MCPcopy Index your code
hub / github.com/coder/coder / TestOAuth2InformationDisclosure

Function TestOAuth2InformationDisclosure

coderd/oauth2_security_test.go:314–394  ·  view source on GitHub ↗

TestOAuth2InformationDisclosure tests that error messages don't leak sensitive information

(t *testing.T)

Source from the content-addressed store, hash-verified

312
313// TestOAuth2InformationDisclosure tests that error messages don't leak sensitive information
314func TestOAuth2InformationDisclosure(t *testing.T) {
315 t.Parallel()
316
317 client := coderdtest.New(t, nil)
318 _ = coderdtest.CreateFirstUser(t, client)
319
320 ctx := t.Context()
321
322 // Register a client for testing
323 clientName := fmt.Sprintf("test-client-%d", time.Now().UnixNano())
324 regReq := codersdk.OAuth2ClientRegistrationRequest{
325 RedirectURIs: []string{"https://example.com/callback"},
326 ClientName: clientName,
327 }
328 regResp, err := client.PostOAuth2ClientRegistration(ctx, regReq)
329 require.NoError(t, err)
330
331 t.Run("ErrorsDoNotLeakClientSecrets", func(t *testing.T) {
332 t.Parallel()
333 ctx := t.Context()
334
335 // Try various invalid operations and ensure they don't leak the client secret
336 _, err := client.GetOAuth2ClientConfiguration(ctx, regResp.ClientID, "invalid-token")
337 require.Error(t, err)
338
339 var httpErr *codersdk.Error
340 require.ErrorAs(t, err, &httpErr)
341
342 // Error message should not contain any part of the client secret or registration token
343 errorText := strings.ToLower(httpErr.Message + httpErr.Detail)
344 require.NotContains(t, errorText, strings.ToLower(regResp.ClientSecret))
345 require.NotContains(t, errorText, strings.ToLower(regResp.RegistrationAccessToken))
346 })
347
348 t.Run("ErrorsDoNotLeakDatabaseDetails", func(t *testing.T) {
349 t.Parallel()
350 ctx := t.Context()
351
352 // Try to access non-existent client
353 _, err := client.GetOAuth2ClientConfiguration(ctx, "non-existent-client-id", regResp.RegistrationAccessToken)
354 require.Error(t, err)
355
356 var httpErr *codersdk.Error
357 require.ErrorAs(t, err, &httpErr)
358
359 // Error message should not leak database schema information
360 errorText := strings.ToLower(httpErr.Message + httpErr.Detail)
361 require.NotContains(t, errorText, "sql")
362 require.NotContains(t, errorText, "database")
363 require.NotContains(t, errorText, "table")
364 require.NotContains(t, errorText, "row")
365 require.NotContains(t, errorText, "constraint")
366 })
367
368 t.Run("ErrorsAreConsistentForInvalidClients", func(t *testing.T) {
369 t.Parallel()
370 ctx := t.Context()
371

Callers

nothing calls this directly

Calls 8

NewFunction · 0.92
CreateFirstUserFunction · 0.92
ContextMethod · 0.65
RunMethod · 0.65
ErrorMethod · 0.45
EqualMethod · 0.45

Tested by

no test coverage detected