-
Notifications
You must be signed in to change notification settings - Fork 42
Expand file tree
/
Copy pathoauth-state.test.ts
More file actions
124 lines (108 loc) · 3.33 KB
/
oauth-state.test.ts
File metadata and controls
124 lines (108 loc) · 3.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
import {
DEFAULT_GITLAB_OAUTH_INSTANCE_URL,
createGitLabOAuthState,
verifyGitLabOAuthState,
} from './oauth-state';
describe('gitlab oauth state', () => {
test('round-trips self-hosted instance metadata and user binding', () => {
const state = createGitLabOAuthState(
{
owner: { type: 'org', id: 'org_123' },
instanceUrl: 'https://gitlab.example.com',
customCredentialsRef: 'cached-credentials-ref',
},
'user_123'
);
expect(verifyGitLabOAuthState(state)).toEqual({
owner: { type: 'org', id: 'org_123' },
instanceUrl: 'https://gitlab.example.com',
customCredentialsRef: 'cached-credentials-ref',
userId: 'user_123',
});
});
test('defaults verified first-party state to gitlab.com', () => {
const state = createGitLabOAuthState(
{
owner: { type: 'user', id: 'user_123' },
},
'user_123'
);
expect(verifyGitLabOAuthState(state)).toEqual({
owner: { type: 'user', id: 'user_123' },
instanceUrl: DEFAULT_GITLAB_OAUTH_INSTANCE_URL,
userId: 'user_123',
});
});
test('rejects signed state for an http instance URL', () => {
const state = createGitLabOAuthState(
{
owner: { type: 'user', id: 'user_123' },
instanceUrl: 'http://gitlab.example.com',
},
'user_123'
);
expect(verifyGitLabOAuthState(state)).toBeNull();
});
test('round-trips a validated return path', () => {
const state = createGitLabOAuthState(
{
owner: { type: 'user', id: 'user_123' },
returnTo: '/claw/new?step=gitlab',
},
'user_123'
);
expect(verifyGitLabOAuthState(state)).toEqual({
owner: { type: 'user', id: 'user_123' },
instanceUrl: DEFAULT_GITLAB_OAUTH_INSTANCE_URL,
returnTo: '/claw/new?step=gitlab',
userId: 'user_123',
});
});
test('rejects invalid return paths', () => {
const state = createGitLabOAuthState(
{
owner: { type: 'user', id: 'user_123' },
returnTo: 'https://evil.example.com/path',
},
'user_123'
);
expect(verifyGitLabOAuthState(state)).toBeNull();
});
test('round-trips a collab return path', () => {
const state = createGitLabOAuthState(
{
owner: { type: 'user', id: 'user_123' },
returnTo: '/collab/authorize?services=gitlab&step=0',
},
'user_123'
);
expect(verifyGitLabOAuthState(state)).toEqual({
owner: { type: 'user', id: 'user_123' },
instanceUrl: DEFAULT_GITLAB_OAUTH_INSTANCE_URL,
returnTo: '/collab/authorize?services=gitlab&step=0',
userId: 'user_123',
});
});
test('rejects tampered state', () => {
const state = createGitLabOAuthState(
{
owner: { type: 'user', id: 'user_123' },
},
'user_123'
);
const tampered = `${state.slice(0, -1)}x`;
expect(verifyGitLabOAuthState(tampered)).toBeNull();
});
test('rejects malformed multibyte signatures without throwing', () => {
const state = createGitLabOAuthState(
{
owner: { type: 'user', id: 'user_123' },
},
'user_123'
);
const dotIndex = state.indexOf('.');
const payload = state.slice(0, dotIndex);
const signature = state.slice(dotIndex + 1);
expect(verifyGitLabOAuthState(`${payload}.${'\u00e9'.repeat(signature.length)}`)).toBeNull();
});
});