Structured review of every OAuth/auth handler against the standard
attack catalog. Findings table added to design.md §8.2.
Two real issues found and fixed:
- Refresh-token replay race: tokenRefreshGrant read the row, validated
it, then minted a new pair before unconditionally revoking the old
refresh. Two concurrent /token requests with the same refresh would
both pass validation and both mint a fresh pair — token-quota
duplication and a hint to a stolen-refresh attacker. Fixed with the
same atomic UPDATE rows-affected pattern already used for auth-code
single-use. New TestToken_Refresh_ConcurrentReplay_OnlyOneSucceeds
races two goroutines and verifies exactly one wins.
- Permissive redirect_uri schemes: validateRedirectURI accepted any
non-empty scheme, including javascript: and data:. Tightened to
require https, http for loopback only, or a reverse-DNS private-use
scheme per RFC 8252 §7.1. TestValidateRedirectURI updated to cover
each variant including the rejected javascript:/data: cases.
Items deferred to backlog (already filed):
- Rate limits on /oauth/register and /oauth/token (-ttl)
- --token-fd to close the /proc/<pid>/environ window (-1n2)
- AES-GCM at-rest encryption of Forgejo tokens (-sd4)
Closes forgejo-mcp-broker-wgo. Phase 2 complete.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
package oauth
import (
"crypto/sha256"
"encoding/base64"
"strings"
"testing"
"time"
)
|
// The background ticker fires reapPending only once a minute, which is
// far too slow for a test to wait on, so this internal test calls the
// reaper directly with a pinned clock and checks that entries whose
// expiresAt is in the past are dropped while a future one survives.
func TestReapPending_RemovesExpired(t *testing.T) {
	clock := time.Date(2026, 4, 27, 12, 0, 0, 0, time.UTC)
	srv := &Server{now: func() time.Time { return clock }}

	// Offsets relative to the pinned clock: negative means already expired.
	entries := map[string]time.Duration{
		"expired-1": -time.Minute,
		"expired-2": -time.Hour,
		"fresh":     time.Hour,
	}
	for key, offset := range entries {
		srv.pending.Store(key, &pendingAuth{expiresAt: clock.Add(offset)})
	}

	srv.reapPending()

	for key, offset := range entries {
		_, present := srv.pending.Load(key)
		switch {
		case offset < 0 && present:
			t.Errorf("%q should have been reaped", key)
		case offset >= 0 && !present:
			t.Error("fresh entry was wrongly reaped")
		}
	}
}
|
// secureToken is random, so there is no fixed expected value. Instead the
// test pins the shape of the output: lowercase hex, twice the requested
// byte count in length, and different across two consecutive calls.
func TestSecureToken_Shape(t *testing.T) {
	const (
		nBytes    = 16
		wantLen   = 2 * nBytes // hex encoding doubles the byte count
		hexDigits = "0123456789abcdef"
	)

	first := secureToken(nBytes)
	second := secureToken(nBytes)

	if first == second {
		t.Error("two secureToken calls produced identical output")
	}
	if got := len(first); got != wantLen {
		t.Errorf("secureToken(16) length = %d, want 32", got)
	}
	// Strip leading hex digits; whatever is left starts with the first
	// character that is not lowercase hex.
	if rest := strings.TrimLeft(first, hexDigits); rest != "" {
		t.Errorf("non-hex character %q in token", []rune(rest)[0])
	}
}
|
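// verifyPKCE must accept a verifier only together with the S256 challenge
// derived from it (RFC 7636 §4.2, §4.6) and reject everything else. Beyond
// the mutated-challenge and wrong-verifier cases, this pins three things a
// reviewer wants guaranteed: the challenge is compared in its unpadded
// base64url form only (a padded or standard-alphabet encoding of the same
// digest must not match), an echoed verifier — the "plain" method — does
// not verify, and empty inputs never pass.
func TestVerifyPKCE_Roundtrip(t *testing.T) {
	// 52 characters: inside the 43..128 range RFC 7636 §4.1 requires.
	verifier := "the-quick-brown-fox-jumps-over-the-lazy-dog-12345678"
	sum := sha256.Sum256([]byte(verifier))
	challenge := base64.RawURLEncoding.EncodeToString(sum[:])

	if !verifyPKCE(verifier, challenge) {
		t.Error("verifyPKCE should accept matching verifier+challenge")
	}

	rejects := []struct {
		name      string
		verifier  string
		challenge string
	}{
		{"mutated_challenge", verifier, challenge + "x"},
		{"wrong_verifier", "WRONG", challenge},
		// Same digest, but padded / standard-alphabet encodings are not the
		// base64url-without-padding form RFC 7636 mandates.
		{"padded_url_challenge", verifier, base64.URLEncoding.EncodeToString(sum[:])},
		{"std_base64_challenge", verifier, base64.StdEncoding.EncodeToString(sum[:])},
		// verifyPKCE takes no code_challenge_method, so a challenge that is
		// just the verifier (the "plain" method) must not be honoured.
		{"plain_method", verifier, verifier},
		{"empty_both", "", ""},
		{"empty_verifier", "", challenge},
		{"empty_challenge", verifier, ""},
	}
	for _, tc := range rejects {
		t.Run(tc.name, func(t *testing.T) {
			if verifyPKCE(tc.verifier, tc.challenge) {
				t.Errorf("verifyPKCE(%q, %q) should be rejected", tc.verifier, tc.challenge)
			}
		})
	}
}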
|
// userIDInt64 turns a decimal id string into an int64; anything that is
// not a pure decimal number (empty, letters, trailing junk) maps to 0.
func TestUserIDInt64(t *testing.T) {
	for _, tc := range []struct {
		in   string
		want int64
	}{
		{"42", 42},
		{"", 0},
		{"abc", 0},
		{"123abc", 0},
		{"99999999999", 99999999999},
	} {
		got := userIDInt64(tc.in)
		if got == tc.want {
			continue
		}
		t.Errorf("userIDInt64(%q) = %d, want %d", tc.in, got, tc.want)
	}
}
|
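// validateRedirectURI must enforce the RFC 8252 §7 policy: https for web
// clients, plain http only on a loopback host (on any port, §7.3), and
// private-use schemes only in reverse-DNS form (§7.1). Non-loopback http,
// single-word custom schemes, javascript:/data:, and a missing or
// unparseable scheme are rejected. The table also covers loopback
// look-alikes — a hostname that merely starts with a loopback name, and
// "localhost" smuggled into the userinfo part — which a naive prefix match
// would wrongly accept, and a fragment, which RFC 6749 §3.1.2 forbids in a
// redirect URI.
func TestValidateRedirectURI(t *testing.T) {
	cases := []struct {
		name string
		in   string
		ok   bool
	}{
		{"https", "https://app.example.com/cb", true},
		{"http_loopback_localhost", "http://localhost:1234/cb", true},
		{"http_loopback_v4", "http://127.0.0.1/cb", true},
		{"http_loopback_v4_port", "http://127.0.0.1:8080/cb", true},
		{"http_loopback_v6", "http://[::1]/cb", true},
		{"http_non_loopback", "http://app.example.com/cb", false},
		// A hostname that only begins with a loopback name is not loopback.
		{"http_localhost_lookalike", "http://localhost.evil.example/cb", false},
		{"http_v4_lookalike", "http://127.0.0.1.evil.example/cb", false},
		// url.Parse puts "localhost" in the userinfo; the host is evil.example.
		{"http_localhost_userinfo", "http://localhost@evil.example/cb", false},
		{"reverse_dns_scheme", "com.example.claudeapp:/cb", true},
		{"single_word_scheme", "claude://oauth/cb", false},
		{"javascript_scheme", "javascript:alert(1)", false},
		{"data_scheme", "data:text/html,<h1>hi</h1>", false},
		// RFC 6749 §3.1.2: the redirect URI MUST NOT include a fragment.
		{"https_with_fragment", "https://app.example.com/cb#frag", false},
		{"missing_scheme", "app.example.com/cb", false},
		{"unparseable", "://no-scheme", false},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			err := validateRedirectURI(tc.in)
			switch {
			case tc.ok && err != nil:
				t.Errorf("expected ok, got %v", err)
			case !tc.ok && err == nil:
				t.Error("expected error, got nil")
			}
		})
	}
}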