auth
auth/authcode_test.go
Start to support deleting profiles through the API. Create a removeLoginsByProfile method on the profileStore, to allow an easy way to bulk-delete logins associated with a Profile after the Profile has been deleted. Create postgres and memstore implementations of the removeLoginsByProfile method. Create a cleanUpAfterProfileDeletion helper method that will clean up the child objects of a Profile (its Sessions, Tokens, Clients, etc.). The intended usage is to call this in a goroutine after a Profile has been deleted, to try and get things back in order. Detect when the UpdateProfileHandler API is used to set the Deleted flag of a Profile to true, and clean up after the Profile when that's the case. Add a DeleteProfileHandler API endpoint that is a shortcut to setting the Deleted flag of a Profile to true and cleaning up after the Profile. The problem with our approach thus far is that some of it is reversible and some is not. If a Profile is maliciously/accidentally deleted, it's simple enough to use the API as a superuser to restore the Profile. But doing that will not (and cannot) restore the Logins associated with that Profile, for example. While it would be nice to add a Deleted flag to our Logins that we could simply toggle, that would wreak havoc with our database constraints and ensuring uniqueness of Login values. I still don't have a solution for this, outside the superuser manually restoring a Login for the Profile, after which the user can authenticate themselves and add more Logins as desired. But there has to be a better way. I suppose since the passphrase is being stored with the Profile and not the Login, we could offer an endpoint that would automate this, but... well, that would be tricky. It would require the user remembering their Profile ID, and let's be honest, nobody's going to remember a UUID. Maybe such an endpoint would help from a customer service standpoint: we identify their Profile manually, then send them to /profiles/ID/restorelogin or something, and that lets them add a Login back to the Profile. I'll figure it out later. For now, we know we at least have enough information to identify a user is who they say they are and resolve the situation manually.
1 package auth
3 import (
4 "bytes"
5 "io/ioutil"
6 "net/http"
7 "net/http/httptest"
8 "net/url"
9 "os"
10 "strings"
11 "testing"
12 "time"
14 "code.secondbit.org/uuid.hg"
15 )
17 func init() {
18 if os.Getenv("PG_TEST_DB") != "" {
19 p, err := NewPostgres(os.Getenv("PG_TEST_DB"))
20 if err != nil {
21 panic(err)
22 }
23 authCodeStores = append(authCodeStores, &p)
24 }
25 }
27 var authCodeStores = []authorizationCodeStore{NewMemstore()}
29 func compareAuthorizationCodes(authCode1, authCode2 AuthorizationCode) (success bool, field string, authCode1val, authCode2val interface{}) {
30 if authCode1.Code != authCode2.Code {
31 return false, "code", authCode1.Code, authCode2.Code
32 }
33 if !authCode1.Created.Equal(authCode2.Created) {
34 return false, "created", authCode1.Created, authCode2.Created
35 }
36 if authCode1.ExpiresIn != authCode2.ExpiresIn {
37 return false, "expires in", authCode1.ExpiresIn, authCode2.ExpiresIn
38 }
39 if !authCode1.ClientID.Equal(authCode2.ClientID) {
40 return false, "client ID", authCode1.ClientID, authCode2.ClientID
41 }
42 if len(authCode1.Scopes) != len(authCode2.Scopes) {
43 return false, "scopes", authCode1.Scopes, authCode2.Scopes
44 }
45 for pos, scope := range authCode1.Scopes {
46 if scope != authCode2.Scopes[pos] {
47 return false, "scopes", authCode1.Scopes, authCode2.Scopes
48 }
49 }
50 if authCode1.RedirectURI != authCode2.RedirectURI {
51 return false, "redirect URI", authCode1.RedirectURI, authCode2.RedirectURI
52 }
53 if authCode1.State != authCode2.State {
54 return false, "state", authCode1.State, authCode2.State
55 }
56 if !authCode1.ProfileID.Equal(authCode2.ProfileID) {
57 return false, "profile ID", authCode1.ProfileID, authCode2.ProfileID
58 }
59 if authCode1.Used != authCode2.Used {
60 return false, "used", authCode1.Used, authCode2.Used
61 }
62 return true, "", nil, nil
63 }
65 func TestAuthorizationCodeStore(t *testing.T) {
66 t.Parallel()
67 authCode := AuthorizationCode{
68 Code: "code",
69 Created: time.Now().Round(time.Millisecond),
70 ExpiresIn: 180,
71 ClientID: uuid.NewID(),
72 Scopes: []string{"scope"},
73 RedirectURI: "redirectURI",
74 State: "state",
75 }
76 for _, store := range authCodeStores {
77 context := Context{authCodes: store}
78 err := context.SaveAuthorizationCode(authCode)
79 if err != nil {
80 t.Errorf("Error saving auth code to %T: %s", store, err)
81 }
82 err = context.SaveAuthorizationCode(authCode)
83 if err != ErrAuthorizationCodeAlreadyExists {
84 t.Errorf("Expected ErrAuthorizationCodeAlreadyExists from %T, got %+v", store, err)
85 }
86 retrieved, err := context.GetAuthorizationCode(authCode.Code)
87 if err != nil {
88 t.Errorf("Error retrieving auth code from %T: %s", store, err)
89 }
90 match, field, expectation, result := compareAuthorizationCodes(authCode, retrieved)
91 if !match {
92 t.Errorf("Expected `%v` in the `%s` field of auth code retrieved from %T, got `%v`", expectation, field, store, result)
93 }
94 err = context.UseAuthorizationCode(authCode.Code)
95 if err != nil {
96 t.Errorf("Error retrieving auth code from %T: %s", store, err)
97 }
98 retrieved, err = context.GetAuthorizationCode(authCode.Code)
99 if err != nil {
100 t.Errorf("Error retrieving auth code from %T: %s", store, err)
101 }
102 authCode.Used = true
103 match, field, expectation, result = compareAuthorizationCodes(authCode, retrieved)
104 if !match {
105 t.Errorf("Expected `%v` in the `%s` field of auth code retrieved from %T, got `%v`", expectation, field, store, result)
106 }
107 err = context.DeleteAuthorizationCode(authCode.Code)
108 if err != nil {
109 t.Errorf("Error removing auth code from %T: %s", store, err)
110 }
111 retrieved, err = context.GetAuthorizationCode(authCode.Code)
112 if err != ErrAuthorizationCodeNotFound {
113 t.Errorf("Expected ErrAuthorizationCodeNotFound from %T, got %+v and %+v", store, retrieved, err)
114 }
115 err = context.DeleteAuthorizationCode(authCode.Code)
116 if err != ErrAuthorizationCodeNotFound {
117 t.Errorf("Expected ErrAuthorizationCodeNotFound from %T, got %+v", store, err)
118 }
119 err = context.UseAuthorizationCode(authCode.Code)
120 if err != ErrAuthorizationCodeNotFound {
121 t.Errorf("Expected ErrAuthorizationCodeNotFound from %T, got %+v", store, err)
122 }
123 }
124 }
126 func TestAuthCodeGrantValidate(t *testing.T) {
127 t.Parallel()
128 store := NewMemstore()
129 testContext := Context{
130 clients: store,
131 authCodes: store,
132 profiles: store,
133 tokens: store,
134 sessions: store,
135 }
136 client := Client{
137 ID: uuid.NewID(),
138 Secret: "super secret!",
139 OwnerID: uuid.NewID(),
140 Name: "My test client",
141 Logo: "https://secondbit.org/logo.png",
142 Website: "https://secondbit.org/",
143 Type: "public",
144 }
145 endpoint := Endpoint{
146 ID: uuid.NewID(),
147 ClientID: client.ID,
148 URI: "https://test.secondbit.org/redirect",
149 Added: time.Now().Round(time.Millisecond),
150 }
151 err := testContext.SaveClient(client)
152 if err != nil {
153 t.Fatal("Can't store client:", err)
154 }
155 err = testContext.AddEndpoints([]Endpoint{endpoint})
156 if err != nil {
157 t.Fatal("Can't store endpoint:", err)
158 }
159 code := AuthorizationCode{
160 Code: "myauthcode",
161 Created: time.Now().Round(time.Millisecond),
162 ExpiresIn: 180,
163 ClientID: uuid.NewID(),
164 Scopes: []string{"scope"},
165 RedirectURI: "redirectURI",
166 State: "state",
167 }
168 err = testContext.SaveAuthorizationCode(code)
169 if err != nil {
170 t.Fatal("Can't add auth code:", err)
171 }
172 code2 := code
173 code2.Code = "otherauthcode"
174 code2.ClientID = client.ID
175 err = testContext.SaveAuthorizationCode(code2)
176 if err != nil {
177 t.Fatal("Can't add second auth code:", err)
178 }
179 req, err := http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
180 if err != nil {
181 t.Fatal("Can't build request:", err)
182 }
183 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
184 w := httptest.NewRecorder()
185 params := url.Values{}
186 body := bytes.NewBufferString(params.Encode())
187 req.Body = ioutil.NopCloser(body)
188 scope, profileID, valid := authCodeGrantValidate(w, req, testContext)
189 if valid {
190 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
191 }
192 if w.Code != http.StatusBadRequest {
193 t.Errorf("Expected status %d, got %d", http.StatusBadRequest, w.Code)
194 }
195 expectedBody := `{"error":"invalid_request"}`
196 if strings.TrimSpace(w.Body.String()) != expectedBody {
197 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
198 }
200 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
201 if err != nil {
202 t.Fatal("Can't build request:", err)
203 }
204 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
205 w = httptest.NewRecorder()
206 params = url.Values{}
207 params.Set("code", "notmycode")
208 body = bytes.NewBufferString(params.Encode())
209 req.Body = ioutil.NopCloser(body)
210 err = req.ParseForm()
211 if err != nil {
212 t.Log(err)
213 }
214 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
215 if valid {
216 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
217 }
218 if w.Code != http.StatusUnauthorized {
219 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
220 }
221 expectedBody = `{"error":"invalid_client"}`
222 if expectedBody != strings.TrimSpace(w.Body.String()) {
223 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
224 }
226 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
227 if err != nil {
228 t.Fatal("Can't build request:", err)
229 }
230 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
231 req.SetBasicAuth(client.ID.String(), client.Secret)
232 w = httptest.NewRecorder()
233 params = url.Values{}
234 params.Set("code", "notmycode")
235 body = bytes.NewBufferString(params.Encode())
236 req.Body = ioutil.NopCloser(body)
237 err = req.ParseForm()
238 if err != nil {
239 t.Log(err)
240 }
241 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
242 if valid {
243 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
244 }
245 if w.Code != http.StatusBadRequest {
246 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
247 }
248 expectedBody = `{"error":"invalid_grant"}`
249 if expectedBody != strings.TrimSpace(w.Body.String()) {
250 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
251 }
253 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
254 if err != nil {
255 t.Fatal("Can't build request:", err)
256 }
257 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
258 req.SetBasicAuth(client.ID.String(), client.Secret)
259 w = httptest.NewRecorder()
260 params = url.Values{}
261 params.Set("code", code.Code)
262 params.Set("redirect_uri", "not my redirectURI")
263 body = bytes.NewBufferString(params.Encode())
264 req.Body = ioutil.NopCloser(body)
265 err = req.ParseForm()
266 if err != nil {
267 t.Log(err)
268 }
269 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
270 if valid {
271 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
272 }
273 if w.Code != http.StatusBadRequest {
274 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
275 }
276 expectedBody = `{"error":"invalid_grant"}`
277 if expectedBody != strings.TrimSpace(w.Body.String()) {
278 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
279 }
281 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
282 if err != nil {
283 t.Fatal("Can't build request:", err)
284 }
285 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
286 req.SetBasicAuth(client.ID.String(), client.Secret)
287 w = httptest.NewRecorder()
288 params = url.Values{}
289 params.Set("code", code.Code)
290 params.Set("redirect_uri", code.RedirectURI)
291 body = bytes.NewBufferString(params.Encode())
292 req.Body = ioutil.NopCloser(body)
293 err = req.ParseForm()
294 if err != nil {
295 t.Log(err)
296 }
297 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
298 if valid {
299 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
300 }
301 if w.Code != http.StatusBadRequest {
302 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
303 }
304 expectedBody = `{"error":"invalid_grant"}`
305 if expectedBody != strings.TrimSpace(w.Body.String()) {
306 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
307 }
309 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
310 if err != nil {
311 t.Fatal("Can't build request:", err)
312 }
313 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
314 req.SetBasicAuth(client.ID.String(), client.Secret)
315 w = httptest.NewRecorder()
316 params = url.Values{}
317 params.Set("code", code2.Code)
318 params.Set("redirect_uri", code2.RedirectURI)
319 body = bytes.NewBufferString(params.Encode())
320 req.Body = ioutil.NopCloser(body)
321 err = req.ParseForm()
322 if err != nil {
323 t.Log(err)
324 }
325 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
326 if !valid {
327 t.Fatalf("Expected valid auth code, was not valid.")
328 }
329 }
331 func TestAuthCodeGrantInvalidate(t *testing.T) {
332 t.Parallel()
333 store := NewMemstore()
334 testContext := Context{
335 clients: store,
336 authCodes: store,
337 profiles: store,
338 tokens: store,
339 sessions: store,
340 }
341 code := AuthorizationCode{
342 Code: "myauthcode",
343 Created: time.Now().Round(time.Millisecond),
344 ExpiresIn: 180,
345 ClientID: uuid.NewID(),
346 Scopes: []string{"scope"},
347 RedirectURI: "redirectURI",
348 State: "state",
349 }
350 err := testContext.SaveAuthorizationCode(code)
351 if err != nil {
352 t.Fatal("Can't add auth code:", err)
353 }
354 req, err := http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
355 if err != nil {
356 t.Fatal("Can't build request:", err)
357 }
358 err = authCodeGrantInvalidate(req, testContext)
359 if err != ErrAuthorizationCodeNotFound {
360 t.Errorf("Expected `%s`, got `%+v`", ErrAuthorizationCodeNotFound, err)
361 }
362 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
363 if err != nil {
364 t.Fatal("Can't build request:", err)
365 }
366 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
367 params := url.Values{}
368 params.Set("code", "notmycode")
369 body := bytes.NewBufferString(params.Encode())
370 req.Body = ioutil.NopCloser(body)
371 err = authCodeGrantInvalidate(req, testContext)
372 if err != ErrAuthorizationCodeNotFound {
373 t.Errorf("Expected `%s`, got `%+v`", ErrAuthorizationCodeNotFound, err)
374 }
375 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
376 if err != nil {
377 t.Fatal("Can't build request:", err)
378 }
379 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
380 params.Set("code", code.Code)
381 body = bytes.NewBufferString(params.Encode())
382 req.Body = ioutil.NopCloser(body)
383 err = authCodeGrantInvalidate(req, testContext)
384 if err != nil {
385 t.Error("Error invalidating auth code:", err)
386 }
387 authCode, err := testContext.GetAuthorizationCode(code.Code)
388 if err != nil {
389 t.Error("Error retrieving auth code:", err)
390 }
391 if !authCode.Used {
392 t.Error("Expected auth code to be used, was not.")
393 }
394 }