package platform import ( "context" "crypto/sha256" "encoding/base64" "encoding/json" "net/http" "net/http/httptest" "net/url" "strings" "testing" "time" ) func TestNewPKCE(t *testing.T) { v, c, err := newPKCE() if err != nil { t.Fatalf("newPKCE: %v", err) } if len(v) != 64 { t.Errorf("verifier length = %d, want 64", len(v)) } sum := sha256.Sum256([]byte(v)) want := base64.RawURLEncoding.EncodeToString(sum[:]) if c != want { t.Errorf("challenge = %q, want S256(verifier) = %q", c, want) } // two calls must differ v2, _, _ := newPKCE() if v == v2 { t.Error("two verifiers collided") } } // decodeBody reads a JSON request body into a map. func decodeBody(t *testing.T, r *http.Request) map[string]string { t.Helper() var m map[string]string if err := json.NewDecoder(r.Body).Decode(&m); err != nil { t.Fatalf("decode body: %v", err) } return m } // TestLogin_Success drives the whole broker device-authorization loopback flow with a // fake /device/token endpoint and a fake browser — no real network or prod dependency. func TestLogin_Success(t *testing.T) { var gotBody map[string]string brokerSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.URL.Path != "/device/token" { t.Errorf("token path = %s, want /device/token", r.URL.Path) } gotBody = decodeBody(t, r) w.Header().Set("Content-Type", "application/json") _ = json.NewEncoder(w).Encode(map[string]any{ "id": "sid-1", "app": "cdrop", "access": "at-123", "refresh": "rtk-456", "access_expires": time.Now().Add(15 * time.Minute).Unix(), }) })) defer brokerSrv.Close() cfg := OAuthConfig{BrokerURL: brokerSrv.URL, App: "cdrop"} // Fake browser: parse the /device/authorize URL, assert it carries app + PKCE, // then GET the loopback redirect with a code + the same state (approved). openURL := func(authURL string) { u, err := url.Parse(authURL) if err != nil { t.Errorf("parse authURL: %v", err) return } if !strings.HasSuffix(u.Path, "/device/authorize") { t.Errorf("authorize path = %s, want /device/authorize", u.Path) } q := u.Query() if q.Get("code_challenge") == "" || q.Get("code_challenge_method") != "S256" { t.Errorf("authorize request missing PKCE challenge: %v", q) } if q.Get("app") != "cdrop" { t.Errorf("authorize app = %q", q.Get("app")) } cb := q.Get("redirect_uri") + "?code=auth-code-xyz&state=" + url.QueryEscape(q.Get("state")) resp, err := http.Get(cb) if err != nil { t.Errorf("callback GET: %v", err) return } _ = resp.Body.Close() } tok, err := NewFlow(cfg, openURL).Login(context.Background()) if err != nil { t.Fatalf("Login: %v", err) } if tok.AccessToken != "at-123" { t.Errorf("access = %q, want at-123", tok.AccessToken) } if tok.RefreshToken != "rtk-456" { t.Errorf("refresh = %q, want rtk-456", tok.RefreshToken) } if tok.ExpiresIn <= 0 || tok.ExpiresIn > 900 { t.Errorf("expires_in = %d, want ~900 (derived from access_expires)", tok.ExpiresIn) } // The exchange must carry the code, the PKCE verifier, and the same redirect_uri. if gotBody["code"] != "auth-code-xyz" { t.Errorf("code = %q", gotBody["code"]) } if gotBody["code_verifier"] == "" { t.Error("token exchange missing code_verifier") } if !strings.HasPrefix(gotBody["redirect_uri"], "http://127.0.0.1:") { t.Errorf("redirect_uri = %q, want loopback", gotBody["redirect_uri"]) } } func TestLogin_StateMismatch(t *testing.T) { cfg := OAuthConfig{BrokerURL: "https://sso.example.net", App: "cdrop"} openURL := func(authURL string) { u, _ := url.Parse(authURL) redirect := u.Query().Get("redirect_uri") resp, err := http.Get(redirect + "?code=c&state=WRONG-STATE") if err == nil { _ = resp.Body.Close() } } _, err := NewFlow(cfg, openURL).Login(context.Background()) if err == nil || !strings.Contains(err.Error(), "state mismatch") { t.Fatalf("want state mismatch error, got %v", err) } } func TestLogin_IncompleteConfig(t *testing.T) { _, err := NewFlow(OAuthConfig{App: "only-app"}, func(string) {}).Login(context.Background()) if err == nil { t.Fatal("want error for incomplete config, got nil") } } func TestRefresh_Success(t *testing.T) { var gotBody map[string]string brokerSrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.URL.Path != "/refresh" { t.Errorf("refresh path = %s, want /refresh", r.URL.Path) } gotBody = decodeBody(t, r) w.Header().Set("Content-Type", "application/json") _ = json.NewEncoder(w).Encode(map[string]any{ "access": "new-at", "refresh": "new-rtk", "access_expires": time.Now().Add(15 * time.Minute).Unix(), }) })) defer brokerSrv.Close() cfg := OAuthConfig{BrokerURL: brokerSrv.URL, App: "cdrop"} tok, err := NewFlow(cfg, func(string) {}).Refresh(context.Background(), "old-rtk") if err != nil { t.Fatalf("Refresh: %v", err) } if tok.AccessToken != "new-at" { t.Errorf("access = %q, want new-at", tok.AccessToken) } if tok.RefreshToken != "new-rtk" { t.Errorf("refresh = %q, want new-rtk (rotated)", tok.RefreshToken) } if gotBody["refresh"] != "old-rtk" { t.Errorf("sent refresh = %q, want old-rtk", gotBody["refresh"]) } } func TestRefresh_EmptyToken(t *testing.T) { cfg := OAuthConfig{BrokerURL: "https://sso.example.net", App: "cdrop"} if _, err := NewFlow(cfg, func(string) {}).Refresh(context.Background(), ""); err == nil { t.Fatal("want error for empty refresh token") } }