Merge commit '1406c20959678870fe01564147613b24806697a2'

2026-02-03 14:27:21 +09:00
parent d09abab5a2 1406c20959
commit 3868f5967e
25 changed files with 4683 additions and 277 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
--- a/backend/internal/handler/auth_handler_oidc_test.go
+++ b/backend/internal/handler/auth_handler_oidc_test.go
@@ -0,0 +1,201 @@
+package handler
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gofiber/fiber/v2"
+
+	"baron-sso-backend/internal/service"
+)
+
+func newOidcLoginTestApp(h *AuthHandler) *fiber.App {
+	app := fiber.New()
+	app.Post("/api/v1/auth/oidc/login/accept", h.AcceptOidcLoginRequest)
+	return app
+}
+
+func TestAcceptOidcLoginRequest_CookieOnly(t *testing.T) {
+	var gotSubject string
+	var gotChallenge string
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch r.URL.Host {
+		case "kratos.test":
+			if r.URL.Path != "/sessions/whoami" {
+				return httpResponse(r, http.StatusNotFound, "not found"), nil
+			}
+			if r.Header.Get("X-Session-Token") != "" {
+				return httpResponse(r, http.StatusUnauthorized, "invalid token"), nil
+			}
+			if r.Header.Get("Cookie") == "" {
+				return httpResponse(r, http.StatusUnauthorized, "missing cookie"), nil
+			}
+			return httpJSON(r, http.StatusOK, map[string]interface{}{
+				"identity": map[string]interface{}{
+					"id":     "kratos-123",
+					"traits": map[string]interface{}{},
+				},
+			}), nil
+		case "hydra.test":
+			if r.URL.Path != "/oauth2/auth/requests/login/accept" {
+				return httpResponse(r, http.StatusNotFound, "not found"), nil
+			}
+			gotChallenge = r.URL.Query().Get("login_challenge")
+			body, _ := io.ReadAll(r.Body)
+			var payload map[string]interface{}
+			_ = json.Unmarshal(body, &payload)
+			if subject, ok := payload["subject"].(string); ok {
+				gotSubject = subject
+			}
+			return httpResponse(r, http.StatusOK, `{"redirect_to":"http://rp/cb"}`), nil
+		default:
+			return httpResponse(r, http.StatusNotFound, "not found"), nil
+		}
+	})
+	client := &http.Client{Transport: transport}
+	origDefault := http.DefaultClient
+	http.DefaultClient = client
+	defer func() {
+		http.DefaultClient = origDefault
+	}()
+
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+	app := newOidcLoginTestApp(h)
+
+	body, _ := json.Marshal(map[string]string{
+		"login_challenge": "challenge-123",
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/oidc/login/accept", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Cookie", "ory_kratos_session=abc123")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("expected 200, got %d", resp.StatusCode)
+	}
+	var got map[string]string
+	if err := json.NewDecoder(resp.Body).Decode(&got); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if got["redirectTo"] != "http://rp/cb" {
+		t.Fatalf("unexpected redirectTo: %v", got["redirectTo"])
+	}
+	if gotSubject != "kratos-123" {
+		t.Fatalf("unexpected subject: %v", gotSubject)
+	}
+	if gotChallenge != "challenge-123" {
+		t.Fatalf("unexpected login_challenge: %v", gotChallenge)
+	}
+}
+
+func TestAcceptOidcLoginRequest_TokenFallbackToCookie(t *testing.T) {
+	var gotSubject string
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch r.URL.Host {
+		case "kratos.test":
+			if r.URL.Path != "/sessions/whoami" {
+				return httpResponse(r, http.StatusNotFound, "not found"), nil
+			}
+			if r.Header.Get("X-Session-Token") != "" {
+				return httpResponse(r, http.StatusUnauthorized, "invalid token"), nil
+			}
+			if r.Header.Get("Cookie") == "" {
+				return httpResponse(r, http.StatusUnauthorized, "missing cookie"), nil
+			}
+			return httpJSON(r, http.StatusOK, map[string]interface{}{
+				"identity": map[string]interface{}{
+					"id":     "kratos-456",
+					"traits": map[string]interface{}{},
+				},
+			}), nil
+		case "hydra.test":
+			if r.URL.Path != "/oauth2/auth/requests/login/accept" {
+				return httpResponse(r, http.StatusNotFound, "not found"), nil
+			}
+			body, _ := io.ReadAll(r.Body)
+			var payload map[string]interface{}
+			_ = json.Unmarshal(body, &payload)
+			if subject, ok := payload["subject"].(string); ok {
+				gotSubject = subject
+			}
+			return httpResponse(r, http.StatusOK, `{"redirect_to":"http://rp/cb"}`), nil
+		default:
+			return httpResponse(r, http.StatusNotFound, "not found"), nil
+		}
+	})
+	client := &http.Client{Transport: transport}
+	origDefault := http.DefaultClient
+	http.DefaultClient = client
+	defer func() {
+		http.DefaultClient = origDefault
+	}()
+
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+
+	h := &AuthHandler{
+		Hydra: &service.HydraAdminService{
+			AdminURL:   "http://hydra.test",
+			HTTPClient: client,
+		},
+	}
+	app := newOidcLoginTestApp(h)
+
+	body, _ := json.Marshal(map[string]string{
+		"login_challenge": "challenge-456",
+	})
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/oidc/login/accept", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Bearer invalid-token")
+	req.Header.Set("Cookie", "ory_kratos_session=def456")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("expected 200, got %d", resp.StatusCode)
+	}
+	if gotSubject != "kratos-456" {
+		t.Fatalf("unexpected subject: %v", gotSubject)
+	}
+}
+
+type roundTripFunc func(*http.Request) (*http.Response, error)
+
+func (f roundTripFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return f(req)
+}
+
+func httpResponse(req *http.Request, status int, body string) *http.Response {
+	return &http.Response{
+		StatusCode: status,
+		Header:     make(http.Header),
+		Body:       io.NopCloser(bytes.NewBufferString(body)),
+		Request:    req,
+	}
+}
+
+func httpJSON(req *http.Request, status int, payload map[string]interface{}) *http.Response {
+	data, _ := json.Marshal(payload)
+	resp := httpResponse(req, status, string(data))
+	resp.Header.Set("Content-Type", "application/json")
+	return resp
+}
--- a/backend/internal/handler/dev_handler.go
+++ b/backend/internal/handler/dev_handler.go
@@ -396,16 +396,26 @@ func (h *DevHandler) ListConsents(c *fiber.Ctx) error {

 	items := make([]consentSummary, 0, len(sessions))
 	for _, session := range sessions {
+		client := session.Client
+		if client.ClientID == "" && session.ConsentRequest != nil {
+			client = session.ConsentRequest.Client
+		}
+		subject := session.Subject
+		if subject == "" && session.ConsentRequest != nil {
+			subject = session.ConsentRequest.Subject
+		}
 		authAt := ""
 		if session.AuthenticatedAt != nil {
 			authAt = session.AuthenticatedAt.Format(time.RFC3339)
 		} else if session.RequestedAt != nil {
 			authAt = session.RequestedAt.Format(time.RFC3339)
+		} else if session.HandledAt != nil {
+			authAt = session.HandledAt.Format(time.RFC3339)
 		}
 		items = append(items, consentSummary{
-			Subject:         session.Subject,
-			ClientID:        session.Client.ClientID,
-			ClientName:      session.Client.ClientName,
+			Subject:         subject,
+			ClientID:        client.ClientID,
+			ClientName:      client.ClientName,
 			GrantedScopes:   session.GrantedScope,
 			AuthenticatedAt: authAt,
 		})