TestOAuth2ClientIsolation tests that OAuth2 clients cannot access other clients' data
(t *testing.T)
| 17 | |
| 18 | // TestOAuth2ClientIsolation tests that OAuth2 clients cannot access other clients' data |
| 19 | func TestOAuth2ClientIsolation(t *testing.T) { |
| 20 | t.Parallel() |
| 21 | |
| 22 | client := coderdtest.New(t, nil) |
| 23 | _ = coderdtest.CreateFirstUser(t, client) |
| 24 | |
| 25 | ctx := t.Context() |
| 26 | |
| 27 | // Create two separate OAuth2 clients with unique identifiers |
| 28 | client1Name := fmt.Sprintf("test-client-1-%s-%d", t.Name(), time.Now().UnixNano()) |
| 29 | client1Req := codersdk.OAuth2ClientRegistrationRequest{ |
| 30 | RedirectURIs: []string{"https://client1.example.com/callback"}, |
| 31 | ClientName: client1Name, |
| 32 | ClientURI: "https://client1.example.com", |
| 33 | } |
| 34 | client1Resp, err := client.PostOAuth2ClientRegistration(ctx, client1Req) |
| 35 | require.NoError(t, err) |
| 36 | |
| 37 | client2Name := fmt.Sprintf("test-client-2-%s-%d", t.Name(), time.Now().UnixNano()) |
| 38 | client2Req := codersdk.OAuth2ClientRegistrationRequest{ |
| 39 | RedirectURIs: []string{"https://client2.example.com/callback"}, |
| 40 | ClientName: client2Name, |
| 41 | ClientURI: "https://client2.example.com", |
| 42 | } |
| 43 | client2Resp, err := client.PostOAuth2ClientRegistration(ctx, client2Req) |
| 44 | require.NoError(t, err) |
| 45 | |
| 46 | t.Run("ClientsCannotAccessOtherClientData", func(t *testing.T) { |
| 47 | t.Parallel() |
| 48 | ctx := t.Context() |
| 49 | |
| 50 | // Client 1 should not be able to access Client 2's data using Client 1's token |
| 51 | _, err := client.GetOAuth2ClientConfiguration(ctx, client2Resp.ClientID, client1Resp.RegistrationAccessToken) |
| 52 | require.Error(t, err) |
| 53 | |
| 54 | var httpErr *codersdk.Error |
| 55 | require.ErrorAs(t, err, &httpErr) |
| 56 | require.Equal(t, http.StatusUnauthorized, httpErr.StatusCode()) |
| 57 | |
| 58 | // Client 2 should not be able to access Client 1's data using Client 2's token |
| 59 | _, err = client.GetOAuth2ClientConfiguration(ctx, client1Resp.ClientID, client2Resp.RegistrationAccessToken) |
| 60 | require.Error(t, err) |
| 61 | |
| 62 | require.ErrorAs(t, err, &httpErr) |
| 63 | require.Equal(t, http.StatusUnauthorized, httpErr.StatusCode()) |
| 64 | }) |
| 65 | |
| 66 | t.Run("ClientsCannotUpdateOtherClients", func(t *testing.T) { |
| 67 | t.Parallel() |
| 68 | ctx := t.Context() |
| 69 | |
| 70 | // Client 1 should not be able to update Client 2 using Client 1's token |
| 71 | updateReq := codersdk.OAuth2ClientRegistrationRequest{ |
| 72 | RedirectURIs: []string{"https://malicious.example.com/callback"}, |
| 73 | ClientName: "Malicious Update", |
| 74 | } |
| 75 | |
| 76 | _, err := client.PutOAuth2ClientConfiguration(ctx, client2Resp.ClientID, client1Resp.RegistrationAccessToken, updateReq) |