fix(headless-login): simplify jwks policy checks

2026-04-01 19:24:26 +09:00
parent 51f09bf53c
commit c3ae316570
5 changed files with 409 additions and 146 deletions
--- a/devfront/tests/devfront-clients-lifecycle.spec.ts
+++ b/devfront/tests/devfront-clients-lifecycle.spec.ts
@@ -130,6 +130,9 @@ test.describe("DevFront clients lifecycle", () => {
        makeClient("client-headless-login", {
          name: "Headless Login App",
          type: "pkce",
+          metadata: {
+            request_object_signing_alg: "RS256",
+          },
          headlessJwksCache: {
            clientId: "client-headless-login",
            jwksUri,
@@ -185,8 +188,9 @@ test.describe("DevFront clients lifecycle", () => {
    ).toBeVisible();

    await expect(
-      page.getByRole("radio", { name: /Inline Public Key|Inline/i }),
+      page.getByText(/Request Object Signing Algorithm/i),
    ).toHaveCount(0);
+    await expect(page.getByText(/Allowed algorithms|허용 알고리즘/i)).toHaveCount(0);
    await page
      .getByPlaceholder(/https:\/\/rp\.example\.com\/\.well-known\/jwks\.json/i)
      .fill(jwksUri);
@@ -206,6 +210,9 @@ test.describe("DevFront clients lifecycle", () => {
    await expect
      .poll(() => state.clients[0]?.metadata?.headless_jwks_uri)
      .toBe(jwksUri);
+    await expect
+      .poll(() => state.clients[0]?.metadata?.request_object_signing_alg)
+      .toBeUndefined();

    await expect(
      page.getByText(/cached at|캐시됨|last refresh|마지막 갱신/i),
@@ -213,23 +220,6 @@ test.describe("DevFront clients lifecycle", () => {
    await expect(page.getByText(/Parsed Keys|파싱된 키/i)).toBeVisible();
    await expect(page.getByText(/^KID$/i)).toBeVisible();
    await expect(page.getByText("kid-1", { exact: true }).last()).toBeVisible();
-    await expect(
-      page.getByText(/Allowed algorithms|허용 알고리즘/i),
-    ).toBeVisible();
-    for (const algorithm of [
-      "RS256",
-      "RS384",
-      "RS512",
-      "PS256",
-      "PS384",
-      "PS512",
-      "ES256",
-      "ES384",
-      "ES512",
-      "EdDSA",
-    ]) {
-      await expect(page.getByText(algorithm, { exact: true }).last()).toBeVisible();
-    }
    await expect(
      page.getByText(
        "voVbHlo_UHkjtT7Q_8owyjZ2omE8n8mbGlpraZziStHPfe08q_RGiEXO6Pyiz42NVi-Yo0c7qiaqRwB4h9s5phpT2wwcUxnkrQeRhe7BpigInZPzpwq1hsaB2zyhE7zTRCC3hinGtFdVpNzTVKYKGPbXfeEXaRL3P838vi-_iB4IN3WQk_pAakUQvajL2H-vcWSMSNslMGPDZxobqE9MHSWocNXemrcmtCeE7ruUND0qHZOb8k-hHUBqsNoJ63WKdapzGYF6e2qgDRveYrjgOCBigZPi8npN0xStQ0YcrH_RxeTogsdRZ8SuXmLqavryVDnrT8czPkkJ-EHb8PiTCQ",
@@ -268,4 +258,104 @@ test.describe("DevFront clients lifecycle", () => {
    ).toBeVisible();
    await expect(page.getByRole("textbox", { name: /JWKS URI|JWKS URI/i })).toHaveValue(jwksUri);
  });
+
+  test("pkce headless login blocks save when parsed jwks algorithm is unsupported", async ({
+    page,
+  }) => {
+    const state = {
+      clients: [
+        makeClient("client-headless-unsupported", {
+          name: "Unsupported Headless Login App",
+          type: "pkce",
+          metadata: {
+            headless_login_enabled: true,
+            request_object_signing_alg: "RS256",
+          },
+          headlessJwksCache: {
+            clientId: "client-headless-unsupported",
+            jwksUri,
+            cachedAt: "2026-03-31T00:00:00.000Z",
+            expiresAt: "2026-04-01T00:00:00.000Z",
+            lastCheckedAt: "2026-03-31T12:00:00.000Z",
+            lastSuccessfulVerificationAt: "2026-03-31T12:00:00.000Z",
+            lastRefreshStatus: "success",
+            lastError: "",
+            consecutiveFailures: 0,
+            cachedKids: ["kid-unsupported"],
+            parsedKeys: [
+              {
+                kid: "kid-unsupported",
+                kty: "RSA",
+                use: "sig",
+                alg: "HS256",
+                n: "unsupported-n-value",
+              },
+            ],
+          },
+        }),
+      ],
+      consents: [] as Consent[],
+      auditLogsByCursor: undefined,
+    };
+    await installDevApiMock(page, state);
+
+    await page.goto("/clients/client-headless-unsupported/settings");
+
+    await page
+      .getByPlaceholder(/https:\/\/rp\.example\.com\/\.well-known\/jwks\.json/i)
+      .fill(jwksUri);
+
+    await expect(
+      page.getByText("지원하지 않는 알고리즘이 감지되었습니다.", { exact: true }),
+    ).toBeVisible();
+    await expect(page.getByRole("button", { name: /^저장$|^Save$/i })).toBeDisabled();
+  });
+
+  test("pkce headless login blocks save when parsed jwks algorithm is missing", async ({
+    page,
+  }) => {
+    const state = {
+      clients: [
+        makeClient("client-headless-missing-alg", {
+          name: "Missing Alg Headless Login App",
+          type: "pkce",
+          metadata: {
+            headless_login_enabled: true,
+            headless_jwks_uri: jwksUri,
+          },
+          headlessJwksCache: {
+            clientId: "client-headless-missing-alg",
+            jwksUri,
+            cachedAt: "2026-03-31T00:00:00.000Z",
+            expiresAt: "2026-04-01T00:00:00.000Z",
+            lastCheckedAt: "2026-03-31T12:00:00.000Z",
+            lastSuccessfulVerificationAt: "2026-03-31T12:00:00.000Z",
+            lastRefreshStatus: "success",
+            lastError: "",
+            consecutiveFailures: 0,
+            cachedKids: ["kid-missing-alg"],
+            parsedKeys: [
+              {
+                kid: "kid-missing-alg",
+                kty: "RSA",
+                use: "sig",
+                alg: "",
+                n: "missing-alg-n-value",
+              },
+            ],
+          },
+        }),
+      ],
+      consents: [] as Consent[],
+      auditLogsByCursor: undefined,
+    };
+    await installDevApiMock(page, state);
+
+    await page.goto("/clients/client-headless-missing-alg/settings");
+
+    await expect(
+      page.getByText(/알고리즘이 선언되지 않았습니다|algorithm is missing/i),
+    ).toBeVisible();
+    await expect(page.getByRole("button", { name: /^저장$|^Save$/i })).toBeDisabled();
+  });
 });