refactor: tests (#731)

* tests: rework tests for context controller * tests: add tests for health controller * tests: add tests for oidc controller * tests: use testify assert in context and health controller * tests: add tests for user controller * tests: add tests for resources controller * tests: add well known controller tests * test: add proxy controller tests * chore: review comments * chore: more review comments * chore: cancel lockdown in testing * tests: fix get cookie domain tests * chore: add comment for testing passwords
2026-03-31 19:07:56 +00:00 · 2026-03-30 15:31:34 +03:00
parent f65df872f0
commit 5811218dbf
12 changed files with 1501 additions and 968 deletions
--- a/internal/controller/oidc_controller_test.go
+++ b/internal/controller/oidc_controller_test.go
@@ -2,10 +2,9 @@ package controller_test

 import (
 	"encoding/json"
-	"fmt"
-	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"path"
 	"strings"
 	"testing"

@@ -16,266 +15,456 @@ import (
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
-	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
-	"gotest.tools/v3/assert"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

-var oidcServiceConfig = service.OIDCServiceConfig{
-	Clients: map[string]config.OIDCClientConfig{
-		"client1": {
-			ClientID:         "some-client-id",
-			ClientSecret:     "some-client-secret",
-			ClientSecretFile: "",
-			TrustedRedirectURIs: []string{
-				"https://example.com/oauth/callback",
-			},
-			Name: "Client 1",
-		},
-	},
-	PrivateKeyPath: "/tmp/tinyauth_oidc_key",
-	PublicKeyPath:  "/tmp/tinyauth_oidc_key.pub",
-	Issuer:         "https://example.com",
-	SessionExpiry:  3600,
-}
-
-var oidcCtrlTestContext = config.UserContext{
-	Username:    "test",
-	Name:        "Test",
-	Email:       "test@example.com",
-	IsLoggedIn:  true,
-	IsBasicAuth: false,
-	OAuth:       false,
-	Provider:    "ldap", // ldap in order to test the groups
-	TotpPending: false,
-	OAuthGroups: "",
-	TotpEnabled: false,
-	OAuthName:   "",
-	OAuthSub:    "",
-	LdapGroups:  "test1,test2",
-}
-
-// Test is not amazing, but it will confirm the OIDC server works
 func TestOIDCController(t *testing.T) {
-	tlog.NewSimpleLogger().Init()
+	tempDir := t.TempDir()

-	// Create an app instance
-	app := bootstrap.NewBootstrapApp(config.Config{})
-
-	// Get db
-	db, err := app.SetupDatabase("/tmp/tinyauth.db")
-	assert.NilError(t, err)
-
-	// Create queries
-	queries := repository.New(db)
-
-	// Create a new OIDC Servicee
-	oidcService := service.NewOIDCService(oidcServiceConfig, queries)
-	err = oidcService.Init()
-	assert.NilError(t, err)
-
-	// Create test router
-	gin.SetMode(gin.TestMode)
-	router := gin.Default()
-
-	router.Use(func(c *gin.Context) {
-		c.Set("context", &oidcCtrlTestContext)
-		c.Next()
-	})
-
-	group := router.Group("/api")
-
-	// Register oidc controller
-	oidcController := controller.NewOIDCController(controller.OIDCControllerConfig{}, oidcService, group)
-	oidcController.SetupRoutes()
-
-	// Get redirect URL test
-	recorder := httptest.NewRecorder()
-
-	marshalled, err := json.Marshal(service.AuthorizeRequest{
-		Scope:        "openid profile email groups",
-		ResponseType: "code",
-		ClientID:     "some-client-id",
-		RedirectURI:  "https://example.com/oauth/callback",
-		State:        "some-state",
-	})
-
-	assert.NilError(t, err)
-
-	req, err := http.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(marshalled)))
-	assert.NilError(t, err)
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, http.StatusOK, recorder.Code)
-
-	resJson := map[string]any{}
-
-	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
-	assert.NilError(t, err)
-
-	redirect_uri, ok := resJson["redirect_uri"].(string)
-	assert.Assert(t, ok)
-
-	u, err := url.Parse(redirect_uri)
-	assert.NilError(t, err)
-
-	m, err := url.ParseQuery(u.RawQuery)
-	assert.NilError(t, err)
-	assert.Equal(t, m["state"][0], "some-state")
-
-	code := m["code"][0]
-
-	// Exchange code for token
-	recorder = httptest.NewRecorder()
-
-	params, err := query.Values(controller.TokenRequest{
-		GrantType:   "authorization_code",
-		Code:        code,
-		RedirectURI: "https://example.com/oauth/callback",
-	})
-
-	assert.NilError(t, err)
-
-	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
-
-	assert.NilError(t, err)
-
-	req.Header.Set("content-type", "application/x-www-form-urlencoded")
-	req.SetBasicAuth("some-client-id", "some-client-secret")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, http.StatusOK, recorder.Code)
-
-	resJson = map[string]any{}
-
-	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
-	assert.NilError(t, err)
-
-	accessToken, ok := resJson["access_token"].(string)
-	assert.Assert(t, ok)
-
-	_, ok = resJson["id_token"].(string)
-	assert.Assert(t, ok)
-
-	refreshToken, ok := resJson["refresh_token"].(string)
-	assert.Assert(t, ok)
-
-	expires_in, ok := resJson["expires_in"].(float64)
-	assert.Assert(t, ok)
-	assert.Equal(t, expires_in, float64(oidcServiceConfig.SessionExpiry))
-
-	// Ensure code is expired
-	recorder = httptest.NewRecorder()
-
-	params, err = query.Values(controller.TokenRequest{
-		GrantType:   "authorization_code",
-		Code:        code,
-		RedirectURI: "https://example.com/oauth/callback",
-	})
-
-	assert.NilError(t, err)
-
-	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
-
-	assert.NilError(t, err)
-
-	req.Header.Set("content-type", "application/x-www-form-urlencoded")
-	req.SetBasicAuth("some-client-id", "some-client-secret")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, http.StatusBadRequest, recorder.Code)
-
-	// Test userinfo
-	recorder = httptest.NewRecorder()
-
-	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", accessToken))
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, http.StatusOK, recorder.Code)
-
-	resJson = map[string]any{}
-
-	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
-	assert.NilError(t, err)
-
-	_, ok = resJson["sub"].(string)
-	assert.Assert(t, ok)
-
-	name, ok := resJson["name"].(string)
-	assert.Assert(t, ok)
-	assert.Equal(t, name, oidcCtrlTestContext.Name)
-
-	email, ok := resJson["email"].(string)
-	assert.Assert(t, ok)
-	assert.Equal(t, email, oidcCtrlTestContext.Email)
-
-	preferred_username, ok := resJson["preferred_username"].(string)
-	assert.Assert(t, ok)
-	assert.Equal(t, preferred_username, oidcCtrlTestContext.Username)
-
-	// Not sure why this is failing, will look into it later
-	igroups, ok := resJson["groups"].([]any)
-	assert.Assert(t, ok)
-
-	groups := make([]string, len(igroups))
-	for i, group := range igroups {
-		groups[i], ok = group.(string)
-		assert.Assert(t, ok)
+	oidcServiceCfg := service.OIDCServiceConfig{
+		Clients: map[string]config.OIDCClientConfig{
+			"test": {
+				ClientID:            "some-client-id",
+				ClientSecret:        "some-client-secret",
+				TrustedRedirectURIs: []string{"https://test.example.com/callback"},
+				Name:                "Test Client",
+			},
+		},
+		PrivateKeyPath: path.Join(tempDir, "key.pem"),
+		PublicKeyPath:  path.Join(tempDir, "key.pub"),
+		Issuer:         "https://tinyauth.example.com",
+		SessionExpiry:  500,
 	}

-	assert.DeepEqual(t, strings.Split(oidcCtrlTestContext.LdapGroups, ","), groups)
+	controllerCfg := controller.OIDCControllerConfig{}

-	// Test refresh token
-	recorder = httptest.NewRecorder()
+	simpleCtx := func(c *gin.Context) {
+		c.Set("context", &config.UserContext{
+			Username:   "test",
+			Name:       "Test User",
+			Email:      "test@example.com",
+			IsLoggedIn: true,
+			Provider:   "local",
+		})
+		c.Next()
+	}

-	params, err = query.Values(controller.TokenRequest{
-		GrantType:    "refresh_token",
-		RefreshToken: refreshToken,
+	type testCase struct {
+		description string
+		middlewares []gin.HandlerFunc
+		run         func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder)
+	}
+
+	var tests []testCase
+
+	getTestByDescription := func(description string) (func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder), bool) {
+		for _, test := range tests {
+			if test.description == description {
+				return test.run, true
+			}
+		}
+		return nil, false
+	}
+
+	tests = []testCase{
+		{
+			description: "Ensure we can fetch the client",
+			middlewares: []gin.HandlerFunc{},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				req := httptest.NewRequest("GET", "/api/oidc/clients/some-client-id", nil)
+				router.ServeHTTP(recorder, req)
+				assert.Equal(t, 200, recorder.Code)
+			},
+		},
+		{
+			description: "Ensure API fails on non-existent client ID",
+			middlewares: []gin.HandlerFunc{},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				req := httptest.NewRequest("GET", "/api/oidc/clients/non-existent-client-id", nil)
+				router.ServeHTTP(recorder, req)
+				assert.Equal(t, 404, recorder.Code)
+			},
+		},
+		{
+			description: "Ensure authorize fails with empty context",
+			middlewares: []gin.HandlerFunc{},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				req := httptest.NewRequest("POST", "/api/oidc/authorize", nil)
+				router.ServeHTTP(recorder, req)
+
+				var res map[string]any
+				err := json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.NoError(t, err)
+
+				assert.Equal(t, res["redirect_uri"], "https://tinyauth.example.com/error?error=User+is+not+logged+in+or+the+session+is+invalid")
+			},
+		},
+		{
+			description: "Ensure authorize fails with an invalid param",
+			middlewares: []gin.HandlerFunc{
+				simpleCtx,
+			},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				reqBody := service.AuthorizeRequest{
+					Scope:        "openid",
+					ResponseType: "some_unsupported_response_type",
+					ClientID:     "some-client-id",
+					RedirectURI:  "https://test.example.com/callback",
+					State:        "some-state",
+					Nonce:        "some-nonce",
+				}
+				reqBodyBytes, err := json.Marshal(reqBody)
+				assert.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
+				req.Header.Set("Content-Type", "application/json")
+				router.ServeHTTP(recorder, req)
+
+				var res map[string]any
+				err = json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.NoError(t, err)
+
+				assert.Equal(t, res["redirect_uri"], "https://test.example.com/callback?error=unsupported_response_type&error_description=Invalid+request+parameters&state=some-state")
+			},
+		},
+		{
+			description: "Ensure authorize succeeds with valid params",
+			middlewares: []gin.HandlerFunc{
+				simpleCtx,
+			},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				reqBody := service.AuthorizeRequest{
+					Scope:        "openid",
+					ResponseType: "code",
+					ClientID:     "some-client-id",
+					RedirectURI:  "https://test.example.com/callback",
+					State:        "some-state",
+					Nonce:        "some-nonce",
+				}
+				reqBodyBytes, err := json.Marshal(reqBody)
+				assert.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(reqBodyBytes)))
+				req.Header.Set("Content-Type", "application/json")
+				router.ServeHTTP(recorder, req)
+				assert.Equal(t, 200, recorder.Code)
+
+				var res map[string]any
+				err = json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.NoError(t, err)
+
+				redirectURI := res["redirect_uri"].(string)
+				url, err := url.Parse(redirectURI)
+				assert.NoError(t, err)
+
+				queryParams := url.Query()
+				assert.Equal(t, queryParams.Get("state"), "some-state")
+
+				code := queryParams.Get("code")
+				assert.NotEmpty(t, code)
+			},
+		},
+		{
+			description: "Ensure token request fails with invalid grant",
+			middlewares: []gin.HandlerFunc{},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				reqBody := controller.TokenRequest{
+					GrantType:   "invalid_grant",
+					Code:        "",
+					RedirectURI: "https://test.example.com/callback",
+				}
+				reqBodyEncoded, err := query.Values(reqBody)
+				assert.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				router.ServeHTTP(recorder, req)
+
+				var res map[string]any
+				err = json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.NoError(t, err)
+
+				assert.Equal(t, res["error"], "unsupported_grant_type")
+			},
+		},
+		{
+			description: "Ensure token endpoint accepts basic auth",
+			middlewares: []gin.HandlerFunc{},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				reqBody := controller.TokenRequest{
+					GrantType:   "authorization_code",
+					Code:        "some-code",
+					RedirectURI: "https://test.example.com/callback",
+				}
+				reqBodyEncoded, err := query.Values(reqBody)
+				assert.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				req.SetBasicAuth("some-client-id", "some-client-secret")
+				router.ServeHTTP(recorder, req)
+
+				assert.Empty(t, recorder.Header().Get("www-authenticate"))
+			},
+		},
+		{
+			description: "Ensure token endpoint accepts form auth",
+			middlewares: []gin.HandlerFunc{},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				form := url.Values{}
+				form.Set("grant_type", "authorization_code")
+				form.Set("code", "some-code")
+				form.Set("redirect_uri", "https://test.example.com/callback")
+				form.Set("client_id", "some-client-id")
+				form.Set("client_secret", "some-client-secret")
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				router.ServeHTTP(recorder, req)
+
+				assert.Empty(t, recorder.Header().Get("www-authenticate"))
+			},
+		},
+		{
+			description: "Ensure token endpoint sets authenticate header when no auth is available",
+			middlewares: []gin.HandlerFunc{},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				reqBody := controller.TokenRequest{
+					GrantType:   "authorization_code",
+					Code:        "some-code",
+					RedirectURI: "https://test.example.com/callback",
+				}
+				reqBodyEncoded, err := query.Values(reqBody)
+				assert.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				router.ServeHTTP(recorder, req)
+
+				authHeader := recorder.Header().Get("www-authenticate")
+				assert.Contains(t, authHeader, "Basic")
+			},
+		},
+		{
+			description: "Ensure we can get a token with a valid request",
+			middlewares: []gin.HandlerFunc{
+				simpleCtx,
+			},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				authorizeCodeTest, found := getTestByDescription("Ensure authorize succeeds with valid params")
+				assert.True(t, found, "Authorize test not found")
+				authorizeTestRecorder := httptest.NewRecorder()
+				authorizeCodeTest(t, router, authorizeTestRecorder)
+
+				var authorizeRes map[string]any
+				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
+				assert.NoError(t, err)
+
+				redirectURI := authorizeRes["redirect_uri"].(string)
+				url, err := url.Parse(redirectURI)
+				assert.NoError(t, err)
+
+				queryParams := url.Query()
+				code := queryParams.Get("code")
+				assert.NotEmpty(t, code)
+
+				reqBody := controller.TokenRequest{
+					GrantType:   "authorization_code",
+					Code:        code,
+					RedirectURI: "https://test.example.com/callback",
+				}
+				reqBodyEncoded, err := query.Values(reqBody)
+				assert.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				req.SetBasicAuth("some-client-id", "some-client-secret")
+				router.ServeHTTP(recorder, req)
+
+				assert.Equal(t, 200, recorder.Code)
+			},
+		},
+		{
+			description: "Ensure we can renew the access token with the refresh token",
+			middlewares: []gin.HandlerFunc{
+				simpleCtx,
+			},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				tokenTest, found := getTestByDescription("Ensure we can get a token with a valid request")
+				assert.True(t, found, "Token test not found")
+				tokenRecorder := httptest.NewRecorder()
+				tokenTest(t, router, tokenRecorder)
+
+				var tokenRes map[string]any
+				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
+				assert.NoError(t, err)
+
+				_, ok := tokenRes["refresh_token"]
+				assert.True(t, ok, "Expected refresh token in response")
+				refreshToken := tokenRes["refresh_token"].(string)
+				assert.NotEmpty(t, refreshToken)
+
+				reqBody := controller.TokenRequest{
+					GrantType:    "refresh_token",
+					RefreshToken: refreshToken,
+					ClientID:     "some-client-id",
+					ClientSecret: "some-client-secret",
+				}
+				reqBodyEncoded, err := query.Values(reqBody)
+				assert.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				router.ServeHTTP(recorder, req)
+
+				assert.NotEmpty(t, recorder.Header().Get("cache-control"))
+				assert.NotEmpty(t, recorder.Header().Get("pragma"))
+
+				assert.Equal(t, 200, recorder.Code)
+				var refreshRes map[string]any
+				err = json.Unmarshal(recorder.Body.Bytes(), &refreshRes)
+				assert.NoError(t, err)
+
+				_, ok = refreshRes["access_token"]
+				assert.True(t, ok, "Expected access token in refresh response")
+				assert.NotEqual(t, tokenRes["refresh_token"].(string), refreshRes["access_token"].(string))
+				assert.NotEqual(t, tokenRes["access_token"].(string), refreshRes["access_token"].(string))
+			},
+		},
+		{
+			description: "Ensure token endpoint deletes code after use",
+			middlewares: []gin.HandlerFunc{
+				simpleCtx,
+			},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				authorizeCodeTest, found := getTestByDescription("Ensure authorize succeeds with valid params")
+				assert.True(t, found, "Authorize test not found")
+				authorizeTestRecorder := httptest.NewRecorder()
+				authorizeCodeTest(t, router, authorizeTestRecorder)
+
+				var authorizeRes map[string]any
+				err := json.Unmarshal(authorizeTestRecorder.Body.Bytes(), &authorizeRes)
+				assert.NoError(t, err)
+
+				redirectURI := authorizeRes["redirect_uri"].(string)
+				url, err := url.Parse(redirectURI)
+				assert.NoError(t, err)
+
+				queryParams := url.Query()
+				code := queryParams.Get("code")
+				assert.NotEmpty(t, code)
+
+				reqBody := controller.TokenRequest{
+					GrantType:   "authorization_code",
+					Code:        code,
+					RedirectURI: "https://test.example.com/callback",
+				}
+				reqBodyEncoded, err := query.Values(reqBody)
+				assert.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				req.SetBasicAuth("some-client-id", "some-client-secret")
+				router.ServeHTTP(recorder, req)
+
+				assert.Equal(t, 200, recorder.Code)
+
+				// Try to use the same code again
+				secondReq := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				secondReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				secondReq.SetBasicAuth("some-client-id", "some-client-secret")
+				secondRecorder := httptest.NewRecorder()
+				router.ServeHTTP(secondRecorder, secondReq)
+
+				assert.Equal(t, 400, secondRecorder.Code)
+
+				var secondRes map[string]any
+				err = json.Unmarshal(secondRecorder.Body.Bytes(), &secondRes)
+				assert.NoError(t, err)
+
+				assert.Equal(t, secondRes["error"], "invalid_grant")
+			},
+		},
+		{
+			description: "Ensure userinfo forbids access with invalid access token",
+			middlewares: []gin.HandlerFunc{},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
+				req.Header.Set("Authorization", "Bearer invalid-access-token")
+				router.ServeHTTP(recorder, req)
+				assert.Equal(t, 401, recorder.Code)
+			},
+		},
+		{
+			description: "Ensure access token can be used to access protected resources",
+			middlewares: []gin.HandlerFunc{
+				simpleCtx,
+			},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				tokenTest, found := getTestByDescription("Ensure we can get a token with a valid request")
+				assert.True(t, found, "Token test not found")
+				tokenRecorder := httptest.NewRecorder()
+				tokenTest(t, router, tokenRecorder)
+
+				var tokenRes map[string]any
+				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
+				assert.NoError(t, err)
+
+				accessToken := tokenRes["access_token"].(string)
+				assert.NotEmpty(t, accessToken)
+
+				protectedReq := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
+				protectedReq.Header.Set("Authorization", "Bearer "+accessToken)
+				router.ServeHTTP(recorder, protectedReq)
+				assert.Equal(t, 200, recorder.Code)
+
+				var userInfoRes map[string]any
+				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
+				assert.NoError(t, err)
+
+				_, ok := userInfoRes["sub"]
+				assert.True(t, ok, "Expected sub claim in userinfo response")
+
+				// We should not have an email claim since we didn't request it in the scope
+				_, ok = userInfoRes["email"]
+				assert.False(t, ok, "Did not expect email claim in userinfo response")
+			},
+		},
+	}
+
+	app := bootstrap.NewBootstrapApp(config.Config{})
+
+	db, err := app.SetupDatabase(path.Join(tempDir, "tinyauth.db"))
+	require.NoError(t, err)
+
+	queries := repository.New(db)
+	oidcService := service.NewOIDCService(oidcServiceCfg, queries)
+	err = oidcService.Init()
+	require.NoError(t, err)
+
+	for _, test := range tests {
+		t.Run(test.description, func(t *testing.T) {
+			router := gin.Default()
+
+			for _, middleware := range test.middlewares {
+				router.Use(middleware)
+			}
+
+			group := router.Group("/api")
+			gin.SetMode(gin.TestMode)
+
+			oidcController := controller.NewOIDCController(controllerCfg, oidcService, group)
+			oidcController.SetupRoutes()
+
+			recorder := httptest.NewRecorder()
+
+			test.run(t, router, recorder)
+		})
+	}
+
+	t.Cleanup(func() {
+		err = db.Close()
+		require.NoError(t, err)
 	})
-
-	assert.NilError(t, err)
-
-	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
-
-	assert.NilError(t, err)
-
-	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-	req.SetBasicAuth("some-client-id", "some-client-secret")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, http.StatusOK, recorder.Code)
-
-	resJson = map[string]any{}
-
-	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
-
-	assert.NilError(t, err)
-
-	newToken, ok := resJson["access_token"].(string)
-	assert.Assert(t, ok)
-	assert.Assert(t, newToken != accessToken)
-
-	// Ensure old token is invalid
-	recorder = httptest.NewRecorder()
-	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
-
-	assert.NilError(t, err)
-
-	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", accessToken))
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, http.StatusUnauthorized, recorder.Code)
-
-	// Test new token
-	recorder = httptest.NewRecorder()
-	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
-
-	assert.NilError(t, err)
-
-	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", newToken))
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, http.StatusOK, recorder.Code)
 }