
Function TestOAuth2ClientIsolation

coderd/oauth2_security_test.go:19–101  ·  view source on GitHub ↗

TestOAuth2ClientIsolation checks that the registration access token issued to one dynamically registered OAuth2 client cannot be used to read (GET) or update (PUT) a different client's configuration. The test registers two clients, then swaps the tokens across client IDs; cross-client reads are expected to fail with HTTP 401 Unauthorized rather than succeed or leak the other client's registration data.

(t *testing.T)


18// TestOAuth2ClientIsolation verifies that a registration access token issued to one
18// OAuth2 client cannot read or update another client's configuration: reads with the
18// wrong client's token must be rejected with HTTP 401, and the update path is probed too.
19func TestOAuth2ClientIsolation(t *testing.T) {
20 t.Parallel()
21
22 client := coderdtest.New(t, nil)
23 _ = coderdtest.CreateFirstUser(t, client)
24
25 ctx := t.Context()
26
27 // Create two separate OAuth2 clients with unique identifiers
28 client1Name := fmt.Sprintf("test-client-1-%s-%d", t.Name(), time.Now().UnixNano())
29 client1Req := codersdk.OAuth2ClientRegistrationRequest{
30 RedirectURIs: []string{"https://client1.example.com/callback"},
31 ClientName: client1Name,
32 ClientURI: "https://client1.example.com",
33 }
34 client1Resp, err := client.PostOAuth2ClientRegistration(ctx, client1Req)
35 require.NoError(t, err)
36
37 client2Name := fmt.Sprintf("test-client-2-%s-%d", t.Name(), time.Now().UnixNano())
38 client2Req := codersdk.OAuth2ClientRegistrationRequest{
39 RedirectURIs: []string{"https://client2.example.com/callback"},
40 ClientName: client2Name,
41 ClientURI: "https://client2.example.com",
42 }
43 client2Resp, err := client.PostOAuth2ClientRegistration(ctx, client2Req)
44 require.NoError(t, err)
45
46 t.Run("ClientsCannotAccessOtherClientData", func(t *testing.T) {
47 t.Parallel()
48 ctx := t.Context()
49
50 // Client 1 should not be able to access Client 2's data using Client 1's token
51 _, err := client.GetOAuth2ClientConfiguration(ctx, client2Resp.ClientID, client1Resp.RegistrationAccessToken)
52 require.Error(t, err)
53
54 var httpErr *codersdk.Error
55 require.ErrorAs(t, err, &httpErr)
56 require.Equal(t, http.StatusUnauthorized, httpErr.StatusCode())
57
58 // Client 2 should not be able to access Client 1's data using Client 2's token
59 _, err = client.GetOAuth2ClientConfiguration(ctx, client1Resp.ClientID, client2Resp.RegistrationAccessToken)
60 require.Error(t, err)
61
62 require.ErrorAs(t, err, &httpErr)
63 require.Equal(t, http.StatusUnauthorized, httpErr.StatusCode())
64 })
65
66 t.Run("ClientsCannotUpdateOtherClients", func(t *testing.T) {
67 t.Parallel()
68 ctx := t.Context()
69
70 // Client 1 should not be able to update Client 2 using Client 1's token
71 updateReq := codersdk.OAuth2ClientRegistrationRequest{
72 RedirectURIs: []string{"https://malicious.example.com/callback"},
73 ClientName: "Malicious Update",
74 }
75
76 _, err := client.PutOAuth2ClientConfiguration(ctx, client2Resp.ClientID, client1Resp.RegistrationAccessToken, updateReq)
