feat(headless-login): add jwks cache visibility and refresh flow

- replace inline headless jwks support with jwksUri-only validation - add cached jwks refresh worker, manual refresh/revoke endpoints, and parsed key summaries - expose allowed algorithms and key previews in DevFront with regression coverage
2026-04-01 18:33:22 +09:00
parent f51cdba51a
commit 9facd24a00
20 changed files with 2393 additions and 499 deletions
--- a/backend/internal/handler/auth_handler_link_test.go
+++ b/backend/internal/handler/auth_handler_link_test.go
@@ -175,6 +175,12 @@ func TestPollEnchantedLink_ExpiredToken_ReturnsCode(t *testing.T) {
 func TestHeadlessLinkInit_HeadlessLoginClientSuccess(t *testing.T) {
 	redis := &mockRedisRepo{data: make(map[string]string)}
 	privateKey, jwks := mustHeadlessRSAJWK(t)
+	jwksBody, _ := json.Marshal(jwks)
+	jwksServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		_, _ = w.Write(jwksBody)
+	}))
+	defer jwksServer.Close()

 	idp := &mockIdpProvider{
 		userExists:      true,
@@ -192,7 +198,7 @@ func TestHeadlessLinkInit_HeadlessLoginClientSuccess(t *testing.T) {
 						"status":                              "active",
 						"headless_login_enabled":              true,
 						"headless_token_endpoint_auth_method": "private_key_jwt",
-						"headless_jwks":                       jwks,
+						"headless_jwks_uri":                   jwksServer.URL + "/.well-known/jwks.json",
 					},
 				},
 			})
@@ -236,6 +242,12 @@ func TestHeadlessLinkInit_HeadlessLoginClientSuccess(t *testing.T) {
 func TestHeadlessLinkPoll_AfterApprovalReturnsRedirect(t *testing.T) {
 	redis := &mockRedisRepo{data: make(map[string]string)}
 	privateKey, jwks := mustHeadlessRSAJWK(t)
+	jwksBody, _ := json.Marshal(jwks)
+	jwksServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		_, _ = w.Write(jwksBody)
+	}))
+	defer jwksServer.Close()

 	idp := &mockIdpProvider{
 		userExists:      true,
@@ -254,7 +266,7 @@ func TestHeadlessLinkPoll_AfterApprovalReturnsRedirect(t *testing.T) {
 						"status":                              "active",
 						"headless_login_enabled":              true,
 						"headless_token_endpoint_auth_method": "private_key_jwt",
-						"headless_jwks":                       jwks,
+						"headless_jwks_uri":                   jwksServer.URL + "/.well-known/jwks.json",
 					},
 				},
 			})