forked from baron/baron-sso
426 lines
14 KiB
Go
426 lines
14 KiB
Go
package handler
|
|
|
|
import (
|
|
"baron-sso-backend/internal/domain"
|
|
"baron-sso-backend/internal/service"
|
|
"baron-sso-backend/internal/testsupport"
|
|
"bytes"
|
|
"encoding/json"
|
|
"io"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/gofiber/fiber/v2"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/mock"
|
|
)
|
|
|
|
// Mock services
|
|
type mockEmailService struct {
|
|
lastTo string
|
|
lastSubject string
|
|
lastBody string
|
|
}
|
|
|
|
func (m *mockEmailService) SendEmail(to, subject, body string) error {
|
|
m.lastTo = to
|
|
m.lastSubject = subject
|
|
m.lastBody = body
|
|
return nil
|
|
}
|
|
|
|
type mockSmsService struct {
|
|
lastTo string
|
|
lastContent string
|
|
}
|
|
|
|
func (m *mockSmsService) SendSms(to, content string) error {
|
|
m.lastTo = to
|
|
m.lastContent = content
|
|
return nil
|
|
}
|
|
|
|
func newHeadlessLinkTestApp(h *AuthHandler) *fiber.App {
|
|
app := fiber.New()
|
|
app.Post("/api/v1/auth/headless/link/init", h.HeadlessLinkInit)
|
|
app.Post("/api/v1/auth/headless/link/poll", h.HeadlessLinkPoll)
|
|
app.Post("/api/v1/auth/magic-link/verify", h.VerifyMagicLink)
|
|
return app
|
|
}
|
|
|
|
func TestEnchantedLinkFlow_Email_Success(t *testing.T) {
|
|
redis := &mockRedisRepo{data: make(map[string]string)}
|
|
// Force "Not Supported" for InitiateLinkLogin only to trigger custom Enchanted Link logic
|
|
idp := &mockIdpProvider{
|
|
userExists: true,
|
|
initiateLinkErr: domain.ErrNotSupported,
|
|
}
|
|
|
|
h := &AuthHandler{
|
|
RedisService: redis,
|
|
IdpProvider: idp,
|
|
EmailService: &mockEmailService{},
|
|
SmsService: &mockSmsService{},
|
|
}
|
|
app := fiber.New()
|
|
app.Post("/api/v1/auth/enchanted-link/init", h.InitEnchantedLink)
|
|
app.Post("/api/v1/auth/enchanted-link/poll", h.PollEnchantedLink)
|
|
app.Post("/api/v1/auth/magic-link/verify", h.VerifyMagicLink)
|
|
|
|
t.Setenv("USERFRONT_URL", "http://userfront.test")
|
|
|
|
// 1. Init Enchanted Link (Email)
|
|
body, _ := json.Marshal(map[string]string{
|
|
"loginId": "user@example.com",
|
|
"method": "email",
|
|
})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/enchanted-link/init", bytes.NewReader(body))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, _ := app.Test(req, -1)
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
var initResp map[string]interface{}
|
|
json.NewDecoder(resp.Body).Decode(&initResp)
|
|
pendingRef := initResp["pendingRef"].(string)
|
|
assert.NotEmpty(t, pendingRef)
|
|
|
|
// Find the token key "enchanted_token:..." in mock redis
|
|
var token string
|
|
for k := range redis.data {
|
|
if len(k) > 16 && k[:16] == "enchanted_token:" {
|
|
token = k[16:]
|
|
break
|
|
}
|
|
}
|
|
assert.NotEmpty(t, token)
|
|
|
|
// 2. Verify Magic Link
|
|
verifyBody, _ := json.Marshal(map[string]interface{}{
|
|
"token": token,
|
|
"verifyOnly": true,
|
|
})
|
|
req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/magic-link/verify", bytes.NewReader(verifyBody))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, _ = app.Test(req, -1)
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
// 3. Poll (Success)
|
|
pollBody, _ := json.Marshal(map[string]string{"pendingRef": pendingRef})
|
|
req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/enchanted-link/poll", bytes.NewReader(pollBody))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, _ = app.Test(req, -1)
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
var pollResp map[string]interface{}
|
|
json.NewDecoder(resp.Body).Decode(&pollResp)
|
|
assert.Equal(t, "ok", pollResp["status"])
|
|
assert.Equal(t, "valid-jwt", pollResp["sessionJwt"])
|
|
}
|
|
|
|
func TestEnchantedLinkFlow_Sms_Success(t *testing.T) {
|
|
redis := &mockRedisRepo{data: make(map[string]string)}
|
|
idp := &mockIdpProvider{
|
|
userExists: true,
|
|
initiateLinkErr: domain.ErrNotSupported,
|
|
}
|
|
|
|
h := &AuthHandler{
|
|
RedisService: redis,
|
|
IdpProvider: idp,
|
|
SmsService: &mockSmsService{},
|
|
}
|
|
app := fiber.New()
|
|
app.Post("/api/v1/auth/enchanted-link/init", h.InitEnchantedLink)
|
|
|
|
// 1. Init Enchanted Link (SMS)
|
|
body, _ := json.Marshal(map[string]string{
|
|
"loginId": "010-1234-5678",
|
|
"method": "sms",
|
|
})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/enchanted-link/init", bytes.NewReader(body))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, _ := app.Test(req, -1)
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
var initResp map[string]interface{}
|
|
json.NewDecoder(resp.Body).Decode(&initResp)
|
|
assert.NotEmpty(t, initResp["userCode"])
|
|
}
|
|
|
|
func TestResolveUserfrontURL_DevLocalhostUsesConfiguredPort(t *testing.T) {
|
|
t.Setenv("APP_ENV", "dev")
|
|
t.Setenv("USERFRONT_URL", "http://localhost:5000")
|
|
|
|
h := &AuthHandler{}
|
|
app := fiber.New()
|
|
app.Get("/probe", func(c *fiber.Ctx) error {
|
|
return c.SendString(h.resolveUserfrontURL(c))
|
|
})
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "http://localhost/probe", nil)
|
|
resp, _ := app.Test(req, -1)
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
body, _ := io.ReadAll(resp.Body)
|
|
assert.Equal(t, "http://localhost:5000", string(body))
|
|
}
|
|
|
|
func TestVerifyLoginCode_MapsSmsPhoneBeforeFlowLookup(t *testing.T) {
|
|
redis := &mockRedisRepo{data: map[string]string{
|
|
prefixLoginCode + "su-@samaneng.com": "flow-123",
|
|
prefixLoginCodePending + "su-@samaneng.com": "pending-123",
|
|
prefixLoginCodeSmsLookup + "+821041585840": "su-@samaneng.com",
|
|
prefixLoginCodeSmsTarget + "su-@samaneng.com": "+821041585840",
|
|
prefixLoginCodeValue + "pending-123": "569765",
|
|
}}
|
|
h := &AuthHandler{
|
|
RedisService: redis,
|
|
IdpProvider: &mockIdpProvider{},
|
|
}
|
|
app := fiber.New()
|
|
app.Post("/api/v1/auth/login/code/verify", h.VerifyLoginCode)
|
|
|
|
body, _ := json.Marshal(map[string]interface{}{
|
|
"loginId": "01041585840",
|
|
"code": "569765",
|
|
"pendingRef": "pending-123",
|
|
"verifyOnly": true,
|
|
})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/login/code/verify", bytes.NewReader(body))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, _ := app.Test(req, -1)
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
var got map[string]interface{}
|
|
_ = json.NewDecoder(resp.Body).Decode(&got)
|
|
assert.Equal(t, "approved", got["status"])
|
|
assert.Equal(t, "pending-123", got["pendingRef"])
|
|
}
|
|
|
|
func TestPollEnchantedLink_ExpiredToken_ReturnsCode(t *testing.T) {
|
|
redis := &mockRedisRepo{data: make(map[string]string)}
|
|
h := &AuthHandler{
|
|
RedisService: redis,
|
|
}
|
|
app := fiber.New()
|
|
app.Post("/api/v1/auth/enchanted-link/poll", h.PollEnchantedLink)
|
|
|
|
body, _ := json.Marshal(map[string]string{
|
|
"pendingRef": "missing-ref",
|
|
})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/enchanted-link/poll", bytes.NewReader(body))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, _ := app.Test(req, -1)
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
var got map[string]interface{}
|
|
json.NewDecoder(resp.Body).Decode(&got)
|
|
assert.Equal(t, "expired_token", got["error"])
|
|
assert.Equal(t, "expired_token", got["code"])
|
|
}
|
|
|
|
func TestHeadlessLinkInit_HeadlessLoginClientSuccess(t *testing.T) {
|
|
t.Setenv("BACKEND_PUBLIC_URL", "")
|
|
|
|
if !testsupport.PortBindingAvailable() {
|
|
t.Skip("skipping headless link tests because this environment cannot bind local TCP listeners")
|
|
}
|
|
|
|
redis := &mockRedisRepo{data: make(map[string]string)}
|
|
privateKey, jwks := mustHeadlessRSAJWK(t)
|
|
jwksBody, _ := json.Marshal(jwks)
|
|
jwksServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_, _ = w.Write(jwksBody)
|
|
}))
|
|
defer jwksServer.Close()
|
|
|
|
idp := &mockIdpProvider{
|
|
userExists: true,
|
|
initiateLinkErr: domain.ErrNotSupported,
|
|
}
|
|
|
|
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if strings.Contains(r.URL.Path, "/oauth2/auth/requests/login") && r.Method == http.MethodGet {
|
|
_ = json.NewEncoder(w).Encode(domain.HydraLoginRequest{
|
|
Challenge: "challenge-123",
|
|
Client: domain.HydraClient{
|
|
ClientID: "headless-login-client",
|
|
TokenEndpointAuthMethod: "none",
|
|
Metadata: map[string]interface{}{
|
|
"status": "active",
|
|
"headless_login_enabled": true,
|
|
"headless_token_endpoint_auth_method": "private_key_jwt",
|
|
"headless_jwks_uri": jwksServer.URL + "/.well-known/jwks.json",
|
|
},
|
|
},
|
|
})
|
|
return
|
|
}
|
|
http.NotFound(w, r)
|
|
})
|
|
|
|
h := &AuthHandler{
|
|
RedisService: redis,
|
|
IdpProvider: idp,
|
|
SmsService: &mockSmsService{},
|
|
Hydra: &service.HydraAdminService{
|
|
AdminURL: "http://hydra.test",
|
|
HTTPClient: &http.Client{Transport: mockHydraTransport(hydraHandler)},
|
|
},
|
|
}
|
|
|
|
app := newHeadlessLinkTestApp(h)
|
|
t.Setenv("USERFRONT_URL", "http://userfront.test")
|
|
|
|
body, _ := json.Marshal(map[string]string{
|
|
"client_id": "headless-login-client",
|
|
"client_assertion": mustHeadlessClientAssertion(t, privateKey, "headless-login-client", "http://example.com/api/v1/auth/headless/link/init"),
|
|
"loginId": "010-1234-5678",
|
|
"login_challenge": "challenge-123",
|
|
})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/headless/link/init", bytes.NewReader(body))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, _ := app.Test(req, -1)
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
var got map[string]interface{}
|
|
_ = json.NewDecoder(resp.Body).Decode(&got)
|
|
assert.NotEmpty(t, got["pendingRef"])
|
|
_, hasUserCode := got["userCode"]
|
|
assert.False(t, hasUserCode)
|
|
}
|
|
|
|
func TestHeadlessLinkPoll_AfterApprovalReturnsRedirect(t *testing.T) {
|
|
t.Setenv("BACKEND_PUBLIC_URL", "")
|
|
|
|
if !testsupport.PortBindingAvailable() {
|
|
t.Skip("skipping headless link tests because this environment cannot bind local TCP listeners")
|
|
}
|
|
|
|
redis := &mockRedisRepo{data: make(map[string]string)}
|
|
privateKey, jwks := mustHeadlessRSAJWK(t)
|
|
jwksBody, _ := json.Marshal(jwks)
|
|
|
|
idp := &mockIdpProvider{
|
|
userExists: true,
|
|
initiateLinkErr: domain.ErrNotSupported,
|
|
}
|
|
|
|
hydraHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
switch {
|
|
case strings.Contains(r.URL.Path, "/oauth2/auth/requests/login") && r.Method == http.MethodGet:
|
|
_ = json.NewEncoder(w).Encode(domain.HydraLoginRequest{
|
|
Challenge: "challenge-123",
|
|
Client: domain.HydraClient{
|
|
ClientID: "headless-login-client",
|
|
ClientName: "local-demo-rp",
|
|
TokenEndpointAuthMethod: "none",
|
|
Metadata: map[string]interface{}{
|
|
"status": "active",
|
|
"headless_login_enabled": true,
|
|
"headless_token_endpoint_auth_method": "private_key_jwt",
|
|
"headless_jwks_uri": "https://rp.example.com/.well-known/jwks.json",
|
|
},
|
|
},
|
|
})
|
|
return
|
|
case strings.Contains(r.URL.Path, "/oauth2/auth/requests/login/accept") && r.Method == http.MethodPut:
|
|
_ = json.NewEncoder(w).Encode(map[string]string{"redirect_to": "http://rp/cb"})
|
|
return
|
|
}
|
|
http.NotFound(w, r)
|
|
})
|
|
|
|
mockKratos := new(MockKratosAdminService)
|
|
mockKratos.On("FindIdentityIDByIdentifier", mock.Anything, "+821012345678").Return("kratos-identity-id", nil)
|
|
auditRepo := &mockAuditRepo{}
|
|
headlessClient := &http.Client{Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
|
|
if r.URL.Host == "rp.example.com" && r.URL.Path == "/.well-known/jwks.json" {
|
|
return httpResponse(r, http.StatusOK, string(jwksBody)), nil
|
|
}
|
|
return httpResponse(r, http.StatusNotFound, "not found"), nil
|
|
})}
|
|
|
|
h := &AuthHandler{
|
|
RedisService: redis,
|
|
IdpProvider: idp,
|
|
SmsService: &mockSmsService{},
|
|
KratosAdmin: mockKratos,
|
|
AuditRepo: auditRepo,
|
|
HeadlessJWKS: service.NewHeadlessJWKSCacheService(nil, headlessClient),
|
|
Hydra: &service.HydraAdminService{
|
|
AdminURL: "http://hydra.test",
|
|
HTTPClient: &http.Client{Transport: mockHydraTransport(hydraHandler)},
|
|
},
|
|
}
|
|
|
|
app := newHeadlessLinkTestApp(h)
|
|
t.Setenv("USERFRONT_URL", "http://userfront.test")
|
|
|
|
initBody, _ := json.Marshal(map[string]string{
|
|
"client_id": "headless-login-client",
|
|
"client_assertion": mustHeadlessClientAssertion(t, privateKey, "headless-login-client", "http://example.com/api/v1/auth/headless/link/init"),
|
|
"loginId": "010-1234-5678",
|
|
"login_challenge": "challenge-123",
|
|
})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/headless/link/init", bytes.NewReader(initBody))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, _ := app.Test(req, -1)
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
var initResp map[string]interface{}
|
|
_ = json.NewDecoder(resp.Body).Decode(&initResp)
|
|
pendingRef := initResp["pendingRef"].(string)
|
|
assert.NotEmpty(t, pendingRef)
|
|
|
|
var token string
|
|
for k := range redis.data {
|
|
if len(k) > 16 && k[:16] == "enchanted_token:" {
|
|
token = k[16:]
|
|
break
|
|
}
|
|
}
|
|
assert.NotEmpty(t, token)
|
|
|
|
verifyBody, _ := json.Marshal(map[string]interface{}{
|
|
"token": token,
|
|
"verifyOnly": true,
|
|
})
|
|
req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/magic-link/verify", bytes.NewReader(verifyBody))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, _ = app.Test(req, -1)
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
pollBody, _ := json.Marshal(map[string]string{
|
|
"client_id": "headless-login-client",
|
|
"client_assertion": mustHeadlessClientAssertion(t, privateKey, "headless-login-client", "http://example.com/api/v1/auth/headless/link/poll"),
|
|
"pendingRef": pendingRef,
|
|
})
|
|
req = httptest.NewRequest(http.MethodPost, "/api/v1/auth/headless/link/poll", bytes.NewReader(pollBody))
|
|
req.Header.Set("Content-Type", "application/json")
|
|
resp, _ = app.Test(req, -1)
|
|
|
|
assert.Equal(t, http.StatusOK, resp.StatusCode)
|
|
var pollResp map[string]interface{}
|
|
_ = json.NewDecoder(resp.Body).Decode(&pollResp)
|
|
assert.Equal(t, "http://rp/cb", pollResp["redirectTo"])
|
|
assert.Equal(t, "ok", pollResp["status"])
|
|
if assert.Len(t, auditRepo.logs, 1) {
|
|
assert.Contains(t, auditRepo.logs[0].EventType, "/api/v1/auth/")
|
|
details, err := parseAuditDetails(auditRepo.logs[0].Details)
|
|
if err != nil {
|
|
t.Fatalf("failed to parse audit details: %v", err)
|
|
}
|
|
assert.Equal(t, "headless-login-client", details["client_id"])
|
|
assert.Equal(t, "local-demo-rp", details["client_name"])
|
|
assert.Equal(t, "challenge-123", details["login_challenge"])
|
|
}
|
|
}
|