fix: more review comments

2026-02-26 19:02:08 +00:00 · 2026-01-26 16:20:49 +02:00
parent e498ee4be0
commit fe391fc571
9 changed files with 270 additions and 57 deletions
--- a/internal/controller/context_controller_test.go
+++ b/internal/controller/context_controller_test.go
@@ -13,7 +13,7 @@ import (
 	"gotest.tools/v3/assert"
 )

-var controllerCfg = controller.ContextControllerConfig{
+var contextControllerCfg = controller.ContextControllerConfig{
 	Providers: []controller.Provider{
 		{
 			Name:  "Local",
@@ -35,7 +35,7 @@ var controllerCfg = controller.ContextControllerConfig{
 	DisableUIWarnings:     false,
 }

-var userContext = config.UserContext{
+var contextCtrlTestContext = config.UserContext{
 	Username:    "testuser",
 	Name:        "testuser",
 	Email:       "test@example.com",
@@ -65,7 +65,7 @@ func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httpt

 	group := router.Group("/api")

-	ctrl := controller.NewContextController(controllerCfg, group)
+	ctrl := controller.NewContextController(contextControllerCfg, group)
 	ctrl.SetupRoutes()

 	return router, recorder
@@ -75,14 +75,14 @@ func TestAppContextHandler(t *testing.T) {
 	expectedRes := controller.AppContextResponse{
 		Status:                200,
 		Message:               "Success",
-		Providers:             controllerCfg.Providers,
-		Title:                 controllerCfg.Title,
-		AppURL:                controllerCfg.AppURL,
-		CookieDomain:          controllerCfg.CookieDomain,
-		ForgotPasswordMessage: controllerCfg.ForgotPasswordMessage,
-		BackgroundImage:       controllerCfg.BackgroundImage,
-		OAuthAutoRedirect:     controllerCfg.OAuthAutoRedirect,
-		DisableUIWarnings:     controllerCfg.DisableUIWarnings,
+		Providers:             contextControllerCfg.Providers,
+		Title:                 contextControllerCfg.Title,
+		AppURL:                contextControllerCfg.AppURL,
+		CookieDomain:          contextControllerCfg.CookieDomain,
+		ForgotPasswordMessage: contextControllerCfg.ForgotPasswordMessage,
+		BackgroundImage:       contextControllerCfg.BackgroundImage,
+		OAuthAutoRedirect:     contextControllerCfg.OAuthAutoRedirect,
+		DisableUIWarnings:     contextControllerCfg.DisableUIWarnings,
 	}

 	router, recorder := setupContextController(nil)
@@ -103,20 +103,20 @@ func TestUserContextHandler(t *testing.T) {
 	expectedRes := controller.UserContextResponse{
 		Status:      200,
 		Message:     "Success",
-		IsLoggedIn:  userContext.IsLoggedIn,
-		Username:    userContext.Username,
-		Name:        userContext.Name,
-		Email:       userContext.Email,
-		Provider:    userContext.Provider,
-		OAuth:       userContext.OAuth,
-		TotpPending: userContext.TotpPending,
-		OAuthName:   userContext.OAuthName,
+		IsLoggedIn:  contextCtrlTestContext.IsLoggedIn,
+		Username:    contextCtrlTestContext.Username,
+		Name:        contextCtrlTestContext.Name,
+		Email:       contextCtrlTestContext.Email,
+		Provider:    contextCtrlTestContext.Provider,
+		OAuth:       contextCtrlTestContext.OAuth,
+		TotpPending: contextCtrlTestContext.TotpPending,
+		OAuthName:   contextCtrlTestContext.OAuthName,
 	}

 	// Test with context
 	router, recorder := setupContextController(&[]gin.HandlerFunc{
 		func(c *gin.Context) {
-			c.Set("context", &userContext)
+			c.Set("context", &contextCtrlTestContext)
 			c.Next()
 		},
 	})
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -114,7 +114,7 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}

-	_, ok := controller.oidc.GetClient(req.ClientID)
+	client, ok := controller.oidc.GetClient(req.ClientID)

 	if !ok {
 		controller.authorizeError(c, err, "Client not found", "The client ID is invalid", "", "", "")
@@ -133,8 +133,8 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		return
 	}

-	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username which remains stable, but if username changes then sub changes too.
-	sub := utils.GenerateUUID(userContext.Username)
+	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
+	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.Username, client.ID))
 	code := rand.Text()

 	// Before storing the code, delete old session
@@ -272,16 +272,6 @@ func (controller *OIDCController) Token(c *gin.Context) {
 			return
 		}

-		err = controller.oidc.DeleteCodeEntry(c, entry.CodeHash)
-
-		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to delete code in database")
-			c.JSON(400, gin.H{
-				"error": "server_error",
-			})
-			return
-		}
-
 		tokenResponse = tokenRes
 	case "refresh_token":
 		client, ok := controller.oidc.GetClient(req.ClientID)
--- a/internal/controller/oidc_controller_test.go
+++ b/internal/controller/oidc_controller_test.go
@@ -20,7 +20,7 @@ import (
 	"gotest.tools/v3/assert"
 )

-var serviceConfig = service.OIDCServiceConfig{
+var oidcServiceConfig = service.OIDCServiceConfig{
 	Clients: map[string]config.OIDCClientConfig{
 		"client1": {
 			ClientID:         "some-client-id",
@@ -38,7 +38,7 @@ var serviceConfig = service.OIDCServiceConfig{
 	SessionExpiry:  3600,
 }

-var oidcTestContext = config.UserContext{
+var oidcCtrlTestContext = config.UserContext{
 	Username:    "test",
 	Name:        "Test",
 	Email:       "test@example.com",
@@ -69,7 +69,7 @@ func TestOIDCController(t *testing.T) {
 	queries := repository.New(db)

 	// Create a new OIDC Servicee
-	oidcService := service.NewOIDCService(serviceConfig, queries)
+	oidcService := service.NewOIDCService(oidcServiceConfig, queries)
 	err = oidcService.Init()
 	assert.NilError(t, err)

@@ -78,7 +78,7 @@ func TestOIDCController(t *testing.T) {
 	router := gin.Default()

 	router.Use(func(c *gin.Context) {
-		c.Set("context", &oidcTestContext)
+		c.Set("context", &oidcCtrlTestContext)
 		c.Next()
 	})

@@ -137,6 +137,8 @@ func TestOIDCController(t *testing.T) {

 	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))

+	assert.NilError(t, err)
+
 	req.Header.Set("content-type", "application/x-www-form-urlencoded")
 	req.SetBasicAuth("some-client-id", "some-client-secret")

@@ -154,12 +156,31 @@ func TestOIDCController(t *testing.T) {
 	_, ok = resJson["id_token"].(string)
 	assert.Assert(t, ok)

-	_, ok = resJson["refresh_token"].(string)
+	refreshToken, ok := resJson["refresh_token"].(string)
 	assert.Assert(t, ok)

 	expires_in, ok := resJson["expires_in"].(float64)
 	assert.Assert(t, ok)
-	assert.Equal(t, expires_in, float64(serviceConfig.SessionExpiry))
+	assert.Equal(t, expires_in, float64(oidcServiceConfig.SessionExpiry))
+
+	// Ensure code is expired
+	recorder = httptest.NewRecorder()
+
+	params, err = query.Values(controller.TokenRequest{
+		GrantType:   "authorization_code",
+		Code:        code,
+		RedirectURI: "https://example.com/oauth/callback",
+	})
+
+	assert.NilError(t, err)
+
+	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
+
+	req.Header.Set("content-type", "application/x-www-form-urlencoded")
+	req.SetBasicAuth("some-client-id", "some-client-secret")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, http.StatusBadRequest, recorder.Code)

 	// Test userinfo
 	recorder = httptest.NewRecorder()
@@ -182,18 +203,81 @@ func TestOIDCController(t *testing.T) {

 	name, ok := resJson["name"].(string)
 	assert.Assert(t, ok)
-	assert.Equal(t, name, oidcTestContext.Name)
+	assert.Equal(t, name, oidcCtrlTestContext.Name)

 	email, ok := resJson["email"].(string)
 	assert.Assert(t, ok)
-	assert.Equal(t, email, oidcTestContext.Email)
+	assert.Equal(t, email, oidcCtrlTestContext.Email)

 	preferred_username, ok := resJson["preferred_username"].(string)
 	assert.Assert(t, ok)
-	assert.Equal(t, preferred_username, oidcTestContext.Username)
+	assert.Equal(t, preferred_username, oidcCtrlTestContext.Username)

 	// Not sure why this is failing, will look into it later
-	// groups, ok := resJson["groups"].([]string)
-	// assert.Assert(t, ok)
-	// assert.Equal(t, strings.Split(oidcTestContext.LdapGroups, ","), groups)
+	igroups, ok := resJson["groups"].([]any)
+	assert.Assert(t, ok)
+
+	groups := make([]string, len(igroups))
+	for i, group := range igroups {
+		groups[i], ok = group.(string)
+		assert.Assert(t, ok)
+	}
+
+	assert.DeepEqual(t, strings.Split(oidcCtrlTestContext.LdapGroups, ","), groups)
+
+	// Test refresh token
+	recorder = httptest.NewRecorder()
+
+	params, err = query.Values(controller.TokenRequest{
+		GrantType:    "refresh_token",
+		RefreshToken: refreshToken,
+		ClientID:     "some-client-id",
+		ClientSecret: "some-client-secret",
+	})
+
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
+	if err != nil {
+		t.Fatal(err)
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, http.StatusOK, recorder.Code)
+
+	resJson = map[string]any{}
+
+	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	newToken, ok := resJson["access_token"].(string)
+	assert.Assert(t, ok)
+	assert.Assert(t, newToken != accessToken)
+
+	// Ensure old token is invalid
+	recorder = httptest.NewRecorder()
+	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", accessToken))
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, http.StatusUnauthorized, recorder.Code)
+
+	// Test new token
+	recorder = httptest.NewRecorder()
+	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", newToken))
+
+	router.ServeHTTP(recorder, req)
+	assert.Equal(t, http.StatusOK, recorder.Code)
 }