package oauth

import (
	"crypto/sha256"
	"encoding/base64"
	"strings"
	"testing"
	"time"
)

// reapPending only runs every minute via the background ticker, so
// production tests can't drive it within a reasonable timeout. This
// internal test exercises the reaper logic directly, with a frozen
// clock injected through Server.now so the cutoff is deterministic.
func TestReapPending_RemovesExpired(t *testing.T) {
	clock := time.Date(2026, 4, 27, 12, 0, 0, 0, time.UTC)
	srv := &Server{now: func() time.Time { return clock }}

	// Seed entries on both sides of the cutoff; "fresh" is the control
	// that proves the reaper is selective rather than clearing the map.
	entries := []struct {
		key       string
		expiresAt time.Time
		reaped    bool // expected to be gone after reapPending
	}{
		{"expired-1", clock.Add(-time.Minute), true},
		{"expired-2", clock.Add(-time.Hour), true},
		{"fresh", clock.Add(time.Hour), false},
	}
	for _, e := range entries {
		srv.pending.Store(e.key, &pendingAuth{expiresAt: e.expiresAt})
	}

	srv.reapPending()

	for _, e := range entries {
		_, present := srv.pending.Load(e.key)
		switch {
		case e.reaped && present:
			t.Errorf("%q should have been reaped", e.key)
		case !e.reaped && !present:
			t.Error("fresh entry was wrongly reaped")
		}
	}
}

// secureToken's output is non-deterministic, so we test shape: hex,
// expected length, and that two consecutive calls differ.
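func TestSecureToken_Shape(t *testing.T) {
	a := secureToken(16)
	b := secureToken(16)
	if a == b {
		t.Error("two secureToken calls produced identical output")
	}
	// 16 random bytes hex-encoded is exactly 32 characters.
	if len(a) != 32 {
		t.Errorf("secureToken(16) length = %d, want 32", len(a))
	}
	for _, c := range a {
		if !strings.ContainsRune("0123456789abcdef", c) {
			t.Errorf("non-hex character %q in token", c)
			break
		}
	}
}

// TestVerifyPKCE_Roundtrip checks the S256 method (RFC 7636 §4.2):
// challenge = BASE64URL(SHA-256(ASCII(verifier))) without padding.
// The accept case proves the encoding matches; the two reject cases
// prove the comparison is actually performed on both inputs.
func TestVerifyPKCE_Roundtrip(t *testing.T) {
	// 52 characters: inside the 43..128 range RFC 7636 §4.1 allows.
	verifier := "the-quick-brown-fox-jumps-over-the-lazy-dog-12345678"
	sum := sha256.Sum256([]byte(verifier))
	challenge := base64.RawURLEncoding.EncodeToString(sum[:])

	if !verifyPKCE(verifier, challenge) {
		t.Error("verifyPKCE should accept matching verifier+challenge")
	}
	if verifyPKCE(verifier, challenge+"x") {
		t.Error("verifyPKCE should reject a mutated challenge")
	}
	if verifyPKCE("WRONG", challenge) {
		t.Error("verifyPKCE should reject a wrong verifier")
	}
	// NOTE(review): whether a padded ("=") or standard-alphabet challenge
	// is rejected depends on how verifyPKCE compares; confirm against the
	// implementation before pinning that here.
}

// TestUserIDInt64 pins the lenient parse: any input that is not a plain
// decimal integer maps to 0 rather than an error.
func TestUserIDInt64(t *testing.T) {
	cases := map[string]int64{
		"42":          42,
		"":            0,
		"abc":         0,
		"123abc":      0,
		"99999999999": 99999999999, // exceeds int32; must not truncate
	}
	for in, want := range cases {
		if got := userIDInt64(in); got != want {
			t.Errorf("userIDInt64(%q) = %d, want %d", in, got, want)
		}
	}
}

// TestValidateRedirectURI pins the redirect-URI policy: https anywhere,
// plain http only on a loopback host (RFC 8252 §7.3), and private-use
// reverse-DNS schemes (RFC 8252 §7.1). Everything else — including
// script-bearing schemes that would otherwise turn an open redirect
// into XSS — must be rejected.
func TestValidateRedirectURI(t *testing.T) {
	cases := []struct {
		name string
		in   string
		ok   bool
	}{
		{"https", "https://app.example.com/cb", true},
		{"http_loopback_localhost", "http://localhost:1234/cb", true},
		{"http_loopback_v4", "http://127.0.0.1/cb", true},
		{"http_loopback_v6", "http://[::1]/cb", true},
		{"http_non_loopback", "http://app.example.com/cb", false},
		// A host that merely begins with "localhost" is not loopback; the
		// validator must compare the whole host, not a prefix.
		{"http_loopback_lookalike", "http://localhost.evil.example/cb", false},
		{"reverse_dns_scheme", "com.example.claudeapp:/cb", true},
		{"single_word_scheme", "claude://oauth/cb", false},
		{"javascript_scheme", "javascript:alert(1)", false},
		// The payload is irrelevant; any data: URI is rejected by scheme.
		{"data_scheme", "data:text/html,hi", false},
		{"missing_scheme", "app.example.com/cb", false},
		{"unparseable", "://no-scheme", false},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			err := validateRedirectURI(tc.in)
			if tc.ok && err != nil {
				t.Errorf("expected ok, got %v", err)
			}
			if !tc.ok && err == nil {
				t.Error("expected error, got nil")
			}
		})
	}
}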