cdrop — 跨 OS 剪贴板与文件传输服务
Commilitia Drop:自托管的跨设备剪贴板同步与点对点文件传输。 - 后端 Go(chi / SQLite WAL / SSE Hub / WebRTC signaling + 状态机 / Relay ring buffer),编译进单个 distroless 镜像(前端 go:embed)。 - 前端 React + TanStack Router + Zustand,自实现 SSE + WebRTC P2P,NAT 受阻时回退服务端中继;聚珍(Juzhen)CJK 综合排版。 - 桌面端 Wails v2(macOS / Windows),瘦客户端复用 web。 - 鉴权 OIDC PKCE(自建 Casdoor 等),refresh_token 信封加密存系统密钥库;iOS Shortcut 用 HS256 scoped token。 架构文档与变更记录见 docs 分支(PROJECT_BRIEF / FRONTEND_DESIGN / CHANGELOG)。 本次为公开发布初始提交:完整开发历史(含部署细节)留存于私有归档,公开仓库自此干净起步。
This commit is contained in:
@@ -0,0 +1,56 @@
|
||||
package jwtauth
|
||||
|
||||
import "context"
|
||||
|
||||
type Claims struct {
|
||||
UserID string
|
||||
Groups []string
|
||||
// JTI and Scopes are populated only for HS256 shortcut tokens; a full OIDC /
|
||||
// dev session leaves them empty. A non-empty JTI marks a *scoped* token —
|
||||
// one allowed to reach only the endpoints its Scopes grant (the route layer
|
||||
// enforces this). This keeps a leaked shortcut token's blast radius minimal.
|
||||
JTI string
|
||||
Scopes []string
|
||||
}
|
||||
|
||||
// Scoped reports whether these claims came from a scoped shortcut token rather
|
||||
// than a full login session.
|
||||
func (c *Claims) Scoped() bool { return c.JTI != "" }
|
||||
|
||||
// HasScope reports whether the claims grant the named scope.
|
||||
func (c *Claims) HasScope(scope string) bool {
|
||||
for _, s := range c.Scopes {
|
||||
if s == scope {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
type ctxKey int
|
||||
|
||||
const (
|
||||
claimsCtxKey ctxKey = iota
|
||||
deviceCtxKey
|
||||
deviceTypeCtxKey
|
||||
)
|
||||
|
||||
func ClaimsFromContext(ctx context.Context) (*Claims, bool) {
|
||||
c, ok := ctx.Value(claimsCtxKey).(*Claims)
|
||||
return c, ok
|
||||
}
|
||||
|
||||
func DeviceNameFromContext(ctx context.Context) (string, bool) {
|
||||
n, ok := ctx.Value(deviceCtxKey).(string)
|
||||
return n, ok
|
||||
}
|
||||
|
||||
// DeviceTypeFromContext returns the client-declared device type set by the auth
|
||||
// middleware (browser / macos / windows / linux), defaulting to "browser".
|
||||
func DeviceTypeFromContext(ctx context.Context) string {
|
||||
t, ok := ctx.Value(deviceTypeCtxKey).(string)
|
||||
if !ok || t == "" {
|
||||
return "browser"
|
||||
}
|
||||
return t
|
||||
}
|
||||
@@ -0,0 +1,38 @@
|
||||
package jwtauth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"log/slog"
|
||||
"time"
|
||||
|
||||
"commilitia.net/cdrop/internal/db"
|
||||
)
|
||||
|
||||
// DeviceSweepInterval is how often the device sweeper wakes up.
|
||||
const DeviceSweepInterval = 1 * time.Hour
|
||||
|
||||
// RunDeviceSweeper deletes devices whose last_seen is older than ttl.
|
||||
// Per user requirement: device registration must not outlive the longest
|
||||
// valid refresh_token (brief §2: 196h sliding window). Anything ≤ TTL is fine;
|
||||
// 0 disables the sweeper.
|
||||
func RunDeviceSweeper(ctx context.Context, queries *db.Queries, ttl time.Duration) {
|
||||
if ttl <= 0 {
|
||||
slog.Info("device sweeper disabled (ttl <= 0)")
|
||||
return
|
||||
}
|
||||
slog.Info("device sweeper running", "ttl", ttl, "interval", DeviceSweepInterval)
|
||||
|
||||
t := time.NewTicker(DeviceSweepInterval)
|
||||
defer t.Stop()
|
||||
for {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return
|
||||
case <-t.C:
|
||||
cutoff := time.Now().Add(-ttl).Unix()
|
||||
if err := queries.DeleteStaleDevices(ctx, cutoff); err != nil {
|
||||
slog.Error("device sweeper failed", "err", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,61 @@
|
||||
package jwtauth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"commilitia.net/cdrop/internal/db"
|
||||
)
|
||||
|
||||
func openTestQueries(t *testing.T) *db.Queries {
|
||||
t.Helper()
|
||||
dbPath := filepath.Join(t.TempDir(), "x.db")
|
||||
conn, err := db.Open(dbPath)
|
||||
if err != nil {
|
||||
t.Fatalf("open: %v", err)
|
||||
}
|
||||
t.Cleanup(func() { _ = conn.Close() })
|
||||
if err := db.Bootstrap(context.Background(), conn); err != nil {
|
||||
t.Fatalf("bootstrap: %v", err)
|
||||
}
|
||||
return db.New(conn)
|
||||
}
|
||||
|
||||
func TestDeleteStaleDevices_RemovesOnlyOld(t *testing.T) {
|
||||
q := openTestQueries(t)
|
||||
ctx := context.Background()
|
||||
|
||||
now := time.Now()
|
||||
old := now.Add(-200 * time.Hour)
|
||||
fresh := now.Add(-1 * time.Hour)
|
||||
|
||||
upsert := func(name string, ts time.Time) {
|
||||
if err := q.UpsertDevice(ctx, db.UpsertDeviceParams{
|
||||
UserID: "alice", Name: name, Type: "browser", LastSeen: ts.Unix(),
|
||||
}); err != nil {
|
||||
t.Fatalf("upsert %s: %v", name, err)
|
||||
}
|
||||
}
|
||||
upsert("old-device", old)
|
||||
upsert("fresh-device", fresh)
|
||||
|
||||
// Cutoff = "older than 196 hours from now" mimics RunDeviceSweeper math.
|
||||
cutoff := now.Add(-196 * time.Hour).Unix()
|
||||
if err := q.DeleteStaleDevices(ctx, cutoff); err != nil {
|
||||
t.Fatalf("delete: %v", err)
|
||||
}
|
||||
|
||||
devs, _ := q.ListDevicesByUser(ctx, "alice")
|
||||
got := map[string]bool{}
|
||||
for _, d := range devs {
|
||||
got[d.Name] = true
|
||||
}
|
||||
if got["old-device"] {
|
||||
t.Error("old-device should have been swept")
|
||||
}
|
||||
if !got["fresh-device"] {
|
||||
t.Error("fresh-device should remain")
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,113 @@
|
||||
package jwtauth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rsa"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"log/slog"
|
||||
"net/http"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/go-jose/go-jose/v4"
|
||||
)
|
||||
|
||||
// jwksCache fetches & caches the Casdoor JWKS.
|
||||
//
|
||||
// Behavior:
|
||||
// - successful fetch: refreshes the entire key set
|
||||
// - kid miss: forces a single refresh attempt
|
||||
// - stale-while-error: if cached entry exists, return it even when refresh fails
|
||||
type jwksCache struct {
|
||||
url string
|
||||
ttl time.Duration
|
||||
|
||||
mu sync.RWMutex
|
||||
keys map[string]*rsa.PublicKey
|
||||
fetchedAt time.Time
|
||||
|
||||
httpClient *http.Client
|
||||
}
|
||||
|
||||
func newJWKSCache(url string, ttl time.Duration) *jwksCache {
|
||||
return &jwksCache{
|
||||
url: url,
|
||||
ttl: ttl,
|
||||
keys: map[string]*rsa.PublicKey{},
|
||||
httpClient: &http.Client{Timeout: 5 * time.Second},
|
||||
}
|
||||
}
|
||||
|
||||
func (j *jwksCache) GetKey(ctx context.Context, kid string) (*rsa.PublicKey, error) {
|
||||
if kid == "" {
|
||||
return nil, errors.New("missing kid")
|
||||
}
|
||||
|
||||
j.mu.RLock()
|
||||
cached, found := j.keys[kid]
|
||||
fresh := !j.fetchedAt.IsZero() && time.Since(j.fetchedAt) < j.ttl
|
||||
j.mu.RUnlock()
|
||||
|
||||
if found && fresh {
|
||||
return cached, nil
|
||||
}
|
||||
|
||||
if err := j.refresh(ctx); err != nil {
|
||||
if found {
|
||||
slog.Warn("jwks refresh failed; returning stale key",
|
||||
"err", err, "kid", kid)
|
||||
return cached, nil
|
||||
}
|
||||
return nil, fmt.Errorf("jwks refresh: %w", err)
|
||||
}
|
||||
|
||||
j.mu.RLock()
|
||||
defer j.mu.RUnlock()
|
||||
if k, ok := j.keys[kid]; ok {
|
||||
return k, nil
|
||||
}
|
||||
return nil, fmt.Errorf("kid %q not found in JWKS", kid)
|
||||
}
|
||||
|
||||
func (j *jwksCache) refresh(ctx context.Context) error {
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, j.url, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
resp, err := j.httpClient.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return fmt.Errorf("status %d", resp.StatusCode)
|
||||
}
|
||||
body, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var set jose.JSONWebKeySet
|
||||
if err := json.Unmarshal(body, &set); err != nil {
|
||||
return fmt.Errorf("parse JWKS: %w", err)
|
||||
}
|
||||
|
||||
next := map[string]*rsa.PublicKey{}
|
||||
for _, k := range set.Keys {
|
||||
pk, ok := k.Key.(*rsa.PublicKey)
|
||||
if !ok || k.KeyID == "" {
|
||||
continue
|
||||
}
|
||||
next[k.KeyID] = pk
|
||||
}
|
||||
|
||||
j.mu.Lock()
|
||||
defer j.mu.Unlock()
|
||||
j.keys = next
|
||||
j.fetchedAt = time.Now()
|
||||
return nil
|
||||
}
|
||||
@@ -0,0 +1,319 @@
|
||||
package jwtauth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"crypto/subtle"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/go-jose/go-jose/v4"
|
||||
"github.com/go-jose/go-jose/v4/jwt"
|
||||
|
||||
"commilitia.net/cdrop/internal/config"
|
||||
"commilitia.net/cdrop/internal/db"
|
||||
)
|
||||
|
||||
// Store is the subset of *db.Queries the auth middleware uses: device upserts
|
||||
// plus the shortcut-token lookups needed to honour revocation. Declared as an
|
||||
// interface so tests can swap in a fake.
|
||||
type Store interface {
|
||||
UpsertDevice(ctx context.Context, arg db.UpsertDeviceParams) error
|
||||
GetShortcutToken(ctx context.Context, jti string) (db.ShortcutToken, error)
|
||||
TouchShortcutTokenUsed(ctx context.Context, arg db.TouchShortcutTokenUsedParams) error
|
||||
}
|
||||
|
||||
type Authenticator struct {
|
||||
cfg *config.Config
|
||||
store Store
|
||||
jwks *jwksCache
|
||||
hsKey []byte
|
||||
}
|
||||
|
||||
func New(cfg *config.Config, store Store) *Authenticator {
|
||||
a := &Authenticator{
|
||||
cfg: cfg,
|
||||
store: store,
|
||||
}
|
||||
if cfg.HS256Secret != "" {
|
||||
a.hsKey = DeriveHS256Key(cfg.HS256Secret)
|
||||
}
|
||||
if cfg.AuthMode == "prod" && cfg.OIDCJWKSURL != "" {
|
||||
a.jwks = newJWKSCache(cfg.OIDCJWKSURL, 10*time.Minute)
|
||||
}
|
||||
return a
|
||||
}
|
||||
|
||||
func (a *Authenticator) Middleware(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
token, ok := bearerToken(r)
|
||||
if !ok {
|
||||
unauthorized(w, "missing bearer token")
|
||||
return
|
||||
}
|
||||
|
||||
claims, err := a.verify(r.Context(), token, r)
|
||||
if err != nil {
|
||||
slog.Warn("auth failed", "err", err, "path", r.URL.Path)
|
||||
unauthorized(w, "invalid token")
|
||||
return
|
||||
}
|
||||
|
||||
deviceName := sanitizeDeviceName(r.Header.Get("X-Device-Name"))
|
||||
deviceType := normalizeDeviceType(r.Header.Get("X-Device-Type"))
|
||||
if claims.Scoped() {
|
||||
// The backend authoritatively knows a scoped token is the iOS
|
||||
// Shortcut, so it labels the device "shortcut" regardless of any
|
||||
// header. ("ios" stays reserved for a real native client.)
|
||||
deviceType = "shortcut"
|
||||
}
|
||||
|
||||
// Register a device only when the client names itself (X-Device-Name).
|
||||
// A nameless request — e.g. a polling shortcut hitting /api/clipboard/version
|
||||
// without the header — must NOT be registered: the old random UA fallback
|
||||
// minted a fresh "Unknown Device" row on every request and flooded the list.
|
||||
if deviceName != "" {
|
||||
if err := a.store.UpsertDevice(r.Context(), db.UpsertDeviceParams{
|
||||
UserID: claims.UserID,
|
||||
Name: deviceName,
|
||||
Type: deviceType,
|
||||
LastSeen: time.Now().Unix(),
|
||||
}); err != nil {
|
||||
// non-fatal: log and continue so transient DB errors don't 401 users
|
||||
slog.Error("device upsert failed",
|
||||
"err", err, "user", claims.UserID, "device", deviceName)
|
||||
}
|
||||
}
|
||||
|
||||
ctx := context.WithValue(r.Context(), claimsCtxKey, claims)
|
||||
ctx = context.WithValue(ctx, deviceCtxKey, deviceName)
|
||||
ctx = context.WithValue(ctx, deviceTypeCtxKey, deviceType)
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
})
|
||||
}
|
||||
|
||||
func (a *Authenticator) verify(ctx context.Context, token string, r *http.Request) (*Claims, error) {
|
||||
if a.cfg.AuthMode == "dev" {
|
||||
return a.verifyDev(token, r)
|
||||
}
|
||||
if c, err := a.verifyHS256(ctx, token); err == nil {
|
||||
return c, nil
|
||||
}
|
||||
return a.verifyRS256(ctx, token)
|
||||
}
|
||||
|
||||
func (a *Authenticator) verifyDev(token string, r *http.Request) (*Claims, error) {
|
||||
if subtle.ConstantTimeCompare([]byte(token), []byte(a.cfg.DevToken)) != 1 {
|
||||
return nil, errors.New("invalid dev token")
|
||||
}
|
||||
userID := r.Header.Get("X-Dev-User")
|
||||
if userID == "" {
|
||||
userID = "dev-user"
|
||||
}
|
||||
return &Claims{UserID: userID, Groups: []string{"dev"}}, nil
|
||||
}
|
||||
|
||||
func (a *Authenticator) verifyHS256(ctx context.Context, token string) (*Claims, error) {
|
||||
if len(a.hsKey) == 0 {
|
||||
return nil, errors.New("HS256 secret not configured")
|
||||
}
|
||||
parsed, err := jwt.ParseSigned(token, []jose.SignatureAlgorithm{jose.HS256})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var std jwt.Claims
|
||||
custom := map[string]any{}
|
||||
if err := parsed.Claims(a.hsKey, &std, &custom); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if err := std.ValidateWithLeeway(jwt.Expected{Time: time.Now()}, 30*time.Second); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
claims, err := claimsFromJWT(std, custom)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// HS256 is only ever used to mint scoped shortcut tokens, and those ALWAYS
|
||||
// carry a jti. A validly-signed HS256 token without one must be rejected
|
||||
// outright: otherwise it would fall through here as a full, unscoped account
|
||||
// session with a self-declared subject — far beyond the clipboard-only
|
||||
// surface HS256 is meant for. Requiring the jti keeps a leaked HS256 secret's
|
||||
// blast radius pinned to the shortcut scope (clipboard, and nothing else).
|
||||
if std.ID == "" {
|
||||
return nil, errors.New("HS256 token missing jti")
|
||||
}
|
||||
|
||||
// The signature alone is not enough — the token must still be present and not
|
||||
// revoked in the store, so a leaked or retired token can be killed
|
||||
// server-side. The stored row is also the authoritative source of scopes
|
||||
// (never trust scopes off the wire).
|
||||
row, err := a.store.GetShortcutToken(ctx, std.ID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("shortcut token lookup: %w", err)
|
||||
}
|
||||
if row.Revoked != 0 {
|
||||
return nil, errors.New("shortcut token revoked")
|
||||
}
|
||||
if row.UserID != claims.UserID {
|
||||
return nil, errors.New("shortcut token subject mismatch")
|
||||
}
|
||||
claims.JTI = std.ID
|
||||
claims.Scopes = strings.Fields(row.Scopes)
|
||||
a.touchTokenAsync(std.ID)
|
||||
return claims, nil
|
||||
}
|
||||
|
||||
// touchTokenAsync records a shortcut token's last-use time off the request path
|
||||
// — it's audit metadata, so a slow or failing write must never delay or fail
|
||||
// the request it belongs to.
|
||||
func (a *Authenticator) touchTokenAsync(jti string) {
|
||||
now := time.Now().Unix()
|
||||
go func() {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||||
defer cancel()
|
||||
if err := a.store.TouchShortcutTokenUsed(ctx, db.TouchShortcutTokenUsedParams{
|
||||
LastUsedAt: &now,
|
||||
Jti: jti,
|
||||
}); err != nil {
|
||||
slog.Warn("touch shortcut token failed", "err", err, "jti", jti)
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
func (a *Authenticator) verifyRS256(ctx context.Context, token string) (*Claims, error) {
|
||||
if a.jwks == nil {
|
||||
return nil, errors.New("JWKS not configured")
|
||||
}
|
||||
parsed, err := jwt.ParseSigned(token, []jose.SignatureAlgorithm{jose.RS256})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if len(parsed.Headers) == 0 {
|
||||
return nil, errors.New("missing token headers")
|
||||
}
|
||||
kid := parsed.Headers[0].KeyID
|
||||
key, err := a.jwks.GetKey(ctx, kid)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var std jwt.Claims
|
||||
custom := map[string]any{}
|
||||
if err := parsed.Claims(key, &std, &custom); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
expected := jwt.Expected{Time: time.Now()}
|
||||
if a.cfg.OIDCIssuer != "" {
|
||||
expected.Issuer = a.cfg.OIDCIssuer
|
||||
}
|
||||
if a.cfg.OIDCAudience != "" {
|
||||
expected.AnyAudience = parseAudiences(a.cfg.OIDCAudience)
|
||||
}
|
||||
if err := std.ValidateWithLeeway(expected, 30*time.Second); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return claimsFromJWT(std, custom)
|
||||
}
|
||||
|
||||
// parseAudiences splits a comma-separated OIDCAudience config into a jwt.Audience
|
||||
// set. Multiple values let one backend accept tokens minted for several OAuth
|
||||
// clients (the web app and the desktop client carry different `aud`); go-jose's
|
||||
// AnyAudience passes when the token's audience matches any one entry. Whitespace
|
||||
// around entries is trimmed and empties dropped, so a plain single value behaves
|
||||
// exactly as before.
|
||||
func parseAudiences(raw string) jwt.Audience {
|
||||
parts := strings.Split(raw, ",")
|
||||
out := make(jwt.Audience, 0, len(parts))
|
||||
for _, p := range parts {
|
||||
if s := strings.TrimSpace(p); s != "" {
|
||||
out = append(out, s)
|
||||
}
|
||||
}
|
||||
return out
|
||||
}
|
||||
|
||||
func claimsFromJWT(std jwt.Claims, custom map[string]any) (*Claims, error) {
|
||||
if std.Subject == "" {
|
||||
return nil, errors.New("missing subject claim")
|
||||
}
|
||||
c := &Claims{UserID: std.Subject}
|
||||
if g, ok := custom["groups"].([]any); ok {
|
||||
for _, item := range g {
|
||||
if s, ok := item.(string); ok {
|
||||
c.Groups = append(c.Groups, s)
|
||||
}
|
||||
}
|
||||
}
|
||||
return c, nil
|
||||
}
|
||||
|
||||
func bearerToken(r *http.Request) (string, bool) {
|
||||
h := r.Header.Get("Authorization")
|
||||
const prefix = "Bearer "
|
||||
if !strings.HasPrefix(h, prefix) {
|
||||
return "", false
|
||||
}
|
||||
tok := strings.TrimPrefix(h, prefix)
|
||||
if tok == "" {
|
||||
return "", false
|
||||
}
|
||||
return tok, true
|
||||
}
|
||||
|
||||
func unauthorized(w http.ResponseWriter, reason string) {
|
||||
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
||||
w.Header().Set("WWW-Authenticate", `Bearer realm="cdrop"`)
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
_ = json.NewEncoder(w).Encode(map[string]string{
|
||||
"error": "unauthorized",
|
||||
"reason": reason,
|
||||
})
|
||||
}
|
||||
|
||||
// DeriveHS256Key turns a configured secret of any length into a fixed 32-byte
|
||||
// HMAC key. HS256 requires >= 32 bytes; hashing guarantees that (and keeps the
|
||||
// minting and verifying sides in lockstep) so a short CDROP_HS256_SECRET can't
|
||||
// make shortcut-token signing fail. Both signing (httpapi) and verifying use it.
|
||||
func DeriveHS256Key(secret string) []byte {
|
||||
sum := sha256.Sum256([]byte(secret))
|
||||
return sum[:]
|
||||
}
|
||||
|
||||
// sanitizeDeviceName enforces the global ASCII-only device-name policy. Device
|
||||
// names ride in the X-Device-Name HTTP header, which can't carry non-ASCII
|
||||
// reliably (and browser fetch rejects such header values outright), so the name
|
||||
// is restricted to printable ASCII everywhere. Here we keep only printable ASCII
|
||||
// (0x20–0x7E), trim, and cap the length as a server-side backstop; clients also
|
||||
// validate the name up front for a clear error. Empty after sanitising → the
|
||||
// caller falls back to a UA-derived default.
|
||||
func sanitizeDeviceName(raw string) string {
|
||||
var b strings.Builder
|
||||
for _, r := range raw {
|
||||
if r >= 0x20 && r <= 0x7E {
|
||||
b.WriteRune(r)
|
||||
}
|
||||
}
|
||||
name := strings.TrimSpace(b.String())
|
||||
if len(name) > 64 {
|
||||
name = strings.TrimSpace(name[:64])
|
||||
}
|
||||
return name
|
||||
}
|
||||
|
||||
// normalizeDeviceType whitelists the client-declared X-Device-Type so a device
|
||||
// row only ever carries a known kind; anything unrecognised (incl. empty) falls
|
||||
// back to "browser", the default web client. Desktop clients send macos/windows;
|
||||
// "ios" is reserved for a future native iOS client (the Shortcut never sends it).
|
||||
func normalizeDeviceType(raw string) string {
|
||||
switch t := strings.ToLower(strings.TrimSpace(raw)); t {
|
||||
case "macos", "windows", "linux", "ios", "browser":
|
||||
return t
|
||||
default:
|
||||
return "browser"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,490 @@
|
||||
package jwtauth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"database/sql"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/go-jose/go-jose/v4"
|
||||
"github.com/go-jose/go-jose/v4/jwt"
|
||||
|
||||
"commilitia.net/cdrop/internal/config"
|
||||
"commilitia.net/cdrop/internal/db"
|
||||
)
|
||||
|
||||
// fakeDeviceUpserter records UpsertDevice calls without touching SQL and serves
|
||||
// shortcut-token lookups from an in-memory map (empty → "not found", so plain
|
||||
// device-only tests are unaffected).
|
||||
type fakeDeviceUpserter struct {
|
||||
calls []db.UpsertDeviceParams
|
||||
err error
|
||||
tokens map[string]db.ShortcutToken
|
||||
}
|
||||
|
||||
func (f *fakeDeviceUpserter) UpsertDevice(_ context.Context, arg db.UpsertDeviceParams) error {
|
||||
f.calls = append(f.calls, arg)
|
||||
return f.err
|
||||
}
|
||||
|
||||
func (f *fakeDeviceUpserter) GetShortcutToken(_ context.Context, jti string) (db.ShortcutToken, error) {
|
||||
if t, ok := f.tokens[jti]; ok {
|
||||
return t, nil
|
||||
}
|
||||
return db.ShortcutToken{}, sql.ErrNoRows
|
||||
}
|
||||
|
||||
// TouchShortcutTokenUsed is a no-op in tests: it runs on a detached goroutine
|
||||
// (touchTokenAsync), so recording into the fake here would race the test body.
|
||||
func (f *fakeDeviceUpserter) TouchShortcutTokenUsed(_ context.Context, _ db.TouchShortcutTokenUsedParams) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// echo handler that responds with the claims+device discovered in context.
|
||||
func echoMe(w http.ResponseWriter, r *http.Request) {
|
||||
claims, _ := ClaimsFromContext(r.Context())
|
||||
dev, _ := DeviceNameFromContext(r.Context())
|
||||
resp := map[string]any{
|
||||
"user_id": claims.UserID,
|
||||
"groups": claims.Groups,
|
||||
"device": dev,
|
||||
}
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_ = json.NewEncoder(w).Encode(resp)
|
||||
}
|
||||
|
||||
func TestDevMode_AcceptsTokenAndUsesXDevUser(t *testing.T) {
|
||||
cfg := &config.Config{AuthMode: "dev", DevToken: "secret-token"}
|
||||
dev := &fakeDeviceUpserter{}
|
||||
a := New(cfg, dev)
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
|
||||
req.Header.Set("Authorization", "Bearer secret-token")
|
||||
req.Header.Set("X-Dev-User", "alice")
|
||||
req.Header.Set("X-Device-Name", "tab-1")
|
||||
|
||||
rr := httptest.NewRecorder()
|
||||
a.Middleware(http.HandlerFunc(echoMe)).ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusOK {
|
||||
t.Fatalf("status: got %d, want 200; body=%s", rr.Code, rr.Body.String())
|
||||
}
|
||||
var got map[string]any
|
||||
if err := json.Unmarshal(rr.Body.Bytes(), &got); err != nil {
|
||||
t.Fatalf("decode: %v", err)
|
||||
}
|
||||
if got["user_id"] != "alice" {
|
||||
t.Errorf("user_id: got %v, want alice", got["user_id"])
|
||||
}
|
||||
if got["device"] != "tab-1" {
|
||||
t.Errorf("device: got %v, want tab-1", got["device"])
|
||||
}
|
||||
if len(dev.calls) != 1 {
|
||||
t.Errorf("UpsertDevice calls: got %d, want 1", len(dev.calls))
|
||||
}
|
||||
}
|
||||
|
||||
func TestDevMode_DefaultsUserIDWhenHeaderMissing(t *testing.T) {
|
||||
cfg := &config.Config{AuthMode: "dev", DevToken: "t"}
|
||||
a := New(cfg, &fakeDeviceUpserter{})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
|
||||
req.Header.Set("Authorization", "Bearer t")
|
||||
rr := httptest.NewRecorder()
|
||||
a.Middleware(http.HandlerFunc(echoMe)).ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusOK {
|
||||
t.Fatalf("status: got %d, want 200", rr.Code)
|
||||
}
|
||||
var got map[string]any
|
||||
_ = json.Unmarshal(rr.Body.Bytes(), &got)
|
||||
if got["user_id"] != "dev-user" {
|
||||
t.Errorf("user_id: got %v, want dev-user", got["user_id"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestDevMode_RejectsWrongToken(t *testing.T) {
|
||||
cfg := &config.Config{AuthMode: "dev", DevToken: "right"}
|
||||
a := New(cfg, &fakeDeviceUpserter{})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
|
||||
req.Header.Set("Authorization", "Bearer wrong")
|
||||
rr := httptest.NewRecorder()
|
||||
a.Middleware(http.HandlerFunc(echoMe)).ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("status: got %d, want 401", rr.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestDevMode_RejectsMissingHeader(t *testing.T) {
|
||||
cfg := &config.Config{AuthMode: "dev", DevToken: "x"}
|
||||
a := New(cfg, &fakeDeviceUpserter{})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
|
||||
rr := httptest.NewRecorder()
|
||||
a.Middleware(http.HandlerFunc(echoMe)).ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("status: got %d, want 401", rr.Code)
|
||||
}
|
||||
}
|
||||
|
||||
// --- prod RS256 path ---
|
||||
|
||||
func newRSAKey(t *testing.T) *rsa.PrivateKey {
|
||||
t.Helper()
|
||||
k, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||
if err != nil {
|
||||
t.Fatalf("rsa keygen: %v", err)
|
||||
}
|
||||
return k
|
||||
}
|
||||
|
||||
func startJWKSServer(t *testing.T, kid string, pub *rsa.PublicKey) *httptest.Server {
|
||||
t.Helper()
|
||||
jwk := jose.JSONWebKey{Key: pub, KeyID: kid, Algorithm: "RS256", Use: "sig"}
|
||||
set := jose.JSONWebKeySet{Keys: []jose.JSONWebKey{jwk}}
|
||||
body, err := json.Marshal(set)
|
||||
if err != nil {
|
||||
t.Fatalf("marshal jwks: %v", err)
|
||||
}
|
||||
return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_, _ = w.Write(body)
|
||||
}))
|
||||
}
|
||||
|
||||
func signRS256(t *testing.T, priv *rsa.PrivateKey, kid string, claims jwt.Claims, custom map[string]any) string {
|
||||
t.Helper()
|
||||
signer, err := jose.NewSigner(
|
||||
jose.SigningKey{Algorithm: jose.RS256, Key: priv},
|
||||
(&jose.SignerOptions{}).WithType("JWT").WithHeader("kid", kid),
|
||||
)
|
||||
if err != nil {
|
||||
t.Fatalf("new signer: %v", err)
|
||||
}
|
||||
tok, err := jwt.Signed(signer).Claims(claims).Claims(custom).Serialize()
|
||||
if err != nil {
|
||||
t.Fatalf("sign: %v", err)
|
||||
}
|
||||
return tok
|
||||
}
|
||||
|
||||
func TestProdMode_AcceptsValidRS256(t *testing.T) {
|
||||
priv := newRSAKey(t)
|
||||
kid := "key-1"
|
||||
srv := startJWKSServer(t, kid, &priv.PublicKey)
|
||||
defer srv.Close()
|
||||
|
||||
cfg := &config.Config{
|
||||
AuthMode: "prod",
|
||||
OIDCJWKSURL: srv.URL,
|
||||
OIDCIssuer: "https://oauth.example/",
|
||||
OIDCAudience: "cdrop",
|
||||
}
|
||||
a := New(cfg, &fakeDeviceUpserter{})
|
||||
|
||||
now := time.Now()
|
||||
std := jwt.Claims{
|
||||
Issuer: "https://oauth.example/",
|
||||
Subject: "user-bob",
|
||||
Audience: jwt.Audience{"cdrop"},
|
||||
IssuedAt: jwt.NewNumericDate(now),
|
||||
Expiry: jwt.NewNumericDate(now.Add(time.Hour)),
|
||||
}
|
||||
tok := signRS256(t, priv, kid, std, map[string]any{"groups": []any{"users"}})
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
|
||||
req.Header.Set("Authorization", "Bearer "+tok)
|
||||
rr := httptest.NewRecorder()
|
||||
a.Middleware(http.HandlerFunc(echoMe)).ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusOK {
|
||||
t.Fatalf("status: got %d, want 200; body=%s", rr.Code, rr.Body.String())
|
||||
}
|
||||
var got map[string]any
|
||||
_ = json.Unmarshal(rr.Body.Bytes(), &got)
|
||||
if got["user_id"] != "user-bob" {
|
||||
t.Errorf("user_id: got %v, want user-bob", got["user_id"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestProdMode_RejectsExpiredRS256(t *testing.T) {
|
||||
priv := newRSAKey(t)
|
||||
kid := "key-1"
|
||||
srv := startJWKSServer(t, kid, &priv.PublicKey)
|
||||
defer srv.Close()
|
||||
|
||||
cfg := &config.Config{
|
||||
AuthMode: "prod",
|
||||
OIDCJWKSURL: srv.URL,
|
||||
OIDCIssuer: "https://oauth.example/",
|
||||
OIDCAudience: "cdrop",
|
||||
}
|
||||
a := New(cfg, &fakeDeviceUpserter{})
|
||||
|
||||
past := time.Now().Add(-time.Hour)
|
||||
std := jwt.Claims{
|
||||
Issuer: "https://oauth.example/",
|
||||
Subject: "user-bob",
|
||||
Audience: jwt.Audience{"cdrop"},
|
||||
IssuedAt: jwt.NewNumericDate(past),
|
||||
Expiry: jwt.NewNumericDate(past.Add(time.Minute)), // already 59min stale
|
||||
}
|
||||
tok := signRS256(t, priv, kid, std, nil)
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
|
||||
req.Header.Set("Authorization", "Bearer "+tok)
|
||||
rr := httptest.NewRecorder()
|
||||
a.Middleware(http.HandlerFunc(echoMe)).ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("status: got %d, want 401; body=%s", rr.Code, rr.Body.String())
|
||||
}
|
||||
}
|
||||
|
||||
func TestProdMode_RejectsWrongIssuer(t *testing.T) {
|
||||
priv := newRSAKey(t)
|
||||
kid := "key-1"
|
||||
srv := startJWKSServer(t, kid, &priv.PublicKey)
|
||||
defer srv.Close()
|
||||
|
||||
cfg := &config.Config{
|
||||
AuthMode: "prod",
|
||||
OIDCJWKSURL: srv.URL,
|
||||
OIDCIssuer: "https://oauth.example/",
|
||||
OIDCAudience: "cdrop",
|
||||
}
|
||||
a := New(cfg, &fakeDeviceUpserter{})
|
||||
|
||||
now := time.Now()
|
||||
std := jwt.Claims{
|
||||
Issuer: "https://attacker.example/",
|
||||
Subject: "user-bob",
|
||||
Audience: jwt.Audience{"cdrop"},
|
||||
IssuedAt: jwt.NewNumericDate(now),
|
||||
Expiry: jwt.NewNumericDate(now.Add(time.Hour)),
|
||||
}
|
||||
tok := signRS256(t, priv, kid, std, nil)
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
|
||||
req.Header.Set("Authorization", "Bearer "+tok)
|
||||
rr := httptest.NewRecorder()
|
||||
a.Middleware(http.HandlerFunc(echoMe)).ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("status: got %d, want 401; body=%s", rr.Code, rr.Body.String())
|
||||
}
|
||||
}
|
||||
|
||||
// Multi-audience (R1): one backend serving web + desktop clients. A desktop
|
||||
// token carries aud=<desktop client_id>; it must pass when OIDCAudience lists
|
||||
// both client_ids comma-separated, and still be rejected when its aud is in
|
||||
// neither.
|
||||
func TestProdMode_AcceptsSecondAudienceInList(t *testing.T) {
|
||||
priv := newRSAKey(t)
|
||||
kid := "key-1"
|
||||
srv := startJWKSServer(t, kid, &priv.PublicKey)
|
||||
defer srv.Close()
|
||||
|
||||
cfg := &config.Config{
|
||||
AuthMode: "prod",
|
||||
OIDCJWKSURL: srv.URL,
|
||||
OIDCIssuer: "https://oauth.example/",
|
||||
OIDCAudience: "cdrop-web , cdrop-desktop", // spaces trimmed
|
||||
}
|
||||
a := New(cfg, &fakeDeviceUpserter{})
|
||||
|
||||
now := time.Now()
|
||||
std := jwt.Claims{
|
||||
Issuer: "https://oauth.example/",
|
||||
Subject: "user-bob",
|
||||
Audience: jwt.Audience{"cdrop-desktop"}, // the desktop client's aud
|
||||
IssuedAt: jwt.NewNumericDate(now),
|
||||
Expiry: jwt.NewNumericDate(now.Add(time.Hour)),
|
||||
}
|
||||
tok := signRS256(t, priv, kid, std, nil)
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
|
||||
req.Header.Set("Authorization", "Bearer "+tok)
|
||||
rr := httptest.NewRecorder()
|
||||
a.Middleware(http.HandlerFunc(echoMe)).ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusOK {
|
||||
t.Fatalf("status: got %d, want 200; body=%s", rr.Code, rr.Body.String())
|
||||
}
|
||||
}
|
||||
|
||||
func TestProdMode_RejectsAudienceNotInList(t *testing.T) {
|
||||
priv := newRSAKey(t)
|
||||
kid := "key-1"
|
||||
srv := startJWKSServer(t, kid, &priv.PublicKey)
|
||||
defer srv.Close()
|
||||
|
||||
cfg := &config.Config{
|
||||
AuthMode: "prod",
|
||||
OIDCJWKSURL: srv.URL,
|
||||
OIDCIssuer: "https://oauth.example/",
|
||||
OIDCAudience: "cdrop-web,cdrop-desktop",
|
||||
}
|
||||
a := New(cfg, &fakeDeviceUpserter{})
|
||||
|
||||
now := time.Now()
|
||||
std := jwt.Claims{
|
||||
Issuer: "https://oauth.example/",
|
||||
Subject: "user-bob",
|
||||
Audience: jwt.Audience{"some-other-client"},
|
||||
IssuedAt: jwt.NewNumericDate(now),
|
||||
Expiry: jwt.NewNumericDate(now.Add(time.Hour)),
|
||||
}
|
||||
tok := signRS256(t, priv, kid, std, nil)
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
|
||||
req.Header.Set("Authorization", "Bearer "+tok)
|
||||
rr := httptest.NewRecorder()
|
||||
a.Middleware(http.HandlerFunc(echoMe)).ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("status: got %d, want 401; body=%s", rr.Code, rr.Body.String())
|
||||
}
|
||||
}
|
||||
|
||||
// A nameless request (no X-Device-Name) must NOT register a device — preventing
|
||||
// the random-fallback "Unknown Device" flood from polling clients.
|
||||
func TestNamelessRequestSkipsDeviceUpsert(t *testing.T) {
|
||||
cfg := &config.Config{AuthMode: "dev", DevToken: "t"}
|
||||
store := &fakeDeviceUpserter{}
|
||||
a := New(cfg, store)
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/clipboard/version", nil)
|
||||
req.Header.Set("Authorization", "Bearer t") // no X-Device-Name
|
||||
rr := httptest.NewRecorder()
|
||||
a.Middleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
})).ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusOK {
|
||||
t.Fatalf("status: got %d, want 200", rr.Code)
|
||||
}
|
||||
if len(store.calls) != 0 {
|
||||
t.Errorf("nameless request must not upsert a device, got %d calls", len(store.calls))
|
||||
}
|
||||
}
|
||||
|
||||
func signHS256(t *testing.T, secret, sub, jti, scope string, exp time.Time) string {
|
||||
t.Helper()
|
||||
sig, err := jose.NewSigner(
|
||||
jose.SigningKey{Algorithm: jose.HS256, Key: DeriveHS256Key(secret)},
|
||||
(&jose.SignerOptions{}).WithType("JWT"),
|
||||
)
|
||||
if err != nil {
|
||||
t.Fatalf("signer: %v", err)
|
||||
}
|
||||
std := jwt.Claims{
|
||||
Subject: sub,
|
||||
ID: jti,
|
||||
IssuedAt: jwt.NewNumericDate(time.Now()),
|
||||
Expiry: jwt.NewNumericDate(exp),
|
||||
}
|
||||
tok, err := jwt.Signed(sig).Claims(std).Claims(map[string]any{"scope": scope}).Serialize()
|
||||
if err != nil {
|
||||
t.Fatalf("serialize: %v", err)
|
||||
}
|
||||
return tok
|
||||
}
|
||||
|
||||
func serveBearer(a *Authenticator, tok string) (int, *Claims) {
|
||||
req := httptest.NewRequest(http.MethodGet, "/api/clipboard", nil)
|
||||
req.Header.Set("Authorization", "Bearer "+tok)
|
||||
req.Header.Set("X-Device-Name", "iPhone")
|
||||
rr := httptest.NewRecorder()
|
||||
var got *Claims
|
||||
a.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
got, _ = ClaimsFromContext(r.Context())
|
||||
w.WriteHeader(http.StatusOK)
|
||||
})).ServeHTTP(rr, req)
|
||||
return rr.Code, got
|
||||
}
|
||||
|
||||
// A valid HS256 shortcut token authenticates and carries its jti + stored scope;
|
||||
// revocation, an unknown jti, and a subject/owner mismatch are all rejected even
|
||||
// though the signature is valid — the store is the authority.
|
||||
func TestShortcutToken_HS256VerifyRevokeAndScope(t *testing.T) {
|
||||
secret := "test-hs256-secret-at-least-32-bytes-long" // HS256 needs >= 32 bytes
|
||||
cfg := &config.Config{AuthMode: "prod", HS256Secret: secret}
|
||||
exp := time.Now().Add(time.Hour)
|
||||
store := &fakeDeviceUpserter{tokens: map[string]db.ShortcutToken{
|
||||
"jti-1": {Jti: "jti-1", UserID: "user-x", Scopes: "clipboard", ExpiresAt: exp.Unix()},
|
||||
}}
|
||||
a := New(cfg, store)
|
||||
|
||||
tok := signHS256(t, secret, "user-x", "jti-1", "clipboard", exp)
|
||||
|
||||
code, claims := serveBearer(a, tok)
|
||||
if code != http.StatusOK {
|
||||
t.Fatalf("valid token: got %d, want 200", code)
|
||||
}
|
||||
if claims == nil || !claims.Scoped() || claims.JTI != "jti-1" || !claims.HasScope("clipboard") {
|
||||
t.Fatalf("claims not populated as scoped clipboard token: %+v", claims)
|
||||
}
|
||||
// The device registers under the (ASCII) X-Device-Name the request carried.
|
||||
if len(store.calls) == 0 || store.calls[len(store.calls)-1].Name != "iPhone" {
|
||||
t.Errorf("expected device name from header, got %+v", store.calls)
|
||||
}
|
||||
|
||||
// Subject mismatch: stored row owned by a different user than the token's sub.
|
||||
store.tokens["jti-1"] = db.ShortcutToken{Jti: "jti-1", UserID: "someone-else", Scopes: "clipboard", ExpiresAt: exp.Unix()}
|
||||
if code, _ := serveBearer(a, tok); code != http.StatusUnauthorized {
|
||||
t.Errorf("subject mismatch: got %d, want 401", code)
|
||||
}
|
||||
|
||||
// Revoked row → reject.
|
||||
store.tokens["jti-1"] = db.ShortcutToken{Jti: "jti-1", UserID: "user-x", Scopes: "clipboard", Revoked: 1, ExpiresAt: exp.Unix()}
|
||||
if code, _ := serveBearer(a, tok); code != http.StatusUnauthorized {
|
||||
t.Errorf("revoked token: got %d, want 401", code)
|
||||
}
|
||||
|
||||
// Unknown jti (signed but no stored row) → reject.
|
||||
ghost := signHS256(t, secret, "user-x", "ghost", "clipboard", exp)
|
||||
if code, _ := serveBearer(a, ghost); code != http.StatusUnauthorized {
|
||||
t.Errorf("unknown jti: got %d, want 401", code)
|
||||
}
|
||||
}
|
||||
|
||||
// An HS256 token WITHOUT a jti must be rejected outright (G1): the HS256 path
|
||||
// only ever signs scoped shortcut tokens, which always carry a jti. A jti-less
|
||||
// but validly-signed token would otherwise fall through as a full, unscoped
|
||||
// account session with a self-declared subject — so a leaked HS256 secret could
|
||||
// mint arbitrary-subject sessions far beyond the clipboard scope. Requiring the
|
||||
// jti pins a leaked secret's blast radius to clipboard-only.
|
||||
func TestShortcutToken_HS256RejectsMissingJTI(t *testing.T) {
|
||||
secret := "test-hs256-secret-at-least-32-bytes-long"
|
||||
cfg := &config.Config{AuthMode: "prod", HS256Secret: secret}
|
||||
a := New(cfg, &fakeDeviceUpserter{})
|
||||
|
||||
tok := signHS256(t, secret, "user-x", "", "clipboard", time.Now().Add(time.Hour))
|
||||
if code, _ := serveBearer(a, tok); code != http.StatusUnauthorized {
|
||||
t.Errorf("jti-less HS256 token must be rejected, got %d", code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSanitizeDeviceName(t *testing.T) {
|
||||
cases := []struct{ in, want string }{
|
||||
{"iPhone", "iPhone"},
|
||||
{" My iPad ", "My iPad"},
|
||||
{"我的iPhone", "iPhone"}, // CJK stripped
|
||||
{"我的电脑", ""}, // all non-ASCII → empty (caller falls back)
|
||||
{"Mac Book", "MacBook"}, // NBSP dropped
|
||||
}
|
||||
for _, c := range cases {
|
||||
if got := sanitizeDeviceName(c.in); got != c.want {
|
||||
t.Errorf("sanitizeDeviceName(%q) = %q, want %q", c.in, got, c.want)
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user