
require.NoError(t, err)
// Extract cost from hash (bcrypt format: $2a$cost$salt+hash)
parts := strings.Split(hash, "$")
require.Len(t, parts, 4)
cost, err := strconv.Atoi(parts[2])
require.NoError(t, err)
// Verify cost factor is within expected range
assert.GreaterOrEqual(t, cost, 10)
assert.LessOrEqual(t, cost, 15)
}
Validation Testing
Validation Service Testing with Test Data Pattern
// validation_test.go
type ValidatorTestData struct {
service *ValidatorService
}
var (
validatorTestData = ValidatorTestData{
service: NewValidatorService(),
}
)
// TestNewValidatorService tests validator service creation
func TestNewValidatorService(t *testing.T) {
service := NewValidatorService()
if service == nil {
t.Fatal("Validator service should not be nil")
}
}
// TestValidateRegisterInput tests user registration input validation
func TestValidateRegisterInput(t *testing.T) {
testCases := []struct {
name string
email string
password string
shouldPass bool
description string
}{
// Valid cases
{"valid input", "test@example.com", "password123", true, "valid email and password should pass"},
{"valid complex email", "user.name+tag@example.co.uk", "mypassword123", true, "complex valid email should pass"},
// Email validation failures
{"empty email", "", "password123", false, "empty email should fail"},
{"invalid email no @", "invalid-email", "password123", false, "email without @ should fail"},
{"invalid email no domain", "user@", "password123", false, "email without domain should fail"},
// Password validation failures
{"empty password", "test@example.com", "", false, "empty password should fail"},
{"short password", "test@example.com", "1234567", false, "password shorter than 8 chars should fail"},
{"exactly 8 chars", "test@example.com", "12345678", true, "exactly 8 char password should pass"},
// Both invalid
{"both empty", "", "", false, "both empty should fail"},
{"both invalid", "invalid-email", "short", false, "both invalid should fail"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
err := validatorTestData.service.ValidateRegisterInput(tc.email, tc.password)
if tc.shouldPass && err != nil {
t.Errorf("Expected validation to pass for %s, but got error: %v", tc.description, err)
}
if !tc.shouldPass && err == nil {
t.Errorf("Expected validation to fail for %s, but got no error", tc.description)
}
})
}
}
func TestValidatePassword(t *testing.T) {
tests := []struct {
name string
password string
valid bool
errorMsg string
}{
{
name: "valid password",
password: "SecurePass123!",
valid: true,
},
{
name: "too short",
password: "short",
valid: false,
errorMsg: "at least 8 characters",
},
{
name: "no uppercase",
password: "lowercase123!",
valid: false,
errorMsg: "uppercase letter",
},
{
name: "no lowercase",
password: "UPPERCASE123!",
valid: false,
errorMsg: "lowercase letter",
},
{
name: "no number",
password: "NoNumbers!",
valid: false,
errorMsg: "number",
},
{
name: "no special character",
password: "NoSpecial123",
valid: false,
errorMsg: "special character",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidatePassword(tt.password)
if tt.valid {
assert.NoError(t, err)
} else {
assert.Error(t, err)
assert.Contains(t, err.Error(), tt.errorMsg)
}
})
}
}
Simplified Integration Testing
Practical Authentication Service Testing
// TestPasswordService tests password hashing and verification
func TestPasswordService(t *testing.T) {
ps := NewPasswordService()
password := "testpassword123"
// Test hashing
hashedPassword, err := ps.HashPassword(password)
if err != nil {
t.Fatalf("Failed to hash password: %v", err)
}
if hashedPassword == password {
t.Error("Hashed password should not equal original password")
}
// Test verification - correct password
err = ps.VerifyPassword(hashedPassword, password)
if err != nil {
t.Error("Should verify correct password")
}
// Test verification - wrong password
err = ps.VerifyPassword(hashedPassword, "wrongpassword")
if err == nil {
t.Error("Should not verify wrong password")
}
}
// TestJWTService tests JWT token generation and validation
func TestJWTService(t *testing.T) {
// Use longer secret key (32+ characters recommended for HMAC)
secretKey := "this-is-a-very-long-secret-key-for-testing-jwt-tokens-safely"
expiry := 1 * time.Hour
jwtService := NewJWTService(secretKey, expiry)
userID := "123"
email := "test@example.com"
// Test token generation
token, err := jwtService.GenerateToken(userID, email)
if err != nil {
t.Fatalf("Failed to generate token: %v", err)
}
if token == "" {
t.Error("Token should not be empty")
}
// Test token validation
claims, err := jwtService.ValidateToken(token)
if err != nil {
t.Fatalf("Failed to validate token: %v", err)
}
if claims.UserID != userID {
t.Errorf("Expected UserID %s, got %s", userID, claims.UserID)
}
if claims.Email != email {
t.Errorf("Expected Email %s, got %s", email, claims.Email)
}
// Test refresh token
refreshToken, err := jwtService.GenerateRefreshToken(userID)
if err != nil {
t.Fatalf("Failed to generate refresh token: %v", err)
}
extractedUserID, err := jwtService.ValidateRefreshToken(refreshToken)
if err != nil {
t.Fatalf("Failed to validate refresh token: %v", err)
}
if extractedUserID != userID {
t.Errorf("Expected UserID %s, got %s", userID, extractedUserID)
}
}
// TestValidatorService tests input validation
func TestValidatorService(t *testing.T) {
vs := NewValidatorService()
// Test valid inputs
err := vs.ValidateRegisterInput("test@example.com", "password123")
if err != nil {
t.Errorf("Should validate correct input: %v", err)
}
// Test invalid email
err = vs.ValidateRegisterInput("invalid-email", "password123")
if err == nil {
t.Error("Should reject invalid email")
}
// Test short password
err = vs.ValidateRegisterInput("test@example.com", "123")
if err == nil {
t.Error("Should reject short password")
}
// Test empty inputs
err = vs.ValidateRegisterInput("", "")
if err == nil {
t.Error("Should reject empty inputs")
}
}
Key Testing Patterns:
Test Data Structures
- Centralized test data: Global variables for consistent test inputs
- Service initialization: Reusable service instances across tests
- Clean separation: Each service tested independently
Error Handling Verification
- Specific error types: Check for
bcrypt.ErrMismatchedHashAndPassword - Edge case coverage: Empty inputs, malformed data, expired tokens
- Realistic scenarios: Wrong passwords, invalid emails, expired tokens
Token Structure Validation
- JWT format: Verify 3-part structure (header.payload.signature)
- Claims verification: Check all expected fields (UserID, Email, Issuer)
- Expiration testing: Use short-lived tokens for expiration tests
Test Utilities and Helpers
Common Test Helpers
// test_helpers.go
package auth
import (
"context"
"testing"
"time"
)
// TestUser creates a test user with default values
func TestUser(t *testing.T, overrides ...func(*User)) *User {
t.Helper()
user := &User{
ID: 1,
Email: "test@example.com",
CreatedAt: time.Now(),
UpdatedAt: time.Now(),
}
for _, override := range overrides {
override(user)
}
return user
}
// TestContext creates a context with timeout for tests
func TestContext(t *testing.T) context.Context {
t.Helper()
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
t.Cleanup(cancel)
return ctx
}
// AssertValidToken validates that a token is properly formatted
func AssertValidToken(t *testing.T, token string) {
t.Helper()
assert.NotEmpty(t, token)
// JWT tokens have 3 parts separated by dots
parts := strings.Split(token, ".")
assert.Len(t, parts, 3, "JWT token should have 3 parts")
// Each part should be base64 encoded (non-empty)
for i, part := range parts {
assert.NotEmpty(t, part, "JWT part %d should not be empty", i)
}
}
// SetupTestAuthService creates a fully configured auth service for testing
func SetupTestAuthService(t *testing.T) (*AuthService, *mocks.MockUserRepository) {
t.Helper()
mockRepo := mocks.NewMockUserRepository()
passwordService := NewPasswordService()
jwtService := NewJWTService("test-secret-key")
authService := NewAuthService(mockRepo, passwordService, jwtService)
return authService, mockRepo
}
Test Coverage and Quality
Coverage Measurement
# Run tests with coverage
go test -v -cover ./internal/auth/
# Generate detailed coverage report
go test -coverprofile=coverage.out ./internal/auth/
go tool cover -html=coverage.out -o coverage.html
# Coverage by function
go tool cover -func=coverage.out
Target Coverage Goals:
- Unit Tests: 80%+ line coverage
- Critical paths: 95%+ coverage (auth, validation)
- Edge cases: All error conditions tested
Test Best Practices
Naming Conventions
// Good test names describe behavior (CamelCase)
func TestNewJWTService(t *testing.T) {}
func TestGenerateToken(t *testing.T) {}
func TestValidateToken(t *testing.T) {}
func TestHashPassword(t *testing.T) {}
func TestVerifyPassword(t *testing.T) {}
// Table-driven tests for multiple scenarios
func TestValidateInvalidToken(t *testing.T) {
testCases := []struct {
name string
token string
}{
{"empty token", ""},
{"malformed token", "invalid token"},
{"invalid signature", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
// Test implementation
})
}
}
Given-When-Then Pattern
func TestValidateToken(t *testing.T) {
// Given: A valid token is generated
token, err := service.GenerateToken(TestData.userID, TestData.email)
if err != nil {
t.Fatalf("Failed to generate token: %v", err)
}
// When: Token is validated
claims, err := service.ValidateToken(token)
// Then: Validation succeeds and returns correct claims
if err != nil {
t.Fatalf("Failed to validate token: %v", err)
}
if claims.UserID != TestData.userID {
t.Errorf("Expected UserID: %s, got %s", TestData.userID, claims.UserID)
}
if claims.Email != TestData.email {
t.Errorf("Expected Email: %s, got %s", TestData.email, claims.Email)
}
}
Test Isolation and Cleanup
func TestPasswordServiceMethods(t *testing.T) {
// Test the complete flow
if !passwordTestData.service.IsValidPassword(passwordTestData.validPassword) {
t.Error("Password should be valid")
}
hashedPassword, err := passwordTestData.service.HashPassword(passwordTestData.validPassword)
if err != nil {
t.Fatalf("Failed to hash valid password: %v", err)
}
err = passwordTestData.service.VerifyPassword(hashedPassword, passwordTestData.validPassword)
if err != nil {
t.Errorf("Failed to verify hashed password: %v", err)
}
// Test with invalid password
if passwordTestData.service.IsValidPassword(passwordTestData.invalidPassword) {
t.Error("Short password should be invalid")
}
}
Conclusion
Effective unit testing in Go backend applications focuses on testing individual components in isolation:
Key Unit Testing Strategies:
Test Data Patterns: Centralized test data structures for consistency and reusability Service-Level Testing: Test each service independently with clear boundaries Error Handling: Comprehensive coverage of error scenarios and edge cases Standard Library Usage: Leverage Go's built-in testing package without external dependencies
Mock Design Principles:
Interface-based design enables easy mocking and dependency injection Controllable behavior allows testing various scenarios including failures State management ensures test isolation and repeatability Realistic simulation maintains confidence in test validity
Testing Best Practices:
Clear naming: CamelCase function names that describe behavior
Test isolation: Each test runs independently with clean state
Standard assertions: Use Go's built-in testing methods (t.Error, t.Fatal, etc.)
Table-driven tests: Efficient testing of multiple scenarios
The complete test implementation demonstrates these principles in action and can be found in the my-go-next-todo auth package.
Next Steps: Building on this unit testing foundation, future posts will cover integration testing, performance benchmarking, CI/CD integration, and end-to-end testing strategies for complete authentication flows.
References:
This post demonstrates real-world unit testing strategies implemented in a production-ready Go backend application using only Go's standard testing library. All code examples are from the working implementation available on GitHub.