@ -299,10 +299,11 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) {
"client_secret" : "inconsistent" ,
"client_secret" : "inconsistent" ,
} )
} )
req . Header . Add ( "Authorization" , "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9" )
req . Header . Add ( "Authorization" , "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9" )
resp = MakeRequest ( t , req , http . StatusBadRequest )
parsedError = new ( auth . AccessTokenError )
parsedError = new ( auth . AccessTokenError )
assert . NoError ( t , json . Unmarshal ( resp . Body . Bytes ( ) , parsedError ) )
assert . NoError ( t , json . Unmarshal ( resp . Body . Bytes ( ) , parsedError ) )
assert . Equal ( t , "invalid_request" , string ( parsedError . ErrorCode ) )
assert . Equal ( t , "invalid_request" , string ( parsedError . ErrorCode ) )
assert . Equal ( t , "client_id in request body inconsistent with Authorization header" , parsedError . ErrorDescription )
assert . Equal ( t , "client_secret in request body inconsistent with Authorization header" , parsedError . ErrorDescription )
}
}
func TestRefreshTokenInvalidation ( t * testing . T ) {
func TestRefreshTokenInvalidation ( t * testing . T ) {
@ -329,7 +330,33 @@ func TestRefreshTokenInvalidation(t *testing.T) {
// test without invalidation
// test without invalidation
setting . OAuth2 . InvalidateRefreshTokens = false
setting . OAuth2 . InvalidateRefreshTokens = false
refreshReq := NewRequestWithValues ( t , "POST" , "/login/oauth/access_token" , map [ string ] string {
req = NewRequestWithValues ( t , "POST" , "/login/oauth/access_token" , map [ string ] string {
"grant_type" : "refresh_token" ,
"client_id" : "da7da3ba-9a13-4167-856f-3899de0b0138" ,
// omit secret
"redirect_uri" : "a" ,
"refresh_token" : parsed . RefreshToken ,
} )
resp = MakeRequest ( t , req , http . StatusBadRequest )
parsedError := new ( auth . AccessTokenError )
assert . NoError ( t , json . Unmarshal ( resp . Body . Bytes ( ) , parsedError ) )
assert . Equal ( t , "invalid_client" , string ( parsedError . ErrorCode ) )
assert . Equal ( t , "invalid empty client secret" , parsedError . ErrorDescription )
req = NewRequestWithValues ( t , "POST" , "/login/oauth/access_token" , map [ string ] string {
"grant_type" : "refresh_token" ,
"client_id" : "da7da3ba-9a13-4167-856f-3899de0b0138" ,
"client_secret" : "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=" ,
"redirect_uri" : "a" ,
"refresh_token" : "UNEXPECTED" ,
} )
resp = MakeRequest ( t , req , http . StatusBadRequest )
parsedError = new ( auth . AccessTokenError )
assert . NoError ( t , json . Unmarshal ( resp . Body . Bytes ( ) , parsedError ) )
assert . Equal ( t , "unauthorized_client" , string ( parsedError . ErrorCode ) )
assert . Equal ( t , "unable to parse refresh token" , parsedError . ErrorDescription )
req = NewRequestWithValues ( t , "POST" , "/login/oauth/access_token" , map [ string ] string {
"grant_type" : "refresh_token" ,
"grant_type" : "refresh_token" ,
"client_id" : "da7da3ba-9a13-4167-856f-3899de0b0138" ,
"client_id" : "da7da3ba-9a13-4167-856f-3899de0b0138" ,
"client_secret" : "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=" ,
"client_secret" : "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=" ,
@ -337,24 +364,24 @@ func TestRefreshTokenInvalidation(t *testing.T) {
"refresh_token" : parsed . RefreshToken ,
"refresh_token" : parsed . RefreshToken ,
} )
} )
bs , err := io . ReadAll ( refreshRe q . Body )
bs , err := io . ReadAll ( req . Body )
assert . NoError ( t , err )
assert . NoError ( t , err )
refreshRe q . Body = io . NopCloser ( bytes . NewReader ( bs ) )
req . Body = io . NopCloser ( bytes . NewReader ( bs ) )
MakeRequest ( t , refreshRe q , http . StatusOK )
MakeRequest ( t , req , http . StatusOK )
refreshRe q . Body = io . NopCloser ( bytes . NewReader ( bs ) )
req . Body = io . NopCloser ( bytes . NewReader ( bs ) )
MakeRequest ( t , refreshRe q , http . StatusOK )
MakeRequest ( t , req , http . StatusOK )
// test with invalidation
// test with invalidation
setting . OAuth2 . InvalidateRefreshTokens = true
setting . OAuth2 . InvalidateRefreshTokens = true
refreshRe q . Body = io . NopCloser ( bytes . NewReader ( bs ) )
req . Body = io . NopCloser ( bytes . NewReader ( bs ) )
MakeRequest ( t , refreshRe q , http . StatusOK )
MakeRequest ( t , req , http . StatusOK )
// repeat request should fail
// repeat request should fail
refreshRe q . Body = io . NopCloser ( bytes . NewReader ( bs ) )
req . Body = io . NopCloser ( bytes . NewReader ( bs ) )
resp = MakeRequest ( t , refreshRe q , http . StatusBadRequest )
resp = MakeRequest ( t , req , http . StatusBadRequest )
parsedError : = new ( auth . AccessTokenError )
parsedError = new ( auth . AccessTokenError )
assert . NoError ( t , json . Unmarshal ( resp . Body . Bytes ( ) , parsedError ) )
assert . NoError ( t , json . Unmarshal ( resp . Body . Bytes ( ) , parsedError ) )
assert . Equal ( t , "unauthorized_client" , string ( parsedError . ErrorCode ) )
assert . Equal ( t , "unauthorized_client" , string ( parsedError . ErrorCode ) )
assert . Equal ( t , "token was already used" , parsedError . ErrorDescription )
assert . Equal ( t , "token was already used" , parsedError . ErrorDescription )