Add authorization code tests
This commit is contained in:
Kagami Sascha Rosylight
parent
413fa63093
commit
3b8b9a658a
1 changed files with 39 additions and 10 deletions
|
|
@ -342,24 +342,53 @@ describe('OAuth', () => {
|
||||||
};
|
};
|
||||||
|
|
||||||
describe('Verify PKCE', () => {
|
describe('Verify PKCE', () => {
|
||||||
for (const [title, code_verifier] of Object.entries(tests)) {
|
for (const [title, wrong_verifier] of Object.entries(tests)) {
|
||||||
test(title, async () => {
|
test(title, async () => {
|
||||||
const { client, code } = await fetchAuthorizationCode(alice, 'write:notes', code_challenge);
|
const { client, code } = await fetchAuthorizationCode(alice, 'write:notes', code_challenge);
|
||||||
|
|
||||||
await assert.rejects(client.getToken({
|
await assert.rejects(client.getToken({
|
||||||
code,
|
code,
|
||||||
redirect_uri,
|
redirect_uri,
|
||||||
code_verifier,
|
code_verifier: wrong_verifier,
|
||||||
} as AuthorizationTokenConfigExtended));
|
} as AuthorizationTokenConfigExtended));
|
||||||
|
});
|
||||||
|
}
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
// https://datatracker.ietf.org/doc/html/rfc6749.html#section-4.1.2
|
||||||
|
// "If an authorization code is used more than once, the authorization server
|
||||||
|
// MUST deny the request and SHOULD revoke (when possible) all tokens
|
||||||
|
// previously issued based on that authorization code."
|
||||||
|
describe('Revoking authorization code', () => {
|
||||||
|
test('On success', async () => {
|
||||||
|
const { code_challenge, code_verifier } = await pkceChallenge(128);
|
||||||
|
const { client, code } = await fetchAuthorizationCode(alice, 'write:notes', code_challenge);
|
||||||
|
|
||||||
|
await client.getToken({
|
||||||
|
code,
|
||||||
|
redirect_uri,
|
||||||
|
code_verifier,
|
||||||
|
} as AuthorizationTokenConfigExtended);
|
||||||
|
|
||||||
// And now the code is invalidated by the previous failure
|
|
||||||
await assert.rejects(client.getToken({
|
await assert.rejects(client.getToken({
|
||||||
code,
|
code,
|
||||||
redirect_uri,
|
redirect_uri,
|
||||||
code_verifier,
|
code_verifier,
|
||||||
} as AuthorizationTokenConfigExtended));
|
} as AuthorizationTokenConfigExtended));
|
||||||
});
|
});
|
||||||
}
|
|
||||||
|
test('On failure', async () => {
|
||||||
|
const { code_challenge, code_verifier } = await pkceChallenge(128);
|
||||||
|
const { client, code } = await fetchAuthorizationCode(alice, 'write:notes', code_challenge);
|
||||||
|
|
||||||
|
await assert.rejects(client.getToken({ code, redirect_uri }));
|
||||||
|
|
||||||
|
await assert.rejects(client.getToken({
|
||||||
|
code,
|
||||||
|
redirect_uri,
|
||||||
|
code_verifier,
|
||||||
|
} as AuthorizationTokenConfigExtended));
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
@ -816,5 +845,5 @@ describe('OAuth', () => {
|
||||||
|
|
||||||
// TODO: Unknown OAuth endpoint
|
// TODO: Unknown OAuth endpoint
|
||||||
|
|
||||||
// TODO: successful token exchange should invalidate the grant token (spec?)
|
// TODO: Add spec links to tests
|
||||||
});
|
});
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue