| 1566 | |
| 1567 | // TestOAuth2RegistrationAccessToken tests the registration access token middleware |
| 1568 | func TestOAuth2RegistrationAccessToken(t *testing.T) { |
| 1569 | t.Parallel() |
| 1570 | |
| 1571 | client := coderdtest.New(t, nil) |
| 1572 | _ = coderdtest.CreateFirstUser(t, client) |
| 1573 | |
| 1574 | t.Run("ValidToken", func(t *testing.T) { |
| 1575 | t.Parallel() |
| 1576 | ctx := testutil.Context(t, testutil.WaitLong) |
| 1577 | |
| 1578 | // Register a client |
| 1579 | req := codersdk.OAuth2ClientRegistrationRequest{ |
| 1580 | RedirectURIs: []string{"https://example.com/callback"}, |
| 1581 | ClientName: fmt.Sprintf("token-test-client-%d", time.Now().UnixNano()), |
| 1582 | } |
| 1583 | |
| 1584 | resp, err := client.PostOAuth2ClientRegistration(ctx, req) |
| 1585 | require.NoError(t, err) |
| 1586 | |
| 1587 | // Valid token should work |
| 1588 | config, err := client.GetOAuth2ClientConfiguration(ctx, resp.ClientID, resp.RegistrationAccessToken) |
| 1589 | require.NoError(t, err) |
| 1590 | require.Equal(t, resp.ClientID, config.ClientID) |
| 1591 | }) |
| 1592 | |
| 1593 | t.Run("ManuallyCreatedClient", func(t *testing.T) { |
| 1594 | t.Parallel() |
| 1595 | ctx := testutil.Context(t, testutil.WaitLong) |
| 1596 | |
| 1597 | // Create a client through the normal API (not dynamic registration) |
| 1598 | appReq := codersdk.PostOAuth2ProviderAppRequest{ |
| 1599 | Name: fmt.Sprintf("manual-%d", time.Now().UnixNano()%1000000), |
| 1600 | CallbackURL: "https://manual.com/callback", |
| 1601 | } |
| 1602 | |
| 1603 | app, err := client.PostOAuth2ProviderApp(ctx, appReq) |
| 1604 | require.NoError(t, err) |
| 1605 | |
| 1606 | // Should not be able to manage via RFC 7592 endpoints |
| 1607 | _, err = client.GetOAuth2ClientConfiguration(ctx, app.ID.String(), "any-token") |
| 1608 | require.Error(t, err) |
| 1609 | require.Contains(t, err.Error(), "invalid_token") // Client was not dynamically registered |
| 1610 | }) |
| 1611 | |
| 1612 | t.Run("TokenPasswordComparison", func(t *testing.T) { |
| 1613 | t.Parallel() |
| 1614 | ctx := testutil.Context(t, testutil.WaitLong) |
| 1615 | |
| 1616 | // Register two clients to ensure tokens are unique |
| 1617 | timestamp := time.Now().UnixNano() |
| 1618 | req1 := codersdk.OAuth2ClientRegistrationRequest{ |
| 1619 | RedirectURIs: []string{"https://client1.com/callback"}, |
| 1620 | ClientName: fmt.Sprintf("client-1-%d", timestamp), |
| 1621 | } |
| 1622 | req2 := codersdk.OAuth2ClientRegistrationRequest{ |
| 1623 | RedirectURIs: []string{"https://client2.com/callback"}, |
| 1624 | ClientName: fmt.Sprintf("client-2-%d", timestamp+1), |
| 1625 | } |