preferred_username was being read from the ID token and thrown away after serving as a display-name fallback. It is the whole identity story: MAS imports it as the Matrix localpart, so it is also who the player is in the euro economy. Keep it in the session, and derive @user:server from it. The session cookie was host-only, so a sign-in on news never reached games. Widen it with an opt-in web.auth.cookie_domain — but only the session cookie: the OAuth round-trip cookie pairs with a redirect back to the host that started the login and stays where it was set. And because the redirect must return to that host, the redirect_uri is now derived per-request for hosts inside the cookie domain, with the configured URL as the fallback for anything else — a Host header we don't own is never echoed into a redirect.
154 lines
4.8 KiB
Go
154 lines
4.8 KiB
Go
package web
|
|
|
|
import (
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
func TestSignVerifyRoundTrip(t *testing.T) {
|
|
a := &Authenticator{secret: []byte("test-secret-key-at-least-16")}
|
|
payload := []byte(`{"sub":"abc","exp":123}`)
|
|
tok := a.sign(payload)
|
|
|
|
got, ok := a.verify(tok)
|
|
if !ok {
|
|
t.Fatal("verify rejected a freshly signed token")
|
|
}
|
|
if string(got) != string(payload) {
|
|
t.Fatalf("payload mismatch: got %q want %q", got, payload)
|
|
}
|
|
}
|
|
|
|
func TestVerifyRejectsTamperAndForeignKey(t *testing.T) {
|
|
a := &Authenticator{secret: []byte("test-secret-key-at-least-16")}
|
|
tok := a.sign([]byte(`{"sub":"abc"}`))
|
|
|
|
// Flip a byte in the payload segment.
|
|
bad := []byte(tok)
|
|
bad[0] ^= 0x01
|
|
if _, ok := a.verify(string(bad)); ok {
|
|
t.Error("verify accepted a tampered token")
|
|
}
|
|
|
|
// A different key must not validate the same token.
|
|
other := &Authenticator{secret: []byte("a-totally-different-key-16")}
|
|
if _, ok := other.verify(tok); ok {
|
|
t.Error("verify accepted a token signed with a different key")
|
|
}
|
|
|
|
if _, ok := a.verify("not-a-valid-token"); ok {
|
|
t.Error("verify accepted a malformed token")
|
|
}
|
|
}
|
|
|
|
func TestSafeNext(t *testing.T) {
|
|
cases := map[string]string{
|
|
"": "/",
|
|
"/tech": "/tech",
|
|
"/tech?page=2": "/tech?page=2",
|
|
"//evil.com": "/", // protocol-relative open redirect
|
|
"https://evil.com": "/", // absolute URL
|
|
"javascript:alert": "/", // not a path
|
|
}
|
|
for in, want := range cases {
|
|
if got := safeNext(in); got != want {
|
|
t.Errorf("safeNext(%q) = %q, want %q", in, got, want)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestMatrixUser(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
u SessionUser
|
|
want string
|
|
}{
|
|
{"lowercased", SessionUser{Username: "Reala"}, "@reala:parodia.dev"},
|
|
{"trimmed", SessionUser{Username: " reala "}, "@reala:parodia.dev"},
|
|
{"old session with no username", SessionUser{Sub: "abc", Name: "Reala"}, ""},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
if got := tc.u.MatrixUser("parodia.dev"); got != tc.want {
|
|
t.Fatalf("MatrixUser = %q, want %q", got, tc.want)
|
|
}
|
|
})
|
|
}
|
|
if got := (&SessionUser{Username: "reala"}).MatrixUser(""); got != "" {
|
|
t.Fatalf("no server name should yield no identity, got %q", got)
|
|
}
|
|
}
|
|
|
|
func TestHostInDomain(t *testing.T) {
|
|
cases := []struct {
|
|
host, domain string
|
|
want bool
|
|
}{
|
|
{"games.parodia.dev", ".parodia.dev", true},
|
|
{"news.parodia.dev:8080", ".parodia.dev", true},
|
|
{"parodia.dev", ".parodia.dev", true},
|
|
{"GAMES.PARODIA.DEV", ".parodia.dev", true},
|
|
{"evil.com", ".parodia.dev", false},
|
|
// The suffix check must not match a domain that merely ends in the
|
|
// same letters: notparodia.dev is a different site entirely.
|
|
{"notparodia.dev", ".parodia.dev", false},
|
|
{"games.parodia.dev.evil.com", ".parodia.dev", false},
|
|
}
|
|
for _, tc := range cases {
|
|
if got := hostInDomain(tc.host, tc.domain); got != tc.want {
|
|
t.Errorf("hostInDomain(%q, %q) = %v, want %v", tc.host, tc.domain, got, tc.want)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestOAuthForKeepsLoginOnTheHostItStartedOn(t *testing.T) {
|
|
base := &oauth2.Config{RedirectURL: "https://news.parodia.dev/auth/callback"}
|
|
a := &Authenticator{oauth: base, domain: ".parodia.dev"}
|
|
|
|
req := httptest.NewRequest("GET", "/auth/login", nil)
|
|
req.Host = "games.parodia.dev"
|
|
if got := a.oauthFor(req).RedirectURL; got != "https://games.parodia.dev/auth/callback" {
|
|
t.Fatalf("games login should come back to games, got %q", got)
|
|
}
|
|
|
|
req.Host = "news.parodia.dev"
|
|
if got := a.oauthFor(req).RedirectURL; got != base.RedirectURL {
|
|
t.Fatalf("news login should use the configured URL, got %q", got)
|
|
}
|
|
|
|
// A Host we don't own must never be echoed back into a redirect URI.
|
|
req.Host = "evil.com"
|
|
if got := a.oauthFor(req).RedirectURL; got != base.RedirectURL {
|
|
t.Fatalf("foreign host must fall back to the configured URL, got %q", got)
|
|
}
|
|
|
|
// With no cookie domain configured there is nothing to share, so the
|
|
// configured redirect stands whatever the Host header says.
|
|
off := &Authenticator{oauth: base}
|
|
req.Host = "games.parodia.dev"
|
|
if got := off.oauthFor(req).RedirectURL; got != base.RedirectURL {
|
|
t.Fatalf("host-only mode must not rewrite the redirect, got %q", got)
|
|
}
|
|
}
|
|
|
|
func TestSessionCookieIsSharedButOAuthCookieIsNot(t *testing.T) {
|
|
a := &Authenticator{secret: []byte("test-secret-key-at-least-16"), domain: ".parodia.dev"}
|
|
rec := httptest.NewRecorder()
|
|
a.setCookie(rec, sessionCookie, "v", time.Minute)
|
|
a.setCookie(rec, oauthCookie, "v", time.Minute)
|
|
|
|
got := map[string]string{}
|
|
for _, c := range rec.Result().Cookies() {
|
|
got[c.Name] = c.Domain
|
|
}
|
|
if got[sessionCookie] != "parodia.dev" {
|
|
t.Fatalf("session cookie domain = %q, want it shared across parodia.dev", got[sessionCookie])
|
|
}
|
|
if got[oauthCookie] != "" {
|
|
t.Fatalf("oauth cookie must stay host-only, got domain %q", got[oauthCookie])
|
|
}
|
|
}
|