auth

Paddy 2014-11-11 Parent:e45bfa2abc00 Child:a8b86f5fba78

69:42bc3e44f4fe Go to Latest

auth/token_test.go

Stub out sessions. Stop using the Login type when getting profile by Login, removing Logins, or recording Login use. The Login value has to be unique, anyways, and we don't actually know the Login type when getting a profile by Login. That's sort of the point. Create the concept of Sessions and a sessionStore type to manage our authentication sessions with the server. As per OWASP, we're basically just going to use a transparent, SHA256-generated random string as an ID, and store it client-side and server-side and just pass it back and forth. Add the ProfileID to the Grant type, because we need to remember who granted access. That's sort of important. Set a defaultGrantExpiration constant to an hour, so we have that one constant when creating new Grants. Create a helper that pulls the session ID out of an auth cookie, checks it against the sessionStore, and returns the Session if it's valid. Create a helper that pulls the username and password out of a basic auth header. Create a helper that authenticates a user's login and passphrase, checking them against the profileStore securely. Stub out how the cookie checking is going to work for getting grant approval. Fix the stored Grant RedirectURI to be the passed in redirect URI, not the RedirectURI that we ultimately redirect to. This is in accordance with the spec. Store the profile ID from our session in the created Grant. Stub out a GetTokenHandler that will allow users to exchange a Grant for a Token. Set a constant for the current passphrase scheme, which we will increment for each revision to the passphrase scheme, for backwards compatibility. Change the Profile iterations property to an int, not an int64, to match the code.secondbit.org/pass library (which is matching the PBKDF2 library).

Download raw file
View source Diff to previous Annotate
History
1 package auth
2
3 import (
4 "testing"
5 "time"
6
7 "code.secondbit.org/uuid"
8 )
9
10 var tokenStores = []tokenStore{NewMemstore()}
11
12 func compareTokens(token1, token2 Token) (success bool, field string, val1, val2 interface{}) {
13 if token1.AccessToken != token2.AccessToken {
14 return false, "access token", token1.AccessToken, token2.AccessToken
15 }
16 if token1.RefreshToken != token2.RefreshToken {
17 return false, "refresh token", token1.RefreshToken, token2.RefreshToken
18 }
19 if !token1.Created.Equal(token2.Created) {
20 return false, "created", token1.Created, token2.Created
21 }
22 if token1.ExpiresIn != token2.ExpiresIn {
23 return false, "expires in", token1.ExpiresIn, token2.ExpiresIn
24 }
25 if token1.TokenType != token2.TokenType {
26 return false, "token type", token1.TokenType, token2.TokenType
27 }
28 if token1.Scope != token2.Scope {
29 return false, "scope", token1.Scope, token2.Scope
30 }
31 if !token1.ProfileID.Equal(token2.ProfileID) {
32 return false, "profile ID", token1.ProfileID, token2.ProfileID
33 }
34 return true, "", nil, nil
35 }
36
37 func TestTokenStoreSuccess(t *testing.T) {
38 t.Parallel()
39 token := Token{
40 AccessToken: "access",
41 RefreshToken: "refresh",
42 Created: time.Now(),
43 ExpiresIn: 3600,
44 TokenType: "bearer",
45 Scope: "scope",
46 ProfileID: uuid.NewID(),
47 }
48 for _, store := range tokenStores {
49 err := store.saveToken(token)
50 if err != nil {
51 t.Errorf("Error saving token to %T: %s", store, err)
52 }
53 err = store.saveToken(token)
54 if err != ErrTokenAlreadyExists {
55 t.Errorf("Expected ErrTokenAlreadyExists from %T, got %s", store, err)
56 }
57 retrievedAccess, err := store.getToken(token.AccessToken, false)
58 if err != nil {
59 t.Errorf("Error retrieving token from %T: %s", store, err)
60 }
61 success, field, expectation, result := compareTokens(token, retrievedAccess)
62 if !success {
63 t.Errorf("Expected field %s to be %v, but got %v from %T", field, expectation, result, store)
64 }
65 retrievedRefresh, err := store.getToken(token.RefreshToken, true)
66 if err != nil {
67 t.Errorf("Error retrieving refresh token from %T: %s", store, err)
68 }
69 success, field, expectation, result = compareTokens(token, retrievedRefresh)
70 if !success {
71 t.Errorf("Expected field %s to be %v, but got %v from %T", field, expectation, result, store)
72 }
73 retrievedProfile, err := store.getTokensByProfileID(token.ProfileID, 25, 0)
74 if err != nil {
75 t.Errorf("Error retrieving token by profile from %T: %s", store, err)
76 }
77 if len(retrievedProfile) != 1 {
78 t.Errorf("Expected 1 token retrieved by profile ID from %T, got %+v", store, retrievedProfile)
79 }
80 success, field, expectation, result = compareTokens(token, retrievedProfile[0])
81 if !success {
82 t.Errorf("Expected field %s to be %v, but got %v from %T", field, expectation, result, store)
83 }
84 err = store.removeToken(token.AccessToken)
85 if err != nil {
86 t.Errorf("Error removing token from %T: %s", store, err)
87 }
88 _, err = store.getToken(token.AccessToken, false)
89 if err != ErrTokenNotFound {
90 t.Errorf("Expected ErrTokenNotFound from %T, got %s", store, err)
91 }
92 _, err = store.getToken(token.RefreshToken, true)
93 if err != ErrTokenNotFound {
94 t.Errorf("Expected ErrTokenNotFound from %T, got %s", store, err)
95 }
96 retrievedProfile, err = store.getTokensByProfileID(token.ProfileID, 25, 0)
97 if err != nil {
98 t.Errorf("Error retrieving token by profile from %T: %s", store, err)
99 }
100 if len(retrievedProfile) != 0 {
101 t.Errorf("Expected list of 0 tokens from %T, got %+v", store, retrievedProfile)
102 }
103 err = store.removeToken(token.AccessToken)
104 if err != ErrTokenNotFound {
105 t.Errorf("Expected ErrTokenNotFound from %T, got %s", store, err)
106 }
107 }
108 }